Metasploit mailing list archives

Exploiting non-English Windows


From: mmiller at hick.org (mmiller at hick.org)
Date: Thu, 7 Feb 2008 10:24:20 -0800

On Thu, Feb 07, 2008 at 03:47:07PM +0900, . wrote:
> May I ask what is the current status on exploiting Windows programs with
> different locales?

Most exploits don't support non-English locales, but we definitely
accept patches.

> I think it would be great if the framework had capabilities such as remote
> language fingerprinting,
> or at least being able to specify the right opcodes for different locales
> during exploitation.

> I know that Mr. Jerome Athias has been working on creating a database of
> opcodes for different locales.
> Does anyone know the progress of this and if it is going to be incorporated
> into MSF?

Off and on over the past few years we have discussed the idea of having
a feature ("return address pooling") that allows you to dynamically
query the opcode database for a suitable address given information such
as type of opcode required, locale, bad character restrictions, and so
on.  While this would definitely be a cool feature, there are some
problems with integrating it cleanly.  We would need to have some way to
easily convey this information within an exploit and from a user.  We would
also need to know what DLLs have been loaded into the address space of
the application being attacked (or at least a subset of them).  To
summarize, we would need to provide the following information to the
framework in some form:

Exploit would need to provide:

  - Bad characters (already provided)
  - Opcode required (e.g. 'esp => eip')
  - DLLs loaded into target application

User would need to provide:

  - Locale (we would default to english)
  - OS version (including service pack for best results)

There's the possibility of including some nice integration with the aux
modules to figure out the latter (as you mentioned), but that does not
exist as of yet.

At any rate, we're definitely open to ideas on this feature.  Another
pre-req is that we would need to get the opcode database up to speed in
terms of hotfixes for XP and 2003 Server.

What do other folks think about this feature?  Note that it would make
metasploit dependent on being able to talk to the opcode database over
the network in order for an exploit to function which may be less than
desirable (although we could include default targets).
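To make the "return address pooling" query described in the message concrete, here is an added example (not code from the thread or from the Metasploit Framework) that models the lookup: the exploit supplies the opcode type, its bad characters and the DLLs it knows are loaded; the user supplies locale and OS version; the catalogue is filtered on all of those, and any candidate whose little-endian encoding contains a bad character is dropped. The catalogue entries, module names and addresses below are constructed placeholders, not real opcode-database records.

```python
from dataclasses import dataclass
from typing import Iterable, List, Optional


@dataclass(frozen=True)
class OpcodeEntry:
    """One catalogue row: where a given opcode sequence lives in a given build."""
    address: int        # virtual address of the opcode in the loaded module
    opcode: str         # opcode class, e.g. 'esp => eip' (jmp esp / push esp; ret)
    dll: str            # module that contains it
    locale: str         # language build of that module
    os_version: str     # OS version / service pack the module shipped with


# Constructed sample catalogue (assumption: made-up modules and addresses).
# The same module carries different addresses per locale because localized
# builds are distinct binaries, which is why 'en' opcodes miss on 'ja' hosts.
SAMPLE_DB: List[OpcodeEntry] = [
    OpcodeEntry(0x11223344, "esp => eip", "libA.dll", "en", "XP SP2"),
    OpcodeEntry(0x11224400, "esp => eip", "libA.dll", "en", "XP SP2"),
    OpcodeEntry(0x22334455, "esp => eip", "libA.dll", "ja", "XP SP2"),
    OpcodeEntry(0x33445566, "esp => eip", "libB.dll", "ja", "XP SP2"),
    OpcodeEntry(0x44556677, "eax => eip", "libB.dll", "ja", "XP SP2"),
]


def contains_bad_chars(address: int, bad_chars: bytes) -> bool:
    """True if the 32-bit little-endian encoding of address hits a bad byte."""
    return any(b in bad_chars for b in address.to_bytes(4, "little"))


def pool_addresses(
    db: Iterable[OpcodeEntry],
    opcode: str,                       # exploit-provided: opcode required
    loaded_dlls: Iterable[str],        # exploit-provided: modules in the target
    locale: str = "en",                # user-provided: defaults to English
    os_version: Optional[str] = None,  # user-provided: None means 'any'
    bad_chars: bytes = b"",            # exploit-provided: bytes that cannot appear
) -> List[int]:
    """Return every catalogue address satisfying all constraints, in DB order."""
    loaded = {name.lower() for name in loaded_dlls}
    return [
        entry.address
        for entry in db
        if entry.opcode == opcode
        and entry.dll.lower() in loaded
        and entry.locale == locale
        and (os_version is None or entry.os_version == os_version)
        and not contains_bad_chars(entry.address, bad_chars)
    ]


if __name__ == "__main__":
    # English default with NUL as a bad character: 0x11224400 encodes as
    # 00 44 22 11 and is rejected, leaving a single candidate.
    print([hex(a) for a in pool_addresses(SAMPLE_DB, "esp => eip", ["libA.dll"], bad_chars=b"\x00")])
    # Same query against a Japanese build returns a different address entirely.
    print([hex(a) for a in pool_addresses(SAMPLE_DB, "esp => eip", ["libA.dll"], locale="ja")])
```

The filter is deliberately a pure function over an in-memory list so the design trade-off the message raises is visible: everything the query needs must arrive either from the module (opcode, bad characters, loaded DLLs) or from the user (locale, OS version), and a module that cannot name its loaded DLLs gets an empty pool rather than a wrong address. Swapping `SAMPLE_DB` for a network-backed source is exactly the dependency the message flags as undesirable, which is why shipping a small default catalogue alongside the module is the usual compromise.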


