Re: Does size matter?

[vlad902 <vlad902 () gmail com>]

On Tue, 8 Mar 2005 01:07:27 +0100, Gigi Sullivan <sullivan () sikurezza org> wrote:
> Greetings,
>
>    it's not my intention to send spam, despite the email's subject :)
>
>    What I'm referring to is related to shellcode (or call it whatever you
>    want) size; it's common knowledge -- or at least it used to be so, IMHO --
>    that it may be possible to experience size constraints while trying to
>    overflow a buffer (just think about plain stack-based overflows without any
>    kind of protection/mitigation techniques) so that one is unable to find
>    enough space to store his fancy executable stuff... directly into the
>    overflowable buffer.
>
>    So I was just curious: does size really still matters nowadays or we have
>    enough space to do whatever we want in order to execute our shellcode [1]?
>
>    Are there any difference between OSes? (i.e. usually Windows apps offer (as
>    a feature? :)) just enough space to do our job)

I sure think so, and the metasploit team and I have worked hard on
providing small payloads*. On windows, size is not as big an issue as
most people think. If conventional payloads are too large you can
still resort to using ordinal stagers (<100 bytes.) Also, in most
cases you can locate a buffer at a predictable location, and even if
it's very small you can still most likely use an egghunt payload in
that scenario.

I think that small size is a bigger issue on linux/bsd then
windows/solaris. For windows/solaris you are most likely attacking a
native binary and can predict where the buffer will be if you know the
remote OS version. For linux/bsd however you can never be too sure of
where everything is, and so in cases where you have to blindly guess a
buffer location a couple more nops here and there can go a long way.
:)

Just some metasploit whoring, comparisons between sizes in 2.2 and 2.3:

Name: Size of payload in 2.2 (bytes) vs. size of payload in 2.3 (bytes)

Linux/x86 bindshell: 88 vs. 84
Linux/x86 connect back: 105 vs. 70
Linux/x86 findsock (recv): 95 vs. 69

BSD/x86 bindshell: 151 vs. 78
BSD/x86 connect back: 64 vs. 68 (Size grew because of bug fix)
BSD/x86 findsock (recv): None vs. 70

Windows/x86 bindshell: 375 vs. 321**
Windows/x86 connectback: 357 vs. 291**
Windows/x86 findsock (recv) stager: none vs. 92***

* The win32 non-ordinal stagers still have to be re-written.
** Will be smaller in the next release.
*** Ordinal-based stager.

> TIA, bye
> Lorenzo
>
> [1] yes, syscall proxying and other cool methods could help us developing more
>     complex shellcode without worring too much about size, but I was thinking
>     about old shellcode contests where the winner was who had it more
>     little (always shellcode buddies, always shellcode :))
>
> --
> Lorenzo Cavallaro `Gigi Sullivan' <sullivan () sikurezza org>
>
> Until I loved, life had no beauty;
> I did not know I lived until I had loved. (Theodor Korner)
>
> See the reality in your eyes, when the hate makes you blind. (A.H.X)
>
>
> _______________________________________________
> Dailydave mailing list
> Dailydave () lists immunitysec com
> https://lists.immunitysec.com/mailman/listinfo/dailydave

-vlad902
_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
https://lists.immunitysec.com/mailman/listinfo/dailydave