Re: pen testing & obfuscated shell code (more neat stuff)

[Karsten Johansson <ksaj () penetrationtest com>]

In-Reply-To: <20040212180806.25015.qmail () www securityfocus com>

Greetings, 

I just did some experimenting with the idea of simply entering an ASCII characters as NOP sleds.

Using capital letters is dangerous because the first bunch are INC and DEC's, which may affect the shellcode. The 
latter capitals are PUSH and POPs, which will surely mess up the stack... this may or may not matter some of the time, 
but I'm sure it would be unpredictably buggy at best.  How 'leet is a buggy hack? (I've always been amused by the fact 
that viruses and worms seem to be better debugged than most other software out in the wild)

But there *is* a good ASCII range: abcdefghijklmno they dno't map to anything.  Don't use p or beyond since they map to 
opcodes again.

I created a file called alpha.com with only the contents 'abcdefghijklmno' in it, and ran it.  It exited without 
crashing, and EAX EBX ECX EDX etc are unchanged.  Tracing it didn't expose anything that would mess up dataflow either. 
 So now we have at least 1 real and 15 virtual NOPs that can be used safely and easily.

Too bad 's' maps to JNB, or I would use ksaj to brand my nop sleds.

I propose 'blindjoghack' as a new improved NOP sled, since it is self-referential, and won't crash the system. :)

     Karsten Johansson
     www.PENETRATIONTEST.com

---------------------------------------------------------------------------
Free trial: Astaro Security Linux -- firewall with Spam/Virus Protection

Protect your network with the comprehensive security solution that
integrates six applications for ease of use and lower TCO.

Firewall - Virus protection - Spam protection - URL blocking - VPN
- Wireless security.

Download 30-day evaluation at:
http://www.astaro.com/php/contact/securityfocus.php
----------------------------------------------------------------------------