Reanimating the Exploit

Opinions of hackers who have tried to use this exploit vary from "works, but not very well" to "doesn't work at all." Thus, the hacker must spend some time and effort to make it work efficiently.

It is important to note that the source code of this exploit has been widely replicated on the Internet and its copies can be downloaded from many locations. However, these copies contain "improvements" that have irreversibly ruined it. First, the code in these copies is presented in ASCII encoding, in contrast to the original, which used Unicode (compare Fig. 7.3 and Fig. 7.4). Second, the 0D0D0D0Dh characters located in the tail of the string that provokes the overflow are in these copies replaced by devil knows what. Finally, "extra" <CR> characters in the overflowing strings and in the shellcode string cannot be tolerated. However, in the replicas of this exploit the situation is exactly as I have described.

Figure 7.3: A fragment of the original exploit: all strings are Unicode strings, and the 0D0D0D0Dh code is at the end

Figure 7.4: The same fragment after replication: all strings are ASCII strings, and the 0D0D0D0Dh code has been replaced by 3F3Fh

Thus, a clever hacker will always use only the original BoF PoC exploit. Skillful hackers may even improve it slightly. For instance, they will certainly balance the code: if the distance between the first executed command of the NOP-slide block and the beginning of the shellcode is not a multiple of five (because the OR EAX, 0D0D0D0Dh instruction is exactly 5 bytes long), the processor will borrow bytes from the shellcode as the operand of the last OR instruction, which would inevitably crash it. This problem can be solved by creating a buffer zone of four NOP (90h) commands at the beginning of the shellcode.
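The alignment problem above can be checked mechanically. The following Python model is an added illustration, not code from the book: it treats a run of 0Dh bytes as back-to-back 5-byte OR EAX, 0D0D0D0Dh instructions (opcode 0Dh followed by a 4-byte immediate), walks the decoder from an arbitrary entry offset into the slide, and reports how many shellcode bytes get swallowed into the operand of the last OR. The slide length, entry offsets and the CCh bytes standing in for the shellcode are constructed values; the toy decoder only knows the two opcodes the text mentions. It generalizes the text's observation by scanning every possible entry offset and deriving the smallest NOP guard that absorbs all of them.

```python
# Added example (not from the book): model the 0Dh NOP slide and the 4-NOP guard.

OR_EAX_IMM32 = 0x0D   # opcode of OR EAX, imm32; the 4-byte immediate follows (5 bytes total)
NOP = 0x90            # 1-byte NOP
SHELLCODE_MARK = 0xCC # constructed stand-in for the first shellcode bytes


def decode_len(buf, pos):
    """Length of the instruction at buf[pos] for the two opcodes this toy decoder knows.
    Anything else is treated as the start of the shellcode (length 0 = stop)."""
    if buf[pos] == OR_EAX_IMM32:
        return 5
    if buf[pos] == NOP:
        return 1
    return 0


def build_buffer(slide_len, guard_nops):
    """Constructed layout: [0Dh slide][guard NOPs][shellcode marker bytes]."""
    return (bytes([OR_EAX_IMM32]) * slide_len
            + bytes([NOP]) * guard_nops
            + bytes([SHELLCODE_MARK]) * 8)


def bytes_swallowed(slide_len, entry, guard_nops=0):
    """Simulate execution starting at offset `entry` inside the slide.

    Returns the number of shellcode bytes consumed as operand of the last
    OR EAX instruction before control reaches an instruction boundary.
    0 means the shellcode is entered cleanly at its first byte."""
    buf = build_buffer(slide_len, guard_nops)
    shellcode_start = slide_len + guard_nops
    pos = entry
    while pos < shellcode_start:
        step = decode_len(buf, pos)
        if step == 0:
            break
        pos += step
    return max(0, pos - shellcode_start)


def worst_case_swallowed(slide_len, guard_nops=0):
    """Worst case over every entry offset into the slide."""
    return max(bytes_swallowed(slide_len, e, guard_nops) for e in range(slide_len))


def min_guard(slide_len, max_guard=16):
    """Smallest NOP guard after which no entry offset damages the shellcode."""
    for g in range(max_guard + 1):
        if worst_case_swallowed(slide_len, g) == 0:
            return g
    raise ValueError("no guard up to %d NOPs is sufficient" % max_guard)


if __name__ == "__main__":
    slide = 10  # constructed slide length (a multiple of 5)
    for entry in range(5):
        print("entry %d: swallows %d byte(s) without guard, %d with 4 NOPs"
              % (entry, bytes_swallowed(slide, entry),
                 bytes_swallowed(slide, entry, guard_nops=4)))
    print("minimum guard:", min_guard(slide))
```

Entering the slide at an offset that is a multiple of 5 lands cleanly; any other offset eats one to four bytes of shellcode, and four NOPs are exactly the largest amount a 5-byte instruction can overrun by, which is why the text's four-NOP buffer zone suffices regardless of where in the slide execution starts.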



Shellcoder's Programming Uncovered
ISBN: 193176946X
Year: 2003
Pages: 164