Amaya Web Editor 11 Remote SEH Overwrite Exploit

Title: Amaya Web Editor 11 Remote SEH Overwrite Exploit
Advisory ID: ZSL-2009-4905
Type: Remote
Impact: System Access
Risk: (4/5)
Release Date: 30.01.2009
Summary
Amaya is a Web editor, i.e. a tool used to create and update documents directly on the Web.
Description
Amaya Web Editor is prone to a buffer overflow vulnerability because the application fails to perform adequate boundary checks on user-supplied input. Attackers may leverage this issue to overwrite the Structured Exception Handler (SEH) and execute arbitrary code in the context of the application. Failed attacks will cause a denial of service condition.

--------------------------------------------------------------------------------

lqwrm@zeroscience:~$ telnet 192.168.1.101 6161
Trying 192.168.1.101...
Connected to 192.168.1.101.
Escape character is '^]'.
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\Program Files\Amaya\WindowsWX\bin>dir
Volume in drive C is System
Volume Serial Number is D484-8540

Directory of C:\Program Files\Amaya\WindowsWX\bin

29.01.2009 19:27 <DIR> .
29.01.2009 19:27 <DIR> ..
16.12.2008 14:44 5.816.320 amaya.exe
16.12.2008 14:41 1.290.240 thotprinter.dll
19.08.2008 11:02 135.168 wxbase28u_net_vc_custom.dll
19.08.2008 11:01 1.220.608 wxbase28u_vc_custom.dll
19.08.2008 11:02 135.168 wxbase28u_xml_vc_custom.dll
19.08.2008 11:03 741.376 wxmsw28u_adv_vc_custom.dll
19.08.2008 11:03 286.720 wxmsw28u_aui_vc_custom.dll
19.08.2008 11:01 3.018.752 wxmsw28u_core_vc_custom.dll
19.08.2008 11:02 49.152 wxmsw28u_gl_vc_custom.dll
19.08.2008 11:02 524.288 wxmsw28u_html_vc_custom.dll
19.08.2008 11:03 593.920 wxmsw28u_xrc_vc_custom.dll
11 File(s) 13.811.712 bytes
2 Dir(s) 7.520.141.312 bytes free

C:\Program Files\Amaya\WindowsWX\bin>

--------------------------------------------------------------------------------

Vendor
W3C - http://www.w3.org/Amaya
Affected Version
11.0
Tested On
Microsoft Windows XP Professional SP2 (English)
Vendor Status
N/A
PoC
amaya_seh.pl
Credits
Vulnerability discovered by Mountassif Moad (Stack)
Exploit coded by Gjoko Krstic - <gjoko@zeroscience.mk>
References
[1] http://www.packetstormsecurity.org/filedesc/amaya-seh.txt.html
[2] http://www.milw0rm.com/exploits/7926
[3] http://www.hackzone.ru/exploit/view/id/4505/
[4] http://securityreason.com/exploitalert/5643
Changelog
[31.01.2009] - Initial release
Contact
Zero Science Lab

Web: http://www.zeroscience.mk
e-mail: lab@zeroscience.mk