/* CAN-2004-0636 */
 *
 * AIM Away Message Buffer Overflow Exploit
 * Exploit by John Bissell A.K.A. HighT1mes
 *
 * Exploit:
 * ========
 * drizzit.c
 *
 * Vulnerable Software:
 * ====================
 * - AIM 5.5.3588
 * - AIM 5.5.3590 Beta
 * - AIM 5.5.3591
 * - AIM 5.5.3595
 * and a couple of other versions...
 *
 * If you want to try other return addresses for other versions of
 * AIM then edit the return address.. But the current one embedded
 * will work for sure with all the AIM versions listed above.
 *
 * I used some of the metasploit shellcode for this exploit with some
 * modifications to get this into stealth mode so it is harder to
 * detect the attack. Since I'm using metasploit shellcode that means this
 * exploit can be used on any NT type OS, like win2k, winnt, winxp across
 * any service pack.. I don't know about SP2 though, I haven't tested
 * it yet.
 *
 * On a side note I purposely did not include the download+exec shellcode
 * even though I have it because I'm sick and tired of these little
 * spam/adware bitches messing people's computers up for profit.. You can
 * still download/upload through the shell to the victim. It just
 * isn't automated like download+exec would be.
 *
 * In my opinion the reverse connect (-r option) is the most dangerous
 * because you can encode your ip address and pick a port, and then
 * when the victim visits the evil web page or email whatever.. then the
 * attack will automatically open his AIM even if it's not already open and
 * connect to you and then terminate the AIM process to be stealth so
 * the victim doesn't know what hit them.. As I remind people in the
 * exploit usage, you need to remember to use netcat to listen on the
 * port you picked for the exploit to connect to...
 *
 * One reason I decided to include the generation of html code for
 * this exploit is I noticed almost no one puts small limits on the