Sunday, 29 July 2018

CVE-2018-6892 quick autopsy

After a pretty busy week I decided to take a break and ... check some updates from Beyond Security Blog. I assumed it would be a good idea to check it on the VM. Here we go...
The bug was originally found by hyp3rlinx and is assigned CVE-2018-6892. There is also proof-of-concept code already available online [1, 2]. I wasn't really happy when I saw calc-shellcode so I decided to recreate the PoC to get a reverse shell to my Kali VM :)

It started here:

After a while I decided to switch to Immunity Debugger (where I had mona.py installed). The app is ready, so according to the advisory we should see port 8888 ready to connect:


Using the PoC from Exploit-DB as a skeleton for my own I landed here:


Checking results in ImmunityDbg:


So far so good. Next I used mona.py to find interesting SEH values (!mona seh):


Next thing was to generate the pattern (using mona.py again). We are here:


Checking all again and running the PoC:


Use alt+s to view overwritten SEH:


As we already know the (junk) value needed to overwrite the (n)SEH, we can prepare a new value - this time with the (short) JMP instruction. To do that we will use nasm_shell from Kali:


After the restart (ctrl+F2) and running our new PoC code, we should see something like this:


Good. Let's modify the code to prepare it for the final shellcode:


To create the shellcode I used msfvenom:


The last step was to restart the app (I did that still in Immunity Debugger ;)) and prepare netcat (or msfconsole) to receive the reverse shell. Checking:



Tadaa :] We are in.
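To make the pattern step above concrete, here is an added example (not code from this post, hyp3rlinx's advisory or the Exploit-DB PoC) that reimplements in Python what mona.py's pattern_create / pattern_offset do: build the cyclic pattern and map the dword the debugger shows in the overwritten SEH record back to the offsets of nSEH and SEH in the data that was sent. The sample dword 0x41326241 is a constructed value, not one taken from the screenshots.

```python
import string
import struct

# Metasploit/mona-style cyclic pattern: "Aa0Aa1Aa2...Zz9". Every
# 3-byte group (Upper, lower, digit) is unique, so any 4-byte window
# occurs only once; the pattern stops being unique after 20280 bytes.
MAX_UNIQUE = 26 * 26 * 10 * 3


def pattern_create(length: int) -> bytes:
    """Return the first `length` bytes of the cyclic pattern."""
    if length > MAX_UNIQUE:
        raise ValueError(f"pattern longer than {MAX_UNIQUE} bytes is not unique")
    out = bytearray()
    for upper in string.ascii_uppercase:
        for lower in string.ascii_lowercase:
            for digit in string.digits:
                out += (upper + lower + digit).encode("ascii")
                if len(out) >= length:
                    return bytes(out[:length])
    return bytes(out[:length])


def pattern_offset(value, length: int = MAX_UNIQUE) -> int:
    """Locate a 4-byte chunk inside the pattern.

    `value` is either the dword as the debugger prints it (an int, stored
    little-endian in memory) or the raw 4 bytes. Returns -1 if not found.
    """
    needle = struct.pack("<I", value) if isinstance(value, int) else bytes(value)
    return pattern_create(length).find(needle)


def seh_offsets(seh_value: int, length: int = MAX_UNIQUE) -> dict:
    """Given the dword found in the SEH handler slot, return the offsets
    of nSEH and SEH in the sent buffer (nSEH sits 4 bytes before SEH)."""
    seh = pattern_offset(seh_value, length)
    if seh < 0:
        return {"nseh": -1, "seh": -1}
    return {"nseh": seh - 4, "seh": seh}


if __name__ == "__main__":
    # Constructed sample: debugger shows 41326241 in the SEH handler slot.
    print(pattern_create(12))            # b'Aa0Aa1Aa2Aa3'
    print(seh_offsets(0x41326241))       # {'nseh': 32, 'seh': 36}
```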

Kudos to hyp3rlinx for finding the bug!
Big thanks to SSD for their responsible disclosure program.

See you next time!

Cheers
o/
