Vulnerability Development mailing list archives

creating a "cc" opcode from ASCII shell code


From: Aaron Adams <aadams () securityfocus com>
Date: Fri, 22 Jun 2007 03:58:24 -0600

I'm sending this to the list on behalf of deros68 <at> yahoo.com. Please
respond to the list or him directly, rather than me.

Thanks.
Moderator

-------- Original Message --------

I have developed an email exploit, incoming email via
SMTP, for a certain email program.  I want to develop
a "run calc.exe" POC and submit to the email vendor -
also get credit for it.  My first 0 day exploit - not
DOS attack.  -:)

If you open or preview the email the stack gets
overlaid.  So far - so good.  However it soon gets
messy.  All input data is translated to UTF-8.  I
built a translate table, a long process with
Windbg/Olly, and have decided that I am forced to
create ASCII shell code so that I can launch calc.exe
and return to the thread.  Only hex 20-79 input
survive untouched.

problem 1.

EIP  EIP +4  EIP +8 etc...------ rest of stack

EIP at 0013c000

I can overwrite EIP with the start of my ASCII
shellcode.  For exploit to work the data that overlays
EIP +4  (0013c004) must be a safe address  like
40404040 or 60606060, also it must be ASCII  otherwise
it gets translated on input.

Fine - I can use a mix of   dec ecx/inc ecx   hex
49/41 that produces a "safe" address and executable
code that does not effectively change anything.   say
49414941

ASCII shell code that runs calc.exe - I think that I
can adapt some found on the net.

What is stumping me is the following:

I want to create several breakpoints in the generated
shell code so that I can debug it in Olly:

I cannot (so far) create some ASCII shell code that
will generate instream the "cc" opcode from
simple ASCII input code.

I tried using the Metasploit "shell code" generator
and failed.   Also - there is no means of delivery via
Metasploit so I gave up on using it.

Maybe I am just tired....  My guess is that I must
seed a register with an ASCII value and then
and/xor/not it with appropriate value.  I have tried
using add/sub with no luck.

thanks

deros68

