/* Dreatica-FXP crew
 * ----------------------------------------
 * Target : Alt-N SecurityGateway v1.00-1.01
 * ----------------------------------------
 * Exploit : Alt-N SecurityGateway v1.00-1.01 Remote Stack Overflow Exploit
 * Exploit date : 11.06.2008-14.06.2008
 * Exploit writer : Heretic2 (firstname.lastname@example.org)
 * OS : Windows ALL
 * Crew : Dreatica-FXP
 * ----------------------------------------
 * Details : Obtaining the overflow and crashing the application is a piece of cake.
 * Getting working code execution here is hell. First we can see that the username
 * passes through some functions before it overflows the buffer, and these change
 * and restrict some useful chars. Firstly the buffer gets lowercased, so the
 * overflow should not contain uppercase chars :( . So I decided to use some
 * encoders for the payload, like nonupper and nonalpha from MSF.
 * The nonupper encoder uses the '@' (0x40) char, which the app doesn't accept at all.
 * The nonalpha encoder's decoder stub and the generated body always contained
 * 0xC0, 0xC1, 0x80, 0x81, which were translated to 0xE0, 0xE1, 0x90, 0x91.
 * Don't know, maybe this char translation was due to my Russian locale.
 * After a few days of work I came up with the required bindshell, which bypasses
 * all restricted chars and executes. Thx to skylined for his alpha tool.
 * Bad chars : 0x00 0x40 0x41 0x42 0x43 0x44 0x45 0x46 0x47 0x48 0x49 0x4A 0x4B 0x4C 0x4D 0x4E
 *             0x4F 0x50 0x51 0x52 0x53 0x54 0x55 0x56 0x57 0x58 0x59 0x5A 0x40 0x7B 0xAA 0xC0
 *             0xC1 0xC2 0x80 0x81
 * ----------------------------------------
 * Thanks to:
 * 1. securfrog ( <securfrog [at] gmail.com> )
 * 2. ALPHA 2: Zero-tolerance ( <skylined [at] edup
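The Details section above describes two filters the username buffer goes through before the overflow: the bytes in the bad-char list are not accepted, and the buffer is lowercased (with 0xC0, 0xC1, 0x80, 0x81 additionally rewritten to 0xE0, 0xE1, 0x90, 0x91 on the author's machine). The following is an added example, not part of the original exploit or of Alt-N's code: a small C checker that models those two filters and reports which bytes of a candidate payload would be dropped or rewritten, so an encoded shellcode can be verified offline before it is sent. The transform function is a hypothetical model of the behaviour the author reports, not the product's real code, and the two sample payloads are constructed here for illustration.

```c
#include <stddef.h>
#include <stdio.h>

/* Bytes the exploit header above lists as restricted in the username field
   (copied as given, including the duplicated 0x40 entry). */
static const unsigned char BAD_CHARS[] = {
    0x00, 0x40, 0x41, 0x42, 0x43, 0x44, 0x45, 0x46, 0x47, 0x48, 0x49, 0x4A,
    0x4B, 0x4C, 0x4D, 0x4E, 0x4F, 0x50, 0x51, 0x52, 0x53, 0x54, 0x55, 0x56,
    0x57, 0x58, 0x59, 0x5A, 0x7B, 0xAA, 0xC0, 0xC1, 0xC2, 0x80, 0x81
};

/* Returns 1 if the byte is in the restricted set, 0 otherwise. */
int is_bad_char(unsigned char c)
{
    size_t i;
    for (i = 0; i < sizeof BAD_CHARS; i++)
        if (BAD_CHARS[i] == c)
            return 1;
    return 0;
}

/* Hypothetical model of the transform the author observed: A-Z are lowercased
   and 0xC0/0xC1/0x80/0x81 become 0xE0/0xE1/0x90/0x91 (assumed to be a
   locale-dependent tolower). Any other byte passes through unchanged. */
unsigned char transform_byte(unsigned char c)
{
    if (c >= 'A' && c <= 'Z')
        return (unsigned char)(c + 0x20);
    switch (c) {
    case 0xC0: return 0xE0;
    case 0xC1: return 0xE1;
    case 0x80: return 0x90;
    case 0x81: return 0x91;
    default:   return c;
    }
}

/* Returns 1 if a byte would be rejected or rewritten before reaching the stack. */
int byte_survives(unsigned char c)
{
    return !is_bad_char(c) && transform_byte(c) == c;
}

/* Scan a payload and return how many bytes would not survive the filters. */
size_t check_payload(const unsigned char *buf, size_t len)
{
    size_t i, n = 0;
    for (i = 0; i < len; i++)
        if (!byte_survives(buf[i]))
            n++;
    return n;
}

/* Offset of the first byte that would not survive, or len if all survive. */
size_t first_bad_offset(const unsigned char *buf, size_t len)
{
    size_t i;
    for (i = 0; i < len; i++)
        if (!byte_survives(buf[i]))
            return i;
    return len;
}

/* Constructed samples: a classic x86 'xor eax,eax; push eax' prologue
   (31 C0 50) carries two bytes that will not survive, while a short nop sled
   followed by 'xor ecx,ecx' (90 90 31 C9) passes through untouched. */
const unsigned char SAMPLE_VANILLA[] = { 0x31, 0xC0, 0x50 };
const size_t SAMPLE_VANILLA_LEN = sizeof SAMPLE_VANILLA;
const unsigned char SAMPLE_CLEAN[] = { 0x90, 0x90, 0x31, 0xC9 };
const size_t SAMPLE_CLEAN_LEN = sizeof SAMPLE_CLEAN;

int main(void)
{
    size_t i;
    printf("vanilla: %zu bad byte(s), first at offset %zu\n",
           check_payload(SAMPLE_VANILLA, SAMPLE_VANILLA_LEN),
           first_bad_offset(SAMPLE_VANILLA, SAMPLE_VANILLA_LEN));
    for (i = 0; i < SAMPLE_VANILLA_LEN; i++)
        if (!byte_survives(SAMPLE_VANILLA[i]))
            printf("  offset %zu: 0x%02X -> 0x%02X%s\n", i, SAMPLE_VANILLA[i],
                   transform_byte(SAMPLE_VANILLA[i]),
                   is_bad_char(SAMPLE_VANILLA[i]) ? " (in bad set)" : "");
    printf("clean:   %zu bad byte(s)\n",
           check_payload(SAMPLE_CLEAN, SAMPLE_CLEAN_LEN));
    return 0;
}
```

Running a real encoder's output through `check_payload` before testing it against the target is the quick way to confirm that the encoder's decoder stub, not just its body, is free of the restricted and rewritten bytes, which is exactly the problem the author hit with the MSF nonalpha encoder.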