Metasploit mailing list archives
Exploiting non-English Windows
From: mmiller at hick.org (mmiller at hick.org)
Date: Thu, 7 Feb 2008 10:24:20 -0800
On Thu, Feb 07, 2008 at 03:47:07PM +0900, . wrote:
> May I ask what is the current status on exploiting Windows programs with different locales?

Most exploits don't support non-english locales, but we definitely accept patches.

> I think it would be great if the framework had capabilities such as remote language fingerprinting, or at least being able to specify the right opcodes for different locales during exploitation. I know that Mr. Jerome Athias has been working on creating a database of opcodes for different locales. Does anyone know the progress of this and if it is going to be incorporated into MSF?

Off and on over the past few years we have discussed the idea of having a feature ("return address pooling") that allows you to dynamically query the opcode database for a suitable address given information such as type of opcode required, locale, bad character restrictions, and so on. While this would definitely be a cool feature, there are some problems with integrating it cleanly. We would need to have some way to easily convey this information within an exploit and from a user. We would also need to know what DLLs have been loaded into the address space of the application being attacked (or at least a subset of them). To summarize, we would need to provide the following information to the framework in some form:

Exploit would need to provide:

- Bad characters (already provided)
- Opcode required (e.g. 'esp => eip')
- DLLs loaded into target application

User would need to provide:

- Locale (we would default to english)
- OS version (including service pack for best results)

There's the possibility of including some nice integration with the aux modules to figure out the latter (as you mentioned), but that does not exist as of yet. At any rate, we're definitely open to ideas on this feature. Another pre-req is that we would need to get the opcode database up to speed in terms of hotfixes for XP and 2003 Server.

What do other folks think about this feature? Note that it would make metasploit dependent on being able to talk to the opcode database over the network in order for an exploit to function, which may be less than desirable (although we could include default targets).
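To make the "return address pooling" selection concrete, here is an added Ruby sketch of the lookup the message describes: the exploit supplies the opcode type, bad characters and loaded DLLs, the user supplies OS, service pack and locale, and the pool answers with an address whose little-endian encoding avoids the bad bytes. This is example code written for this page, not Metasploit code and not the real opcode database; OPCODE_DB, its addresses and the function names are constructed placeholders (the addresses are not real offsets in any Windows build).

```ruby
require 'set'

# Constructed sample rows standing in for the opcode database. Each row is
# keyed by the information the message lists: opcode type, OS, service pack,
# locale and the DLL that contains the instruction. Addresses are invented.
OPCODE_DB = [
  { opcode: 'jmp esp',  os: 'XP', sp: 2, locale: 'en', dll: 'user32.dll',   addr: 0x7e0a1234 },
  { opcode: 'jmp esp',  os: 'XP', sp: 2, locale: 'en', dll: 'kernel32.dll', addr: 0x7c810102 },
  { opcode: 'jmp esp',  os: 'XP', sp: 2, locale: 'ja', dll: 'user32.dll',   addr: 0x7e0b4321 },
  { opcode: 'jmp esp',  os: 'XP', sp: 2, locale: 'ja', dll: 'kernel32.dll', addr: 0x7c820304 },
  { opcode: 'call esp', os: 'XP', sp: 2, locale: 'ja', dll: 'kernel32.dll', addr: 0x7c830506 },
].freeze

# Encode the address exactly as it will land in the overflow buffer
# (32-bit little-endian), because that is the form the bad-character
# restriction applies to.
def pack_return_address(addr)
  [addr].pack('V')
end

# True if any byte of the packed address is in the bad-character set.
def contains_badchars?(addr, badchars)
  bad = badchars.is_a?(String) ? badchars.bytes.to_set : badchars.to_set
  pack_return_address(addr).bytes.any? { |b| bad.include?(b) }
end

# Select a usable row from the pool, or nil when nothing fits. The DLL
# match is case-insensitive because module names are reported in mixed
# case by different tools; the locale is a hypothetical two-letter tag.
def find_return_address(db, opcode:, os:, sp:, locale:, loaded_dlls:, badchars:)
  dlls = loaded_dlls.map(&:downcase).to_set
  db.select do |r|
    r[:opcode] == opcode && r[:os] == os && r[:sp] == sp &&
      r[:locale] == locale && dlls.include?(r[:dll].downcase)
  end.reject { |r| contains_badchars?(r[:addr], badchars) }.first
end

if __FILE__ == $0
  query = { opcode: 'jmp esp', os: 'XP', sp: 2,
            loaded_dlls: %w[user32.dll KERNEL32.dll], badchars: "\x00\x0a\x0d" }
  %w[en ja de].each do |loc|
    row = find_return_address(OPCODE_DB, locale: loc, **query)
    if row
      printf("%s: %s in %s -> 0x%08x\n", loc, row[:opcode], row[:dll], row[:addr])
    else
      puts "#{loc}: no suitable address in pool (fall back to a default target)"
    end
  end
end
```

Two things the sketch makes visible that the prose only implies: the English user32 candidate is rejected purely because its encoding contains 0x0a, so the choice falls through to kernel32, and an unsupported locale yields nil, which is the point where a framework would have to fall back to a static target rather than fail the exploit.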
Current thread:
- Exploiting non-English Windows . (Feb 06)
- Exploiting non-English Windows bambam (Feb 07)
- Exploiting non-English Windows Leo Jackson (Feb 08)
- Exploiting non-English Windows mmiller at hick.org (Feb 07)
- Exploiting non-English Windows . (Feb 07)
- Exploiting non-English Windows bambam (Feb 07)