The Revenge of the Scammers

This exploit is a 0day in Ammyy Admin (http://www.ammyy.com/en/), a remote-desktop program well known as the tool many fake tech-support phone scammers use on their victims. It claims tens of millions of users. The 0day works from the "controlled" end: when someone connects to you asking to control your computer, you send back the exploit and take over the controller. It has been written for and tested against the latest version of Ammyy Admin (now 3.5).

This package has two main parts: a fully commented Metasploit module and the "aaexploit.exe" launcher. The MSF module generates a file, "exploit.dat", that you copy along with aaexploit.exe to the computer or VM you will launch the exploit from. The exploit itself is launched from a DLL injected into a copy of AA; the DLL hooks AA's data-send functions and replaces the outgoing data with the exploit data. This avoids re-implementing AA's complex outer encryption wrapper and allows for multiple connection types (although only one has been tested). aaexploit.exe automates extracting the AA executable and DLL and injecting the DLL.
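The hook-and-substitute idea above, as an added illustration that is not the aaexploit.exe DLL (which is not on this page): a portable C model in which a small struct of function pointers stands in for the import table entry the injected DLL would patch (on Windows, ws2_32's send), and the replacement send transmits the exploit.dat bytes in place of the application's own buffer on the first send after the hook is armed, passing everything else through. The exploit.dat contents, the "arm on allow" behaviour and the single-substitution policy are assumptions made for the example.

```c
/*
 * Added example, not code from the Ammyy Admin exploit package.
 * Models "hook the send function, replace the outgoing data with the
 * exploit data" without any Windows API so it compiles anywhere.
 */
#include <stdio.h>
#include <string.h>
#include <stddef.h>

#define WIRE_MAX 256

/* "Wire": every byte the (simulated) transport sends lands here. */
static unsigned char wire[WIRE_MAX];
static size_t wire_len;

typedef int (*send_fn)(int sock, const void *buf, size_t len);

/* Stand-in for the import address table entry the injected DLL patches. */
struct import_table { send_fn send; };
static struct import_table iat;

/* The real transport: copy bytes to the wire, return the count sent. */
static int real_send(int sock, const void *buf, size_t len) {
    (void)sock;
    if (wire_len + len > WIRE_MAX) return -1;
    memcpy(wire + wire_len, buf, len);
    wire_len += len;
    return (int)len;
}

/* Hook state: saved original entry, payload, and arm/fire flags. */
static send_fn orig_send;
static const unsigned char *payload;
static size_t payload_len;
static int armed, fired;

/* Replacement send: the first call after arming transmits the payload
 * instead of the caller's buffer; all other calls pass straight through.
 * The caller's own length is returned so the app believes its send worked. */
static int hooked_send(int sock, const void *buf, size_t len) {
    if (armed && !fired) {
        fired = 1;
        if (orig_send(sock, payload, payload_len) < 0) return -1;
        return (int)len;
    }
    return orig_send(sock, buf, len);
}

/* Install: save the original entry, then overwrite it (IAT patching in spirit). */
void install_hook(const unsigned char *data, size_t n) {
    orig_send = iat.send;
    payload = data;
    payload_len = n;
    armed = 0;
    fired = 0;
    iat.send = hooked_send;
}

/* Arm the hook; in the real tool this corresponds to clicking "allow". */
void arm_hook(void) { armed = 1; }

const unsigned char *wire_data(void) { return wire; }
size_t wire_length(void) { return wire_len; }

/* Constructed stand-in for exploit.dat (assumption: not real exploit bytes). */
static const unsigned char exploit_dat[] = { 0xde, 0xad, 0xbe, 0xef, 0x90, 0x90 };

/* Walk one connection through the hook; returns what the app saw from its
 * substituted send (its own length, 8), proving the swap is transparent. */
int run_scenario(void) {
    wire_len = 0;
    iat.send = real_send;                 /* table contents before injection */
    install_hook(exploit_dat, sizeof exploit_dat);
    iat.send(3, "HELLO", 5);              /* before "allow": passes through */
    arm_hook();
    int app_rc = iat.send(3, "AUTHDATA", 8); /* replaced by exploit_dat */
    iat.send(3, "BYE", 3);                /* after firing: passes through */
    return app_rc;
}

int main(void) {
    int rc = run_scenario();
    printf("app saw rc=%d, wire has %zu bytes:", rc, wire_length());
    for (size_t i = 0; i < wire_length(); i++) printf(" %02x", wire_data()[i]);
    printf("\n");
    return 0;
}
```

The design point worth noting is the return value: the hook reports the application's requested length, not the payload length, so the hooked program carries on as if its own message went out; a real DLL hook would also need to patch every send path the target actually uses (the page notes only one connection type has been tested).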

This exploit has been tested against many configurations (Windows Vista and 7, 32- and 64-bit), but so far only on isolated networks. One of the ways AA can connect is via a relay in the cloud run by Ammyy. Via reverse-engineering and debugging, it is clear the same functions are reached through both methods (relay or direct), but for OPSEC reasons, I have not sent the exploit through the relays in the cloud. You can avoid the relay too by running your exploit from a VM directly connected to the internet and blocking the rl.ammyy.com relay:

0. Open a Windows VM you'll launch the exploit from.
1. Add the line "127.0.0.1 rl.ammyy.com" to C:\Windows\system32\drivers\etc\hosts (the file is only writable from an elevated editor).
2. Set the VM's network adapter to "bridged" and disable the Windows firewall (or at least allow inbound TCP 5931).
3. Forward TCP port 5931 from your router to the VM's IP address.
4. When the bad guys ask for your Ammyy ID, give them your EXTERNAL IP address instead (https://www.google.com/search?q=what+is+my+ip).

This limits them to a direct connection rather than one through the Ammyy relay servers. Connections are encrypted, so you may not be concerned, but the choice is up to you.

If you want to generate your own payload, drop the .rb file in your modules/exploits/windows/fileformat/ directory, start up Metasploit, run "use exploit/windows/fileformat/ammyy_admin_oob", and use the 3.5 direct target. Remember that you have to start a handler separately. The Always-On-DEP-bypassing targets rely on loading a DLL from a UNC path, which can take a long time, depends on more things, and requires you to set up WebDAV and/or an SMB server somewhere manually. Also, nobody but the most paranoid security guys sets the obscure Always-On DEP setting, so you really don't have to worry about it. The 3.4 targets are still in there because they were the latest until a few weeks ago, but your best bet is to stick with the latest 3.5.

Testing Instructions
1. Download Ammyy from the Ammyy website.
2. Set up two Windows VMs on an isolated network.
3. Use the Metasploit module to generate your exploit.dat file.
4. Copy exploit.dat and aaexploit.exe to the first VM (the good-guy VM) and run aaexploit.exe. After a few seconds you will get a popup saying Ammyy isn't connected to the internet; click to ignore it. Wait about 15 seconds for the exploit to finish loading.
5. Start the Ammyy executable on the second VM (the bad-guy VM). After a few seconds you will get a popup saying Ammyy isn't connected to the internet; click to ignore it.
6. From the bad-guy VM, type the good-guy VM's IP into the "Client ID/IP" field and click Connect.
7. You will get a popup on the good-guy VM asking whether to allow the connection. Click "allow" to send the exploit.
8. The bad-guy VM should display a blank "Loading" window that will sit there as long as your shellcode is running. In this exploit, I deliberately did NOT return execution flow to the original thread, since I assumed you would not want to provide the bad guy with control over your VM.
