Penetration Testing mailing list archives

Previous By Date Next
Previous By Thread Next

Re: Advances In Windows Shellcode

From: "sk" <sk () scan-associates net>
Date: Wed, 15 Jan 2003 15:17:08 +0800
The 91++ bytes shellcode not only uses hard code addresses, it also using
hard coded socket descriptor of 0x11, which should _not_ work. (Anyone get
it working?)

Perhaps what is missing is a routine to find socket descriptor of the
current connection?

sk


From: Ing. Bernardo Lopez (bloodk_at_prodigy.net.mx)
Date: Wed Jan 01 2003 - 18:32:20 CST
I know this is not the faster way but...

Could be more easy to get the shellcode if you put in your program and
rebuild it (whitin a debugger, like softice)then you dump that modified
addres...



Whit this you can split the includes and other extra stuff, just getting
the minimal shellcode nesesary...



Have a nice day



PS:Well then , my hipotetical method or by doing a C prog whit includes
and all?



El mar, 31-12-2002 a las 23:02, Brett Moore escribió:
Advances in windows shellcode are few and far between. Papers exist
detailing the process using anonymous pipes and examples exist showing how
to use a socket directly as the handle for stdin, stdout and stderr.

RVA techniques can be used to write code that will run regardless of

service

pack, and there is not often times when shellcode space is extremely

limited

so we should be happy with universal remote callback shellcode of ~300
bytes.

David Litchfield's post regarding using a socket as a handle included a
statement:
"If you hard code addresses ..... you can get the exploit code down to 160
bytes"

Which got me to thinking of how to write smaller remote callback

shellcode.

What evolved was an idea, and then shellcode which sends a remote shell
back, uses only 2 api calls, and is only 91 bytes in size.

It does have limited uses, has hardcoded address for SP3, messy, could be
refined but should provoke some interesting thought tangents.

The code is not commented, is not at all user friendly, and to cut the

size

of the post is ill formated, but those who seek the answer should be able

to

get it work.

And now I go on holiday, my byte sequence patent should be ready for

filing

by the time I get back ;)



----------------------------------------------------------------------------
This list is provided by the SecurityFocus Security Intelligence Alert (SIA)
Service. For more information on SecurityFocus' SIA service which
automatically alerts you to the latest security vulnerabilities please see:
https://alerts.securityfocus.com/
Previous By Date Next
Previous By Thread Next

Current thread: