Exploiting the forensic investigator (AWE course training)wesley
This summer i am attending the Advanced Windows Exploitation (AWE) course of Offensive Security. The AWE course has been on my wishlist for a long time, because the previous courses (OSCP and OSCE) were amazing. One of the requirements for the AWE course, according to offsec, is a will to suffer intensely.
After completing OSCE, i’ve spend quite some time on exploit development. My thesis was to discover previously unknown vulnerabilities and exploit them. During this thesis i discovered a vulnerability in Wireshark (CVE-2014-2299).
However, this is around three years ago. To get ready for the AWE course, i really have to refresh my exploit development skills. So far, i wrote the following exploits to get ready for AWE:
- EasyToMp3 – basic buffer overflow
- The Offsec AWE challenge (very cool, they sent you a challenge to make sure you have the minimal knowledge)
- Wireshark – basic buffer overflow
- Wireshark – bypassing ASLR/DEP on Windows XP
After the Wireshark exploit i wanted to continue exercising writing exploits. However, rewriting known exploits is quite boring. Therefor i decided to search for a publicly known vulnerability, without a publicly available exploit.
During my search i came across a vulnerability in Photorec 6.14, which is shipped with Testdisk. The vulnerability was discovered by Denis Andzakovic. Photorec is a data carving tool which can be used to carve files from disk images. The utility is commonly used in digital forensic investigations to restore deleted files from a hard drive. The vulnerability could allow a criminal to prepare his/her disks in order to exploit the forensic tooling to get a hint that his data is being looked at or get an actual shell on the investigators system. The latter would allow the criminal to manipulate the evidence. There is an update available for Photorec that fixed the vulnerability (version 7.0). For the forensics it is important to make sure that they are using this version.
I decided to write a exploit for the vulnerability in Photorec 6.14. The target system is a Windows 7 machine, with ASLR and DEP enabled. The exploit writes an malicious image file to disk. When opening this image file with the “photorec_win.exe” executable, the following Windows appears:
After selecting the image by clicking “Proceed”, the vulnerability gets triggered. The shellcode is executed, for example a shell can be obtained on the system that opens the image file:
After some time of development, the final exploit code looks like this:
Some technical explanation on the exploit (using line numbers):
- #106 The image requirements are prepared that triggers the vulnerability.
- #30 The Virtualprotect placeholders are defined on the stack.
- #105 Jump to the beginning of the ROP chain (#43)
- #42 Retrieve the current stack pointer and calculate the address of the Virtualprotect placeholders on the stack
- #52 Calculate the Virtualprotect address dynamically by using an existing kernel32 call on the stack. Place it on the placeholder at #31.
- #64 Calculate the shellcode address and place it on the placeholder at #32
- #73 Place the shellcode address also at the placeholder at #33
- #77 Place the value 0x1000 (size) on the placeholder at #34
- #83 Place the value 0x40 (executable) on the placeholder at #35
- #89 Calculate a writable address, place it on the placeholder at #36
- #99 Jump to Virtualprotect which executes the shellcode, because all requirements are satisfied for Virtualprotect in order to work.
I am really looking forward for the AWE course. My intention is to write a AWE course review after the course. See you at Blackhat && Defcon!