Yahoopops <= 1.6, Remote Buffer Overflow Exploit

Full Version: Yahoopops <= 1.6, Remote Buffer Overflow Exploit

GovernmentSecurity.org > System Security > Windows Systems

101

Oct 11 2004, 02:45 PM

CODE

/*

YahooPOPS v1.6 and prior SMTP port buffer overflow exploit v0.1
Exploit code by class101 [at] DFind.kd-team.com
Bind a shellcode to the port 101.

Thanx to Behrang Fouladi(behrang@hat-squad.com) for the bug discovery
Thanx to HDMoore and Metasploit.com for their kickass ASM work

Instead of to move like you Behrang EBX to ESP after overwritting EIP,
I found out that only jumping to EBX is needed because our crafted payload
starts at EBX.

The exploit is tested working on Win2K SP4 and WinXP SP1, and it should works
also on NT4 and 2003 as the shellcode is designed for.

The jmp esp is from libcurl.dll wich come with yahoopops, just to notice there is no need of an offset update,
this is already "universal".

This exploit can't overflow the port 110 (POP3), not enough space in the buffer to add a bind/reverse shell
maybe enough to spawn only one as the well know KaHT.
If you want to try on POP3, you should request more than 180 bytes to overwrite EAX and ECX
Maybe in a v0.2, I will add it , anyway check http://DFind.kd-team.com regulary.

*/

Plz don't bother noobi (for ShouiZen & compagnie)
Plz dont bother how to scan
Plz dont bother if you cant find a victim

Just dl the YahooPOPS v1.6 or less and test it , it works on NT4, 2003, XP, 2K thats all.
You are owned agathos.

SOURCE CODE available at http://DFind.kd-team.com

bye

101

Oct 11 2004, 04:16 PM

also to fix my error, this isnt v1.6 but v0.6 , bye...

Nikscap

Oct 11 2004, 04:17 PM

okay thx man .

ShouiZen

Oct 11 2004, 04:34 PM

it old this exploits

invisible-boy

Oct 11 2004, 06:12 PM

this exploit for http://www.hat-squad.com/

Copkill

Oct 11 2004, 06:37 PM

The .zip is empty ?

! C:\101_ypops.zip: Unknown method in 101_ypops.exe
! C:\101_ypops.zip: No files to extract

101

Oct 11 2004, 08:41 PM

QUOTE(ShouiZen @ Oct 11 2004, 04:34 PM)

it old this exploits

No its from today because it's my code and its working not as the agathos win/linux mix loll
And if you arent happy you know what I say you ShouiZen.

101

Oct 11 2004, 08:43 PM

QUOTE(Copkill @ Oct 11 2004, 06:37 PM)

The .zip is empty ?

! C:\101_ypops.zip: Unknown method in 101_ypops.exe
! C:\101_ypops.zip: No files to extract

Simply update your winzip CopKill, here it works fine.

0_o

Oct 11 2004, 09:05 PM

tanq dude

@ShouiZen

hey man if u r feeling its not usefull for u ,dont make a comment
its not on his duty to share the exploit which he wrote it

Kynroxes

Oct 11 2004, 09:41 PM

ya this code's date is october 2004 with little quest with google I don't find another code for this vuln.
the code created by hat-squad dated in public version : September 22, 2004 so I don't test the older but I think 101 doesn't a liar.

ShouiZen

Oct 11 2004, 10:46 PM

owww sorry Kynroxes it a very tools fo r you for you sorry man poor children

tssssssssssssss

101 good tools but the exploits agathos works very fine man!!

101

Oct 12 2004, 08:51 AM

QUOTE(ShouiZen @ Oct 11 2004, 10:46 PM)

owww sorry Kynroxes it a very tools fo r you for you sorry man poor children

Shut the (filtered) up ShouiZen, you dunno what you are talking about , for example I have just to search for all your posts to laugh my sexy ass off yep lollll.
I added in the thread just for you , Don't bother noobi.

bye

ShouiZen

Oct 12 2004, 02:47 PM

tsss 101 yes you're a elite!!

good exploits!!

To be continued shut your A**

_ET_

Oct 12 2004, 03:17 PM

Very good work...

Let's see how effective this thing is

ComSec

Oct 12 2004, 03:43 PM

locking this thread.... we dont want a 3 world war here

@ShouiZen if you dont have anything constructive to say apart from "this is old and mention another exploit.. then dont reply

101 has coded a tool for the benefit of our members... to which most of us are grateful

old or new code can be modified daily.... if this is coded in Oct 2004... then its new be it modified or re-coded

@101 in away you started this Flame...with your comments at the bottom of the opening thread

keep them to yourself in future !!!

This is a "lo-fi" version of our main content. To view the full version with more information, formatting and images, please click here.