After a pretty busy week I decided to take a break and ... check some updates from the Beyond Security blog. I assumed it would be a good idea to check one of them on a VM. Here we go...
The bug was originally found by hyp3rlinx and is assigned CVE-2018-6892. Proof-of-concept code is also already available online [1, 2]. I wasn't really happy when I saw the calc shellcode, so I decided to recreate the PoC to get a reverse shell to my Kali VM :)
It started here:
Immunity Debugger (where I had mona.py installed). The app is ready, so according to the advisory we should see port 8888 ready to accept connections:
Using the PoC from Exploit-DB as a skeleton for my own, I landed here:
Checking results in ImmunityDbg:
So far so good. Next I used mona.py to find interesting SEH values (!mona seh):
Next thing was to generate the pattern (using mona.py again). We are here:
Checking all again and running the poc:
Use alt+s to view overwritten SEH:
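The pattern step above relies on a cyclic pattern in which every 4-byte window is unique, so the dword that lands in nSEH or in the SEH handler slot tells you exactly how far into the buffer those fields sit. The snippet below is an added illustration of that bookkeeping (it is not code from the original post or from mona.py); it reproduces the Metasploit/mona-style pattern and recovers offsets from a dword as it would be read in the debugger (little-endian), with a sanity check that the handler slot follows nSEH by exactly four bytes. The function names and the sample length are my own choices.

```python
import struct

MAX_PATTERN = 26 * 26 * 10 * 3  # 20280 bytes before the triplet sequence repeats


def pattern_create(length):
    """Return the first `length` bytes of the Aa0Aa1...Zz9 cyclic pattern as a str."""
    if not 0 < length <= MAX_PATTERN:
        raise ValueError("length must be between 1 and %d" % MAX_PATTERN)
    triplets = []
    for up in "ABCDEFGHIJKLMNOPQRSTUVWXYZ":
        for low in "abcdefghijklmnopqrstuvwxyz":
            for dig in "0123456789":
                triplets.append(up + low + dig)
                if len(triplets) * 3 >= length:
                    return "".join(triplets)[:length]
    return "".join(triplets)[:length]


def _as_text(value):
    """Normalise a debugger dword (int, little-endian), bytes, or str to the 4 chars it spells."""
    if isinstance(value, int):
        return struct.pack("<I", value).decode("latin-1")
    if isinstance(value, bytes):
        return value.decode("latin-1")
    return value


def pattern_offset(value, length):
    """Offset of `value` inside a pattern of `length` bytes, or -1 if it is not part of it."""
    needle = _as_text(value)
    if len(needle) != 4:
        raise ValueError("expected a 4-byte value")
    return pattern_create(length).find(needle)


def seh_offsets(nseh_value, seh_value, length):
    """Offsets of the overwritten nSEH and SEH handler fields, checked for consistency.

    On x86 the exception registration record is {nSEH (4 bytes), handler (4 bytes)},
    so a sane overwrite has the handler exactly 4 bytes after nSEH; anything else
    means the two dwords did not come from one contiguous copy of the pattern.
    """
    nseh_off = pattern_offset(nseh_value, length)
    seh_off = pattern_offset(seh_value, length)
    if nseh_off < 0 or seh_off < 0:
        raise ValueError("value not found in pattern; was the sent pattern this long?")
    if seh_off != nseh_off + 4:
        raise ValueError("handler at %d is not 4 bytes after nSEH at %d" % (seh_off, nseh_off))
    return nseh_off, seh_off


if __name__ == "__main__":
    # Constructed demo values, not taken from the debugger session in the post.
    demo = pattern_create(2000)
    nseh_dword = struct.unpack("<I", demo[100:104].encode("latin-1"))[0]
    seh_dword = struct.unpack("<I", demo[104:108].encode("latin-1"))[0]
    print("nSEH/SEH offsets:", seh_offsets(nseh_dword, seh_dword, 2000))
```

Feed it the two dwords shown in the SEH chain view (Alt+S) as hex integers; because the debugger displays them as little-endian dwords, the byte reversal is handled for you. If the handler offset is not nSEH + 4, the pattern was truncated or mangled on the way in, and the offsets should not be trusted.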
As we already know the (junk) value needed to overwrite the (n)SEH, we can prepare a new value, this time with a (short) JMP instruction. To do that we will use nasm_shell from Kali:
After restarting (Ctrl+F2) and running our new PoC code, we should see something like this:
Good. Let's modify the code to prepare it for the final shellcode:
To create the shellcode I used msfvenom:
The last step was to restart the app (I did that still inside Immunity Debugger ;)) and prepare netcat (or msfconsole) to receive the reverse shell. Checking:
Tadaa :] We are in.
Kudos to hyp3rlinx for finding the bug!
Big thanks to SSD for their responsible disclosure program.
See you next time!