CVE-2008-0659
published 2008-02-08

CVE-2008-0659: Stack-based buffer overflow in Aurigma Image Uploader ActiveX control (ImageUploader4.ocx) 4.5.70 and earlier, as used in MySpace MySpaceUploader.ocx 1.0.0.4…

Priority: P359, critical, 10 (CVSS 2.0)
Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
EXPLOIT
EPSS: 56.34% (98.9th percentile)
Stack-based buffer overflow in Aurigma Image Uploader ActiveX control (ImageUploader4.ocx) 4.5.70 and earlier, as used in MySpace MySpaceUploader.ocx 1.0.0.4, allows remote attackers to execute arbitrary code via a long Action property.

Affected

4 ranges

Vendor | Product | Version range | Fixed in
aurigma | image_uploader_activex_control | <= 4.5.70 |
aurigma | image_uploader_activex_control | |
myspace | myspaceuploader | |
piczo | imageuploader4 | |

Detection & IOCs (extracted from sources)

filename: MySpaceUploader.ocx 1.0.0.4
filename: ImageUploader4.ocx
port: 4444
bytes: %u03eb%ueb59%ue805%ufff8%uffff%u4949%u4949%u4949%u4948%u4949%u4949%u4949%u4949%u4949%u5a51%u436a
bytes: %u03eb%ueb59%ue805%ufff8%uffff%u4949%u4949%u4949%u4949%u4949%u4949%u4949%u4949%u4937%u5a51%u436a
bytes: %u0A0A%u0A0A

  • Detect instantiation of MySpaceUploader.ocx ActiveX control version 1.0.0.4 in browser context, which is vulnerable to remote buffer overflow exploitation.
  • Detect heap spray pattern using repeated 0x0A0A0A0A NOP sled in JavaScript, characteristic of this ActiveX exploit.
  • Detect Alpha2-encoded shellcode stubs beginning with %u03eb%ueb59%ue805%ufff8%uffff in JavaScript unescape() calls, used by both bind and exec payloads in this exploit.
  • Detect EXITFUNC=seh shellcode encoding pattern (Alpha2 encoder) delivered via JavaScript unescape() in HTML pages loading MySpaceUploader.ocx.
  • Flag loading of ImageUploader4.ocx (CLSID distinct from CVE-2008-0659) in browser, particularly when the Action property is set to a long string value.
  • The exploit shellcode targets win32 (Windows 32-bit) only; the bind shell payload opens LPORT=4444 and the exec payload runs calc.exe as a proof-of-concept; real-world attackers would substitute a different payload.
  • CVE-2008-1490 (ImageUploader4.ocx) is documented as a different CLSID from CVE-2008-0659; detections must distinguish between the two ActiveX controls to avoid false positives.

CVSS provenance

nvd | v2.0 | 10.0 | CRITICAL | AV:N/AC:L/Au:N/C:C/I:C/A:C
vulncheck | 10.0 | CRITICAL