Dailydave mailing list archives

Re: So shellcode work is phun


From: Dave Aitel <dave () kof immunityinc com>
Date: Tue, 30 Jun 2009 11:28:00 -0400

So today, in class, at the very end of the day, one of the students got his
bindshell working. And he was connecting to it happily and quite pleased
with himself and checking out his admin cmd.exe in Task Manager until we
pointed out that he should probably bind to localhost instead of 0.0.0.0, at
which point he got super paranoid. :>

Anyways, one of the things we teach in class is to do error correction in
your shellcode. That jne might cost you 2 bytes of space, but at least that
1/100th of the time when your bind() fails, you don't have to worry that you
AVed some poor guy's lsass.

That same thing is true for parsing the PEB and its mighty linked lists. If
you make assumptions about what order modules are loaded in, then things are
going to blow up eventually. Probably not when you want them to.

-dave


On Mon, Jun 29, 2009 at 3:42 AM, Chris Eagle <cseagle () redshift com> wrote:

Perhaps relevant:


http://www.harmonysecurity.com/blog/2009/06/retrieving-kernel32s-base-address.html

Chris

Jared DeMott wrote:
Dear Dave,

Just for phun, I sat down to test a simple popup calc shellcode on
Windows 7 RC today and it pooped.  I verified that it worked on XP and
Vista, and thought darn ... now I'm going to have to see why it failed
on Windows 7 and email H D Moore.  Anyone else seen this or am I on
crack today?

Cheers,
Jared
_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
http://lists.immunitysec.com/mailman/listinfo/dailydave


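Dave's two points above, checking for failure instead of assuming success and matching modules by name instead of by position in the loader lists, as an added example that is not from this thread or from anyone on it. Real shellcode reaches the lists through PEB->Ldr (fs:[0x30] on 32-bit Windows); here the PEB is replaced by hand-built lists so the code runs anywhere, the LDR_DATA_TABLE_ENTRY layout is trimmed to the fields the walk touches, the module orderings and base addresses are constructed (they mirror the commonly reported difference that KernelBase.dll sits before kernel32.dll on Windows 7, but were not captured from a real PEB), and the name hash is the ROR13-over-uppercased-UTF-16 convention that compact shellcode uses so it never has to carry a string.

```c
/* Added example, not code from the thread: position-based vs. hash-based
 * module lookup over a simulated PEB loader list (little-endian host). */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

typedef struct LIST_ENTRY { struct LIST_ENTRY *Flink, *Blink; } LIST_ENTRY;

/* As in the real UNICODE_STRING, Length is in BYTES, buffer is UTF-16LE. */
typedef struct { uint16_t Length, MaximumLength; const uint16_t *Buffer; } UNICODE_STRING;

/* Trimmed stand-in for LDR_DATA_TABLE_ENTRY: only what the walk needs. */
typedef struct {
    LIST_ENTRY InInitializationOrderLinks;   /* first field, so the cast below is exact */
    void *DllBase;
    UNICODE_STRING BaseDllName;
} LDR_ENTRY;
#define ENTRY_OF(link) ((LDR_ENTRY *)(link))

enum { MAX_MODS = 4, NAME_CAP = 16 };
typedef struct {
    LIST_ENTRY head;
    LDR_ENTRY mods[MAX_MODS];
    uint16_t names[MAX_MODS][NAME_CAP];
} FakeLdr;

/* Constructed base addresses; only distinct values matter for the demo. */
#define BASE_NTDLL      ((void *)0x77000000)
#define BASE_KERNELBASE ((void *)0x75000000)
#define BASE_KERNEL32   ((void *)0x76000000)

/* ROR13 hash over every byte of the uppercased UTF-16 name (the zero high
 * bytes are hashed too, exactly as shellcode reading the PEB would do). */
uint32_t ror13_hash(const uint16_t *s, size_t len_bytes) {
    const uint8_t *p = (const uint8_t *)s;
    uint32_t h = 0;
    for (size_t i = 0; i < len_bytes; i++) {
        uint8_t c = p[i];
        if (c >= 'a' && c <= 'z') c -= 0x20;
        h = (h >> 13) | (h << 19);
        h += c;
    }
    return h;
}

/* Widen an ASCII name to UTF-16 and hash it as it would appear in the PEB. */
uint32_t hash_name(const char *ascii) {
    uint16_t buf[NAME_CAP];
    size_t i = 0;
    while (ascii[i] && i < NAME_CAP) { buf[i] = (uint8_t)ascii[i]; i++; }
    return ror13_hash(buf, i * 2);
}

/* Fragile: "kernel32 is always the Nth module".  Returns whatever sits at
 * that slot, or NULL if the list is shorter than N. */
void *find_by_position(LIST_ENTRY *head, int n) {
    LIST_ENTRY *link = head->Flink;
    for (int i = 1; i < n && link != head; i++) link = link->Flink;
    return link == head ? NULL : ENTRY_OF(link)->DllBase;
}

/* Robust: walk the whole circular list, match on the name hash, and return
 * NULL when the module is absent.  The caller's check on NULL is the
 * "jne that costs 2 bytes" from the post. */
void *find_by_hash(LIST_ENTRY *head, uint32_t want) {
    for (LIST_ENTRY *link = head->Flink; link != head; link = link->Flink) {
        LDR_ENTRY *e = ENTRY_OF(link);
        if (ror13_hash(e->BaseDllName.Buffer, e->BaseDllName.Length) == want)
            return e->DllBase;
    }
    return NULL;
}

/* --- simulation plumbing: build the fake loader lists --- */
static void build_ldr(FakeLdr *ldr, const char *const *names, const void *const *bases, size_t n) {
    ldr->head.Flink = ldr->head.Blink = &ldr->head;
    for (size_t i = 0; i < n; i++) {
        size_t k = 0;
        while (names[i][k] && k < NAME_CAP) { ldr->names[i][k] = (uint8_t)names[i][k]; k++; }
        ldr->mods[i].BaseDllName.Buffer = ldr->names[i];
        ldr->mods[i].BaseDllName.Length = (uint16_t)(k * 2);
        ldr->mods[i].BaseDllName.MaximumLength = NAME_CAP * 2;
        ldr->mods[i].DllBase = (void *)bases[i];
        LIST_ENTRY *l = &ldr->mods[i].InInitializationOrderLinks;   /* append at tail */
        l->Flink = &ldr->head; l->Blink = ldr->head.Blink;
        ldr->head.Blink->Flink = l; ldr->head.Blink = l;
    }
}

/* Constructed orderings (assumed, not dumped from a live system). */
void build_xp_like(FakeLdr *ldr) {
    const char *names[] = { "ntdll.dll", "kernel32.dll" };
    const void *bases[] = { BASE_NTDLL, BASE_KERNEL32 };
    build_ldr(ldr, names, bases, 2);
}
void build_win7_like(FakeLdr *ldr) {
    const char *names[] = { "ntdll.dll", "KERNELBASE.dll", "kernel32.dll" };
    const void *bases[] = { BASE_NTDLL, BASE_KERNELBASE, BASE_KERNEL32 };
    build_ldr(ldr, names, bases, 3);
}

int main(void) {
    FakeLdr xp, w7;
    build_xp_like(&xp);
    build_win7_like(&w7);
    uint32_t k32 = hash_name("kernel32.dll");
    printf("by position: XP=%p  Win7=%p\n", find_by_position(&xp.head, 2), find_by_position(&w7.head, 2));
    printf("by hash:     XP=%p  Win7=%p\n", find_by_hash(&xp.head, k32), find_by_hash(&w7.head, k32));
    return 0;
}
```

The position lookup hands back KernelBase's base on the Windows 7 shaped list, so every export resolved from it is wrong and the first call through it crashes the host; the hash walk returns kernel32 on both lists, and returns NULL (instead of a bogus pointer) for a module that is not loaded, which is the case the shellcode has to branch on rather than fall through.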