Penetration Testing mailing list archives
Re: pen testing & obfuscated shell code (more neat stuff)
From: Karsten Johansson <ksaj () penetrationtest com>
Date: 13 Feb 2004 15:42:08 -0000
In-Reply-To: <20040212180806.25015.qmail () www securityfocus com> Greetings, I just did some experimenting with the idea of simply entering an ASCII characters as NOP sleds. Using capital letters is dangerous because the first bunch are INC and DEC's, which may affect the shellcode. The latter capitals are PUSH and POPs, which will surely mess up the stack... this may or may not matter some of the time, but I'm sure it would be unpredictably buggy at best. How 'leet is a buggy hack? (I've always been amused by the fact that viruses and worms seem to be better debugged than most other software out in the wild) But there *is* a good ASCII range: abcdefghijklmno they dno't map to anything. Don't use p or beyond since they map to opcodes again. I created a file called alpha.com with only the contents 'abcdefghijklmno' in it, and ran it. It exited without crashing, and EAX EBX ECX EDX etc are unchanged. Tracing it didn't expose anything that would mess up dataflow either. So now we have at least 1 real and 15 virtual NOPs that can be used safely and easily. Too bad 's' maps to JNB, or I would use ksaj to brand my nop sleds. I propose 'blindjoghack' as a new improved NOP sled, since it is self-referential, and won't crash the system. :) Karsten Johansson www.PENETRATIONTEST.com --------------------------------------------------------------------------- Free trial: Astaro Security Linux -- firewall with Spam/Virus Protection Protect your network with the comprehensive security solution that integrates six applications for ease of use and lower TCO. Firewall - Virus protection - Spam protection - URL blocking - VPN - Wireless security. Download 30-day evaluation at: http://www.astaro.com/php/contact/securityfocus.php ----------------------------------------------------------------------------
Current thread:
- Re: pen testing & obfuscated shell code (more neat stuff) Karsten Johansson (Feb 13)
- Re: pen testing & obfuscated shell code (more neat stuff) Steve Kemp (Feb 16)
- RE: pen testing & obfuscated shell code (more neat stuff) Omar Herrera (Feb 16)
- <Possible follow-ups>
- Re: pen testing & obfuscated shell code (more neat stuff) Karsten Johansson (Feb 17)
- Re: pen testing & obfuscated shell code (more neat stuff) Angelo Dell'Aera (Feb 17)