PE Section Header Injection using Code Cave

It's been a while. Today I am going to write about popping calc.exe in PuTTY v0.66 by injecting a code cave, with the help of a section header injection.

Get the program here.

For this experiment, you will need CFF Explorer, Immunity Debugger and PuTTY.

First things first, what is this code cave?

According to Wikipedia, a code cave is a series of null bytes in a process's memory. The code cave inside a process's memory is often a reference to a section of the code's script functions that have the capacity for the injection of custom instructions.

In simple terms, it's basically adding a bunch of instructions inside a program that can be used to alter the flow of execution.

Customizing the Section Header

Once you install PuTTY v0.66, you need to open the executable inside CFF Explorer.

This is how it looks. We need to go to Section Headers and add a section header (Empty Space). If you add a section header without padding it as "Empty", the program is going to crash; to avoid this mess, you can directly add a header with empty space.

Initialize it with 1000 blank bytes and name this section .pwn. Let's save it!

Let's load the process inside Immunity Debugger. Now we need to figure out the starting point of this program so that we can load our code cave once the program starts.

This is where the program starts; it can be found when you click "Run". Let's alter this instruction to go to our section called .pwn.

Let's select the memory map and look for .pwn. This is where our segment is; let's copy this address.

Let's alter the entry point from PUSH to JMP <address of .pwn>. To do that, double-click the instruction and assemble it.

Also, make sure you select "Fill with NOPs" to make the necessary arrangements.

Now hit F7 and you will see something like this. You want to change it again by double-clicking, entering the following, and assembling it.

Once you are done with that, you need to use msfvenom to create the instructions that you want to execute. To show how it's done, I am going to pop calc.exe as always.

```
C:\Users\Coding_Karma>
C:\Users\Coding_Karma>msfvenom -p windows/exec CMD=calc.exe -f hex
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x86 from the payload
No encoder or badchars specified, outputting raw payload
Payload size: 193 bytes
Final size of hex file: 386 bytes
fce8820000006089e531c0648b50308b520c8b52148b72280fb74a2631ffac3c617c022c20c1cf0d01c7e2f252578b52108b4a3c8b4c1178e34801d1518b592001d38b4918e33a498b348b01d631ffacc1cf0d01c738e075f6037df83b7d2475e4588b582401d3668b0c4b8b581c01d38b048b01d0894424245b5b61595a51ffe05f5f5a8b12eb8d5d6a018d85b20000005068318b6f87ffd5bbf0b5a25668a695bd9dffd53c067c0a80fbe07505bb4713726f6a0053ffd563616c632e65786500
```

Let's copy this payload and paste it.

Let's binary paste this, execute the program, and BOOM! We successfully executed the code cave, popping calc.exe. Now you can also add an SEH exit function to your msfvenom payload if you want this to work elegantly, which is an exercise for the reader.

Now, if you save this executable, it pops calc.exe whenever you open it. You can create a backdoor out of it and do a lot of things depending on the msfvenom payload.

Also, if you have an SEH exit function, it executes PuTTY normally and gives the program a graceful exit without crashing it and raising suspicion.
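The modifications described above leave clear traces in the PE headers: a new section appended to the end of the section table, characteristics that are writable and executable at the same time, and an AddressOfEntryPoint that no longer points into the first code section. The following pure-Python audit is an added example, not code from the original post or from any of the tools it mentions; it reads the DOS, COFF and optional headers and the section table by hand (no `pefile` dependency) and reports those three signs. Instead of reading the real PuTTY binary, it constructs a header-only PE32 fixture with and without an appended `.pwn` section, so the names, offsets and sizes in `build_sample_pe` are constructed values, not those of PuTTY.

```python
import struct

# Section characteristic flags from the PE/COFF specification.
IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000


def parse_pe_headers(data):
    """Return (entry_rva, sections) parsed from a PE image's headers.
    Each section is a dict with name, vaddr, vsize, rawsize and chars."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    (_machine, num_sections, _ts, _symptr, _nsyms,
     opt_size, _chars) = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    # AddressOfEntryPoint sits at offset 16 of the optional header for
    # both PE32 (magic 0x10B) and PE32+ (magic 0x20B).
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]
    sec_table = opt + opt_size
    sections = []
    for i in range(num_sections):
        off = sec_table + i * 40  # IMAGE_SECTION_HEADER is 40 bytes
        (name, vsize, vaddr, rawsize, _rawptr, _rel, _ln,
         _nrel, _nln, chars) = struct.unpack_from("<8sIIIIIIHHI", data, off)
        sections.append({
            "name": name.rstrip(b"\0").decode("latin-1"),
            "vaddr": vaddr, "vsize": vsize, "rawsize": rawsize, "chars": chars,
        })
    return entry_rva, sections


def audit_sections(data):
    """Return a list of human-readable findings; an empty list means none."""
    entry_rva, sections = parse_pe_headers(data)
    findings = []
    entry_sec = None
    rwx = IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_WRITE
    for sec in sections:
        span = max(sec["vsize"], sec["rawsize"])
        if sec["vaddr"] <= entry_rva < sec["vaddr"] + span:
            entry_sec = sec
        if sec["chars"] & rwx == rwx:
            findings.append(f"section {sec['name']} is writable and executable")
    if entry_sec is None:
        findings.append(f"entry point 0x{entry_rva:x} lies outside every section")
        return findings
    code_secs = [s for s in sections if s["chars"] & IMAGE_SCN_MEM_EXECUTE]
    if code_secs and entry_sec is not code_secs[0]:
        findings.append(f"entry point is in {entry_sec['name']}, not the first "
                        f"executable section {code_secs[0]['name']}")
    if len(sections) > 1 and entry_sec is sections[-1]:
        findings.append(f"entry point is in the last section ({entry_sec['name']}), "
                        "typical of an appended section")
    return findings


def build_sample_pe(with_appended_section):
    """Constructed header-only PE32 fixture (hypothetical, not a real binary)."""
    secs = [
        (b".text", 0x1000, 0x2000,
         IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ),
        (b".data", 0x3000, 0x1000,
         IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE),
    ]
    entry = 0x1200  # inside .text, as a normal linker would place it
    if with_appended_section:
        # The appended section and redirected entry point of a code-cave patch.
        secs.append((b".pwn", 0x4000, 0x1000, IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE
                     | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE))
        entry = 0x4000
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)  # e_lfanew -> PE signature at 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, len(secs), 0, 0, 0, 224, 0x0102)
    opt = bytearray(224)  # PE32 optional header size
    struct.pack_into("<H", opt, 0, 0x10B)
    struct.pack_into("<I", opt, 16, entry)
    table = b"".join(
        struct.pack("<8sIIIIIIHHI", name, size, rva, size, 0x400 + i * 0x1000,
                    0, 0, 0, 0, chars)
        for i, (name, rva, size, chars) in enumerate(secs))
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + table


if __name__ == "__main__":
    for label, flag in (("clean fixture", False), ("patched fixture", True)):
        print(label, audit_sections(build_sample_pe(flag)) or ["no findings"])
```

On a real file, replace the fixture with `open(path, "rb").read()`; the parser only needs the headers, so the section bodies are never touched. Each finding on its own is a heuristic (packers and some compilers also produce unusual entry sections), which is why the audit reports all three together rather than collapsing them into a single verdict.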

Thank you!