alpha_mixed encoding not alpha

[tyronmiller at gmail.com (Ty Miller)]

Hi guys,

Thanks for the responses. I didn't actually receive the email from Sairam;
hence, my probe for an answer again.

I tried specifying a bad characters list to exclude all non-alpha numeric
characters, but the resulting shellcode still includes characters from the
bad characters list. I haven't looked at the module code for this yet to see
if I could put in a workaround, but I don't have time right now. I'll put
this on the list of things to do for the future.

Thanks again for your help,
Ty


On Mon, Jul 21, 2008 at 11:38 PM, H D Moore <hdm at metasploit.com> wrote:

> Sairam answered part of this -- basically the alpha decoders still need a
> GetPC() to figure out their current location. Even if you pick an alpha
> decoder, it will still look at the bad characters list to determine which
> GetPC() code to use. In this case, 0xdb was not in the bad chars list, so
> it was used to GetPC(). The only way to force all alpha is by setting a
> bad characters list excluding non-alpha ranges, but that requires
> BufferRegister/BufferOffset to be specified so it can skip the GetPC()
> code. Looking at the module code, it seems like the old hack of
> GETPCTYPE=win32 no longer works...
>
> -HD
>
> On Monday 21 July 2008, Ty Miller wrote:
> > I didn't get a response on this one. If anyone has any comments or
> > suggestions relating to the email below, please shoot em through.
>
>
> _______________________________________________
> http://spool.metasploit.com/mailman/listinfo/framework

hi miller,
            As far as my understanding that every shellcode conatins a
decoder stub(at the start of it) + nops (might present)
 + (encoded shellcode). when they say it as an encoded shellcode it actually
means only the shellcode which gets executed, its not either decoder stub or
nops. The bytes of the shellcode what you are looking at is actually the
decoder stub which decodes the encoded shellcode while executing. This is
not a bug.

regards,
sairam


2008/7/21 Ty Miller <tyronmiller at gmail.com>:

> - Show quoted text -
> Hi guys,
>
> I didn't get a response on this one. If anyone has any comments or
> suggestions relating to the email below, please shoot em through.
>
> Thanks,
> Ty
>
>
> On Sun, Jun 29, 2008 at 1:18 PM, Ty Miller <tyronmiller at gmail.com> wrote:
>
> > Hey guys,
> >
> > I've been messing around with alphanumeric shellcode encoding lately. I
> > tried to generate some mixed alpha encoded shellcode via the MSF3.1 web
> > interface using;
> > - "Windows Execute Command" payload
> > - command "dir"
> > - no filtered characters since they're encoded anyway
> > - "x86/alpha_mixed" encoder
> >
> > This generates the shellcode below. Alpha chars should be between 0x41 to
> > 0x5a for uppercase and 0x61 to 0x7a for lowercase (and 0x30 - 0x39 for
> > numeric), meaning the following shellcode isn't alpha characters only since
> > it starts with "0xdb".
> >
> > Can you please let me know what I am doing wrong, or whether its a bug?
> >
> > Thanks,
> > Ty
> >
> >
> > /*
> >  * windows/exec - 293 bytes
> >  * http://www.metasploit.com
> >  * Encoder: x86/alpha_mixed
> >  * EXITFUNC=seh, CMD=dir
> >  */
> > unsigned char buf[] =
> > "\xdb\xc8\xd9\x74\x24\xf4\x5b\x53\x59\x49\x49\x49\x49\x49\x49"
> > "\x49\x49\x49\x43\x43\x43\x43\x43\x43\x43\x37\x51\x5a\x6a\x41"
> > "\x58\x50\x30\x41\x30\x41\x6b\x41\x41\x51\x32\x41\x42\x32\x42"
> > "\x42\x30\x42\x42\x41\x42\x58\x50\x38\x41\x42\x75\x4a\x49\x4b"
> > "\x4c\x4d\x38\x47\x34\x43\x30\x45\x50\x43\x30\x4c\x4b\x51\x55"
> > "\x47\x4c\x4c\x4b\x43\x4c\x45\x55\x44\x38\x45\x51\x4a\x4f\x4c"
> > "\x4b\x50\x4f\x45\x48\x4c\x4b\x51\x4f\x47\x50\x45\x51\x4a\x4b"
> > "\x47\x39\x4c\x4b\x46\x54\x4c\x4b\x43\x31\x4a\x4e\x50\x31\x49"
> > "\x50\x4c\x59\x4e\x4c\x4d\x54\x49\x50\x42\x54\x43\x37\x49\x51"
> > "\x49\x5a\x44\x4d\x43\x31\x49\x52\x4a\x4b\x4c\x34\x47\x4b\x51"
> > "\x44\x46\x44\x44\x44\x42\x55\x4d\x35\x4c\x4b\x51\x4f\x51\x34"
> > "\x45\x51\x4a\x4b\x43\x56\x4c\x4b\x44\x4c\x50\x4b\x4c\x4b\x51"
> > "\x4f\x45\x4c\x45\x51\x4a\x4b\x4c\x4b\x45\x4c\x4c\x4b\x45\x51"
> > "\x4a\x4b\x4b\x39\x51\x4c\x46\x44\x45\x54\x48\x43\x51\x4f\x46"
> > "\x51\x4c\x36\x45\x30\x51\x46\x42\x44\x4c\x4b\x47\x36\x46\x50"
> > "\x4c\x4b\x51\x50\x44\x4c\x4c\x4b\x42\x50\x45\x4c\x4e\x4d\x4c"
> > "\x4b\x45\x38\x43\x38\x4d\x59\x4b\x48\x4d\x53\x49\x50\x43\x5a"
> > "\x46\x30\x43\x58\x4c\x30\x4d\x5a\x45\x54\x51\x4f\x42\x48\x4a"
> > "\x38\x4b\x4e\x4c\x4a\x44\x4e\x50\x57\x4b\x4f\x4b\x57\x43\x54"
> > "\x43\x59\x42\x52\x45\x50\x41\x41";
>
> _______________________________________________
> http://spool.metasploit.com/mailman/listinfo/framework
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mail.metasploit.com/pipermail/framework/attachments/20080722/f9d39853/attachment.htm>