| Source | Link |
|---|---|
| libyahoo2 | www.libyahoo2.sourceforge.net/ymsg-9.txt |
| ycoderscookbook | www.ycoderscookbook.com/ |
| venkydude | www.venkydude.com/articles/yahoo.htm |
| libyahoo2 | www.libyahoo2.sourceforge.net/README |
| astahost | www.astahost.com/info.php/yahoo-protocol-part-10-peer-peer-transfers_t11490.html |
# SPDX-FileCopyrightText: 2009 LSS
# Some text descriptions might be excerpted from (a) referenced
# source(s), and are Copyright (C) by the respective right holder(s).
#
# SPDX-License-Identifier: GPL-2.0-or-later
if(description)
{
script_oid("1.3.6.1.4.1.25623.1.0.102001");
script_version("2023-08-01T13:29:10+0000");
script_tag(name:"last_modification", value:"2023-08-01 13:29:10 +0000 (Tue, 01 Aug 2023)");
script_tag(name:"creation_date", value:"2009-04-23 08:34:11 +0200 (Thu, 23 Apr 2009)");
script_tag(name:"cvss_base", value:"0.0");
script_tag(name:"cvss_base_vector", value:"AV:N/AC:L/Au:N/C:N/I:N/A:N");
script_name("Yahoo Messenger Detection");
script_category(ACT_GATHER_INFO);
script_copyright("Copyright (C) 2009 LSS");
script_family("Service detection");
script_dependencies("find_service.nasl");
script_require_ports("Services/unknown", 5101);
script_xref(name:"URL", value:"http://libyahoo2.sourceforge.net/ymsg-9.txt");
script_xref(name:"URL", value:"http://www.astahost.com/info.php/yahoo-protocol-part-10-peer-peer-transfers_t11490.html");
script_xref(name:"URL", value:"http://libyahoo2.sourceforge.net/README");
script_xref(name:"URL", value:"http://www.ycoderscookbook.com/");
script_xref(name:"URL", value:"http://www.venkydude.com/articles/yahoo.htm");
script_tag(name:"summary", value:"Yahoo Messenger is running on this machine and this port. It can
be used to share files and chat with other users.");
script_tag(name:"qod_type", value:"remote_banner");
exit(0);
}
# nb: Tested with Yahoo Messenger versions 7 and 8.
include("host_details.inc");
include("port_service_func.inc");
#YMSG - The first four bytes of all packets are always YMSG - the
# protocol name.
ymsg = string("YMSG");
#version - The next four bytes are for the protocol version number.
# For version 9, these are 0x09 0x00 0x00 0x00
# NOTE: The last three bytes of this may just be padding bytes.
# NOTE: In the network byte order version field looks
# like 0x00 0x09 0x00 0x00, last 2 bytes represent zero padding.
#nb: using Yahoo Messenger 7! Wireshark shows YMSG version 13 (hex 0x0d).
#The latest version of YahooMsg 9 uses YMSG 16 (hex 0x10)
version = raw_string(0x00 ,0x10 ,0x00 ,0x00);
#pkt_len - A two byte value, in network byte order, stating how many bytes
# are in the _data_ section of the packet. In practice, this
# value does not exceed about 1000.
pkt_len = raw_string( 0x00, 0x00);
#later on when we craft the data section of the packet we will
#update pkt_len field
#service - This is an opcode that tells the client/server what kind of
# service is requested/being responded to. There are 45 known
# services.
# We will try to use:
# 1) P2PFILEXFER = 0x4d - transfer a file between two peers,
# yahoo server not used!!!
# - 2 bytes
service = raw_string( 0x00, 0x4d);
#status - In case of a response from the server, indicates the status
# of the request (success/failure/etc.). For a request, it is 0
# in most cases, except for packets that set the user's status
# (set status, typing notify, etc.)
# - 4 bytes
#status states that we are available
status = raw_string(0x00, 0x00, 0x00, 0x00);
#session - The session id is used primarily when connecting through a HTTP
#id proxy. It is set in all cases, but has no effect in a direct
# connection. When the client sends the first packet, it is 0,
# the server responds with a session id that is used by the client
# and the server in all further packets. The server may change
# the session id, in which case the client must use the new
# session id henceforth.
#we put some junk inside sesion_id
session_id = raw_string(0x00,0x00,0x00,0x00);
#DATA - The data section is pkt_len bytes long and consists of a series
# of key/value pairs. All keys are numeric strings. The packet
# contains their numeric values in the ASCII character set. e.g.
# 1 == 0x31, 21 == 0x32 0x31
# Every key and value is terminated by a two byte sequence of
# 0xc0 0x80. Some keys may have empty values.
# The actual keys sent, and their meanings depend on the service
# in use.
separator = raw_string(0xc0, 0x80);
crap_len = 512;
#NOTE: YMSG 7 gives a response for a request with any value for key 5,
#while YMSG 9 seems to respond only to CORRECT 5 key value (correct user_id)
first_key_value_pair = string( "4" + separator + "bladyjoker" + separator);
second_key_value_pair = string( "241" + separator + "0" + separator);
third_key_value_pair = string( "5" + separator + "bladyjoker" + separator);
fourth_key_value_pair = string( "13" + separator + "5" + separator);
fifth_key_value_pair = string( "49" + separator + "PEERTOPEER" + separator);
data = first_key_value_pair
+ second_key_value_pair
+ third_key_value_pair
+ fourth_key_value_pair
+ fifth_key_value_pair;
pkt_len = raw_string(0x00, 0x3D); #data section length in bytes
yahoo_pkt = ymsg + version + pkt_len + service + status + session_id + data;
yahoo_pkt_len = strlen(yahoo_pkt);
port = unknownservice_get_port( default:5101 ); #Yahoo Messeger client listening port!!! FILE SHARING
sock = open_sock_tcp( port );
if( sock ) {
send( socket:sock, data:yahoo_pkt, length:yahoo_pkt_len );
recv_buffer = recv( socket:sock, length:256 );
close( sock );
if( "YMSG" >< recv_buffer ) {
set_kb_item( name:"yahoo_messenger/installed", value:TRUE );
service_register( port:port, proto:"yahoo_messenger" );
log_message( port:port );
}
}
exit( 0 );
Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation