CVE-2007-3147

EXPLOITED

Yahoo! Messenger - Buffer Overflow in Webcam Upload ActiveX Control


Exploitation Summary

CVE-2007-3147 has been observed exploited in the wild (reported by VulnCheck KEV). EIP tracks 4 public exploits from researchers including Metasploit, Excepti0n, and MC, among them the Metasploit module exploits/windows/browser/yahoomessenger_server.

AI-analyzed exploit summary: This Metasploit module exploits a stack buffer overflow in Yahoo! Messenger 8.1.0.249's ActiveX control (ywcupl.dll) via an overly long string to the 'Server()' method followed by a 'Send()' call. It delivers a payload to achieve remote code execution.

Description

Buffer overflow in the Yahoo! Webcam Upload ActiveX control in ywcupl.dll 2.0.1.4 for Yahoo! Messenger 8.1.0.249 allows remote attackers to execute arbitrary code via a long server property value to the send method. NOTE: some of these details are obtained from third party information.

Exploits (4)

exploitdb WORKING POC VERIFIED
by Metasploit · ruby · remote · windows
https://www.exploit-db.com/exploits/16519

This Metasploit module exploits a stack buffer overflow in Yahoo! Messenger 8.1.0.249's ActiveX control (ywcupl.dll) via an overly long string to the 'Server()' method followed by a 'Send()' call. It delivers a payload to achieve remote code execution.

Classification: Working PoC 100%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Yahoo! Messenger 8.1.0.249
No auth needed
Prerequisites: Victim must visit a malicious webpage hosting the exploit · Yahoo! Messenger 8.1.0.249 with vulnerable ActiveX control installed
exploitdb WORKING POC VERIFIED
by Excepti0n · c · remote · windows
https://www.exploit-db.com/exploits/4053

This exploit targets a vulnerability in Yahoo's Ywcupl.dll ActiveX control (CVE-2007-3147) to achieve remote code execution. It generates an HTML file with malicious JavaScript that triggers a heap overflow, executing shellcode to download and run an arbitrary file from a specified URL.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Yahoo Ywcupl.dll ActiveX control
No auth needed
Prerequisites: Victim must visit the crafted HTML page · ActiveX control must be installed and enabled
exploitdb WORKING POC VERIFIED
by Excepti0n · html · remote · windows
https://www.exploit-db.com/exploits/4042

This exploit targets a heap overflow vulnerability in the Symantec Norton AntiVirus ActiveX control (clsid:DCE2F8B1-A520-11D4-8FD0-00D0B7730277) by spraying the heap with NOP sleds and shellcode, then triggering the overflow via the 'server' property. The shellcode executes calc.exe as a proof of concept.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Symantec Norton AntiVirus ActiveX control
No auth needed
Prerequisites: Victim must visit a malicious webpage or open the HTML file · ActiveX control must be installed and enabled
metasploit WORKING POC GOOD
by MC · ruby · poc · win
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/browser/yahoomessenger_server.rb

This Metasploit module exploits a stack buffer overflow in Yahoo! Messenger 8.1.0.249's ActiveX control (ywcupl.dll) via an overly long string to the 'Server()' method followed by a 'Send()' call. It achieves remote code execution by leveraging a crafted payload and return address.

Classification: Working PoC 100%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Yahoo! Messenger 8.1.0.249
No auth needed
Prerequisites: Target must have Yahoo! Messenger 8.1.0.249 installed · Target must visit a malicious webpage hosting the exploit

References (15)

Core References
Exploit, Third Party Advisory exploit x_refsource_exploit-db
https://www.exploit-db.com/exploits/4042
Exploit vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/24354
US Government Resource third-party-advisory x_refsource_cert-vn
http://www.kb.cert.org/vuls/id/949817
Third Party Advisory vdb-entry x_refsource_vupen
http://www.vupen.com/english/advisories/2007/2094
Patch, Vendor Advisory third-party-advisory x_refsource_secunia
http://secunia.com/advisories/25547
Third Party Advisory, VDB Entry mailing-list x_refsource_bugtraq
http://www.securityfocus.com/archive/1/470861/100/0/threaded
Third Party Advisory, VDB Entry vdb-entry x_refsource_sectrack
http://securitytracker.com/id?1018204
Third Party Advisory, VDB Entry vdb-entry x_refsource_xf
https://exchange.xforce.ibmcloud.com/vulnerabilities/34758
Third Party Advisory, VDB Entry vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/24341
Third Party Advisory, VDB Entry vdb-entry x_refsource_sectrack
http://www.securitytracker.com/id?1018203
Third Party Advisory third-party-advisory x_refsource_sreason
http://securityreason.com/securityalert/2809

Scores

EPSS 0.6501
EPSS Percentile 98.5%

Details

VulnCheck KEV 2010-05-01
CWE CWE-119
Status published
Products (6)
yahoo/messenger 2.0.1.4
yahoo/messenger 8.0
yahoo/messenger 8.0.0.863
yahoo/messenger 8.0.1
yahoo/messenger 8.0_2005.1.1.4
yahoo/messenger 8.1.0.249
Published Jun 11, 2007
Tracked Since Feb 18, 2026