Metasploit mailing list archives
alpha_mixed encoding not alpha
From: msairam at intoto.com (M Purandhar Sairam)
Date: Mon, 21 Jul 2008 17:31:23 +0530
Hi Miller,

As far as I understand, every shellcode contains NOPs (might be present) + decoder stub (at the start of it) + encoded shellcode. When they say "encoded shellcode", it actually means only the shellcode which gets executed; it's not either the decoder stub or the NOPs. The bytes of the shellcode that you are looking at are actually the decoder stub, which decodes the encoded shellcode while executing. This is not a bug.

Regards,
Sairam

2008/7/21 Ty Miller <tyronmiller at gmail.com>:
Hi guys,

I didn't get a response on this one. If anyone has any comments or suggestions relating to the email below, please shoot 'em through.

Thanks,
Ty

On Sun, Jun 29, 2008 at 1:18 PM, Ty Miller <tyronmiller at gmail.com> wrote:

Hey guys,

I've been messing around with alphanumeric shellcode encoding lately. I tried to generate some mixed alpha encoded shellcode via the MSF3.1 web interface using;

- "Windows Execute Command" payload
- command "dir"
- no filtered characters since they're encoded anyway
- "x86/alpha_mixed" encoder

This generates the shellcode below. Alpha chars should be between 0x41 to 0x5a for uppercase and 0x61 to 0x7a for lowercase (and 0x30 - 0x39 for numeric), meaning the following shellcode isn't alpha characters only since it starts with "0xdb".

Can you please let me know what I am doing wrong, or whether it's a bug?

Thanks,
Ty

/*
 * windows/exec - 293 bytes
 * http://www.metasploit.com
 * Encoder: x86/alpha_mixed
 * EXITFUNC=seh, CMD=dir
 */
unsigned char buf[] =
"\xdb\xc8\xd9\x74\x24\xf4\x5b\x53\x59\x49\x49\x49\x49\x49\x49"
"\x49\x49\x49\x43\x43\x43\x43\x43\x43\x43\x37\x51\x5a\x6a\x41"
"\x58\x50\x30\x41\x30\x41\x6b\x41\x41\x51\x32\x41\x42\x32\x42"
"\x42\x30\x42\x42\x41\x42\x58\x50\x38\x41\x42\x75\x4a\x49\x4b"
"\x4c\x4d\x38\x47\x34\x43\x30\x45\x50\x43\x30\x4c\x4b\x51\x55"
"\x47\x4c\x4c\x4b\x43\x4c\x45\x55\x44\x38\x45\x51\x4a\x4f\x4c"
"\x4b\x50\x4f\x45\x48\x4c\x4b\x51\x4f\x47\x50\x45\x51\x4a\x4b"
"\x47\x39\x4c\x4b\x46\x54\x4c\x4b\x43\x31\x4a\x4e\x50\x31\x49"
"\x50\x4c\x59\x4e\x4c\x4d\x54\x49\x50\x42\x54\x43\x37\x49\x51"
"\x49\x5a\x44\x4d\x43\x31\x49\x52\x4a\x4b\x4c\x34\x47\x4b\x51"
"\x44\x46\x44\x44\x44\x42\x55\x4d\x35\x4c\x4b\x51\x4f\x51\x34"
"\x45\x51\x4a\x4b\x43\x56\x4c\x4b\x44\x4c\x50\x4b\x4c\x4b\x51"
"\x4f\x45\x4c\x45\x51\x4a\x4b\x4c\x4b\x45\x4c\x4c\x4b\x45\x51"
"\x4a\x4b\x4b\x39\x51\x4c\x46\x44\x45\x54\x48\x43\x51\x4f\x46"
"\x51\x4c\x36\x45\x30\x51\x46\x42\x44\x4c\x4b\x47\x36\x46\x50"
"\x4c\x4b\x51\x50\x44\x4c\x4c\x4b\x42\x50\x45\x4c\x4e\x4d\x4c"
"\x4b\x45\x38\x43\x38\x4d\x59\x4b\x48\x4d\x53\x49\x50\x43\x5a"
"\x46\x30\x43\x58\x4c\x30\x4d\x5a\x45\x54\x51\x4f\x42\x48\x4a"
"\x38\x4b\x4e\x4c\x4a\x44\x4e\x50\x57\x4b\x4f\x4b\x57\x43\x54"
"\x43\x59\x42\x52\x45\x50\x41\x41";
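
Added example, not part of the original thread and not Metasploit code: the Python below applies the alphanumeric ranges quoted in the question to the first 30 bytes of the posted buffer and reports where the out-of-range bytes sit. The function names are illustrative assumptions.

```python
# Added example: locate bytes outside the alphanumeric ranges quoted in the
# thread (0x30-0x39, 0x41-0x5a, 0x61-0x7a).

# First 30 bytes of the buf[] posted in the thread (its first two string
# literals), copied here as sample input.
SAMPLE = bytes.fromhex(
    "dbc8d97424f45b5359494949494949"
    "4949494343434343434337515a6a41"
)


def is_alnum(b: int) -> bool:
    """True if the byte is 0-9, A-Z or a-z."""
    return 0x30 <= b <= 0x39 or 0x41 <= b <= 0x5A or 0x61 <= b <= 0x7A


def non_alnum_runs(buf: bytes) -> list[tuple[int, bytes]]:
    """Return (offset, bytes) for each maximal run of non-alphanumeric bytes."""
    runs, start = [], None
    for i, b in enumerate(buf):
        if not is_alnum(b):
            if start is None:
                start = i
        elif start is not None:
            runs.append((start, buf[start:i]))
            start = None
    if start is not None:  # run reaches the end of the buffer
        runs.append((start, buf[start:]))
    return runs


def alnum_body_start(buf: bytes) -> int:
    """Offset from which every remaining byte is alphanumeric (0 if all are)."""
    runs = non_alnum_runs(buf)
    if not runs:
        return 0
    offset, data = runs[-1]
    return offset + len(data)


if __name__ == "__main__":
    for offset, data in non_alnum_runs(SAMPLE):
        print(f"offset {offset}: {data.hex(' ')}")
    print("alphanumeric from offset", alnum_body_start(SAMPLE))
```

In this sample the out-of-range bytes are confined to the first seven bytes of the buffer, so a filter that accepts only alphanumeric input would reject the buffer as posted.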