PE Section Header Injection using Code Cave

Hello Everyone! It’s been a while, today I am going to write about poping calc.exe in PuTTY v0.66 via utilizing injected code cave, with help on section header injections.

Get the program here

For this experiment, you will need CFF explorer, Immunity Debugger and PuTTY.

First things first, what is this code cave?

According to Wikipedia, A code cave is a series of null bytes in a process’s memory. The code cave inside a process’s memory is often a reference to a section of the code’s script functions that have the capacity for the injection of custom instructions.

In simple terms, it’s basically adding a bunch of instruction inside a program that can be used to alter the flow of execution.

Customizing the Section Header

Once you install PuTTY v0.66 you need to open the executable inside CFF explorer.

This is how it looks like, we need to go to the section headers and add a section header (Empty Space). Because if you add a section header without padding it to “Empty” it’s gonna crash program to avoid this mess you can directly add a header with empty space.

Initialize it with 1000 blank spaces, let’s name this section as .pwn

Let’s save it!

Let’s load the process inside immunity debugger

Now we need to figure out the starting of this program so that we can load our code cave once the program starts.

This is where the program starts and it can be found when you click “run”, let’s alter this instruction to go to our section called .pwn

Let’s select the memory map and look for .pwn

This is where our segment is, let’s copy this address.

Let’s alter the entry point from PUSH to JMP <address of .pwn> to do that double click and do assemble.

Also, make sure you select Fill with NOPs to make the necessary arrangements.

Now hit F7 you will see something like

You would want to change it again by double-clicking to the following and assemble it.

Once you are done with that, you need to use msfvenom to create the instruction that you want to execute to show how it’s done I am going to pop the calc.exe as always.

C:\Users\Coding_Karma>
C:\Users\Coding_Karma>msfvenom -p windows/exec CMD=calc.exe -f hex
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x86 from the payload
No encoder or badchars specified, outputting raw payload
Payload size: 193 bytes
Final size of hex file: 386 bytes
fce8820000006089e531c0648b50308b520c8b52148b72280fb74a2631ffac3c617c022c20c1cf0d01c7e2f252578b52108b4a3c8b4c1178e34801d1518b592001d38b4918e33a498b348b01d631ffacc1cf0d01c738e075f6037df83b7d2475e4588b582401d3668b0c4b8b581c01d38b048b01d0894424245b5b61595a51ffe05f5f5a8b12eb8d5d6a018d85b20000005068318b6f87ffd5bbf0b5a25668a695bd9dffd53c067c0a80fbe07505bb4713726f6a0053ffd563616c632e65786500

Let’s copy this payload and paste it.

Let’s binary paste this and execute the program and BOOM!

We successfully executed the Code Cave executing calc.exe, now you can also add an SEH exit function on your msfvenom if you want this to work elegantly, which is an exercise for the reader.

Now if you save this executable whenever you open it, this pops a calc.exe

You can create a backdoor out of it and do a lot of things according to the MSFvenom payload.

Also if you have an exit SEH function it would execute PuTTY normally and gives the program a really graceful exit without crashing it and raising suspicion.

Thank you!