Original Author, POC, and vulnerable software: https://www.exploit-db.com/exploits/27747
...and we get our initial crash where our SEH handler and nSEH have been overwritten with 41s.
Calculating the offset values
As usual, we use Metasploit's pattern_create.rb and pattern_offset.rb.
We update our POC with the following offset values
...and we verify that we hit the correct offset values as shown with the Cs and Bs
Since this is an SEH-based buffer overflow, as usual we will need a POP-POP-RET address.
I am using mona.py to find this address.
Also, note that we will need to find an address in a module that has SAFESEH and ASLR disabled.
We will use address 0x0041B865
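The two properties mona.py filters on here are recorded in each module's PE headers, and the same check confirms whether your own builds were linked with /DYNAMICBASE and /SAFESEH. The following is an added example, not code from the original post; `audit_pe32`, `rva_to_offset` and `build_sample` are hypothetical names, and the sample image is a constructed header, not the freeFTPd binary.

```python
import struct

DYNAMIC_BASE, NX_COMPAT, NO_SEH = 0x0040, 0x0100, 0x0400  # IMAGE_DLLCHARACTERISTICS_*

def rva_to_offset(data, table, count, rva):
    """Map an RVA to a file offset by walking the section table."""
    for i in range(count):
        vsize, vaddr, rsize, raw = struct.unpack_from("<4I", data, table + 40 * i + 8)
        if vaddr <= rva < vaddr + max(vsize, rsize):
            return raw + (rva - vaddr)
    return None

def audit_pe32(data):
    """Report ASLR, DEP and SafeSEH status from a PE32 image's headers."""
    pe = struct.unpack_from("<I", data, 0x3C)[0]
    if data[:2] != b"MZ" or data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    nsect, opt_size = struct.unpack_from("<H12xH", data, pe + 6)
    opt = pe + 24
    if struct.unpack_from("<H", data, opt)[0] != 0x10B:
        raise ValueError("SafeSEH only applies to 32-bit (PE32) images")
    flags = struct.unpack_from("<H", data, opt + 70)[0]
    ndirs = struct.unpack_from("<I", data, opt + 92)[0]
    # Data directory 10 is the load configuration, which points at the SafeSEH table.
    lc_rva = struct.unpack_from("<I", data, opt + 96 + 8 * 10)[0] if ndirs > 10 else 0
    handlers = 0
    off = rva_to_offset(data, opt + opt_size, nsect, lc_rva) if lc_rva else None
    if off is not None and off + 72 <= len(data) and struct.unpack_from("<I", data, off)[0] >= 72:
        handlers = struct.unpack_from("<I", data, off + 68)[0]  # SEHandlerCount
    return {"aslr": bool(flags & DYNAMIC_BASE), "dep": bool(flags & NX_COMPAT),
            "safeseh": bool(flags & NO_SEH) or handlers > 0}

def build_sample(flags, handlers):
    """Constructed minimal PE32 header with one section; not a real binary."""
    img = bytearray(0x400)
    img[:2] = b"MZ"
    # e_lfanew, PE signature, then COFF header: i386, 1 section, 224-byte optional header
    struct.pack_into("<I4sHH12xH", img, 0x3C, 0x40, b"PE\0\0", 0x14C, 1, 224)
    opt = 0x58
    struct.pack_into("<H", img, opt, 0x10B)                  # PE32 magic
    struct.pack_into("<H", img, opt + 70, flags)             # DllCharacteristics
    struct.pack_into("<I", img, opt + 92, 16)                # NumberOfRvaAndSizes
    struct.pack_into("<II", img, opt + 176, 0x1000, 72)      # load-config directory
    struct.pack_into("<8s4I", img, opt + 224, b".rdata", 0x200, 0x1000, 0x200, 0x200)
    struct.pack_into("<I", img, 0x200, 72)                   # load config Size
    struct.pack_into("<I", img, 0x200 + 68, handlers)        # SEHandlerCount
    return bytes(img)

if __name__ == "__main__":
    print(audit_pe32(build_sample(0, 0)), audit_pe32(build_sample(DYNAMIC_BASE | NX_COMPAT, 3)))
```

A module that reports `aslr` and `safeseh` as false is the kind the step above depends on, so it is the kind to rebuild or replace.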
Again, we update our POC with our SEH Handler redirect address
We send our exploit up and we have successfully redirected code execution as we hit our POP-POP-RET address.
We follow the POP-POP-RET and we hit our nSEH, which sits right below our As.
Note: We currently do not see our Ds.
...however, if we scroll further down, we can see that our Ds are still loaded in memory. We just need to find them...aka. egghunter.
Since our first jump is limited to just 4 bytes, we will do a 2-byte reverse short jmp:
EB 80, or jmp short reverse 128 bytes.
We update our nSEH with EB 80 and add 2 more NOPs (not necessary) to complete the 4 bytes.
We fire up the POC one more time, take the pop-pop-ret, and hit our first jump.
After going through the 256 hex characters, we found that 0xa is the only restricted character
So far, we have accomplished the following:
1. Successfully crash the program and overwrite the SEH and nSEH
2. Calculated the offset values
3. Found POP-POP-RET address
4. Completed the first jump from nSEH which allows 127 bytes of address space
Reminder...you can create an egghunter using mona.py
Note: I am using a slightly different egghunter shellcode.
We update our POC with our egghunter shellcode and add the egg in front of our Ds
Send the exploit up...take the first jump (EB 80) and we land on our NOP sled.
If we scroll down, our egghunter is right below our NOP sled.
We let the egghunter execute while adding a breakpoint at JMP EDI to check the value of EDI.
Here we can see that we have successfully located our egg...all that we need to do now is add our reverse shellcode right after our egg.
At this point we are ready to add our reverse shell
Final Proof-of-Concept: https://github.com/pyt3ra/freeFTPd-1.0.10-SEH-Based-Buffer-Overflow