Yahoo Messenger WScript.Shell ActiveX control command execution

Added: 07/29/2010

Background

Yahoo! Messenger is an instant messaging application. It includes the WScript.Shell ActiveX control.

Problem

The Execute method of the WScript.Shell ActiveX control allows command execution when a malicious web page is loaded in Internet Explorer.

Resolution

Set the kill bit for Class ID 72C24DD5-D70A-438B-8A42-98424B88AFB8 as described in Microsoft Knowledge Base Article 240797.
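
The following PowerShell sketch is an added example, not part of the original advisory: it applies and verifies the kill bit for the Class ID above. It assumes an elevated prompt and uses the registry location and Compatibility Flags value 0x400 documented in Knowledge Base Article 240797; the function name Set-KillBit is hypothetical.

```powershell
# Added example: set and verify the Internet Explorer kill bit for the CLSID in this advisory.
# Run from an elevated PowerShell prompt.
$clsid   = '{72C24DD5-D70A-438B-8A42-98424B88AFB8}'   # Class ID from the Resolution text
$killBit = 0x400                                      # kill bit in "Compatibility Flags" (KB 240797)
$name    = 'Compatibility Flags'

# Native registry view plus the 32-bit view used by 32-bit Internet Explorer on 64-bit Windows.
$roots = @(
    'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility'
)

function Set-KillBit {                                # hypothetical helper name
    param([string]$Root, [string]$Clsid, [int]$Flag, [string]$ValueName)

    if (-not (Test-Path $Root)) { return $null }      # view absent, e.g. on a 32-bit OS

    $key = Join-Path $Root $Clsid
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }

    # Preserve any flags already set on the control and OR the kill bit in.
    $current = (Get-ItemProperty -Path $key -Name $ValueName -ErrorAction SilentlyContinue).$ValueName
    if ($null -eq $current) { $current = 0 }
    $new = $current -bor $Flag
    New-ItemProperty -Path $key -Name $ValueName -PropertyType DWord -Value $new -Force | Out-Null

    # Read the value back so the result reflects what is actually stored.
    $stored = (Get-ItemProperty -Path $key -Name $ValueName).$ValueName
    [pscustomobject]@{
        Key     = $key
        Flags   = '0x{0:X8}' -f $stored
        Blocked = (($stored -band $Flag) -eq $Flag)
    }
}

$results = foreach ($root in $roots) {
    Set-KillBit -Root $root -Clsid $clsid -Flag $killBit -ValueName $name
}
$results | Format-Table -AutoSize

if ($results | Where-Object { -not $_.Blocked }) {
    Write-Warning 'Kill bit is not set in at least one registry view.'
}
```

Internet Explorer must be restarted for the change to take effect.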

References

http://www.exploit-db.com/exploits/14473/

Limitations

Exploit works on Yahoo Messenger 10.0.0.1270-us and requires a user to open the exploit page in Internet Explorer.

The option "Initialize and script ActiveX controls not marked as safe" must be enabled in Internet Explorer.

After launching the exploit, the exploit.exe file must be downloaded and saved onto the specified share.

The specified share must be accessible to the target.

Platforms

Windows
