alpha_mixed encoding not alpha

[msairam at intoto.com (M Purandhar Sairam)]

hi miller,
            As far as my understanding that every shellcode contains nops
(might present) + decoder stub(at the start of it)
 + (encoded shellcode). when they say it as an encoded shellcode it actually
means only the shellcode which gets executed, its not either decoder stub or
nops. The bytes of the shellcode what you are looking at is actually the
decoder stub which decodes the encoded shellcode while executing. This is
not a bug.

regards,
sairam

2008/7/21 Ty Miller <tyronmiller at gmail.com>:

> Hi guys,
>
> I didn't get a response on this one. If anyone has any comments or
> suggestions relating to the email below, please shoot em through.
>
> Thanks,
> Ty
>
>
>
> On Sun, Jun 29, 2008 at 1:18 PM, Ty Miller <tyronmiller at gmail.com> wrote:
>
> > Hey guys,
> >
> > I've been messing around with alphanumeric shellcode encoding lately. I
> > tried to generate some mixed alpha encoded shellcode via the MSF3.1 web
> > interface using;
> > - "Windows Execute Command" payload
> > - command "dir"
> > - no filtered characters since they're encoded anyway
> > - "x86/alpha_mixed" encoder
> >
> > This generates the shellcode below. Alpha chars should be between 0x41 to
> > 0x5a for uppercase and 0x61 to 0x7a for lowercase (and 0x30 - 0x39 for
> > numeric), meaning the following shellcode isn't alpha characters only since
> > it starts with "0xdb".
> >
> > Can you please let me know what I am doing wrong, or whether its a bug?
> >
> > Thanks,
> > Ty
> >
> >
> > /*
> >  * windows/exec - 293 bytes
> >  * http://www.metasploit.com
> >  * Encoder: x86/alpha_mixed
> >  * EXITFUNC=seh, CMD=dir
> >  */
> > unsigned char buf[] =
> > "\xdb\xc8\xd9\x74\x24\xf4\x5b\x53\x59\x49\x49\x49\x49\x49\x49"
> > "\x49\x49\x49\x43\x43\x43\x43\x43\x43\x43\x37\x51\x5a\x6a\x41"
> > "\x58\x50\x30\x41\x30\x41\x6b\x41\x41\x51\x32\x41\x42\x32\x42"
> > "\x42\x30\x42\x42\x41\x42\x58\x50\x38\x41\x42\x75\x4a\x49\x4b"
> > "\x4c\x4d\x38\x47\x34\x43\x30\x45\x50\x43\x30\x4c\x4b\x51\x55"
> > "\x47\x4c\x4c\x4b\x43\x4c\x45\x55\x44\x38\x45\x51\x4a\x4f\x4c"
> > "\x4b\x50\x4f\x45\x48\x4c\x4b\x51\x4f\x47\x50\x45\x51\x4a\x4b"
> > "\x47\x39\x4c\x4b\x46\x54\x4c\x4b\x43\x31\x4a\x4e\x50\x31\x49"
> > "\x50\x4c\x59\x4e\x4c\x4d\x54\x49\x50\x42\x54\x43\x37\x49\x51"
> > "\x49\x5a\x44\x4d\x43\x31\x49\x52\x4a\x4b\x4c\x34\x47\x4b\x51"
> > "\x44\x46\x44\x44\x44\x42\x55\x4d\x35\x4c\x4b\x51\x4f\x51\x34"
> > "\x45\x51\x4a\x4b\x43\x56\x4c\x4b\x44\x4c\x50\x4b\x4c\x4b\x51"
> > "\x4f\x45\x4c\x45\x51\x4a\x4b\x4c\x4b\x45\x4c\x4c\x4b\x45\x51"
> > "\x4a\x4b\x4b\x39\x51\x4c\x46\x44\x45\x54\x48\x43\x51\x4f\x46"
> > "\x51\x4c\x36\x45\x30\x51\x46\x42\x44\x4c\x4b\x47\x36\x46\x50"
> > "\x4c\x4b\x51\x50\x44\x4c\x4c\x4b\x42\x50\x45\x4c\x4e\x4d\x4c"
> > "\x4b\x45\x38\x43\x38\x4d\x59\x4b\x48\x4d\x53\x49\x50\x43\x5a"
> > "\x46\x30\x43\x58\x4c\x30\x4d\x5a\x45\x54\x51\x4f\x42\x48\x4a"
> > "\x38\x4b\x4e\x4c\x4a\x44\x4e\x50\x57\x4b\x4f\x4b\x57\x43\x54"
> > "\x43\x59\x42\x52\x45\x50\x41\x41";
>
> _______________________________________________
> http://spool.metasploit.com/mailman/listinfo/framework
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mail.metasploit.com/pipermail/framework/attachments/20080721/77b34848/attachment.htm>