FreeMp3 Ripper 2.6 – Exploiting with EIP overwrite (almost SEH)

As I study for my OSCE (from Offensive Security) I'm at the point where I'm browsing Exploit-DB looking for applications to test out my exploit skills. I find applications that are known to be exploitable and then attempt to create the exploit blind. For today's blog post we'll be discussing the application Free Mp3 Ripper (http://www.freerip.com/). After a little hard work I was able to create an mp3 file which would generate a reverse shell. ... Let's begin.

1. After downloading and installing the application I began with the usual: attempting to write a series of "A"s to see if I could cause a crash. As this is not a network-based application, the A's were delivered in a file with an ".mp3" extension.

2. Playing around with the application, I opened exploit.mp3 from within it and found that it crashed! Upon inspection it appeared to be an SEH (structured exception handler) overwrite ... more on this later.

After opening the application you need to skip the registration code.
To run the exploit mp3 you need to click on Convert and then browse to the mp3 file.

3. Believing I had found my path towards exploitation, I attempted to identify where SEH was overwritten using a 5000-byte Metasploit pattern.

Location found, I was able to directly overwrite the SEH address ... or so I thought.

4. I then went about identifying any bad characters.

If you notice, I append a unique string (in this case AAAA) in front of my bad characters in case I need to locate them in memory.
A review of the dump shows that all my characters are present!
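The check in step 4 (tag the test bytes with a unique marker, find the marker in the dump, compare what arrived with what was sent) as an added example in Python. This is not the author's code; the dump, the tag and the fake_target function that stands in for the application are all constructed here, and the example goes one step further than the post by repeating the send/inspect cycle until no byte diverges.

```python
# Added example, not part of the original post. The tag, the dumps and the
# stand-in target are constructed for illustration.

TAG = b"AAAA"   # unique marker placed in front of the test bytes so they can be found in memory


def tagged_buffer(excluded=(), tag=TAG):
    """Build tag + every byte 0x01..0xff, leaving out bytes already known to be bad.
    0x00 is omitted from the start because it terminates C strings almost everywhere."""
    skip = set(excluded)
    return tag + bytes(b for b in range(1, 256) if b not in skip)


def first_divergence(dump, sent, tag=TAG):
    """Locate `sent` in `dump` by its tag and return (offset, expected, observed)
    for the first byte that differs, or None when everything arrived intact.
    `observed` is None when the dump ends before `sent` does."""
    start = dump.find(tag)
    if start < 0:
        raise ValueError("tag not found in dump")
    observed = dump[start:start + len(sent)]
    for i, expected in enumerate(sent):
        actual = observed[i] if i < len(observed) else None
        if actual != expected:
            return i, expected, actual
    return None


def iterate_bad_chars(observe, max_rounds=16):
    """Repeat the cycle: send a tagged buffer, inspect the dump `observe(buffer)`
    returns, record the first mangled byte, resend without it. Stops when a
    round shows no divergence and returns the bad bytes in discovery order."""
    bad = []
    for _ in range(max_rounds):
        sent = tagged_buffer(bad)
        hit = first_divergence(observe(sent), sent)
        if hit is None:
            return bad
        bad.append(hit[1])
    raise RuntimeError("more bad characters than rounds; raise max_rounds")


def fake_target(buf):
    """Constructed stand-in for the application: behaves like a line-oriented
    reader that stops at the first CR or LF, then pads memory with zeros."""
    cut = len(buf)
    for b in (0x0A, 0x0D):
        idx = buf.find(bytes([b]))
        if idx != -1 and idx < cut:
            cut = idx
    return b"\x90" * 8 + buf[:cut] + b"\x00" * 512


if __name__ == "__main__":
    sent = tagged_buffer()
    print("first divergence:", first_divergence(fake_target(sent), sent))
    print("bad characters:", [hex(b) for b in iterate_bad_chars(fake_target)])
```

With a real dump, `first_divergence(dump_bytes, sent)` gives the offset inside the sent buffer (tag included) at which memory first stops matching; that offset, minus the tag length plus one, is the byte value to exclude next, which is exactly what the returned `expected` field already reports.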

5. I then went looking for a pop pop ret inside a module that wasn't ASLR- or DEP-protected.

0x10001692 seems to work!

A rerun of the exploit shows it working with the memory address I specified!
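Step 5 hinges on a loaded module that opted out of ASLR and DEP. The following is an added example, not the author's code or a tool from the post: a small Python audit of the mitigation flags in a PE image's headers, the kind of check a defender runs over a product's shipped DLLs before a pentester finds the gap. The header offsets follow the PE/COFF specification; the image parsed here is constructed inline by build_fake_pe, and SafeSEH (which lives in the Load Config directory, not in DllCharacteristics) is deliberately out of scope.

```python
# Added example, not part of the original post. Offsets and flag values are
# from the PE/COFF specification; the test image is constructed below.
import struct

# IMAGE_DLLCHARACTERISTICS_* bits in the optional header
DYNAMIC_BASE = 0x0040   # image may be rebased at load time (ASLR opt-in)
NX_COMPAT    = 0x0100   # image is compatible with DEP/NX
NO_SEH       = 0x0400   # image declares it uses no SEH handlers
GUARD_CF     = 0x4000   # Control Flow Guard
# IMAGE_FILE_* bit in the COFF file header
RELOCS_STRIPPED = 0x0001  # no .reloc section: the loader cannot move the image


def pe_mitigations(image: bytes) -> dict:
    """Walk DOS header -> PE signature -> COFF header -> optional header and
    report which opt-in mitigations the image carries."""
    if image[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4
    file_chars = struct.unpack_from("<H", image, coff + 18)[0]   # Characteristics
    opt = coff + 20                                               # COFF header is 20 bytes
    magic = struct.unpack_from("<H", image, opt)[0]
    if magic not in (0x10B, 0x20B):                               # PE32 / PE32+
        raise ValueError("unknown optional header magic 0x%x" % magic)
    # DllCharacteristics sits at +70 for both PE32 and PE32+
    dll_chars = struct.unpack_from("<H", image, opt + 70)[0]
    return {
        "pe32plus": magic == 0x20B,
        # DYNAMIC_BASE means nothing if the relocations were stripped
        "aslr": bool(dll_chars & DYNAMIC_BASE) and not (file_chars & RELOCS_STRIPPED),
        "dep": bool(dll_chars & NX_COMPAT),
        "no_seh": bool(dll_chars & NO_SEH),
        "cfg": bool(dll_chars & GUARD_CF),
    }


def missing_mitigations(image: bytes) -> list:
    """Names of the mitigations the image does not opt into, for a quick report."""
    m = pe_mitigations(image)
    return [name for name in ("aslr", "dep", "no_seh", "cfg") if not m[name]]


def build_fake_pe(dll_chars: int, file_chars: int = 0, magic: int = 0x10B) -> bytes:
    """Constructed minimal image: DOS stub, PE signature, COFF header and an
    optional header with no data directories. Enough for the header parser."""
    e_lfanew = 0x40
    dos = bytearray(e_lfanew)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    opt = bytearray(96 if magic == 0x10B else 112)   # standard + Windows-specific fields
    struct.pack_into("<H", opt, 0, magic)
    struct.pack_into("<H", opt, 70, dll_chars)
    machine = 0x14C if magic == 0x10B else 0x8664      # i386 / x64
    coff = struct.pack("<HHIIIHH", machine, 0, 0, 0, 0, len(opt), file_chars)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    for label, img in (("unprotected", build_fake_pe(0)),
                       ("aslr+dep", build_fake_pe(DYNAMIC_BASE | NX_COMPAT)),
                       ("aslr flag but relocs stripped",
                        build_fake_pe(DYNAMIC_BASE, file_chars=RELOCS_STRIPPED))):
        print(label, "-> missing:", missing_mitigations(img))
```

To audit a real module, pass `open(path, "rb").read()` to `missing_mitigations`; any module listed with "aslr" or "dep" missing is the kind of candidate step 5 was hunting for, and the fix on the vendor's side is a linker setting, not an application change.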

PAUSE!

At this point I tried inserting some shellcode and noticed I couldn't consistently trigger SEH. As of today I still don't know why, other than that I just couldn't anymore. I don't think it was due to a bad character, but the behaviour definitely changed once I put more characters into my 5000-byte buffer. I burned a day messing with this before I backed up and attempted to find a different path.

6. Going back to the drawing board, I started experimenting with buffers of varying lengths and eventually found that at <> I could directly overwrite EIP.

7. Proceeding to round 2, I confirmed there were still no bad characters.

8. I then eventually constructed the following buffer, which landed me in a very small space.

(sorry, missing screenshot)

9. Reviewing the stack, I found that about 200 bytes backwards led to my set of A's. To get there I crafted a jump 200 bytes back from ESP and replaced my A's with NOPs:

mov eax,esp     ; take a copy of the current stack pointer
sub eax,200     ; step back 200 bytes, to the start of the NOP sled
jmp eax         ; land in the sled and slide into the payload

10. Having plenty of space, I then went about creating a reverse shell.

11. Foiled again ... when I ran my reverse shell it didn't work 🙁

12. It took me a while to realize that I needed to align my stack. So I placed an adjustment to ESP directly after my jump to my NOP sled.

13. Trying it again, I was able to catch my reverse shell!!!!