Vulnerability Development mailing list archives

Re: shellcode with standard characters


From: sin <sin () insolence net>
Date: Thu, 12 Jun 2003 17:42:50 -0500 (CDT)

Along the same idea as what you are talking about is a Phrack article
called 'Alphanumeric IA32 Shellcode' or similar; I think it's in issue 57.
Basically what you're looking for is instructions with opcodes that are
within your prereqs, and operands to those instructions that are within it; I
myself decided putting the non-alphanumeric shellcode on the stack using
'valid' instructions was the best bet, but I don't understand the modr/m &&
sib bytes well enough to fully understand the article, and thus wasn't able
to create a way to jmp or call esp, not without using non-alphanumeric
characters anyway; the author's original idea is somewhat neat in that we
can use je/jne/jo/etc. that use fixed offsets, so as I understood it
we write our code where certain parts can be called a second time and not
really affect things; i.e. the first time through, the code writes to
itself and alters what will be executed the second time; the second time
it actually executes it; but I could be way off base. Anyway, yes, that's
the only article I know of that covers this; you might look into the
papers that described how they got around imapd's toupper(), and
polymorphic/encrypted shellcode papers...
If you find anything good, let me know.

j

On Thu, 12 Jun 2003, JohnnyRun wrote:

Date: Thu, 12 Jun 2003 11:20:00 +0200
From: JohnnyRun <gianni79 () gamebox net>
To: vuln-dev () securityfocus com
Subject: shellcode with standard characters

Hi!
This is my first post and I'm looking for some documentation.
A friend of mine has produced a segfault with a malloc vulnerability in an
application.
We would like to produce something more interesting.
The field overflowed can accept only characters between 0 and 128. Any
other character is replaced with whitespace.

Can we inject shellcode with only these characters available?
Can you suggest some documentation about shellcode writing?

Thanks a lot
JohnnyRun



