Metasploit mailing list archives
alpha_mixed encoding not alpha
From: tyronmiller at gmail.com (Ty Miller)
Date: Tue, 22 Jul 2008 10:39:55 +1000
Hi guys,

Thanks for the responses. I didn't actually receive the email from Sairam; hence, my probe for an answer again. I tried specifying a bad characters list to exclude all non-alphanumeric characters, but the resulting shellcode still includes characters from the bad characters list. I haven't looked at the module code for this yet to see if I could put in a workaround, but I don't have time right now. I'll put this on the list of things to do for the future.

Thanks again for your help,
Ty

On Mon, Jul 21, 2008 at 11:38 PM, H D Moore <hdm at metasploit.com> wrote:
Sairam answered part of this -- basically the alpha decoders still need a GetPC() to figure out their current location. Even if you pick an alpha decoder, it will still look at the bad characters list to determine which GetPC() code to use. In this case, 0xdb was not in the bad chars list, so it was used to GetPC(). The only way to force all alpha is by setting a bad characters list excluding non-alpha ranges, but that requires BufferRegister/BufferOffset to be specified so it can skip the GetPC() code. Looking at the module code, it seems like the old hack of GETPCTYPE=win32 no longer works...

-HD

On Monday 21 July 2008, Ty Miller wrote:
I didn't get a response on this one. If anyone has any comments or suggestions relating to the email below, please shoot em through.

_______________________________________________
http://spool.metasploit.com/mailman/listinfo/framework
hi miller,

As far as my understanding, every shellcode contains a decoder stub (at the start of it) + nops (might be present) + (encoded shellcode). When they say it is an encoded shellcode, it actually means only the shellcode which gets executed; it's not either the decoder stub or the nops. The bytes of the shellcode that you are looking at are actually the decoder stub, which decodes the encoded shellcode while executing. This is not a bug.

regards,
sairam

2008/7/21 Ty Miller <tyronmiller at gmail.com>:
Hi guys,

I didn't get a response on this one. If anyone has any comments or suggestions relating to the email below, please shoot em through.

Thanks,
Ty

On Sun, Jun 29, 2008 at 1:18 PM, Ty Miller <tyronmiller at gmail.com> wrote:
Hey guys,

I've been messing around with alphanumeric shellcode encoding lately. I tried to generate some mixed alpha encoded shellcode via the MSF3.1 web interface using:

- "Windows Execute Command" payload
- command "dir"
- no filtered characters since they're encoded anyway
- "x86/alpha_mixed" encoder

This generates the shellcode below. Alpha chars should be between 0x41 to 0x5a for uppercase and 0x61 to 0x7a for lowercase (and 0x30 - 0x39 for numeric), meaning the following shellcode isn't alpha characters only since it starts with "0xdb". Can you please let me know what I am doing wrong, or whether it's a bug?

Thanks,
Ty

/*
 * windows/exec - 293 bytes
 * http://www.metasploit.com
 * Encoder: x86/alpha_mixed
 * EXITFUNC=seh, CMD=dir
 */
unsigned char buf[] =
"\xdb\xc8\xd9\x74\x24\xf4\x5b\x53\x59\x49\x49\x49\x49\x49\x49"
"\x49\x49\x49\x43\x43\x43\x43\x43\x43\x43\x37\x51\x5a\x6a\x41"
"\x58\x50\x30\x41\x30\x41\x6b\x41\x41\x51\x32\x41\x42\x32\x42"
"\x42\x30\x42\x42\x41\x42\x58\x50\x38\x41\x42\x75\x4a\x49\x4b"
"\x4c\x4d\x38\x47\x34\x43\x30\x45\x50\x43\x30\x4c\x4b\x51\x55"
"\x47\x4c\x4c\x4b\x43\x4c\x45\x55\x44\x38\x45\x51\x4a\x4f\x4c"
"\x4b\x50\x4f\x45\x48\x4c\x4b\x51\x4f\x47\x50\x45\x51\x4a\x4b"
"\x47\x39\x4c\x4b\x46\x54\x4c\x4b\x43\x31\x4a\x4e\x50\x31\x49"
"\x50\x4c\x59\x4e\x4c\x4d\x54\x49\x50\x42\x54\x43\x37\x49\x51"
"\x49\x5a\x44\x4d\x43\x31\x49\x52\x4a\x4b\x4c\x34\x47\x4b\x51"
"\x44\x46\x44\x44\x44\x42\x55\x4d\x35\x4c\x4b\x51\x4f\x51\x34"
"\x45\x51\x4a\x4b\x43\x56\x4c\x4b\x44\x4c\x50\x4b\x4c\x4b\x51"
"\x4f\x45\x4c\x45\x51\x4a\x4b\x4c\x4b\x45\x4c\x4c\x4b\x45\x51"
"\x4a\x4b\x4b\x39\x51\x4c\x46\x44\x45\x54\x48\x43\x51\x4f\x46"
"\x51\x4c\x36\x45\x30\x51\x46\x42\x44\x4c\x4b\x47\x36\x46\x50"
"\x4c\x4b\x51\x50\x44\x4c\x4c\x4b\x42\x50\x45\x4c\x4e\x4d\x4c"
"\x4b\x45\x38\x43\x38\x4d\x59\x4b\x48\x4d\x53\x49\x50\x43\x5a"
"\x46\x30\x43\x58\x4c\x30\x4d\x5a\x45\x54\x51\x4f\x42\x48\x4a"
"\x38\x4b\x4e\x4c\x4a\x44\x4e\x50\x57\x4b\x4f\x4b\x57\x43\x54"
"\x43\x59\x42\x52\x45\x50\x41\x41";
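The point of the thread is that the alpha_mixed body is alphanumeric but the GetPC() stub in front of it is not, and that the only way to get an all-alpha result is to hand the encoder a bad-character list covering every non-alphanumeric value (plus BufferRegister so the stub can be dropped). The following Python script is an added example, not code from the thread or from Metasploit: it checks an encoder's output byte by byte, reports which offsets fall outside the 0x30-0x39 / 0x41-0x5a / 0x61-0x7a ranges quoted in the original question, and builds that full non-alphanumeric bad-character list. The sample input is a constructed 20-byte prefix of the buffer quoted above; all function names are the example's own.

```python
from __future__ import annotations
import string

# Allowed byte values for an alpha_mixed body: 0x30-0x39, 0x41-0x5a and
# 0x61-0x7a, the ranges listed in the original question.
ALNUM = frozenset((string.ascii_letters + string.digits).encode("ascii"))

# Constructed sample: the first 20 bytes of the 293-byte buffer quoted in
# the thread (the GetPC stub followed by the start of the alpha body).
SAMPLE_HEAD = (b"\xdb\xc8\xd9\x74\x24\xf4\x5b\x53\x59\x49"
               b"\x49\x49\x49\x49\x49\x49\x49\x49\x49\x43")


def non_alnum_bytes(buf: bytes) -> list[tuple[int, int]]:
    """(offset, value) for every byte that lies outside the alphanumeric set."""
    return [(i, b) for i, b in enumerate(buf) if b not in ALNUM]


def alnum_body_offset(buf: bytes) -> int:
    """Offset from which the rest of the buffer is purely alphanumeric
    (0 if all of it is, len(buf) if even the last byte is not). For
    alpha_mixed output this is the size of the non-alpha stub that the
    encoder put in front of the encoded body."""
    bad = non_alnum_bytes(buf)
    return bad[-1][0] + 1 if bad else 0


def is_pure_alnum(buf: bytes) -> bool:
    """True only when no byte falls outside the alphanumeric ranges."""
    return not non_alnum_bytes(buf)


def badchars_for_alnum_only() -> bytes:
    """Every byte value that is not alphanumeric (194 of the 256 values).
    This is the bad-character list you would give the encoder to demand a
    pure-alpha result; as H D Moore notes in the thread, alpha_mixed then
    also needs BufferRegister/BufferOffset so it can omit the GetPC stub."""
    return bytes(b for b in range(256) if b not in ALNUM)


def report(buf: bytes) -> str:
    """Human-readable summary of which bytes break the alphanumeric rule."""
    lines = [f"{len(buf)} bytes, body alphanumeric from offset "
             f"{alnum_body_offset(buf)}"]
    for off, val in non_alnum_bytes(buf):
        lines.append(f"  offset {off:3d}: 0x{val:02x} is not alphanumeric")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_HEAD))
```

On the sample the report lists offsets 0, 1, 2, 4, 5 and 6 and puts the start of the alphanumeric body at offset 7; running it over the full 293-byte buffer from the thread gives the same answer, so everything after the seven-byte stub is within the advertised ranges. Note that offset 3 (0x74, the letter "t") passes the check only by accident: it is part of the stub's instruction encoding, not of the alpha body, which is why a byte-range check alone does not tell you where the decoder begins. Feeding `badchars_for_alnum_only()` to an encoder is the check-side equivalent of the bad-character list described in the thread: if the output still contains any of those 194 values, the encoder ignored the constraint rather than honoured it.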
Current thread:
- alpha_mixed encoding not alpha Ty Miller (Jul 21)
- alpha_mixed encoding not alpha M Purandhar Sairam (Jul 21)
- alpha_mixed encoding not alpha H D Moore (Jul 21)
- alpha_mixed encoding not alpha Ty Miller (Jul 21)