Metasploit mailing list archives

http get overflow


From: ninjatools at hush.com (ninjatools at hush.com)
Date: Wed, 29 Sep 2004 11:27:30 -0700


We've written a couple of http bugs, and I usually use the following technique.
It isn't necessarily the cleanest, but it often works quite well.

I usually use one of the amazing egghunt shellcodes written by matt miller
(skape), for example:

http://www.hick.org/~mmiller/shellcode/win32/egghunt_syscall.c

Sometimes you can get away with using a standard encoder, but it's often
easier (and you have enough space) to just encode it with an alphanumeric
encoder.  Skylined's encoder (it's in metasploit) is very good, and an
updated and improved version will be out in the next version of metasploit.
Also, we should have support for encoding "extra" payloads, but right
now I just hardcode the encoded egghunt into the exploit.  I then put
the normal shellcode in an HTTP header, giving me plenty of room, and
the egghunt finds it, and executes it.

I don't think the current metasploit really has a good example of this,
but you might want to check the serv-u exploit where I did something
similar.


-spoon

On Wed, 29 Sep 2004 07:09:53 -0700 Vlad902 <vlad902 at gmail.com> wrote:
Write your own or depend on smaller shellcodes being encoded. Also
look at msfencode rather than the online demonstration as that's a bit
dated.
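The staging pattern spoon describes (a small egghunter in the overflowing field, the real payload parked in an oversized HTTP header) has a defender-side counterpart: flag requests whose request-target or individual header values are far larger than the application ever needs, and look inside those values for an egghunter-style marker. The following detector is an added example, not code from this post, from the Metasploit project or from skape's egghunter. The length thresholds are constructed assumptions to be tuned per application; the "doubled 4-byte tag" check assumes an egghunter that searches for its tag written twice in a row, so adjust the regex if the hunter you are modelling differs; all sample requests are constructed, not captured traffic.

```python
import re

# Constructed thresholds (assumptions, not from the mailing-list post):
# tune them to what the protected application actually needs.
MAX_TARGET_LEN = 2048        # request-target longer than this is suspicious
MAX_HEADER_VALUE_LEN = 1024  # single header value longer than this is suspicious

# Assumption: the egghunter locates its payload by scanning memory for a short
# tag written twice in a row, so a 4-byte sequence immediately repeated inside
# an oversized header value is a useful (not conclusive) indicator.
DOUBLED_TAG = re.compile(rb"(.{4})\1", re.DOTALL)


def parse_request(raw: bytes):
    """Split a raw HTTP/1.x request into (request_line, [(name, value)], body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    request_line = lines[0]
    headers = []
    for line in lines[1:]:
        if not line:
            continue
        name, sep, value = line.partition(b":")
        if not sep:
            # Malformed header line: keep it, it may itself be part of the attack.
            headers.append((b"<malformed>", line))
            continue
        headers.append((name.strip().lower(), value.strip()))
    return request_line, headers, body


def inspect_request(raw: bytes):
    """Return a list of (where, indicator, detail) findings for one request."""
    findings = []
    request_line, headers, _ = parse_request(raw)
    parts = request_line.split(b" ")
    target = parts[1] if len(parts) >= 2 else request_line
    if len(target) > MAX_TARGET_LEN:
        findings.append(("request-target", "oversized", len(target)))
    for name, value in headers:
        if len(value) > MAX_HEADER_VALUE_LEN:
            where = name.decode("latin-1")
            findings.append((where, "oversized", len(value)))
            m = DOUBLED_TAG.search(value)
            if m:
                findings.append((where, "doubled-tag", m.group(1)))
    return findings


# Constructed sample traffic (not captured from any real system).
BENIGN_REQUEST = (
    b"GET /index.html HTTP/1.0\r\n"
    b"Host: example.test\r\n"
    b"User-Agent: test-client/1.0\r\n"
    b"\r\n"
)

# Payload staged in a header: a constructed doubled tag followed by filler.
STAGED_HEADER_REQUEST = (
    b"GET /index.html HTTP/1.0\r\n"
    b"Host: example.test\r\n"
    b"X-Data: " + b"T4G!T4G!" + b"A" * 1500 + b"\r\n"
    b"\r\n"
)

# Oversized request-target, the classic "http get overflow" shape.
LONG_TARGET_REQUEST = (
    b"GET /" + b"A" * 3000 + b" HTTP/1.0\r\n"
    b"Host: example.test\r\n"
    b"\r\n"
)

if __name__ == "__main__":
    for label, req in [("benign", BENIGN_REQUEST),
                       ("staged-header", STAGED_HEADER_REQUEST),
                       ("long-target", LONG_TARGET_REQUEST)]:
        print(label, inspect_request(req))
```

The parser is deliberately permissive (it keeps malformed header lines instead of dropping them) because a request crafted to overflow a server rarely respects the grammar the server expects; the point is to see what arrived, not what a conforming client would have sent. Thresholds on length are the cheap, robust part of the check; the doubled-tag match only narrows down which oversized values deserve a closer look.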






