101
CODE

/*

YahooPOPS v1.6 and prior SMTP port buffer overflow exploit v0.1
Exploit code by class101 [at] DFind.kd-team.com
Binds a shellcode to port 101.

Thanks to Behrang Fouladi (behrang@hat-squad.com) for the bug discovery
Thanks to HDMoore and Metasploit.com for their kickass ASM work

Instead of moving EBX to ESP after overwriting EIP, as you do, Behrang,
I found out that only jumping to EBX is needed, because our crafted payload
starts at EBX.

The exploit is tested working on Win2K SP4 and WinXP SP1, and it should work
also on NT4 and 2003, as the shellcode is designed for them.

The jmp esp is from libcurl.dll, which comes with YahooPOPS; just to note, there is no need for an offset update,
this is already "universal".

This exploit can't overflow port 110 (POP3): not enough space in the buffer to add a bind/reverse shell,
maybe enough to spawn only one like the well-known KaHT.
If you want to try on POP3, you should request more than 180 bytes to overwrite EAX and ECX.
Maybe in a v0.2 I will add it; anyway, check http://DFind.kd-team.com regularly.

*/


Please don't bother, noobie (for ShouiZen & company)
Please don't bother asking how to scan
Please don't bother if you can't find a victim

Just download YahooPOPS v1.6 or earlier and test it; it works on NT4, 2003, XP, 2K, that's all.
You are owned, agathos.

SOURCE CODE available at http://DFind.kd-team.com

bye
101
Also, to fix my error: this isn't v1.6 but v0.6, bye...
Nikscap
Okay, thanks man.
ShouiZen
This exploit is old.
invisible-boy
this exploit for http://www.hat-squad.com/
Copkill
The .zip is empty?

! C:\101_ypops.zip: Unknown method in 101_ypops.exe
! C:\101_ypops.zip: No files to extract
101
QUOTE(ShouiZen @ Oct 11 2004, 04:34 PM)
This exploit is old.

No, it's from today, because it's my code, and it's working, not like the agathos win/linux mix lol.
And if you aren't happy, you know what I say to you, ShouiZen.
101
QUOTE(Copkill @ Oct 11 2004, 06:37 PM)
The .zip is empty?

!  C:\101_ypops.zip: Unknown method in 101_ypops.exe
!  C:\101_ypops.zip: No files to extract

Simply update your WinZip, CopKill; here it works fine.
0_o
Thanks dude.

@ShouiZen

Hey man, if you feel it's not useful for you, don't make a comment.
It's not his duty to share the exploit which he wrote.
Kynroxes
Yeah, this code's date is October 2004; with a little search on Google I don't find another code for this vuln.
The code created by hat-squad is dated, in its public version, September 22, 2004, so I haven't tested the older one, but I think 101 isn't a liar.
ShouiZen
Owww, sorry Kynroxes, it's a very good tool for you, sorry man, poor children.

tssssssssssssss

101, good tool, but the agathos exploit works very fine, man!!
101
QUOTE(ShouiZen @ Oct 11 2004, 10:46 PM)
Owww, sorry Kynroxes, it's a very good tool for you, sorry man, poor children.

Shut the (filtered) up, ShouiZen, you don't know what you are talking about; for example, I just have to search all your posts to laugh my sexy ass off, yep lol.
I added it to the thread just for you: Don't bother, noobie.

bye
ShouiZen
tsss 101, yes, you're an elite!! Good exploit!!

To be continued, shut your A**
_ET_
Very good work...

Let's see how effective this thing is.
ComSec
Locking this thread.... we don't want a third world war here.

@ShouiZen, if you don't have anything constructive to say apart from "this is old" and mentioning another exploit, then don't reply.

101 has coded a tool for the benefit of our members, for which most of us are grateful.

Old or new, code can be modified daily.... if this is coded in Oct 2004, then it's new, be it modified or re-coded.

@101, in a way you started this flame... with your comments at the bottom of the opening post.

Keep them to yourself in future!!!
Invision Power Board © 2001-2005 Invision Power Services, Inc.