Re: unicode shellcode question

[Patrick Webster <patrick () aushack com>]

It depends whether you can control both the 1st & 2nd bytes of the
unicode.... in some circumstances this may be possible, however most
of the ASCII based applications will add a null to the 1st byte (i.e.
'A' = \x00\x41).

Have a Google for venetian shellcode :)

http://www.blackhat.com/presentations/win-usa-04/bh-win-04-fx.pdf
http://www.phenoelit-us.org/win/vense.txt

-Patrick

On Sat, Oct 31, 2009 at 8:10 PM, corelanc0d3r <corelanc0d3r () gmail com> wrote:
> Hi,
>
> I am working on building an exploit for a stack bof (in a windows
> application), but I'm having difficulties building unicode compatible
> shellcode
>
> I control eip and have written a few lines of unicode friendly code
> that will put the address where my shellcode buffer resides into one
> of the registers  (eax or ebx)
>
> So if I can put unicode shellcode in that buffer, and do a jump eax,
> it should work
> The "jump eax" is no problem... but I don't know how to go from a
> plain shellcode (such as spawning calc) to unicode compatible code...
>
> How do I convert plain ascii shellcode into unicode shellcode & make it work ?
>
> tx
> _______________________________________________
> https://mail.metasploit.com/mailman/listinfo/framework
_______________________________________________
https://mail.metasploit.com/mailman/listinfo/framework