Re: Advances In Windows Shellcode

From: sk (sk@scan-associates.net)
Date: Tue Jan 14 2003 - 23:17:08 PST


    The 91++ byte shellcode not only uses hard-coded addresses, it also uses a
    hard-coded socket descriptor of 0x11, which should _not_ work. (Has anyone
    got it working?)
    
    Perhaps what is missing is a routine to find the socket descriptor of the
    current connection?
    
    sk
    
    >From: Ing. Bernardo Lopez (bloodk_at_prodigy.net.mx)
    >Date: Wed Jan 01 2003 - 18:32:20 CST
    >I know this is not the fastest way but...
    >
    >It could be easier to get the shellcode if you put it in your program and
    >rebuild it (within a debugger, like SoftICE), then you dump that modified
    >address...
    
    >With this you can split off the includes and other extra stuff, just getting
    >the minimal shellcode necessary...
    
    >Have a nice day
    
    >PS: Well then, my hypothetical method, or by doing a C prog with includes
    >and all?
    
    >On Tue, 31-12-2002 at 23:02, Brett Moore wrote:
    > Advances in Windows shellcode are few and far between. Papers exist
    > detailing the process using anonymous pipes, and examples exist showing how
    > to use a socket directly as the handle for stdin, stdout and stderr.
    >
    > RVA techniques can be used to write code that will run regardless of
    > service pack, and there are not often times when shellcode space is
    > extremely limited, so we should be happy with universal remote callback
    > shellcode of ~300 bytes.
    >
    > David Litchfield's post regarding using a socket as a handle included a
    > statement:
    > "If you hard code addresses ..... you can get the exploit code down to 160
    > bytes"
    >
    > Which got me to thinking of how to write smaller remote callback
    > shellcode. What evolved was an idea, and then shellcode which sends a
    > remote shell back, uses only 2 API calls, and is only 91 bytes in size.
    >
    > It does have limited uses, has a hard-coded address for SP3, is messy and
    > could be refined, but it should provoke some interesting thought tangents.
    >
    > The code is not commented, is not at all user friendly, and to cut the
    > size of the post is ill formatted, but those who seek the answer should be
    > able to get it to work.
    >
    > And now I go on holiday; my byte sequence patent should be ready for
    > filing by the time I get back ;)
    
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus Security Intelligence Alert (SIA)
    Service. For more information on SecurityFocus' SIA service which
    automatically alerts you to the latest security vulnerabilities please see:
    https://alerts.securityfocus.com/
    



    This archive was generated by hypermail 2b30 : Mon Jan 20 2003 - 23:30:29 PST