CVE-2019-9766 buffer overflow vulnerability: writing and testing the exploit module - vulnerability warning - the black bar safety net

Author: 佚名 (Anonymous)
Source: www.myhack58.com
Published: Apr 02, 2019
ID: MYHACK58:62201993477
EPSS: 0.004 (Low), percentile 74.1%
CVE-2019-9766 disclosed a buffer overflow in the file conversion of Free MP3 CD Ripper: Free MP3 CD Ripper 2.6 contains a stack-based buffer overflow that allows user-assisted remote attackers to execute arbitrary code via a specially crafted .mp3 file. This article describes in detail how the vulnerability was verified and how the exploit module was written and tested.
For the vulnerability details, see: https://nvd.nist.gov/vuln/detail/CVE-2019-9766
![](/Article/UploadPic/2019-4/201942151420132.png?www.myhack58.com)
Experimental environment
1. Attacking host: Kali-Linux-2019.1-vm-amd64
2. Target host: CN_Windows7_x86_sp1
3. Software version: Free MP3 CD Ripper 2.6
Tools used:
1. WinDbg x86 v6.12.2.633
2. python-2.7.15
3. Immunity Debugger 1.85
Experimental procedure
1. Verifying the buffer overflow vulnerability
1.1 Use Python to generate a custom .mp3 file: 10,000 'A' characters are written out as an .mp3 file. The code is as follows:
![](/Article/UploadPic/2019-4/201942151420287.png?www.myhack58.com)
1.2 Run FmcrExploit.py in Kali to generate the TestFMCR.mp3 file, as shown below:
![](/Article/UploadPic/2019-4/201942151420818.png?www.myhack58.com)
1.3 Copy TestFMCR.mp3 to the target host, open Free MP3 CD Ripper, then open WinDbg and attach it to the Free MP3 CD Ripper process (fcrip.exe), as shown below:
![](/Article/UploadPic/2019-4/201942151420949.png?www.myhack58.com)
1.4 In Free MP3 CD Ripper click "Convert" and select TestFMCR.mp3 for conversion, as shown below:
![](/Article/UploadPic/2019-4/201942151420550.png?www.myhack58.com)
1.5 In WinDbg run the command g; the program raises an exception, as shown below:
![](/Article/UploadPic/2019-4/201942151420110.png?www.myhack58.com)
1.6 Then run the command !exchain to view the SEH chain, as shown below:
![](/Article/UploadPic/2019-4/201942151420179.png?www.myhack58.com)
After these six steps we have confirmed that a buffer overflow exists and that 10,000 'A' characters successfully overwrite the SEH record.
2. Writing the exploit
2.1 Locate the overflow point, i.e. how many 'A' characters are needed to reach the SEH record. First generate a 10,000-character non-repeating pattern with the following command:
root@kali:/usr/share/metasploit-framework/tools/exploit# ./pattern_create.rb -l 10000
The output is long; only part of it is shown here:
![](/Article/UploadPic/2019-4/201942151420865.png?www.myhack58.com)
2.2 Replace "A"*10000 in FmcrExploit.py with this pattern and repeat step 1.2 to generate the TestFMCR.mp3 file;
2.3 Repeat steps 1.3, 1.4, 1.5 and 1.6. The Pointer to next SEH record is found to be overwritten with 0x46326846, as shown below:
![](/Article/UploadPic/2019-4/201942151420963.png?www.myhack58.com)
2.4 Using 0x46326846 to locate the overflow point shows that filling 4116 characters is enough to overwrite the Pointer to next SEH record, as follows:
![](/Article/UploadPic/2019-4/201942151420676.png?www.myhack58.com)
2.5 To verify that the overflow point found in step 2.4 is correct, set the buffer in FmcrExploit.py to "A"*4116, repeat step 1.2 to generate TestFMCR.mp3, and copy the file to the target host;
2.6 On the target host open Immunity Debugger 1.85, run Free MP3 CD Ripper, and convert the mp3 file produced in step 2.5; the result is as follows:
![](/Article/UploadPic/2019-4/201942151421244.png?www.myhack58.com)
You can see that the 4116 'A' characters just cover the Pointer to next SEH record, so the overflow point has been located correctly.
2.7 The Pointer to next SEH record (nSEH) points to the location of the next SEH structure. Here it is filled with "\xeb\x06\x90\x90"; these four bytes disassemble to three instructions, jmp 6, nop, nop. The jmp 6 skips 6 bytes, i.e. exactly the two nop instructions and the 4-byte SEH handler address, then lands in the nop area and slides into the shellcode.
2.8 In this example SEH and nSEH must be used together to complete the whole overflow process, which is as follows:
![](/Article/UploadPic/2019-4/201942151421344.png?www.myhack58.com)
2.9 Finding three consecutive instructions pop pop ret is a difficulty. On XP this process is much simpler, but Windows 7 and later add protections such as SafeSEH and ASLR. Although there are more obstacles, there is also a solution. In Immunity Debugger 1.85 run the command !mona seh; the results are as follows:
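The crafted TestFMCR.mp3 described in steps 1.1, 2.5 and 2.7 has traits a defender can check for before such a file reaches a vulnerable converter: it carries no MP3 frame sync or ID3 tag, it is mostly one long run of a single filler byte (the "A"*10000 / "A"*4116 buffer), and it contains the 4-byte SEH-skip stub "\xeb\x06\x90\x90". The script below is an added example written for this page, not code from the article or from the Free MP3 CD Ripper project; the run-length threshold, the verdict rule (no header plus at least one indicator) and the two sample byte strings are assumptions constructed for the demonstration, and it generalises slightly by scoring any input file rather than this one layout.

```python
"""
Added example (not from the original article): triage an .mp3-named file for
the traits the write-up gives for the crafted TestFMCR.mp3.  Thresholds, the
verdict rule and the sample inputs below are assumptions made for this demo.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Short-jump-over-handler stub from step 2.7: jmp +6, nop, nop.
SEH_SKIP_STUB = b"\xeb\x06\x90\x90"
# Assumed threshold: a run of one byte value at least this long is suspicious.
RUN_THRESHOLD = 2048


@dataclass
class Verdict:
    has_mp3_header: bool
    longest_run: int
    run_byte: Optional[int]
    stub_offsets: List[int] = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        # Assumed rule: a file claiming to be MP3 with no recognisable header
        # and either a huge filler run or the SEH-skip stub is flagged.
        return (not self.has_mp3_header) and (
            self.longest_run >= RUN_THRESHOLD or bool(self.stub_offsets)
        )


def looks_like_mp3(data: bytes) -> bool:
    """True if the file starts with an ID3v2 tag or an MPEG frame sync
    (11 set bits: 0xFF followed by a byte whose top three bits are set)."""
    if data[:3] == b"ID3":
        return True
    return len(data) >= 2 and data[0] == 0xFF and (data[1] & 0xE0) == 0xE0


def longest_byte_run(data: bytes) -> Tuple[int, Optional[int]]:
    """Return (length, byte value) of the longest run of one repeated byte."""
    best_len, best_byte = 0, None
    for m in re.finditer(rb"(.)\1*", data, re.DOTALL):
        if len(m.group(0)) > best_len:
            best_len, best_byte = len(m.group(0)), m.group(1)[0]
    return best_len, best_byte


def find_stub(data: bytes) -> List[int]:
    """Offsets of every occurrence of the jmp 6 / nop / nop stub."""
    return [m.start() for m in re.finditer(re.escape(SEH_SKIP_STUB), data)]


def triage(data: bytes) -> Verdict:
    run_len, run_byte = longest_byte_run(data)
    return Verdict(looks_like_mp3(data), run_len, run_byte, find_stub(data))


# Constructed samples (not real files): a minimal ID3-tagged blob with varied
# bytes, and a filler-shaped blob laid out like the article's 4116-byte buffer
# followed by the nSEH stub, a 4-byte placeholder where the handler address
# would sit, a nop area and some trailing bytes.
BENIGN = b"ID3\x03\x00\x00\x00\x00\x00\x21" + bytes(range(256)) * 4
CRAFTED = b"A" * 4116 + SEH_SKIP_STUB + b"B" * 4 + b"\x90" * 16 + b"C" * 200

if __name__ == "__main__":
    for name, blob in (("benign", BENIGN), ("crafted", CRAFTED)):
        v = triage(blob)
        print(name, "SUSPICIOUS" if v.suspicious else "clean", v)
```

The header check and the filler-run check are deliberately combined: a genuine MP3 can contain the four stub bytes by chance inside audio data, and a silent track can contain long zero runs, so neither indicator alone is a reliable signal; a file that claims to be MP3 yet has no frame sync or ID3 tag and shows one of the two is worth quarantining before a converter such as the vulnerable version parses it.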