I'm sending this to the list on behalf of deros68 <at> yahoo.com. Please
respond to the list or him directly, rather than me.
Thanks.
Moderator
-------- Original Message --------
I have developed an email exploit, incoming email via
smtp, for a certain email program. I want to develop
a "run calc.exe" POC and submit to the email vendor -
also get credit for it. My first 0 day exploit - not
DOS attack. -:)
If you open or preview the email, the stack gets
overlaid. So far - so good. However it soon gets
messy. All input data is translated to UTF-8. I
built a translate table, a long process with
Windbg/Olly, and have decided that I am forced to
create ASCII shell code so that I can launch calc.exe
and return to the thread. Only hex 20-79 input
survives untouched.
problem 1.
EIP EIP +4 EIP +8 etc...------ rest of stack
EIP at 0013c000
I can overwrite EIP with the start of my ASCII
shellcode. For exploit to work the data that overlays
EIP +4 (0013c004) must be a safe address like
40404040 or 60606060, also it must be ASCII otherwise
it gets translated on input.
Fine - I can use a mix of dec ecx/inc ecx (hex
49/41) that produces a "safe" address and executable
code that does not effectively change anything, say
49414941.
ASCII shell code that runs calc.exe - I think that I
can adapt some found on the net.
What is stumping me is the following:
I want to create several breakpoints in the generated
shell code so that I can debug it in Olly:
I cannot (so far) create some ASCII shell code that
will generate in-stream the "cc" opcode from
simple ASCII input code.
I tried using the Metasploit "shell code" generator
and failed. Also - there is no means of delivery via
Metasploit so I gave up on using it.
Maybe I am just tired.... My guess is that I must
seed a register with an ASCII value and then
and/xor/not it with an appropriate value. I have tried
using add/sub with no luck.
thanks
deros68
Received on Jun 22 2007