Dailydave mailing list archives

RE: Shellcode

From: "Dafydd Stuttard" <daf () ngssoftware com>
Date: Wed, 30 Nov 2005 09:57:41 -0000

I recently wrote a short paper called "Writing Small Shellcode", which
includes a short hashing algorithm which produces one-byte non-colliding
hashes for the eight functions (in kernel32.dll & ws2_32.dll) required to
implement a bindshell:

http://www.ngssoftware.com/papers/WritingSmallShellcode.pdf

Although the example is specific to those functions, it is easy to find
suitable algorithms programmatically, by dynamically building candidate
algorithms using a list of suitable x86 instructions (xor, add, rol, etc),
and testing each algorithm to identify collisions. Notice that if you
iterate through a library's exported functions in a defined sequence then
you can tolerate collisions provided that the correct function is the first
match in each case.

I also considered 4-bit hashes, but I'd be surprised if these are efficient:
the overhead required to unpack the hash block into usable form would
presumably outweigh the reduction in its size.

Cheers
Daf

-----Original Message-----
From: Dave Aitel [mailto:dave () immunitysec com]
Sent: 30 November 2005 02:55
To: Isaac Dawson
Cc: dailydave () lists immunitysec com
Subject: Re: [Dailydave] Shellcode

If you choose your hashing algorithm correctly, I bet you can use ONE
byte hashes too. Given N sets of function names S[0] to S[N] is there a
hash function H that for all sets in S can differentiate between them
into an 8 bit space and can also differentiate between module names
M[0]-M[N]? What about 4 bits? :> Then you get to minimize the size of
the hash that can do that. . .

Surely there's a Phrack article here somewhere. :>

-dave

Isaac Dawson wrote:

Hi Pedro,
You may be better off creating a hash table of function names and
inserting hashing code into your shellcode. That is of course if you
are looking up a lot of strings/function addresses etc. Although it
may not be the best solution I find it really easy to read and look at
to create string/hash section in your shellcode (I put mine at the
bottom of the code). So we have something like:
startup:
  call fwd
  inc ebx
  inc ebx ; now we have the exact address to the __emit junk.
  mov [ebp+someoffset], ebx ; store our address on the stack so we can
work with it easier

fwd:
call get_data_offset

get_data_offset:
  pop ebx ; this gives our current location due to popping the last
return address from the stack
  ret
  __emit(your stuff)
  __emit(some more of your stuff)

Look around the net for hashing algorithms there are plenty out there.
(Some better than others!).
Or just create your own its not too hard and you can get it really
small, 2 bytes is better than 4 :).
Hope this helps,
-Isaac

On 11/30/05, *Alexander Sotirov* <asotirov () determina com
<mailto:asotirov () determina com>> wrote:

    Pedro E wrote:

    > LibraryReturn:
    >       pop ecx                         ;get the library string
    >       mov [ecx + 10], dl              ;MY PROBLEM is this line I
    don't
    > have the right permissions to modify the NULL value and finish
    the string
    >       mov ebx, 0x79470221             ;LoadLibraryA(libraryname);
    >       push ecx                        ;beginning of user32.dll
    >       call ebx                        ;eax will hold the module
    handle
    >       jmp short FunctionName
    > xxx
    > ..
    > ..
    > GetLibrary:
    >       call LibraryReturn
    >       db 'user32.dllN'

    Just put the string on the stack:

    push 0x5f5f6c6c              ; 'll__'
    push 0x642e3233            ; '32.d'
    push 0x72657375            ; 'user'
    call LibraryReturn

    LibraryReturn:
        lea ecx, [esp+4]            ; esp+4 points to the string
    "user32.dllXX"
        mov [ecx + 10], dl        ; the string is on the stack, so you

can

    write the null terminator


    or even better:

    xor eax, eax
    mov ax, 6c6c
    push eax                          ; 'll\0\0'
    push 0x642e3233            ; '32.d'
    push 0x72657375            ; 'user'
    call LibraryReturn



    Alex

Current thread:

Shellcode Pedro E (Nov 29)
- RE: Shellcode Dave Korn (Nov 29)
  - RE: Shellcode Dave Korn (Nov 29)
- Re: Shellcode Alexander Sotirov (Nov 29)
  - Re: Shellcode Isaac Dawson (Nov 29)
    - Re: Shellcode Dave Aitel (Nov 29)
    - Re: Shellcode H D Moore (Nov 29)
    - Re: Shellcode halvar (Nov 30)
    - RE: Shellcode Dafydd Stuttard (Nov 30)
    - Re: Shellcode halvar (Nov 30)
    - Re: HOLY GOD WE ARE SO OLD Matt Hargett (Nov 30)
    - Re: Shellcode halvar (Nov 30)
    - Re: Shellcode Dustin D. Trammell (Nov 30)
    - RE: Shellcode Dave Korn (Nov 30)
- <Possible follow-ups>
- Fwd: RE: Shellcode H D Moore (Nov 30)