Vulnerability Development mailing list archives
Re: asm shellcode techniques (especially relevant for win32)
From: "Ryan Permeh" <ryan () eEye com>
Date: Wed, 5 Sep 2001 17:47:15 -0700
i've found both places useful, especially when it comes to shoving as much in a buffer as required (often you can shove your code other places, but not always). the original .printer (the portbinding, not the released filewriting one) poc code i used looked like:

[code1][ebp][eip][setupandjumptocode1][code2]

i overflowed eip, hit the setupandjumptocode1, which set up ebp and stack, and jumped back to code1 that did an expansion/xor loop through the rest of the code to set it up, then jumped to code2 when it ended. i had to do it that way simply because most of the available buffer space was at the beginning of the buffer (there was a strlen check, but it still let the overflow through). it was small and sticky, but it worked.

there is no best solution to shellcode. whatever gets the job done reliably is good, small is better in my opinion, but keep your options open. one thing i've noted in experience is that ESP based variable references are tricky to keep sane, especially if you play some tricks using the stack, and although having ebp free to play with is cool, it is often not worth the hassle in most cases. your mileage may vary.

Signed,
Ryan Permeh
eEye Digital Security Team
http://www.eEye.com/Retina -Network Security Scanner
http://www.eEye.com/Iris -Network Traffic Analyzer
http://www.eEye.com/SecureIIS -Stop Known and Unknown IIS Vulnerabilities

----- Original Message -----
From: "RaiSe" <raise () netsearch-ezine com>
To: <vuln-dev () securityfocus com>
Sent: Wednesday, September 05, 2001 10:26 PM
Subject: Re: asm shellcode techniques (especially relevant for win32)
> Generally I prefer to code a proof-of-concept this way (when possible):
> [AAAAAAAAAAAAAA][EBP][EIP][SHELLCODE]
> not this way:
> [SHELLCODE][AAAAA][EBP][EIP]

Yes, but the first code has a problem. Look at this code:

**
#include <stdio.h>
#include <string.h>

int main(int argc, char *argv[])
{
    char buffer[256];
    strcpy(buffer, argv[1]);   /* unbounded copy: this is the overflow being discussed */
    printf("%s", argv[2]);
    return 0;
}
**

If you put the shellcode after [EIP], you will overwrite argc and argv, so printf will make a segv fault. I think that it is better to put shellcode before [EBP] and [EIP] when it is possible.

==============-----------------------------==============
RaiSe
UNDERSEC Security Team / http://www.undersec.com
NetSearch Ezine Staff / http://www.netsearch-ezine.com
ysfk>2{5~~2s~eska2~}dw2k}g<<< XOR 18
==============-----------------------------==============
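The snippet RaiSe quotes overflows because strcpy() never looks at the size of the 256-byte stack buffer, so a long argv[1] runs over the saved EBP, the return address and then main's own argc/argv, which is why the later printf(argv[2]) faults. As an added example (not code from the thread), here is the same program shape with the copy bounded; bounded_copy and handle_args are names chosen for this example.

```c
/* Added example: a bounded replacement for the strcpy() in the quoted
 * snippet.  The copy is refused, and the buffer left untouched, when the
 * input would not fit together with its terminating NUL. */
#include <stdio.h>
#include <string.h>

#define BUF_SZ 256

/* Copy src into dst[dst_sz] only if it fits, terminator included.
 * Returns 0 on success, -1 if the input would overflow (dst untouched).
 * The length scan is capped at dst_sz so an unterminated src is never
 * read past the point where it is already known to be too long. */
int bounded_copy(char *dst, size_t dst_sz, const char *src)
{
    size_t n = 0;
    while (n < dst_sz && src[n] != '\0')
        n++;
    if (n >= dst_sz)            /* no room for the NUL: reject */
        return -1;
    memcpy(dst, src, n + 1);    /* n + 1 <= dst_sz here */
    return 0;
}

/* Same shape as the quoted program, with the copy checked.
 * Returns 0 on success, 1 if argv[1] was rejected, 2 on too few args. */
int handle_args(int argc, char *argv[])
{
    char buffer[BUF_SZ];

    if (argc < 3)
        return 2;
    if (bounded_copy(buffer, sizeof buffer, argv[1]) != 0) {
        fprintf(stderr, "argument too long (max %d bytes)\n", BUF_SZ - 1);
        return 1;
    }
    /* argc/argv were never overwritten, so this is safe to dereference */
    printf("%s\n", argv[2]);
    return 0;
}

int main(int argc, char *argv[])
{
    return handle_args(argc, argv);
}
```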
Current thread:
- asm shellcode techniques (especially relevant for win32) Franklin DeMatto (Sep 04)
- Re: asm shellcode techniques (especially relevant for win32) Enrique A. Compañ Gzz. (Sep 05)
- Re: asm shellcode techniques (especially relevant for win32) RaiSe (Sep 05)
- Re: asm shellcode techniques (especially relevant for win32) Ryan Permeh (Sep 05)
- Re: asm shellcode techniques (especially relevant for win32) RaiSe (Sep 05)
- Re: asm shellcode techniques (especially relevant for win32) Enrique A. Compañ Gzz. (Sep 05)