> I am trying to analyze the shellcode used in this exploit:
> http://www.milw0rm.com/exploits/7477
>
> If I echo the unescaped shellcode I only get weird Chinese (I think)
> letters.
>
> What's the right way to analyze what kind of shellcode is being used and
> what command is being executed by it?

You picked quite the example there. You can echo the unescaped code and
you'll get UTF-16 characters. You can use iconv to convert to UTF-8 and
then \x it up, compile it in a mock-up executable, then debug it to get at
the assembly.
But you'll see in the comments above the JavaScript unescape call that the
payload was generated with Metasploit using the shikata_ga_nai encoder,
which encodes the original exploit as polymorphic shellcode using XOR.
That's going to be an exercise on its own.
PaulM
------------------------------------------------------------------------
This list is sponsored by: Information Assurance Certification Review Board
Prove to peers and potential employers without a doubt that you can actually do a proper penetration test. IACRB CPT and CEPT certs require a full practical examination in order to become certified.
http://www.iacertification.org
------------------------------------------------------------------------
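As an added example (my own code, not from the thread or from the milw0rm exploit), the script below reverses the JavaScript unescape step in the reply: each %uXXXX is a UTF-16 code unit, which sits in memory as two little-endian bytes, so the bytes are reassembled directly and then emitted as a \x string for the mock-up executable. The sample string is constructed (a short NOP sled plus an int3; ret marker), and the output of a real payload would still be the shikata_ga_nai-encoded bytes, which is where the debugger comes in.

```python
"""Decode a JavaScript %u-escaped shellcode string into raw bytes for analysis.

Added example, not code from the original thread or the milw0rm exploit.
JavaScript unescape() turns each %uXXXX into one UTF-16 code unit; in the
heap-spray buffer that unit is two little-endian bytes. Echoing it as text
shows CJK glyphs, so the bytes are rebuilt here instead of re-encoded.
"""
import re

# Constructed sample: four NOP pairs (0x9090) then 'cc c3' (int3; ret).
SAMPLE = "%u9090%u9090%u9090%u9090%uc3cc"

_ESCAPE = re.compile(r"%u([0-9a-fA-F]{4})|%([0-9a-fA-F]{2})|(.)", re.S)


def decode_js_escapes(s: str) -> bytes:
    """Reverse JavaScript unescape() to the bytes it leaves in memory.

    %uXXXX -> two bytes, little-endian; %XX -> one byte; any other literal
    character is kept as its Latin-1 byte.
    """
    out = bytearray()
    for m in _ESCAPE.finditer(s):
        u16, u8, lit = m.groups()
        if u16 is not None:
            out += int(u16, 16).to_bytes(2, "little")
        elif u8 is not None:
            out.append(int(u8, 16))
        else:
            out += lit.encode("latin-1")
    return bytes(out)


def to_c_string(data: bytes, width: int = 16) -> str:
    """Render bytes as C string literals ('\\x..' form) for a debug harness."""
    lines = []
    for i in range(0, len(data), width):
        chunk = data[i:i + width]
        lines.append('"' + "".join(f"\\x{b:02x}" for b in chunk) + '"')
    return "\n".join(lines)


def looks_like_nop_sled(data: bytes, min_len: int = 8) -> bool:
    """Triage check: does the buffer start with at least min_len 0x90 bytes?"""
    return len(data) >= min_len and data[:min_len] == b"\x90" * min_len


if __name__ == "__main__":
    raw = decode_js_escapes(SAMPLE)
    print(f"{len(raw)} bytes, starts with NOP sled: {looks_like_nop_sled(raw)}")
    print(to_c_string(raw))
```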