Yahoo! Protocol: Part 12 - Shared Files Boot

[tansqrx 0]

With increased complexity in sharing files, the file sharing P2P command has become a target for boot code writers. One such attack comes in the form of the shared files boot. The shared files boot is the most popular and effective boot against Yahoo! Messenger as of spring 2005. Because of its effectiveness, the shared files boot is the basis for most other boot code in circulation and will be the main focus for the rest of this paper.

The basic structure of the shared files boot is shown in Figure 30. It is seen that the packet sent is not very complicated. The packet only contains the sender, recipient, type of transfer, and system information. The shared files boot gains its power not through an invalid packet or buffer overflow but through timing issues within Yahoo! Messenger. Sending a single shared files boot packet will not cause Yahoo! Messenger to crash. The same packet must be sent multiple times in rapid succession in order to create a crash. The operation usually requires three or more packets to be sent very close together. The number of packets needed may vary depending on the attacker’s internet connection speed, server load, network latency, and other network factors

 

Figure 30 - Shared Files Boot Structure

 

As discussed previously, once a request has been received by the victim the victim’s client must do considerable processing on the packet. Among other tasks, the client must access the registry, parse the message, and prepare Yserver.exe to accept the incoming file. If for whatever reason the victim’s client receives a second file request packet before processing is complete on the first one, a crash in the victim’s client will occur. Figure 31 shows the result of a shared files boot and Figure 32 shows the program used to create it.

 

Figure 31 - Results of a Shared Files Boot

 

Figure 32 - Shared Files Booter

 

http://www.ycoderscookbook.com/

Edited February 6, 2009 by tansqrx (see edit history)