Dailydave mailing list archives
Re: So shellcode work is phun
From: Dave Aitel <dave () kof immunityinc com>
Date: Tue, 30 Jun 2009 11:28:00 -0400
So today, in class, at the very end of the day, one of the students got his bindshell working. And he was connecting to it happily and quite pleased with himself and checking out his admin cmd.exe in taskmanager until we pointed out that he should probably bind to localhost instead of 0.0.0.0, at which point he got super paranoid. :>

Anyways, one of the things we teach in class is to do error correction in your shellcode. That jne might cost you 2 bytes of space, but at least that 1/100th of a time when your bind() fails, you don't have to worry that you AVed some poor guy's lsass. That same thing is true for parsing the PEB and its mighty linked lists. If you make assumptions about what order modules are loaded in, then things are going to blow up eventually. Probably not when you want them to.

-dave

On Mon, Jun 29, 2009 at 3:42 AM, Chris Eagle <cseagle () redshift com> wrote:
> Perhaps relevant: http://www.harmonysecurity.com/blog/2009/06/retrieving-kernel32s-base-address.html
>
> Chris
>
> Jared DeMott wrote:
>> Dear Dave,
>> Just for phun, I sat down to test a simple popup calc shellcode on Windows 7 RC today and it pooped. I verified that it worked on XP and Vista, and thought darn ... now I'm going to have to see why it failed on Windows 7 and email H D Moore. Anyone else seen this or am I on crack today?
>> Cheers,
>> Jared

_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
http://lists.immunitysec.com/mailman/listinfo/dailydave
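The stub behaviour the thread is arguing about (a position-independent payload that starts by reading the PEB pointer out of the TEB and then walks the loader's module lists) has a fixed starting point that is useful on the detection side. The following is an added example, not code from the thread or from the linked article: a small Python scanner that flags the instruction encodings which read the PEB pointer. The 32-bit encodings (FS:[0x30]) are the standard Intel ones; the 64-bit GS:[0x60] form goes beyond the 32-bit case the thread discusses; every sample buffer is constructed here and is not taken from any real payload.

```python
import re

# Byte encodings of the instructions that load the PEB pointer from the TEB.
# 32-bit: the PEB pointer lives at FS:[0x30]. 64-bit: at GS:[0x60]; that form
# is an extension beyond the 32-bit case the thread discusses.
_MOV_EAX_MOFFS = b"\x64\xA1\x30\x00\x00\x00"               # mov eax, fs:[0x30]
# mov r32, fs:[0x30] via 8B /r with ModR/M mod=00 rm=101 (disp32), one byte per
# destination register: eax ecx edx ebx esp ebp esi edi
_MODRM_DISP32 = [0x05, 0x0D, 0x15, 0x1D, 0x25, 0x2D, 0x35, 0x3D]
_MOV_R32_FS30 = [b"\x64\x8B" + bytes([m]) + b"\x30\x00\x00\x00" for m in _MODRM_DISP32]
_MOV_RAX_GS60 = b"\x65\x48\x8B\x04\x25\x60\x00\x00\x00"     # mov rax, gs:[0x60]

PEB_READ_SIGNATURES = [
    (re.compile(re.escape(_MOV_EAX_MOFFS)), "mov eax, fs:[0x30]"),
    (re.compile(b"|".join(re.escape(p) for p in _MOV_R32_FS30)), "mov r32, fs:[0x30]"),
    (re.compile(re.escape(_MOV_RAX_GS60)), "mov rax, gs:[0x60]"),
]


def find_peb_reads(blob: bytes) -> list:
    """Return a sorted list of (offset, description) for every PEB-pointer
    read found in blob. A hit marks the entry point of a stub that resolves
    modules by walking the loader lists, i.e. the code the thread says blows
    up when it assumes a particular module load order."""
    hits = []
    for pattern, description in PEB_READ_SIGNATURES:
        for match in pattern.finditer(blob):
            hits.append((match.start(), description))
    return sorted(hits)


# Constructed samples (not captured from any real payload).
SAMPLE_PEB_WALK = (
    b"\x90" * 4                        # NOP sled
    + b"\x64\xA1\x30\x00\x00\x00"      # mov eax, fs:[0x30]   ; eax = PEB
    + b"\x8B\x40\x0C"                  # mov eax, [eax+0x0C]  ; eax = PEB->Ldr
)
SAMPLE_ALT_REGISTER = b"\x64\x8B\x1D\x30\x00\x00\x00"     # mov ebx, fs:[0x30]
SAMPLE_CLEAN = (
    b"\xA1\x30\x00\x00\x00"            # mov eax, [0x30]  ; no FS prefix, not a PEB read
    + b"\x64\xA1\x18\x00\x00\x00"      # mov eax, fs:[0x18]; TEB self pointer, not the PEB
)

if __name__ == "__main__":
    for name, blob in [("peb_walk", SAMPLE_PEB_WALK),
                       ("alt_register", SAMPLE_ALT_REGISTER),
                       ("clean", SAMPLE_CLEAN)]:
        print(name, find_peb_reads(blob))
```

Normal compiled code rarely reads the PEB pointer directly, but it does happen (hand-written anti-debug checks, some runtimes), so treat a hit as a triage lead on a suspicious buffer rather than as proof on its own, and pair it with the surrounding context such as a following dereference of the Ldr field.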
Current thread:
- So shellcode work is phun Jared DeMott (Jun 29)
- Re: So shellcode work is phun Chris Eagle (Jun 29)
- Re: So shellcode work is phun Dave Aitel (Jun 30)
- Re: So shellcode work is phun Chris Eagle (Jun 29)