Penetration Testing mailing list archives

Re: pen testing & obfuscated shell code (more neat stuff)


From: "Angelo Dell'Aera" <buffer () antifork org>
Date: Tue, 17 Feb 2004 15:53:51 +0100
In-Reply-To: <002d01c3f358$6339a660$6401a8c0@harrypotter>

On 16 Feb 2004 17:52:45 -0000
Karsten Johansson <ksaj () penetrationtest com> wrote:

> Since the people that use NOP sleds don't really care about the
> registers and what's on the stack, then there are probably a lot more
> useful NOP sled opcodes available - as long as they don't generate
> errors.

I don't like talking about myself too much, but I just want to point
out some work I did two years ago showing how to defeat an IDS at
"shellcode catching". On that occasion, I wrote two completely
alphanumeric codes, which you may find on my homepage (given below),
named buffer-i386-raptus.c and buffer-i386-delirium.c. In particular,
the latter is an alphanumeric asm code which builds a shellcode and
then executes it. Using these codes, you can use whatever padding you
want, since they make no assumptions about the registers' contents and
always set them properly. This is obviously true even if you generate
an alphanumeric shellcode using, e.g., Rix's ASC starting from a
classic "I-make-no-assumptions" shellcode.

Regards.  

--

Angelo Dell'Aera 'buffer' 
Antifork Research, Inc.         http://buffer.antifork.org

PGP information in e-mail header


Attachment: _bin
Description:
