Wednesday, July 4, 2012

Unicode exploits

A couple of days ago I finished the Unicode exploitation tutorials from Corelan. You can find the exploits I developed here and here.

In the article, Peter Van Eeckhoutte lists some instructions for "eating" the added nul bytes, but not all of them.

They are quite useful, so I have tried to build a complete list. A single-instruction nul eater has the byte pattern 00 XX 00: the 00 that the Unicode conversion appended to the previous byte, the byte XX you control, and the 00 appended to XX, all consumed as one instruction. XX ranges from 0x01 to 0x7F inclusive, because only bytes in the ASCII range come out of the ANSI-to-UTF-16 conversion as XX 00; bytes of 0x80 and above are mapped to other code points and do not produce the pattern.
I did the following:

$ mkdir nuleaters && cd nuleaters    # the second loop deletes files, so work in an empty directory
$ for i in {1..127}; do printf "\x00\x$(printf '%02x' "$i")\x00" | ndisasm -b 32 - > "$(printf '%02x.s' "$i")"; done
$ for file in *.s; do [ "$(wc -l < "$file")" -eq 1 ] || rm -f "$file"; done

Now the only files left in the directory are the ones holding a single instruction of the required format (a two-byte form leaves a stray 00 on a second disassembly line, a longer form leaves db lines). All of them are ADD r/m8,r8 with a memory destination, so the register in the operand (2*eax for the [eax+eax] forms) must point to writable memory when the instruction runs, or the write faults. These are the instructions, with ndisasm's offset column removed:

000400            add [eax+eax],al
000C00            add [eax+eax],cl
001400            add [eax+eax],dl
001C00            add [eax+eax],bl
002400            add [eax+eax],ah
002C00            add [eax+eax],ch
003400            add [eax+eax],dh
003C00            add [eax+eax],bh
004000            add [eax+0x0],al
004100            add [ecx+0x0],al
004200            add [edx+0x0],al
004300            add [ebx+0x0],al
004500            add [ebp+0x0],al
004600            add [esi+0x0],al
004700            add [edi+0x0],al
004800            add [eax+0x0],cl
004900            add [ecx+0x0],cl
004A00            add [edx+0x0],cl
004B00            add [ebx+0x0],cl
004D00            add [ebp+0x0],cl
004E00            add [esi+0x0],cl
004F00            add [edi+0x0],cl
005000            add [eax+0x0],dl
005100            add [ecx+0x0],dl
005200            add [edx+0x0],dl
005300            add [ebx+0x0],dl
005500            add [ebp+0x0],dl
005600            add [esi+0x0],dl
005700            add [edi+0x0],dl
005800            add [eax+0x0],bl
005900            add [ecx+0x0],bl
005A00            add [edx+0x0],bl
005B00            add [ebx+0x0],bl
005D00            add [ebp+0x0],bl
005E00            add [esi+0x0],bl
005F00            add [edi+0x0],bl
006000            add [eax+0x0],ah
006100            add [ecx+0x0],ah
006200            add [edx+0x0],ah
006300            add [ebx+0x0],ah
006500            add [ebp+0x0],ah
006600            add [esi+0x0],ah
006700            add [edi+0x0],ah
006800            add [eax+0x0],ch
006900            add [ecx+0x0],ch
006A00            add [edx+0x0],ch
006B00            add [ebx+0x0],ch
006D00            add [ebp+0x0],ch
006E00            add [esi+0x0],ch
006F00            add [edi+0x0],ch
007000            add [eax+0x0],dh
007100            add [ecx+0x0],dh
007200            add [edx+0x0],dh
007300            add [ebx+0x0],dh
007500            add [ebp+0x0],dh
007600            add [esi+0x0],dh
007700            add [edi+0x0],dh
007800            add [eax+0x0],bh
007900            add [ecx+0x0],bh
007A00            add [edx+0x0],bh
007B00            add [ebx+0x0],bh
007D00            add [ebp+0x0],bh
007E00            add [esi+0x0],bh
007F00            add [edi+0x0],bh
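
The same table can be derived from the ModRM encoding rules instead of brute-forcing ndisasm. The Python script below is an added example, not code from this post or from the Corelan tutorial: it rebuilds the table, filters it by which register is known to point at writable memory, and walks a constructed two-instruction payload through the Unicode expansion with and without a nul eater to show why the eater is needed. The function names, the toy decoder (it only knows one-byte push/pop and ADD r/m8,r8) and the sample payload are my own choices.

```python
# Added example: derive the 00 XX 00 nul-eater table from the x86-32 ModRM
# rules and show what the Unicode expansion does to a payload.

REGS8 = ["al", "cl", "dl", "bl", "ah", "ch", "dh", "bh"]
REGS32 = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]


def decode_nul_eater(xx):
    """Decode the byte triple 00 XX 00 as one instruction.

    Opcode 0x00 is ADD r/m8, r8 and XX is its ModRM byte.  The triple is a
    usable nul eater only when the instruction is exactly three bytes long,
    i.e. the trailing 00 is consumed as a SIB byte or as a zero disp8.
    Returns (mnemonic, address_expression) or None.
    """
    mod, reg, rm = xx >> 6, (xx >> 3) & 7, xx & 7
    src = REGS8[reg]
    if mod == 0 and rm == 4:
        # ModRM says "SIB follows"; SIB 0x00 = scale 1, index eax, base eax.
        return f"add [eax+eax],{src}", "eax+eax"
    if mod == 1 and rm != 4:
        # ModRM says "disp8 follows"; disp8 0x00 gives [reg+0x0].
        return f"add [{REGS32[rm]}+0x0],{src}", REGS32[rm]
    # mod 0/rm 5 needs a disp32, mod 1/rm 4 needs SIB+disp8, mod 2 needs a
    # disp32, and mod 3 or the other mod 0 forms are two bytes long and
    # leave the trailing 00 to be merged into the next instruction.
    return None


def nul_eater_table():
    """XX -> (mnemonic, address) for every usable XX in 0x01..0x7F.

    Only ASCII bytes are considered: the ANSI->UTF-16 conversion turns
    0x01..0x7F into XX 00, while 0x80 and above map to other code points.
    """
    table = {}
    for xx in range(0x01, 0x80):
        decoded = decode_nul_eater(xx)
        if decoded is not None:
            table[xx] = decoded
    return table


def safe_nul_eaters(writable):
    """Keep only the eaters whose memory write cannot fault.

    `writable` is the set of address expressions known to point into
    writable memory at that point in the shellcode, e.g. {"ebp"}; include
    "eax+eax" only if 2*eax is known to be writable.
    """
    return {xx: mn for xx, (mn, addr) in nul_eater_table().items()
            if addr in writable}


def unicode_expand(ascii_payload):
    """Simulate the target's conversion: each ASCII byte becomes one
    UTF-16LE code unit, i.e. XX 00."""
    return b"".join(bytes([b, 0x00]) for b in ascii_payload)


def interleave(single_byte_ops, eater):
    """Build the ASCII payload: each one-byte instruction is followed by the
    chosen nul-eater ModRM byte so that every inserted 00 is consumed."""
    out = bytearray()
    for op in single_byte_ops:
        out += bytes([op, eater])
    return bytes(out)


# Toy decoder vocabulary: one-byte push/pop plus the ADD forms above.
ONE_BYTE = {}
for _i, _r in enumerate(REGS32):
    ONE_BYTE[0x50 + _i] = "push " + _r
    ONE_BYTE[0x58 + _i] = "pop " + _r


def walk(stream):
    """Linear-sweep decode of the expanded stream; raises on any byte the
    toy decoder does not know, which is what a desynced stream looks like."""
    out, i = [], 0
    while i < len(stream):
        b = stream[i]
        decoded = decode_nul_eater(stream[i + 1]) if b == 0 and i + 2 < len(stream) else None
        if b in ONE_BYTE:
            out.append(ONE_BYTE[b])
            i += 1
        elif decoded is not None and stream[i + 2] == 0:
            out.append(decoded[0])
            i += 3
        else:
            raise ValueError(f"cannot decode at offset {i}: {b:02x}")
    return out


if __name__ == "__main__":
    for xx, (mn, _) in sorted(nul_eater_table().items()):
        print(f"00{xx:02X}00  {mn}")
    # Constructed payload: push eax (0x50), pop ebx (0x5B), eater 0x6D.
    print(walk(unicode_expand(interleave([0x50, 0x5B], 0x6D))))
    print(walk(unicode_expand(bytes([0x50, 0x5B]))))  # no eater: pop is lost
```

Without the eater, the stream 50 00 5B 00 decodes as push eax followed by add [ebx+0x0],bl: the 00 inserted after push swallows the pop ebx opcode as its ModRM byte, which is exactly the desync the nul eaters prevent.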

I hope these are useful.
