Monday, May 16, 2011

Exploit Development Made Easy with pvefindaddr

    Hi all,
    This tutorial aims to show the utility of the Immunity Debugger pycommand pvefindaddr.
    In this tutorial I’ll use a vulnerability in Chasys Media Player,
    To download the application: http://www.chachaslab.com/chasys_media.php
    For more information: Bypassing SafeSeh
    
    Triggering the vulnerability:
    When opening a malformed play list(m3u) the application crashes,
    We’ll use the following simple perl script to create the .m3u file:




   
     Let’s Exploi It:

    First of all, attach Immunity Debugger to the application and open the m3u file:


As we can see SE Handler is overwritten,
The next step is to find the offset to next SEH and SEH, in other words, how many bits are needed to reach SE Handler.
To do this we’ll use the Corelan’s Tool, in Immunity Debugger, run:

!pvefindaddr pattern_create 10000

Now go to the Immunity Debugger program folder, find the file named mspattern.txt, copy the pattern and past it in the perl script; the perl script will looks like:



Recreate the new m3u file, attach Immunity Debugger to the application and open the m3u file, again the Corelan’s Tool, run:

!pvefindaddr suggest

To see the result, go to view --> Log:


    The offset to next SEH is 1308, and the offset to SEH is 1312.
    After finding the offset, we need to find POP POP RET sequence in a non SAFE-SEH module, to list all modules run:

!pvefindaddr modules


    As you can see, all modules are SAFE-SEH, the binary file(Player.exe) it self is SAFE-SEH,
    So we can’t use POP POP RET.
    To solve the issue we have to use an address outside the address range of loaded modules, to be more clear, we have to look for a call/jmp dword ptr[reg+nn] instructions, of course the instruction must be outside the address range of loaded modules, to do that, attach Immunity Debugger to the application and run :

!pvefindaddr jseh


    Found CALL DWORD PTR SS:[EBP+30] at 0x00280b0b
    Now use Metasploit to generate a shellcode;
    And the last step, putting all pieces together, and finally the exploit will looks like:
 

Happy haxoring,
Peace.
Posted by Hicham
Labels: , ,

1 comments:

Anonymous said...

why do you have the $rest variable set up like you do. Is that because you used a pointer to push DWORD...does it have to be like that?

August 6, 2011 at 3:17 AM

Post a Comment

Subscribe to: Post Comments (Atom)