Exploit Development: Easy RM RMVB to DVD Burner 1.8.11 (SEH overflow example #1)
SEH (Structured Exception Handling) is a Windows mechanism for handling runtime exceptions, and the protections built around it are meant to mitigate the abuse of buffer overflows. This post covers the development process of one possible exploit for Easy RM RMVB to DVD Burner 1.8.11 that bypasses this technique.
Disclaimer: PLEASE! This is for research purposes only and should only be used on authorized systems. Accessing a computer system or network without authorization or explicit permission is illegal.
Easy RM RMVB to DVD Burner 1.8.11:
- Software running on Windows XP SP3 at 10.10.0.20.
- Kali attacking machine at 10.10.0.22.
- The vulnerability is in the “Register your copy” feature.
- The whole development process was carried out on Windows XP.
Crashing the software:
This is my initial Python script used to replicate the crash:
To crash the software we need to:
- Open it.
- Press the “Register” button.
- Paste (Ctrl+V) the content of exploit.txt into the “Enter User Name” field.
- Click on “Go”.
Taking a look at the SEH and nSEH values, we can see that both of them have been filled with “\x41”, the letter A in hex:
Controlling nSEH and SEH:
How many “A”s do we need until we reach SEH and nSEH? Before using pattern_create.rb and pattern_offset.rb from the Metasploit Framework to find out, we can first try a binary search to avoid creating a big unique string:
Crashing Easy RM RMVB to DVD Burner again we realize that SEH now has “B”s!
That’s great, so let’s now generate a unique 1000-character string:
Sending the malicious string to the software and crashing it again:
Using pattern_offset.rb with the parameter 41306141 shows that the offset corresponds to 0! Wow!
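To make the offset step reproducible without the Metasploit scripts, here is an added example (not part of the original post or of the Metasploit tools) that rebuilds the cyclic pattern and maps a DWORD read out of the debugger back to its offset, including the little-endian reversal that turns 0x41306141 into the substring “Aa0A”. It assumes the same character sets pattern_create.rb uses (uppercase, lowercase, digits).

```python
import itertools
import string


def pattern_create(length: int) -> str:
    """Rebuild the pattern_create.rb cyclic string of the given length.

    Triplets are upper + lower + digit ("Aa0Aa1Aa2..."), so every 4-byte
    window is unique within the first 20,280 bytes and any DWORD seen in
    a crash dump maps back to exactly one offset.
    """
    chunks = []
    for upper, lower, digit in itertools.product(string.ascii_uppercase,
                                                 string.ascii_lowercase,
                                                 string.digits):
        chunks.append(upper + lower + digit)
        if len(chunks) * 3 >= length:
            break
    return "".join(chunks)[:length]


def pattern_offset(value, length: int = 1000):
    """Map a DWORD as shown by the debugger (int or hex string such as
    "41306141") to its offset inside the pattern, or None if not found.

    x86 is little-endian, so the bytes of the register value are reversed
    before searching: 0x41306141 is stored as 41 61 30 41, i.e. "Aa0A".
    """
    if isinstance(value, str):
        value = int(value, 16)
    needle = value.to_bytes(4, "little").decode("ascii", errors="replace")
    pos = pattern_create(length).find(needle)
    return None if pos < 0 else pos


if __name__ == "__main__":
    # Constructed sample: the SEH value from the crash described above.
    print(pattern_offset("41306141"))  # 0
```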
So, to overflow SEH and nSEH we need the buffer to be something like this:
buffer = junk + nSEH + SEH + junk
As we know that we need 1000 chars to reach SEH, this is how our exploit code should look in order to control it:
Finding a return address:
As we have control of SEH, we can insert any address that corresponds to an instruction we want executed. A good sequence of instructions to use here is POP POP RET. These instructions may be found in DLLs used by the software. To check this, we can use the mona script inside Immunity Debugger:
Our updated exploit code should now look like this:
Crashing the software again, we see that we have reached an exception. We now press Shift+F9 and put a breakpoint at 0x10037859:
Little space to work:
After redirecting our flow with POP POP RET, we end up with little space to work:
Although we have only a few bytes here, there is a decent amount of space above us, where some of our initial “A”s are. What we can do now is jump back a few bytes to have more space to work. A simple assembly instruction for this is “\xEB\x??”, where “\xEB” is a short relative jump and “\x??” is the signed 8-bit displacement, i.e. the number of bytes to go back. If we choose to go back 128 bytes, this is how our exploit should look:
After crashing the software, we now see that we indeed have jumped a few bytes back, giving us a little more space to work:
Generating Egg Hunter:
Now that we have about 128 bytes to use, we can generate a 32-byte egg hunter using the mona script with the egg value “r4f4”:
OK, so we now know that our egg hunter code will be somewhere near our last “A”s. Let’s put some NOPs (\x90) before and after the egg hunter to help us identify it in the dump later on:
Crashing the software again and we can see that our egg hunter is there!
The egg hunter will now run and try to find the string “r4f4r4f4” in memory, then redirect the execution flow there. We now need to create a new stage to hold our shellcode, appended right after our egg:
Generating final shellcode:
Great! Anything we put in the shellcode variable will be executed. Let’s use Metasploit to generate a TCP bind shell on port 4444:
msfvenom -a x86 --platform Windows -p windows/shell_bind_tcp LPORT=4444 -f python -e x86/alpha_mixed
Getting a shell:
And that’s it! All we need to do now is execute the final exploit code, paste (Ctrl+V) its content into the software and hope for a newly opened port 4444 on the victim’s machine:
Final exploit code can be found here on my Github.