Vulnerability Development mailing list archives
creating a "cc" opcode from ASCII shell code
From: Aaron Adams <aadams () securityfocus com>
Date: Fri, 22 Jun 2007 03:58:24 -0600
I'm sending this to the list on behalf of deros68 <at> yahoo.com. Please respond to the list or him directly, rather than me. Thanks. Moderator

-------- Original Message --------

I have developed an email exploit, incoming email via smtp, for a certain email program. I want to develop a "run calc.exe" POC and submit to the email vendor - also get credit for it. My first 0 day exploit - not a DOS attack. -:)

If you open or preview the email the stack gets overlaid. So far - so good. However it soon gets messy. All input data is translated to UTF-8. I built a translate table, a long process with Windbg/Olly, and have decided that I am forced to create ASCII shell code so that I can launch calc.exe and return to the thread. Only hex 20-79 input survives untouched.

problem 1.

EIP  EIP +4  EIP +8  etc... ------ rest of stack
EIP at 0013c000

I can overwrite EIP with the start of my ASCII shellcode. For the exploit to work the data that overlays EIP +4 (0013c004) must be a safe address like 40404040 or 60606060; also it must be ASCII, otherwise it gets translated on input. Fine - I can use a mix of dec ecx/inc ecx (hex 49/41) that produces a "safe" address and executable code that does not effectively change anything, say 49414941.

ASCII shell code that runs calc.exe - I think that I can adapt some found on the net.

What is stumping me is the following: I want to create several breakpoints in the generated shell code so that I can debug it in Olly. I cannot (so far) create some ASCII shell code that will generate instream the "cc" opcode from simple ASCII input code. I tried using the Metasploit "shell code" generator and failed. Also - there is no means of delivery via Metasploit so I gave up on using it. Maybe I am just tired....

My guess is that I must seed a register with an ASCII value and then and/xor/not it with the appropriate value. I have tried using add/sub with no luck.

thanks
deros68
Current thread:
- creating a "cc" opcode from ASCII shell code Aaron Adams (Jun 22)
- Re: creating a "cc" opcode from ASCII shell code Valdis . Kletnieks (Jun 22)
- Re: creating a "cc" opcode from ASCII shell code H D Moore (Jun 22)
- Re: creating a "cc" opcode from ASCII shell code Dude VanWinkle (Jun 24)
- <Possible follow-ups>
- Re: creating a "cc" opcode from ASCII shell code lists73 (Jun 25)