Penetration Testing mailing list archives

Re: pen testing & obfuscated shell code (more neat stuff)


From: Karsten Johansson <ksaj () penetrationtest com>
Date: 16 Feb 2004 17:52:45 -0000

In-Reply-To: <002d01c3f358$6339a660$6401a8c0@harrypotter>

Greetings, 
 
Thanks to those who emailed me.  'abcdefghijklmno' 
does indeed map to opcodes.  The quick test I did 
showed them as unmapped, but they definitely are 
mapped.  One person found that a .com file with my 
suggested NOP sled actually made his mouse jump all 
over the place.  That's not very NOPish at all. 
 
As well, a few people provided some really good links 
on the subject.  Here are two good ones: 
 
http://www.livejournal.com/community/shellcode/1983.html - ASCII shellcode for writing a 
message to the console 
 
http://cansecwest.com/noplist-v1-1.txt - NOP 
equivalents used by SNORT spp_fnord.c 
 
Since the people that use NOP sleds don't really care 
about the registers and what's on the stack, then 
there are probably a lot more useful NOP sled opcodes 
available - as long as they don't generate errors. 
 
I am thinking about finishing the document that I 
posted here on Byte code replacement, because I wrote 
that when extended registers weren't an issue.  If 
anyone wants to help, just let me know. 
 
    Karsten Johansson 
    www.PENETRATIONTEST.com 
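The spp_fnord approach referenced above, as an added example that is not part of the original post or of Snort's own code: a detector that flags long runs of single-byte x86 instructions usable in place of 0x90, which is exactly why a sled author who does not care about register state has a much wider byte set to draw from and why a detector has to watch more than 0x90. The opcode subset, thresholds and sample payloads are constructed here and deliberately partial.

```python
"""Fnord-style NOP-sled run detector (constructed example).

Snort's spp_fnord flags long runs of single-byte x86 instructions that can
stand in for 0x90: a sled only has to execute without faulting, so
clobbering registers or flags along the way costs the attacker nothing.
"""

# Constructed, deliberately partial subset of one-byte x86 instructions that
# run in user mode without touching memory, I/O or privileged state.
# 0x40..0x4F are the printable characters '@' and 'A'..'O'.
SLED_BYTES = frozenset(
    [0x90]                          # nop
    + list(range(0x40, 0x50))       # inc/dec r32
    + list(range(0x91, 0x98))       # xchg eax, r32
    + [0x98, 0x99, 0x9E, 0x9F,      # cwde, cdq, sahf, lahf
       0xF8, 0xF9, 0xFC, 0xFD,      # clc, stc, cld, std
       0x27, 0x2F, 0x37, 0x3F]      # daa, das, aaa, aas
)

def find_sled_runs(data: bytes, min_run: int = 16, sled_bytes=SLED_BYTES):
    """Return [(offset, length), ...] for every maximal run of at least
    min_run consecutive bytes drawn from sled_bytes."""
    runs, start = [], None
    for i, b in enumerate(data):
        if b in sled_bytes:
            if start is None:
                start = i
        elif start is not None:
            if i - start >= min_run:
                runs.append((start, i - start))
            start = None
    if start is not None and len(data) - start >= min_run:
        runs.append((start, len(data) - start))
    return runs

def printable_sled_chars(sled_bytes=SLED_BYTES) -> str:
    """Printable-ASCII members of the set.  Legitimate text made of them
    (a long run of capital letters, say) is the classic fnord false positive,
    which is why min_run and protocol context matter."""
    return "".join(chr(b) for b in sorted(sled_bytes) if 0x20 <= b < 0x7F)

if __name__ == "__main__":
    # Constructed samples: a 0x90 sled, an uppercase sled behind an HTTP
    # request line, and the lowercase a..o run from the post (not in the set).
    for s in (b"\x90" * 32,
              b"GET / HTTP/1.0\r\n" + b"ABCDEFGHIJKLMNO" * 3 + b"\xcc",
              b"abcdefghijklmno" * 3):
        print(find_sled_runs(s))
    print("printable sled bytes:", printable_sled_chars())
```

Lowering min_run catches shorter sleds at the cost of more hits on ordinary uppercase text, so the threshold is tuned per protocol rather than fixed.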
 
