CVE-2004-0636
Published: 2004-11-23
Priority: P3 · 46 · critical · 10 · CVSS 2.0
CVSS 2.0 vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
Exploit: public exploit available
EPSS: 66.02% (99.2th percentile)

Buffer overflow in the goaway function in the aim:goaway URI handler for AOL Instant Messenger (AIM) 5.5, including 5.5.3595, allows remote attackers to execute arbitrary code via a long Away message.
Affected (3 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| aol | instant_messenger | — | — |
| aol | instant_messenger | — | — |
| aol | instant_messenger | — | — |
Detection & IOCs (extracted from sources)
- bytes: `\x90\xe9\x13\xfc\xff\xff`
- bytes: `EB 0F 8B 34 24 33 C9 80 C1 B0 80 36 DE 46 E2 FA`
- Monitor for processes launching with URI arguments matching 'aim:goaway?message=' followed by an abnormally long string (>1000 bytes), which indicates exploitation of the AIM goaway buffer overflow.
- Flag use of the return address 0x10015599 (call ebx in rtvideo.dll) in memory or shellcode, as it is the stable NT-universal gadget used by the PoC exploit.
- Flag use of the SEH overwrite gadget at 0x1108118f (pop/pop/ret in proto.com) as used by the Metasploit module for this CVE.
- Detect outbound TCP connections to port 1180 from the AIM process shortly after processing a goaway URI, as the PoC bind-shell shellcode listens on that port.
- Bad characters for payload filtering/detection: null byte, tab, LF, CR, space, quote, percent, ampersand, apostrophe, plus, forward-slash, colon, angle brackets, question mark, at-sign. Any AIM goaway URI message parameter containing these may indicate a crafted/encoded payload.
- Caveat: the PoC exploit (395) targets AIM 5.5.3595 specifically and uses offsets based on the exe/dll from that package; the return address 0x10015599 (rtvideo.dll) is described as 'NT universal' but may not apply to all builds.
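An added defender-side example, not code from this page or from any of the listed exploits, that applies the detection notes above to constructed endpoint telemetry: it flags a goaway URI whose message parameter exceeds 1000 bytes or percent-decodes to the shellcode bytes listed, and a port-1180 connection from the AIM process shortly after a goaway URI was handled. The event format, the process image name "aim.exe" and the 60-second correlation window are assumptions.

```python
import re
from urllib.parse import unquote_to_bytes

# Thresholds and byte indicators are those from the detection notes above; the
# 60-second window and the process image name "aim.exe" are assumptions.
MAX_MESSAGE_LEN, BIND_PORT, WINDOW_SECONDS, AIM_IMAGE = 1000, 1180, 60, "aim.exe"
IOC_BYTES = [b"\x90\xe9\x13\xfc\xff\xff",
             bytes.fromhex("EB0F8B342433C980C1B08036DE46E2FA")]
GOAWAY_RE = re.compile(r'aim:goaway\?(?:[^\s"&]*&)*message=([^\s"&]*)', re.I)

def inspect_command_line(cmdline):
    """None if the command line carries no goaway URI; else a list of findings."""
    m = GOAWAY_RE.search(cmdline)
    if not m:
        return None
    raw = m.group(1)
    decoded = unquote_to_bytes(raw)   # undo %xx encoding before matching bytes
    reasons = []
    if len(raw) > MAX_MESSAGE_LEN:
        reasons.append(f"message is {len(raw)} bytes (> {MAX_MESSAGE_LEN})")
    for ioc in IOC_BYTES:
        if ioc in decoded:
            reasons.append(f"message decodes to known shellcode bytes {ioc.hex()}")
    return reasons

def correlate(events):
    """events: dicts with ts, kind ('process' or 'netconn'), image, and either
    cmdline or dport. Returns one alert string per suspicious observation."""
    alerts, last_goaway = [], None
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["kind"] == "process":
            reasons = inspect_command_line(ev["cmdline"])
            if reasons is None:
                continue
            last_goaway = ev["ts"]   # a benign goaway URI still arms the correlation
            alerts += [f'{ev["ts"]} {ev["image"]}: {r}' for r in reasons]
        elif (ev["kind"] == "netconn" and ev["dport"] == BIND_PORT
              and ev["image"].lower() == AIM_IMAGE and last_goaway is not None
              and ev["ts"] - last_goaway <= WINDOW_SECONDS):
            alerts.append(f'{ev["ts"]} {ev["image"]}: TCP to port {BIND_PORT} '
                          f'{ev["ts"] - last_goaway}s after goaway URI')
    return alerts

SAMPLE = [  # constructed sample telemetry, not captured from any real host
    {"ts": 10, "kind": "process", "image": "aim.exe", "cmdline": 'aim.exe "aim:goaway?message=brb"'},
    {"ts": 20, "kind": "process", "image": "aim.exe", "cmdline": 'aim.exe "aim:goaway?message=' + "A" * 1200 + '"'},
    {"ts": 25, "kind": "process", "image": "aim.exe", "cmdline": 'aim.exe "aim:goaway?message=hi%90%E9%13%FC%FF%FF"'},
    {"ts": 40, "kind": "netconn", "image": "aim.exe", "dport": 1180},
    {"ts": 999, "kind": "netconn", "image": "aim.exe", "dport": 1180},
]
```

Running `correlate(SAMPLE)` yields three alerts: the oversized message, the shellcode-bearing message, and the port-1180 connection 15 seconds later; the connection at ts 999 falls outside the window and is ignored.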
No detection rules found.
Exploit-DB: AOL Instant Messenger AIM - goaway Overflow (Metasploit) (exploitdb, 2010-07-03)
---
```ruby
##
# $Id: aim_goaway.rb 9669 2010-07-03 03:13:45Z jduck $
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
  # (the module's include and Rank lines were lost from the source listing)
  def initialize(info = {})
    super(update_info(info,
      'Name'        => 'AOL Instant Messenger goaway Overflow',
      'Description' => %q{
          This module exploits a flaw in the handling of AOL Instant
        Messenger's 'goaway' URI handler. An attacker can execute
        arbitrary code by supplying an overly sized buffer as the
        'message' parameter. This issue is known to affect AOL Instant
        Messenger 5.5.
      },
      'License'     => MSF_LICENSE,
      'Author'      =>
        [
          'skape',
          'thief '
        ],
      'V
```
Exploit-DB: AOL Instant Messenger AIM - 'Away' Message Remote (2) (exploitdb, 2004-09-02)
---
```c
/* CAN-2004-0636 */
/*
 * AIM Away Message Buffer Overflow Exploit
 * Exploit by John Bissell A.K.A. HighT1mes
 *
 * Exploit:
 * ========
 * drizzit.c
 *
 * Vulnerable Software:
 * ====================
 * - AIM 5.5.3588
 * - AIM 5.5.3590 Beta
 * - AIM 5.5.3591
 * - AIM 5.5.3595
 * and a couple of other versions...
 *
 * If you want to try other return addresses for other versions of
 * AIM then edit the return address. But the current one embedded
 * will work for sure with all the AIM versions listed above.
 *
 * I used some of the metasploit shellcode for this exploit with some
 * modifications to get this into stealth mode so it is harder to
 * detect the attack. Since I'm using metasploit shellcode that means this
 * exploit can be used on any NT t
```
Exploit-DB: AOL Instant Messenger AIM - 'Away' Message Local Overflow (exploitdb, 2004-08-14)
---
```c
/*
subject: local PoC exploit for AIM 5.5.3595
vendor: http://www.aim.com
cve: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0636
credits: Matt Murphy
date: 10 August 2004
notes: exploits locally if an argument is supplied, otherwise prints the url.
offsets are based on exe/dll provided in the package, so it should be NT universal.
shellcode makes a bindshell on port 1180.
greets: roSec - Romanian Security Research - www rosec info
author: mandragore
*/
#include
#include
#include
#pragma comment(lib,"ws2_32.lib")
#define GPA 0x004040a4
#define LLA 0x00404088
#define fatal(x) { perror(x); exit(1); }
unsigned char bsh[]={
0xEB,0x0F,0x8B,0x34,0x24,0x33,0xC9,0x80,0xC1,0xB0,0x80,0x36,0xDE,0x46,0xE2,0xFA,
0xC3
```
Metasploit: AOL Instant Messenger goaway Overflow
This module exploits a flaw in the handling of AOL Instant Messenger's 'goaway' URI handler. An attacker can execute arbitrary code by supplying an overly sized buffer as the 'message' parameter. This issue is known to affect AOL Instant Messenger 5.5.
No writeups or analysis indexed.
References:
- http://secunia.com/advisories/12198/
- http://www.idefense.com/application/poi/display?id=121&type=vulnerabilities
- http://www.kb.cert.org/vuls/id/735966
- https://exchange.xforce.ibmcloud.com/vulnerabilities/16926