Knowledge is not an object, it’s a flow
Save the environment - don’t print this document !
If you want to show your respect for my work - donate : http://www.corelan.be:8800/index.php/donate/
http://www.corelan.be:8800 - Page 1 / 19
Peter Van Eeckhoutte's Blog
:: [Knowledge is not an object, it's a flow] ::
Exploit writing tutorial part 7 : Unicode – from 0x00410041 to calc
Peter Van Eeckhoutte · Friday, November 6th, 2009
Finally … after spending a couple of weeks working on unicode and unicode exploits, I'm glad and happy to be able to release this next article in my basic exploit writing series: writing exploits for stack based unicode buffer overflows (wow – that's a mouthful).
You may (or may not) have encountered a situation where you've performed a stack buffer overflow, overwriting either a RET address or a SEH record, but instead of seeing 0x41414141 in EIP, you got 0x00410041.
Sometimes, when data is used in a function, some manipulation is applied to it first: data may be converted to uppercase, to lowercase, etc… In some situations the data gets converted to unicode. When you see 0x00410041 in EIP, in a lot of cases this probably means that your payload had been converted to unicode before it was put on the stack: every byte of your input was expanded to two bytes (the original byte followed by 0x00), so the four 'A's that should have produced 0x41414141 now produce 0x00410041.
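To make the symptom described above concrete, here is an added example (not code from the original tutorial) that models the ANSI-to-unicode expansion and shows what lands in EIP with and without it; the payload, the return-address offset and the helper names are constructed for illustration.

```python
import struct

def ansi_to_unicode(data: bytes) -> bytes:
    """Mimic the conversion the tutorial describes: each byte of the ANSI
    input becomes the byte followed by 0x00 (UTF-16LE), so the buffer that
    reaches the stack is twice as long as what was sent."""
    return data.decode("latin-1").encode("utf-16-le")

def eip_after_overwrite(payload: bytes, stack_offset: int, converted: bool) -> int:
    """Return the 32-bit value that ends up in EIP when the saved return
    address sits stack_offset bytes into the buffer as written on the stack.
    When converted is True the payload is unicode-expanded first."""
    on_stack = ansi_to_unicode(payload) if converted else payload
    return struct.unpack_from("<I", on_stack, stack_offset)[0]

def is_unicode_pattern(eip: int) -> bool:
    """Heuristic check for the symptom: a DWORD whose odd bytes are all zero
    (e.g. 0x00410041) is what an ASCII pattern looks like after expansion."""
    return (eip & 0xFF00FF00) == 0

def recover_ascii(eip: int) -> bytes:
    """Pull the two original ASCII bytes out of an expanded DWORD
    (0x00430042 -> b'BC') so the overwrite can be matched against the
    bytes that were actually sent."""
    return bytes([eip & 0xFF, (eip >> 16) & 0xFF])

def payload_offset(stack_offset: int) -> int:
    """After expansion every sent byte occupies two stack bytes, so the
    position inside the sent payload is half the stack offset."""
    return stack_offset // 2

def main():
    payload = b"A" * 20 + b"BCDE" + b"F" * 8      # constructed sample buffer
    ret = 20                                      # constructed RET offset (stack bytes)
    plain = eip_after_overwrite(payload, ret, converted=False)
    expanded = eip_after_overwrite(payload, ret * 2, converted=True)
    print(f"no conversion : EIP = {plain:#010x}")          # 0x45444342
    print(f"unicode path  : EIP = {expanded:#010x}")       # 0x00430042
    if is_unicode_pattern(expanded):
        print("odd bytes are zero -> payload was unicode-expanded;",
              "sent bytes", recover_ascii(expanded),
              "at payload offset", payload_offset(ret * 2))

if __name__ == "__main__":
    main()
```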
For a long time, people assumed that this type of overwrite could not be exploited. It could lead to a DoS, but not to code execution.
In 2002, Chris Anley wrote a paper showing that this statement is false. The term "Venetian Shellcode" was born.
In Jan 2003, a Phrack article was written by obscou, demonstrating a technique to turn this knowledge into working shellcode, and about one month later, Dave Aitel released a script to automate this process.
In 2004, FX demonstrated a new script that would optimize this technique even further.
Finally, a little while later, SkyLined released his famous alpha2 encoder to the public, which allows you to build unicode-compatible shellcode too. We'll talk about these techniques and tools later on.
This is 2009 – here’s my tutorial. It does not contain