Vulnerability Development mailing list archives

Re: asm shellcode techniques (especially relevant for win32)


From: "Ryan Permeh" <ryan () eEye com>
Date: Wed, 5 Sep 2001 17:47:15 -0700

I've found both places useful, especially when it comes to shoving as much
in a buffer as required (often you can shove your code other places, but not
always). The original .printer (the portbinding, not the released
filewriting one) PoC code I used looked like:

[code1][ebp][eip][setupandjumptocode1][code2]


I overflowed EIP, hit the setupandjumptocode1, which set up EBP and the stack,
and jumped back to code1, which did an expansion/xor loop through the rest of
the code to set it up, then jumped to code2 when it ended. I had to do it
that way simply because most of the available buffer space was at the
beginning of the buffer (there was a strlen check, but it still let the
overflow through).

It was small and sticky, but it worked. There is no best solution to
shellcode: whatever gets the job done reliably is good, small is better in
my opinion, but keep your options open.

One thing I've noted in experience is that ESP-based variable references are
tricky to keep sane, especially if you play some tricks using the stack, and
although having EBP free to play with is cool, it is often not worth the hassle
in most cases. Your mileage may vary.


Signed,
Ryan Permeh
eEye Digital Security Team
http://www.eEye.com/Retina - Network Security Scanner
http://www.eEye.com/Iris - Network Traffic Analyzer
http://www.eEye.com/SecureIIS - Stop Known and Unknown IIS Vulnerabilities

----- Original Message -----
From: "RaiSe" <raise () netsearch-ezine com>
To: <vuln-dev () securityfocus com>
Sent: Wednesday, September 05, 2001 10:26 PM
Subject: Re: asm shellcode techniques (especially relevant for win32)



Generally I prefer to code a proof-of-concept this way (when possible):

[AAAAAAAAAAAAAA][EBP][EIP][SHELLCODE]

not this way:

[SHELLCODE][AAAAA][EBP][EIP]


Yes, but the first code has a problem. Look at this code:

**
#include <stdio.h>
#include <string.h>

int main(int argc, char *argv[])
{
    char buffer[256];

    strcpy(buffer, argv[1]);   /* unbounded copy: overflows buffer, saved EBP, EIP and beyond */
    printf("%s", argv[2]);     /* reads argv after the overflow has happened */

    return 0;
}
**

If you put the shellcode after [EIP], you will overwrite argc and argv,
so printf will segfault. I think it is better to put the shellcode
before [EBP] and [EIP] when it is possible.


==============-----------------------------==============
RaiSe
UNDERSEC Security Team / http://www.undersec.com
NetSearch Ezine Staff  / http://www.netsearch-ezine.com
ysfk>2{5~~2s~eska2~}dw2k}g<<< XOR 18
==============-----------------------------==============


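To make RaiSe's point concrete, here is an added example (not code from either poster) that models the 32-bit cdecl frame of the main() above as offsets from buffer[256], an assumed layout with no compiler padding or stack canary, and reports which slots a strcpy of a given length overwrites under each of the two layouts.

```c
#include <stddef.h>
#include <stdio.h>

/* Assumed 32-bit cdecl frame of the main() above (a model, not measured from
 * a real binary): offsets count from the start of buffer[256]; saved EBP and
 * the return address follow the buffer, and the caller's pushed argc and argv
 * sit above the return address. Real compilers may add padding or a canary. */
#define BUF_SIZE      256u
#define OFF_SAVED_EBP (BUF_SIZE)
#define OFF_RET_ADDR  (BUF_SIZE + 4u)
#define OFF_ARGC      (BUF_SIZE + 8u)
#define OFF_ARGV      (BUF_SIZE + 12u)

enum { HIT_BUFFER = 1, HIT_EBP = 2, HIT_RET = 4, HIT_ARGC = 8, HIT_ARGV = 16 };

/* Bitmask of slots written by strcpy(buffer, s) with strlen(s) == payload_len.
 * strcpy also stores the terminating NUL, so one byte lands past the payload. */
unsigned regions_hit(size_t payload_len)
{
    size_t end = payload_len + 1;
    unsigned hit = HIT_BUFFER;
    if (end > OFF_SAVED_EBP) hit |= HIT_EBP;
    if (end > OFF_RET_ADDR)  hit |= HIT_RET;
    if (end > OFF_ARGC)      hit |= HIT_ARGC;
    if (end > OFF_ARGV)      hit |= HIT_ARGV;
    return hit;
}

/* Layout 1 from the thread: [AAAA...][EBP][EIP][SHELLCODE]; the string grows
 * past the return address by the code's own length. */
size_t layout_after_eip_len(size_t shellcode_len)
{
    return OFF_RET_ADDR + 4u + shellcode_len;
}

/* Layout 2: [SHELLCODE][AAAA...][EBP][EIP]; the code lives inside the buffer,
 * so the string ends at the return address whatever its size (0 = does not fit). */
size_t layout_before_ebp_len(size_t shellcode_len)
{
    return shellcode_len <= BUF_SIZE ? OFF_RET_ADDR + 4u : 0;
}

int main(void)
{
    printf("after EIP : argv %s\n", (regions_hit(layout_after_eip_len(100)) & HIT_ARGV) ? "clobbered" : "intact");
    printf("before EBP: argv %s\n", (regions_hit(layout_before_ebp_len(100)) & HIT_ARGV) ? "clobbered" : "intact");
    return 0;
}
```

In the model, layout 2's terminating NUL still lands on the low byte of argc, but argv, which printf dereferences, is untouched; layout 1 overwrites argv itself, which is the crash RaiSe describes.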




