First of all... thanks to b33f from fuzzysecurity.com for the hint, which helped a lot in solving the reliability issue of my last exploit :-) !
In my last article I wrote about the lack of a reliable way of executing shellcode. I received a mail from b33f about MSVCR70.dll, which is installed by the application. Well, at this point it seems I've been fooled by an application :-D! During my investigations I did not notice this DLL and assumed it was a system DLL like all the others, but it is indeed installed by the application:
And there is a usable (and only one... phew) way to run my shellcode via a PUSH ESP / RETN:
This means you've got a reliable exploit for WinXP and Win7. But while playing around I noticed that my controllable input (junk, shellcode etc.) is placed at completely different memory addresses on WinXP and Win7, although all in all within a manageable distance. The controllable input starts at:
Windows XP: ESP+400 (Solution: ADD ESP,404 # POP EDI # POP ESI # RETN from SoundEditorPro.exe):
Windows 7: ESP+5CC (Solution: ADD ESP,838 # POP EDI # POP ESI # POP EBX # RETN from SoundEditorPro.exe):
Therefore, if you try to use the Windows XP ESP alignment on Windows 7, you'll find that you move ESP into an area in front of your actual input, which you do not control. If you use the Win7 ESP alignment on Windows XP, ESP is placed 1092 bytes behind the Win7 ESP alignment point.
The solution: take the Windows 7 ESP alignment as a base and build a chain from it: