Re: NOD32 Antivirus Long Path Name Stack Overflow Vulnerabilities

[Ismael Briones <ismak@xxxxxxxxxxx>]

You could use in your shellcode any character allowed as a directory 
character in Windows. The path name will be then converted to Unicode by 
Nod32 process.
So you have to deal with this too. I used Alpha2 
(http://www.edup.tudelft.nl/~bjwever/documentation_alpha2.html.php from 
Berend-Jan Wever) to encode an alphanumeric shellcode that will be then 
converted to Unicode:

"*
--unicode*
Make shellcode unicode-proof. This means it will only work when it gets 
converted to unicode (inserting a '0' after each byte) before it gets 
executed.
"



v9@xxxxxxxxxxx wrote:
> > Although the vulnerabilities are hard to exploit, > it's not impossible.
> > There are some restrictions to bypass:
> >
> > - The path name is formated in Unicode, so we have to find an opcode in an 
> > address with an unicode format
> > - The shellcode has to be in the path name so we have to use an Alphanumeric 
> > shellcode
> >     
>
> What's to stop someone from encoding the path(shellcode) in unicode(using both 
> bytes of unicode/no null bytes)? Also, is there a special situation why it has 
> to be strictly alphanumeric? Because, in general this is not the case.
>
> I've worked with these guidelines myself in the 
> past(http://fakehalo.us/xfinder-ds.pl), and I see no specific issue with doing 
> similar for this, unless information to the contrary isn't included.
>