Penetration Testing mailing list archives
RE: pen testing & obfuscated shell code (more neat stuff)
From: Omar Herrera <oherrera () prodigy net mx>
Date: Sat, 14 Feb 2004 18:12:24 -0600
-----Original Message-----
From: Karsten Johansson [mailto:ksaj () penetrationtest com]
...
Using capital letters is dangerous because the first bunch are INC and DEC's, which may affect the shellcode. The latter capitals are PUSH and POPs, which will surely mess up the stack... this may or may not matter some of the time, but I'm sure it would be unpredictably buggy at best.
How 'leet is a buggy hack? (I've always been amused by the fact that viruses and worms seem to be better debugged than most other software out in the wild)
Well, if you execute an injected shellcode in a program you are already messing up many things, so you shouldn't worry so much. Actually, your shellcode is going to initialize many of the registers (you just can't rely on the original values left by the program anyway), so INC and DEC are ok. Push and pop might mess up the stack, but it is also not a big deal: your shellcode will push to whatever is pointed to by the stack pointer and pop the same. You could try to balance pushes and pops so that you end at the same stack pointer +-1 (depending where you land in the sled), but I'm not sure if that would be of much help.
But there *is* a good ASCII range: abcdefghijklmno; they don't map to anything. Don't use p or beyond since they map to opcodes again.
Actually this range does map to opcodes (see Intel Architecture Software Developer's Manual, Volume 2: Instruction Set Reference, Appendix A; you can find a copy here: http://developer.intel.com/design/pentium/manuals/24319101.pdf). If you disassemble your ASCII sled it will give you something like:

C:\SEGURIDAD\NASM-98-win>ndisasmw.exe reg.asm
00000000 61                popa
00000001 626364            bound sp,[bp+di+0x64]
00000004 65666768696A6B6C  gs a32 push dword 0x6c6b6a69
0000000C 6D                insw
0000000D 6E                outsb
0000000E 6F                outsw

(this was done with ndisasmw, included with nasm) and from the reference above we have:

letter  opcode
a       popa
b       bound
c       arpl
d       seg=fs
e       seg=gs
f       "Operand size"
g       "Address size"
h       push
i       imul
j       push
k       imul
l       insb
m       insw
n       outsb
o       outsw

So, it seems that your sled actually did a push, and no harm was done :-)

Jon Erickson actually has examples of ASCII-printable shellcode in his book "Hacking, The Art of Exploitation" and he makes use of INC, DEC, PUSH and POP a lot (might be worth checking).

Regards,
Omar Herrera
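The listing above was produced in ndisasm's default 16-bit mode (visible in the sp,[bp+di+0x64] operand), and the 66/67 prefixes flip the default sizes the other way round in a 32-bit process, so the same fifteen bytes split into different instructions there. The following is an added example, not code from this thread: a small Python length decoder covering only the 'a'..'o' opcodes from the table, using the Intel Appendix A mnemonics quoted in the mail, so that a captured run of these bytes can be checked in either code size.

```python
# Added example (not code from the thread): a length decoder for the fifteen printable
# bytes 0x61-0x6F ('a'-'o'), using the Intel Appendix A mnemonics quoted in the mail.
# `mode` is the code size the bytes run in: 16 reproduces ndisasm's default 16-bit
# decode shown above, 32 is what a 32-bit process would actually execute.
MNEMONIC = {0x61: "popa", 0x62: "bound", 0x63: "arpl", 0x68: "push", 0x69: "imul",
            0x6A: "push", 0x6B: "imul", 0x6C: "insb", 0x6D: "insw", 0x6E: "outsb",
            0x6F: "outsw"}
PREFIXES = {0x64: "fs", 0x65: "gs", 0x66: "opsize", 0x67: "addrsize"}

def modrm_len(data, pos, addr32):
    """Bytes used by the ModRM byte at `pos` plus any SIB/displacement it implies."""
    mod, rm = data[pos] >> 6, data[pos] & 7
    if mod == 3:                              # register operand, no displacement
        return 1
    if not addr32:                            # 16-bit addressing never has a SIB byte
        return 1 + (2 if (mod == 0 and rm == 6) else (0, 1, 2)[mod])
    n = 2 if rm == 4 else 1                   # rm == 100 means a SIB byte follows
    if mod == 0:
        if rm == 5 or (rm == 4 and (data[pos + 1] & 7) == 5):
            n += 4                            # disp32 with no base register
    else:
        n += 1 if mod == 1 else 4             # disp8 / disp32
    return n

def decode(data, mode=16):
    """Return (offset, length, mnemonic, prefixes) for every instruction in `data`."""
    out, pos = [], 0
    while pos < len(data):
        start, prefixes, op32, addr32 = pos, [], mode == 32, mode == 32
        while pos < len(data) and data[pos] in PREFIXES:   # 66/67 toggle the defaults
            prefixes.append(PREFIXES[data[pos]])
            op32 ^= data[pos] == 0x66
            addr32 ^= data[pos] == 0x67
            pos += 1
        if pos >= len(data) or data[pos] not in MNEMONIC:
            raise ValueError(f"no decodable opcode at offset {pos}")
        op, pos = data[pos], pos + 1
        if op in (0x62, 0x63, 0x69, 0x6B):       # bound, arpl, imul: ModRM operand
            if pos >= len(data):
                raise ValueError(f"truncated instruction at offset {start}")
            pos += modrm_len(data, pos, addr32)
        if op in (0x68, 0x69):                   # immediate of operand size
            pos += 4 if op32 else 2
        elif op in (0x6A, 0x6B):                 # imm8
            pos += 1
        if pos > len(data):
            raise ValueError(f"truncated instruction at offset {start}")
        out.append((start, pos - start, MNEMONIC[op], prefixes))
    return out
```

With mode=32 the same bytes decode as popa, bound, a 16-bit push and a trailing imul that consumes the last five bytes, which is why the decoder takes the code size as a parameter rather than assuming ndisasm's default.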
Current thread:
- Re: pen testing & obfuscated shell code (more neat stuff) Karsten Johansson (Feb 13)
- Re: pen testing & obfuscated shell code (more neat stuff) Steve Kemp (Feb 16)
- RE: pen testing & obfuscated shell code (more neat stuff) Omar Herrera (Feb 16)
- <Possible follow-ups>
- Re: pen testing & obfuscated shell code (more neat stuff) Karsten Johansson (Feb 17)
- Re: pen testing & obfuscated shell code (more neat stuff) Angelo Dell'Aera (Feb 17)