Metasploit mailing list archives
Re: unicode shellcode question
From: Patrick Webster <patrick () aushack com>
Date: Sun, 1 Nov 2009 00:47:09 +1100
It depends on whether you can control both the 1st and 2nd bytes of the Unicode... In some circumstances this may be possible; however, most ASCII-based applications will add a null to the 1st byte (i.e. 'A' = \x00\x41).

Have a Google for Venetian shellcode :)

http://www.blackhat.com/presentations/win-usa-04/bh-win-04-fx.pdf
http://www.phenoelit-us.org/win/vense.txt

-Patrick

On Sat, Oct 31, 2009 at 8:10 PM, corelanc0d3r <corelanc0d3r () gmail com> wrote:

> Hi,
>
> I am working on building an exploit for a stack BOF (in a Windows application), but I'm having difficulties building Unicode-compatible shellcode. I control EIP and have written a few lines of Unicode-friendly code that will put the address where my shellcode buffer resides into one of the registers (EAX or EBX). So if I can put Unicode shellcode in that buffer and do a jump EAX, it should work. The "jump eax" is no problem... but I don't know how to go from plain shellcode (such as spawning calc) to Unicode-compatible code... How do I convert plain ASCII shellcode into Unicode shellcode and make it work?
>
> tx

_______________________________________________
https://mail.metasploit.com/mailman/listinfo/framework
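The byte expansion Patrick is describing, shown as an added example that is not code from either poster. It models an application that takes ASCII input and widens it to UTF-16LE (the order Windows stores in memory: 'A' becomes 41 00), and reports which bytes of an arbitrary byte string could never appear after that widening. The function names and the sample inputs are constructed for this example; the caveat about the ANSI code page is a general fact about Windows conversions, not something taken from the thread.

```python
"""Model of the ASCII -> UTF-16LE widening that Unicode-handling
applications apply to input, and a check for which bytes of a given
byte string cannot survive it. Constructed example; not the thread's code."""


def ascii_to_utf16le(data: bytes) -> bytes:
    """Widen each input byte b into the 16-bit unit (b, 0x00).

    latin-1 maps byte value N to code point U+00NN, so every unit's high
    byte is zero. A real Windows application converting with its ANSI
    code page (e.g. CP1252) may map bytes >= 0x80 to code points with a
    non-zero high byte, so treat that range as application-specific.
    """
    return data.decode("latin-1").encode("utf-16-le")


def narrow_utf16le(wide: bytes) -> bytes:
    """Inverse of the widening: keep the low byte of each 16-bit unit."""
    return wide[0::2]


def survives_widening(payload: bytes) -> bool:
    """True if payload is something the widening could have produced:
    even length and 0x00 at every odd offset (the high byte of each unit)."""
    if len(payload) % 2:
        return False
    return all(payload[i] == 0 for i in range(1, len(payload), 2))


def unreachable_bytes(payload: bytes) -> list[tuple[int, int]]:
    """List (offset, value) for every odd-offset byte that is not 0x00.

    These are the positions the widening forces to zero, which is why an
    arbitrary machine-code byte string generally does not survive intact.
    """
    return [(i, payload[i]) for i in range(1, len(payload), 2) if payload[i] != 0]


if __name__ == "__main__":
    sample = b"\x31\xc0\x90\x90"          # constructed sample bytes
    print(ascii_to_utf16le(b"A").hex())   # 4100
    print(ascii_to_utf16le(sample).hex())  # 3100c00090009000
    print(narrow_utf16le(ascii_to_utf16le(sample)) == sample)
    print(survives_widening(sample), unreachable_bytes(sample))
```

Running the block shows the point of the reply: every byte you supply comes out followed by a null, so a byte string that needs non-zero values at odd offsets (here 0xc0 and the second 0x90) is reported as unreachable, while any string that already has the interleaved-null shape passes the check.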