Penetration Testing mailing list archives

RE: pen testing & obfuscated shell code (more neat stuff)


From: Omar Herrera <oherrera () prodigy net mx>
Date: Sat, 14 Feb 2004 18:12:24 -0600



 -----Original Message-----
 From: Karsten Johansson [mailto:ksaj () penetrationtest com]
 ...
 Using capital letters is dangerous because the first bunch are INC and
 DEC's, which may affect the shellcode. The latter capitals are PUSH and
 POPs, which will surely mess up the stack... this may or may not matter
 some of the time, but I'm sure it would be unpredictably buggy at best.
 How 'leet is a buggy hack? (I've always been amused by the fact that
 viruses and worms seem to be better debugged than most other software
 out in the wild)
Well, if you execute an injected shellcode in a program you are already
messing up many things, so you shouldn't worry so much. Actually, your
shellcode is going to initialize many of the registers (you just can't
rely on the original values left by the program anyway), so INC and DEC
are OK.

Push and pop might mess up the stack, but it is also not a big deal: your
shellcode will push to whatever is pointed to by the stack and pop the
same. You could try to balance pushes and pops so that you end at the same
stack pointer +/- 1 (depending on where you land in the sled), but I'm not
sure if this would be of much help.

 But there *is* a good ASCII range: abcdefghijklmno they don't map to
 anything.  Don't use p or beyond since they map to opcodes again.
Actually this range does map to opcodes (see Intel Architecture Software
Developer's Manual, Volume 2: Instruction Set Reference, Appendix A;
you can find a copy here:
http://developer.intel.com/design/pentium/manuals/24319101.pdf)

If you disassemble your ASCII sled it will give you something like:
C:\SEGURIDAD\NASM-98-win>ndisasmw.exe reg.asm
00000000  61                popa
00000001  626364            bound sp,[bp+di+0x64]
00000004  65666768696A6B6C  gs a32 push dword 0x6c6b6a69
0000000C  6D                insw
0000000D  6E                outsb
0000000E  6F                outsw

(this was done with ndisasmw, included with nasm) and from the reference
above we have:
letter   opcode
a        popa
b        bound
c        arpl
d        seg=fs
e        seg=gs
f        "Operand size"
g        "Address size"
h        push
i        imul
j        push
k        imul
l        insb
m        insw
n        outsb
o        outsw

So, it seems that your sled actually did a push, and no harm was done :-)
Jon Erickson actually has examples of ASCII-printable shellcode in his
book "Hacking, The Art of Exploitation" and he makes use of INC, DEC,
PUSH and POP a lot (might be worth checking).

Regards,

Omar Herrera
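Added example, not code from the thread: a small linear-sweep decoder in Python for the x86 one-byte opcodes whose encodings fall in the printable range 0x40..0x6F (the capital letters and a..o discussed above). It decodes in 32-bit mode (the ndisasm run above used ndisasm's 16-bit default, hence "sp" and "bp"), and returns each mnemonic together with the net ESP change in bytes, so the push/pop balance of a sled can be checked.

```python
# Added example, not code from the thread: linear-sweep decoder for the x86 one-byte
# opcodes encoded as printable ASCII 0x40..0x6F (32-bit mode, ESP delta in bytes).
REG = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]
PREFIX = {0x64: "fs", 0x65: "gs", 0x66: "opsize", 0x67: "addrsize"}   # 'd'..'g'
def modrm_len(code, pos):  # bytes used by the ModRM byte at pos plus SIB/displacement
    mod, rm = code[pos] >> 6, code[pos] & 7
    if mod == 3:
        return 1                                    # register operand, no extras
    n = 1 + (rm == 4)                               # rm == 4 means a SIB byte follows
    if mod == 1:
        n += 1                                      # disp8
    elif mod == 2 or rm == 5 or (rm == 4 and (code[pos + 1] & 7) == 5):
        n += 4                                      # disp32, incl. the no-base forms
    return n
def sweep(code):
    """Decode `code` from offset 0 and return ([mnemonics], net ESP change in bytes)."""
    out, delta, i = [], 0, 0
    while i < len(code):
        osz = 4                                     # operand size; 0x66 switches to 2
        while i < len(code) and code[i] in PREFIX:
            osz = 2 if code[i] == 0x66 else osz
            i += 1
        if i == len(code):
            break                                   # trailing prefixes with no opcode
        b, i = code[i], i + 1
        if 0x40 <= b <= 0x4F:                       # '@'..'O': inc/dec reg, stack untouched
            out.append(("inc " if b < 0x48 else "dec ") + REG[b & 7])
        elif 0x50 <= b <= 0x5F:                     # 'P'..'_': push/pop reg
            out.append(("push " if b < 0x58 else "pop ") + REG[b & 7])
            delta += -osz if b < 0x58 else osz
        elif b in (0x60, 0x61):                     # '`' / 'a': pushad / popad (8 regs)
            out.append("pushad" if b == 0x60 else "popad")
            delta += -8 * osz if b == 0x60 else 8 * osz
        elif b in (0x62, 0x63):                     # 'b' / 'c': bound / arpl, r/m operand
            out.append("bound" if b == 0x62 else "arpl")
            i += modrm_len(code, i)
        elif b in (0x68, 0x6A):                     # 'h' / 'j': push imm32 / push imm8
            n = osz if b == 0x68 else 1
            out.append(f"push 0x{int.from_bytes(code[i:i + n], 'little'):x}")
            i += n
            delta -= osz
        elif b in (0x69, 0x6B):                     # 'i' / 'k': imul r, r/m, imm32 / imm8
            out.append("imul")
            i += modrm_len(code, i) + (osz if b == 0x69 else 1)
        elif 0x6C <= b <= 0x6F:                     # 'l'..'o': string I/O instructions
            out.append(["insb", "insd", "outsb", "outsd"][b - 0x6C])
        else:
            raise ValueError(f"byte 0x{b:02x} at offset {i - 1} is outside 0x40..0x6F")
    return out, delta
```

Running `sweep(b"abcdefghijklmno")` shows the whole 15-byte sled consumed by four instructions, with the 0x66 prefix turning the 'h' push into a 16-bit immediate push.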


