Easy 'Ping' payload query !

Just something that's keeping me awake at nights... !

I know the default 'Ping' payload is a repeating alphabet sequence .. anybody know why it doesn't include the last 3 characters of the alphabet?! (ie. it repeats just a..w, not a..z) ?

cheers,

Solution: Easy 'Ping' payload query !

Ok, in between a few glasses of white, having disassembled the XP 'Ping.exe' executable, it's possible that this may be due to a bug in the Ping executable itself...

In order to send an ICMP Echo request, Ping.exe constructs a data structure containing the payload of (by default) 32 bytes and then calls the IcmpSendEcho2 function within iphlpapi.dll which does the actual work of sending that data.

However, the actual code within Ping.exe (shown below) that constructs the data to send appears to be incorrect:

jaf:
33D2                 XOR EDX,EDX
6A 17                PUSH 17                          <--- ?   Surely 1A?
8BC1                 MOV EAX,ECX
5E                   POP ESI
F7F6                 DIV ESI
8B85 18FBFFFF        MOV EAX,DWORD PTR SS:[EBP-4E8]
80C2 61              ADD DL,61
881408               MOV BYTE PTR DS:[EAX+ECX],DL
41                   INC ECX
3BCF                 CMP ECX,EDI
72 E6                JB SHORT jaf

The offending line is the 'PUSH 17', which causes 23 (decimal) characters to be generated before beginning at 'a' again in the data structure area. Character 23 just happens to be 'w' !

Altering said instruction to 'PUSH 1A' (decimal 26) allows Ping to function as (I believe) it was originally intended by the programmer.. consequently generating the correct sequence of characters and (in a default Ping) sending 'abcdefghijklmnopqrstuvwxyzabcdef' rather than 'abcdefghijklmnopqrstuvwabcdefghi'  !

Altering the executable is straightforward once Windows File Protection is out of the way.. use a Hex editor (or the poor man's version, Debug.exe) and search for the bytes 33 D2 6A 17 in the code - alter the 17 to 1A and save - job done.  Ping - well the Microsoft hacked version - now works as originally intended?? (perhaps we'll never know)   It goes without saying that it's not recommended that you start hacking the windows system files so... I'm not going to explain how to bypass WFP, if you can't find out, don't go any further ...

As an aside, during my investigations, I stumbled upon the man himself, the original author of Ping, Mike Muuss, who was unfortunately tragically killed - gives a whole new meaning to the phrase 'smart-ar$3' (in the nicest sense!)

http://ftp.arl.army.mil/~mike/

I'll leave the thread open for a few days, just in case someone with more assembler knowledge than me (ie. most!) can explain the apparent bug or, indeed, shed some light on the actual reasoning behind this..

cheers,
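The loop in the disassembly above reduces to "byte i = 'a' + (i mod N)", where N is the immediate pushed before DIV (0x17 as shipped, 0x1A as the post proposes). The following C is an added illustration, not code from the post or from Ping.exe: it reproduces that loop for either immediate so the two 32-byte strings quoted above can be checked, and adds a small helper (my own addition, not part of Ping) that infers the repeat period of a captured echo data field, which is a handy way of recognising the stock Windows payload in packet captures. The function names and the 26-period upper bound are assumptions of this example.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Mirror of the Ping.exe loop: EDX = i mod modulus, DL += 'a', store at buf[i].
   modulus 0x17 (23) reproduces the shipped behaviour, 0x1A (26) the proposed fix. */
void build_payload(unsigned char *buf, size_t len, unsigned modulus)
{
    for (size_t i = 0; i < len; i++) {
        buf[i] = (unsigned char)('a' + (i % modulus));
    }
}

/* Convenience wrapper returning the payload as a NUL-terminated string in a
   static buffer (capped at 32 bytes, the default Ping data length). */
const char *payload_string(size_t len, unsigned modulus)
{
    static unsigned char buf[33];
    if (len > 32) len = 32;
    build_payload(buf, len, modulus);
    buf[len] = '\0';
    return (const char *)buf;
}

/* Infer the alphabet period of a captured echo data field: returns the smallest
   p in 1..26 such that data[i] == 'a' + (i mod p) for every byte, or 0 if the
   data does not follow the 'a'-based repeating pattern at all.
   Stock XP Ping yields 23; the patched binary described above yields 26. */
unsigned infer_period(const unsigned char *data, size_t len)
{
    if (len == 0) return 0;
    for (unsigned p = 1; p <= 26; p++) {
        int ok = 1;
        for (size_t i = 0; i < len && ok; i++) {
            if (data[i] != (unsigned char)('a' + (i % p))) ok = 0;
        }
        if (ok) return p;
    }
    return 0;
}

int main(void)
{
    /* Constructed sample: the two default payloads discussed in the post. */
    printf("PUSH 17: %s\n", payload_string(32, 0x17));
    printf("PUSH 1A: %s\n", payload_string(32, 0x1A));
    printf("period of stock payload: %u\n",
           infer_period((const unsigned char *)payload_string(32, 0x17), 32));
    return 0;
}
```

Running it prints the 'a..w' and 'a..z' sequences from the post; infer_period on a payload that is not alphabet-based (e.g. all zero bytes, as some other ping implementations send) returns 0.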