CVE-2009-1209
published 2009-04-01

CVE-2009-1209: Stack-based buffer overflow in W3C Amaya Web Browser 11.1 allows remote attackers to execute arbitrary code via a script tag with a long defer attribute.

Priority: P357
Severity: critical, CVSS 2.0 base score 9.3 (vector AV:N/AC:M/Au:N/C:C/I:C/A:C)
Exploit: public exploit available
EPSS: 12.37% (95.7th percentile)

Affected (1 range)

Vendor: w3
Product: amaya
Version range: (not listed)
Fixed in: (not listed)

Detection & IOCs (extracted from sources)

Gadget address: 0x02101917
  • Exploit triggers via an HTML <script> tag with an excessively long 'defer' attribute — detect HTTP responses or files containing a <script> tag where the defer attribute value is abnormally large (thousands of characters).
  • Exploit payload uses a SEH (Structured Exception Handler) overwrite chain; the pop/pop/ret gadget address 0x02101917 is located inside an Amaya module — presence of this address in a crash context or memory scan of Amaya is indicative of exploitation.
  • Exploit requires a buffer of ~6887 bytes of padding before the SEH overwrite — network or file-based detection should flag HTML files with a <script defer=...> attribute value exceeding ~6000 characters.
  • Malicious HTML exploit files targeting this CVE have been observed with the filenames 'exploit.html', 'remote_love.html', and 'Devil_inside.html' — monitor for creation or download of these filenames.
  • The exploit targets Windows XP SP2 specifically; Amaya 11.1 and 11.2 are the confirmed vulnerable versions.
  • The SEH pop/pop/ret gadget address (0x02101917) is specific to the Amaya module as shipped; this address may differ across builds, patch levels, or OS configurations and should be validated before use in signatures.
  • Two distinct shellcode payloads are present across exploit variants (alphanumeric SEH exploit for 11.2 vs. raw x86 shellcode for 11.1); detection rules should account for both encodings.