Hi all,
This tutorial aims to show the utility of the Immunity Debugger pycommand pvefindaddr.
In this tutorial I’ll use a vulnerability in Chasys Media Player,
To download the application: http://www.chachaslab.com/chasys_media.php
For more information: Bypassing SafeSeh
Triggering the vulnerability:
When opening a malformed play list(m3u) the application crashes,
We’ll use the following simple perl script to create the .m3u file:
First of all, attach Immunity Debugger to the application and open the m3u file:
As we can see SE Handler is overwritten,
The next step is to find the offset to next SEH and SEH, in other words, how many bits are needed to reach SE Handler.
To do this we’ll use the Corelan’s Tool, in Immunity Debugger, run:
!pvefindaddr pattern_create 10000
Now go to the Immunity Debugger program folder, find the file named mspattern.txt, copy the pattern and past it in the perl script; the perl script will looks like:
Recreate the new m3u file, attach Immunity Debugger to the application and open the m3u file, again the Corelan’s Tool, run:
!pvefindaddr suggest
To see the result, go to view --> Log:
The offset to next SEH is 1308, and the offset to SEH is 1312.
After finding the offset, we need to find POP POP RET sequence in a non SAFE-SEH module, to list all modules run:
!pvefindaddr modules
As you can see, all modules are SAFE-SEH, the binary file(Player.exe) it self is SAFE-SEH,
So we can’t use POP POP RET.
To solve the issue we have to use an address outside the address range of loaded modules, to be more clear, we have to look for a call/jmp dword ptr[reg+nn] instructions, of course the instruction must be outside the address range of loaded modules, to do that, attach Immunity Debugger to the application and run :
!pvefindaddr jseh
Now use Metasploit to generate a shellcode;
And the last step, putting all pieces together, and finally the exploit will looks like:
Happy haxoring,
Peace.
1 comments:
why do you have the $rest variable set up like you do. Is that because you used a pointer to push DWORD...does it have to be like that?
Post a Comment