FreeMp3 Ripper 2.6 – Exploiting with EIP overwrite (almost SEH)
As I study for my OSCE (from Offensive Security) I'm at the point where I browse exploitDB looking for applications to test my exploit skills against. I find applications that are known to be exploitable and then attempt to create the exploit blind. For today's blog post we'll be discussing the application Free Mp3 Ripper (http://www.freerip.com/). After a little hard work I was able to create an mp3 file which, when opened, would give me a reverse shell. Let's begin.
1. After downloading and installing the application I began with the usual: writing a long series of "A"s to see if I could cause a crash. As this is not a network-based application, the A's came in a file with an ".mp3" extension.
![](http://www.x0rsecurity.com/wp-content/uploads/2019/06/image.png)
2. Playing around with the application, I opened exploit.mp3 from within it and found that it crashed! Upon inspection, this appeared to be an SEH (structured exception handler) overwrite; more on this later.
![](http://www.x0rsecurity.com/wp-content/uploads/2019/06/image-1.png)
![](http://www.x0rsecurity.com/wp-content/uploads/2019/06/image-2.png)
![](http://www.x0rsecurity.com/wp-content/uploads/2019/06/image-3.png)
3. Believing I had found my path to exploitation, I attempted to identify where SEH was overwritten using a 5000-byte Metasploit pattern.
![](http://www.x0rsecurity.com/wp-content/uploads/2019/06/image-4.png)
![](http://www.x0rsecurity.com/wp-content/uploads/2019/06/image-5.png)
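The offset-finding step above relies on a cyclic pattern: every 4-byte window is unique, so the value that lands in SEH or EIP maps back to exactly one position in the buffer. The helper below is an added example (not code from the original post and not a FreeRip component) that reproduces the Metasploit `pattern_create` / `pattern_offset` scheme in Python; the value `0x41336141` used in the usage block is a constructed illustration, not the figure the author observed.

```python
"""Cyclic pattern helper in the style of Metasploit's pattern_create and
pattern_offset (added example, not the original post's code)."""
import itertools
import string

# 26 uppercase x 26 lowercase x 10 digits, three bytes per triple
MAX_PATTERN_LEN = 26 * 26 * 10 * 3  # 20280 bytes before the pattern repeats


def pattern_create(length: int) -> str:
    """Build the non-repeating pattern 'Aa0Aa1Aa2...' of the requested length."""
    if not 0 < length <= MAX_PATTERN_LEN:
        raise ValueError(f"length must be between 1 and {MAX_PATTERN_LEN}")
    triples = ("".join(t) for t in itertools.product(
        string.ascii_uppercase, string.ascii_lowercase, string.digits))
    out, size = [], 0
    for triple in triples:
        out.append(triple)
        size += 3
        if size >= length:
            break
    return "".join(out)[:length]


def pattern_offset(value, length: int = MAX_PATTERN_LEN):
    """Locate a debugger value inside a pattern of the given length.

    `value` is either the 4-character string seen in memory ("Aa3A") or the
    integer the debugger shows in EIP / the SEH handler slot (0x41336141).
    x86 registers are little-endian, so the integer is decoded low byte first.
    Returns the zero-based offset, or None if the value is not in the pattern.
    """
    if isinstance(value, int):
        needle = value.to_bytes(4, "little").decode("ascii", errors="replace")
    else:
        needle = value
    pattern = pattern_create(length)
    idx = pattern.find(needle)
    if idx == -1:
        return None
    if pattern.rfind(needle) != idx:
        # An ambiguous hit means the needle is too short to pin down one spot.
        raise ValueError(f"{needle!r} occurs more than once in the pattern")
    return idx


if __name__ == "__main__":
    buf = pattern_create(5000)
    print(buf[:60])
    # Constructed illustration: a handler slot reading 0x41336141 is "Aa3A",
    # which sits at offset 9 of the pattern.
    print(pattern_offset(0x41336141, 5000))
```

The 4-byte register value is the natural needle: a 3-character needle can straddle two triples and is still unique here, but the explicit duplicate check raises rather than silently returning the first hit, which is the failure mode that sends people chasing the wrong offset.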
4. I then went about trying to identify any bad characters.
![](http://www.x0rsecurity.com/wp-content/uploads/2019/06/image-6.png)
![](http://www.x0rsecurity.com/wp-content/uploads/2019/06/image-7.png)
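The bad-character check in step 4 is a comparison: send every byte value, then look at what actually landed in memory and find the first place the two diverge. The following is an added example (not the author's code) that generates the probe and performs that comparison; the `landed` buffers in the usage block are constructed to show a truncating parser and a byte-translating one, not data from the application.

```python
"""Bad-character probe and comparison (added example, not the post's code).
The bytes that 'landed' would normally be copied out of the debugger's
memory dump; here they are constructed to illustrate the two usual failures."""


def badchar_probe(exclude=(0x00,)) -> bytes:
    """Every byte value 0x00-0xff except those already known to be bad."""
    return bytes(b for b in range(256) if b not in exclude)


def as_escaped(data: bytes) -> str:
    """Render bytes as a \\xNN string for pasting into a buffer definition."""
    return "".join(f"\\x{b:02x}" for b in data)


def first_bad_char(sent: bytes, landed: bytes):
    """Compare the probe with what reached memory.

    Returns None if every byte arrived intact. Otherwise returns a dict with
    the offset of the first divergence, the byte that was sent, and the byte
    found there (None when the copy was truncated at that point). A bad byte
    usually corrupts or cuts off everything after it, so only the first
    divergence is reported: add it to `exclude`, regenerate, and repeat.
    """
    for i, b in enumerate(sent):
        if i >= len(landed):
            return {"offset": i, "sent": b, "found": None}
        if landed[i] != b:
            return {"offset": i, "sent": b, "found": landed[i]}
    return None


if __name__ == "__main__":
    probe = badchar_probe()
    print(as_escaped(probe)[:48], "...")

    # Constructed case 1: a parser that stops at the first newline (0x0a).
    truncated = probe[: probe.index(0x0a)]
    print(first_bad_char(probe, truncated))   # offset 9, sent 0x0a, found None

    # Constructed case 2: carriage return (0x0d) rewritten to 0x0a.
    mangled = bytearray(probe)
    mangled[probe.index(0x0d)] = 0x0a
    print(first_bad_char(probe, bytes(mangled)))  # offset 12, sent 0x0d, found 0x0a

    # Clean copy: nothing to report.
    print(first_bad_char(probe, probe))       # None
```

Iterating one byte at a time matters: once a byte is mangled, everything after it in the dump is shifted or missing, so a single pass that reports every mismatch would flag almost the whole alphabet as bad.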
5. I then went looking for a POP POP RET sequence inside a module that wasn't ASLR- or DEP-protected.
![](http://www.x0rsecurity.com/wp-content/uploads/2019/06/image-8.png)
Rerunning the exploit seemed to show it working with the memory address I specified!
![](http://www.x0rsecurity.com/wp-content/uploads/2019/06/image-9.png)
PAUSE!
![](http://www.x0rsecurity.com/wp-content/uploads/2019/06/image-10.png)
At this point I tried inserting some shellcode and noticed I couldn't consistently trigger the SEH overwrite. As of today I still don't know why, other than that I just couldn't anymore. I don't think it was due to a bad character, but the behaviour definitely changed once I put more characters into my 5000-byte buffer. I burned a day messing with this before I backed up and attempted to find a different path.
6. Going back to the drawing board, I started experimenting with buffers of varying lengths and eventually found that at <> I could directly overwrite EIP.
![](http://www.x0rsecurity.com/wp-content/uploads/2019/06/image-11.png)
7. Proceeding with round 2, I confirmed there were still no bad characters.
8. I then constructed the following buffer, which landed me in a very small space.
(sorry, missing screenshot)
9. Reviewing the stack, I found that my set of A's started about 200 bytes back from ESP. To get there I crafted a jump 200 bytes back from ESP and replaced my A's with NOPs:

```asm
mov eax, esp    ; take the current stack pointer
sub eax, 200    ; step back 200 bytes, into the NOP sled
jmp eax         ; land in the sled and slide into the payload
```
![](http://www.x0rsecurity.com/wp-content/uploads/2019/06/image-12.png)
![](http://www.x0rsecurity.com/wp-content/uploads/2019/06/image-13.png)
10. Having plenty of space, I then went about creating a reverse shell.
![](http://www.x0rsecurity.com/wp-content/uploads/2019/06/image-15.png)
![](http://www.x0rsecurity.com/wp-content/uploads/2019/06/image-14.png)
11. Foiled again... when I ran my reverse shell it didn't work 🙁
![](http://www.x0rsecurity.com/wp-content/uploads/2019/06/image-16.png)
12. It took me a while to realize that I needed to align my stack, so I placed an adjustment to ESP directly after my jump to the NOP sled.
![](http://www.x0rsecurity.com/wp-content/uploads/2019/06/image-17.png)
![](http://www.x0rsecurity.com/wp-content/uploads/2019/06/image-18.png)
![](http://www.x0rsecurity.com/wp-content/uploads/2019/06/image-19.png)
13. Trying it again, I was able to catch my reverse shell!
![](http://www.x0rsecurity.com/wp-content/uploads/2019/06/image-20.png)