Sunday, 29 July 2018

CVE-2018-6892 quick autopsy

After a pretty busy week I decided to take a break and ... check some updates from the Beyond Security Blog. I assumed it would be a good idea to check it on the VM. Here we go...
The bug was originally found by hyp3rlinx and is assigned CVE-2018-6892. Proof-of-concept code is also already available online [1, 2]. I wasn't really happy when I saw calc shellcode, so I decided to recreate the PoC to get a reverse shell to my Kali VM :)

It started here:

After a while I decided to switch to Immunity Debugger (which I had installed). The app is ready, so according to the advisory we should see port 8888 listening and ready to accept connections:

Using the PoC from Exploit-DB as a skeleton for my own, I landed here:

Checking the results in Immunity Debugger:

So far so good. Next I used mona to find interesting SEH values (!mona seh):

The next thing was to generate a cyclic pattern (using the same tool again). We are here:

Checking everything again and running the PoC:

Use Alt+S to view the overwritten SEH chain:

As we now know how much junk is needed to reach (n)SEH, we can prepare a new value for it, this time a (short) JMP instruction that hops over the handler address. To encode it we will use nasm_shell from Kali:

After restarting the app (Ctrl+F2) and running our new PoC code, we should see something like this:

Good. Let's modify the code to prepare it for the final shellcode:

To create the shellcode I used msfvenom:

The last step was to restart the app (I did that still inside Immunity Debugger ;)) and prepare netcat (or msfconsole) to receive the reverse shell. Checking:

Tadaa :] We are in.

Kudos to hyp3rlinx for finding the bug!
Big thanks to SSD for their responsible disclosure program.

See you next time!

