thesp0nge
thesp0nge OSCP guy. I break code and rebuild it with security in mind, taekwon-do, husband, dad. Chaotic good drow ranger. I blog @codiceinsicuro and @the_armoredcode.

How an exercise eventually becomes my first public exploit

A couple of days ago, I was working on my exploit-writing routine as preparation for my upcoming OSCE examination.

My standard routine these days is the following:

  • go to exploit-db;
  • look for a PoC or an old exploit;
  • rewrite it from scratch on a newer operating system.

Since DEP bypass is out of the scope of the “Cracking the Perimeter” course, I won’t deal with it for now.

I was working on CVE-2018-9128, a buffer overflow in DVD X Player Standard 5.5.3.9 that can be triggered with a carefully crafted playlist file.

EDB-ID 44438 describes how to overwrite the SEH structure in a very standard way to obtain arbitrary code execution. That code was designed to attack Windows XP SP3 on the x86 architecture.

For my preparation, I’m using a VirtualBox virtual machine running Microsoft Windows 7 SP1 for the x86 architecture, with both DEP and ASLR disabled.

I installed the vulnerable package from the vendor website and started writing the exploit from scratch:

  • fill the file with a large number of ‘A’s in order to see what happens to the program;
  • find the SEH overwrite, i.e. work out which part of my payload overwrites the SEH handler address;
  • find the bad characters;
  • find a POP-POP-RET sequence.

This is where I hit a blocker. One of the few usable POP-POP-RET sequences was at 0x00401838, since all the other ones were in modules with SafeSEH enabled. Obviously, I can’t write a NULL byte into my payload, since it would truncate the whole string written into the evil playlist.

During my bad character hunting I found that 0x1a gets turned into 0x00, so I can use a bad character to obtain the null byte I need. As a side effect, I couldn’t write any further bytes into memory from that position onwards.

My whole exploitation chain would rely on backward jumps. My next SEH address, which is executed right after the POP-POP-RET sequence, brings the code back to a big 400-byte backward jump.

The jump brings the EIP into my NOP sled and eventually to my reverse shell payload.

So this fun exercise, which looked trivial at first, led to my first exploit being published on exploit-db and taught me a different way to write an SEH exploit payload.

Enjoy it!
