Week of Exploit Development Basics - Abusing the SEH
Posted in /home/research, /research/hacking_penetration on April 28th, 2011 by Rick Zhong

POP POP RET - sample assembly pattern for exploiting an SEH-based vulnerability.

After too much high-level dealing with IS risk, metrics and governance, I found myself a nice SEH exploit development tutorial from the Corelan Team to satisfy my itch for the geeky stuff. Here it is - Link
Nice, neat stuff with an actual vulnerable application, the SORITONG mp3 player. (I couldn't find the original application package anywhere else, so I just registered on the Corelan Team site and downloaded the application.) Just a few notes in order to have a fully working exploit:
1. Make sure you use the memdump method (the 2nd method in the tutorial) when you try to locate a POP POP RET assembly pattern. I couldn't locate any usable POP POP RET in player.dll and ended up with a "POP POP RET" at address 0x42103cdc. I have yet to determine whether this is a portable address or one just hardcoded on my own XP machine.
2. Only "POP EDI, POP ESI, RET" will work, and if register EBX or EBP is involved your exploit will likely break. I still need to figure out the exact reason, but my guess is that popping into EBX or EBP changes the stack segment.
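The "memdump method" in note 1 boils down to a byte-pattern search: when the exception dispatcher calls the handler, [ESP+8] holds the address of the EXCEPTION_REGISTRATION record you overwrote, so any POP r32; POP r32; RET lands execution at nSEH, no matter which two registers are popped. The small scanner below is an added example, not code from this post or from the Corelan tutorial. It walks a buffer the way a dump-file search does, decodes the two popped registers, accepts both RET and RET n, rejects a POP ESP (that moves the stack pointer before the RET, so the RET no longer reads nSEH), and flags EBX/EBP per note 2. The byte buffer and the 0x42100000 base are constructed for the example; they are not bytes from player.dll or any real module.

```c
#include <stdint.h>
#include <stdio.h>
#include <stddef.h>

/* Register encoded by a one-byte POP r32 (opcodes 0x58..0x5F). */
static const char *const REG_NAMES[8] = {
    "EAX", "ECX", "EDX", "EBX", "ESP", "EBP", "ESI", "EDI"
};
enum { REG_EBX = 3, REG_ESP = 4, REG_EBP = 5 };

typedef struct {
    uint32_t addr;   /* address of the first POP (dump base + offset) */
    int pop1, pop2;  /* register indexes into REG_NAMES */
    int ret_imm;     /* 0 for C3 RET, n for C2 RET n */
    int warn;        /* 1 if EBX or EBP is popped (see note 2 above) */
} gadget_t;

static int is_pop(uint8_t b) { return b >= 0x58 && b <= 0x5F; }

/* Scan `len` bytes that were dumped from address `base` for every
 * POP r32; POP r32; RET / RET n.  The scan is byte-aligned rather than
 * disassembly-aligned, so it also finds sequences that sit inside other
 * instructions, which is fine for a gadget.  POP ESP is rejected because
 * it moves the stack pointer before the RET. */
size_t find_pop_pop_ret(const uint8_t *buf, size_t len, uint32_t base,
                        gadget_t *out, size_t max)
{
    size_t n = 0;
    for (size_t i = 0; i + 2 < len && n < max; i++) {
        if (!is_pop(buf[i]) || !is_pop(buf[i + 1]))
            continue;
        int imm;
        if (buf[i + 2] == 0xC3)
            imm = 0;
        else if (buf[i + 2] == 0xC2 && i + 4 < len)
            imm = buf[i + 3] | (buf[i + 4] << 8);
        else
            continue;
        int r1 = buf[i] - 0x58, r2 = buf[i + 1] - 0x58;
        if (r1 == REG_ESP || r2 == REG_ESP)
            continue;
        gadget_t *g = &out[n++];
        g->addr = base + (uint32_t)i;
        g->pop1 = r1;
        g->pop2 = r2;
        g->ret_imm = imm;
        g->warn = (r1 == REG_EBX || r1 == REG_EBP ||
                   r2 == REG_EBX || r2 == REG_EBP);
    }
    return n;
}

/* Constructed sample "dump": not bytes from player.dll or any real module. */
static const uint8_t SAMPLE[] = {
    0x90, 0x90,                    /* padding */
    0x5F, 0x5E, 0xC3,              /* +2:  POP EDI; POP ESI; RET    (match) */
    0x31, 0xC0,                    /* xor eax,eax */
    0x5B, 0x5D, 0xC3,              /* +7:  POP EBX; POP EBP; RET    (match, warn) */
    0x5C, 0x58, 0xC3,              /* +10: POP ESP; POP EAX; RET    (rejected) */
    0x58, 0x59, 0xC2, 0x04, 0x00,  /* +13: POP EAX; POP ECX; RET 4  (match) */
    0x58, 0x90, 0xC3,              /* +18: POP EAX; NOP; RET        (no match) */
};
#define SAMPLE_BASE 0x42100000u    /* assumed load address, constructed */

static gadget_t g_found[16];
static size_t   g_count;

/* Run the scanner over the constructed sample; returns the gadget count. */
size_t scan_sample(void)
{
    g_count = find_pop_pop_ret(SAMPLE, sizeof SAMPLE, SAMPLE_BASE,
                               g_found, sizeof g_found / sizeof g_found[0]);
    return g_count;
}

const gadget_t *sample_gadget(size_t i)
{
    return i < g_count ? &g_found[i] : NULL;
}

int main(void)
{
    size_t n = scan_sample();
    for (size_t i = 0; i < n; i++) {
        const gadget_t *g = &g_found[i];
        printf("0x%08x  POP %s; POP %s; RET", (unsigned)g->addr,
               REG_NAMES[g->pop1], REG_NAMES[g->pop2]);
        if (g->ret_imm)
            printf(" %d", g->ret_imm);
        printf("%s\n", g->warn ? "   (EBX/EBP involved)" : "");
    }
    return 0;
}
```

On the constructed sample this lists three gadgets (0x42100002 POP EDI/POP ESI, 0x42100007 POP EBX/POP EBP flagged, 0x4210000d POP EAX/POP ECX RET 4) and drops the POP ESP one. For a real dump, read the file into the buffer and pass the base the dump was taken from, then check two things before hardcoding an address the way note 1 does: the bytes of the address must survive in your payload (no bad characters), and the address is only portable if the module is the same version and loads at the same base on the target, which on XP (no ASLR) comes down to whether the module gets rebased.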
BTW, time to go back to exploring the new features in Metasploit; I haven't had a chance to explore it in depth since it was acquired by Rapid7. I've decided to play with a few fuzzing tools before coming back to exploit writing, just to make sure I don't get bored.