Recognize-Security

AOL 9.5 Phobos.Playlist Import() Stack-based Buffer Overflow exploit (meta)

Posted by Trancer on Jan 25 2010

AOL Wrote a new Metaspoit exploit module for the AOL 9.5 Phobos.Playlist ActiveX control Import() stack-based buffer overflow vulnerability.

This module exploits a stack-based buffer overflow within Phobos.dll of AOL 9.5. By setting an overly long value to ‘Import()’, an attacker can overrun a buffer and execute arbitrary code.

This vulnerability was found by Hellcode Research and was published recently by Dz_attacker. Still no patch from AOL, if you want to test it you can get the vulnerable package from the AOL 9.5 page.

The exploit was successfully tested on the following platforms:
– AOL 9.5 (Revision 4337.155) on Internet Explorer 7, Windows XP SP3

Phobos.dll version tested:
– File Version: 9.5.0.1
– ClassID: A105BD70-BF56-4D10-BC91-41C88321F47C
– RegKey Safe for Script: False
– RegKey Safe for Init: False
– Implements IObjectSafety: False
– KillBitSet: False

Due to the safe for initialization and safe for scripting settings of this ActiveX control, exploitation is possible only from Local Machine Zone, which means the victim must run the generated exploit file locally.

Download aol_phobos_bof.rb.
Also on Metasploit and exploit-db.

References:
OSVDB 61964
exploit-db 11204

Categories: Exploits, Metasploit

0 Comments | Comments RSS | TrackBack URL

Recognize-Security Welcome to the Machine January 2010

AOL 9.5 Phobos.Playlist Import() Stack-based Buffer Overflow exploit (meta) Posted by Trancer on Jan 25 2010 Wrote a new Metaspoit exploit module for the AOL 9.5 Phobos.Playlist ActiveX control Import() stack-based buffer overflow vulnerability. This module exploits a stack-based buffer overflow within Phobos.dll of AOL 9.5. By setting an overly long value to ‘Import()’, an attacker can overrun a buffer and execute arbitrary code. This vulnerability was found by Hellcode Research and was published recently by Dz_attacker. Still no patch from AOL, if you want to test it you can get the vulnerable package from the AOL 9.5 page. The exploit was successfully tested on the following platforms: – AOL 9.5 (Revision 4337.155) on Internet Explorer 7, Windows XP SP3 Phobos.dll version tested: – File Version: 9.5.0.1 – ClassID: A105BD70-BF56-4D10-BC91-41C88321F47C – RegKey Safe for Script: False – RegKey Safe for Init: False – Implements IObjectSafety: False – KillBitSet: False Due to the safe for initialization and safe for scripting settings of this ActiveX control, exploitation is possible only from Local Machine Zone, which means the victim must run the generated exploit file locally. Download aol_phobos_bof.rb. Also on Metasploit and exploit-db. References: OSVDB 61964 exploit-db 11204 Categories: Exploits, Metasploit 0 Comments \| Comments RSS \| TrackBack URL Leave a Reply Click here to cancel reply. Name (required) Mail (will not be published) (required) Website	Categories Advisories Articles Exploitation Exploits LOLz Malware Metasploit Presentations Rec-Sec Security News Tools Vulnerabilities Web Application Security Archives March 2010 January 2010 December 2009 November 2009 October 2009 September 2009 August 2009 July 2009 June 2009 May 2009 April 2009 March 2009 February 2009 December 2008 November 2008 October 2008 September 2008 August 2008 January 2008 June 2007 May 2007 April 2007 March 2007 February 2007 Pages About Recognize-Security Links BinaryVision BlackHat Security BugSec Ltd. Digital Whisper Extraexploit Inj3ct0r exploit database milw0rm NiX IRC Network NullByte Pankaj Kohli Peter Van Eeckhoutte The Metasploit Project TryThis0ne Udi Mosayev Uninformed xorl eax, eax Meta RSS 2.0 ATOM 1.0 RDF 1.0 Links OPML OpenSearch
Valid XHTML \| Valid CSS \| RSS \| Comments RSS Copyright © 2009 Recognize-Security. Some rights reserved. ~~Security~~ Hacking, However, is an art, not a science.

January 2010

AOL 9.5 Phobos.Playlist Import() Stack-based Buffer Overflow exploit (meta)

Leave a Reply