The 91++ byte shellcode not only uses hard-coded addresses, it also uses a hard-coded socket descriptor of 0x11, which should _not_ work. (Anyone get it working?) Perhaps what is missing is a routine to find the socket descriptor of the current connection?

sk

> From: Ing. Bernardo Lopez (bloodk_at_prodigy.net.mx)
> Date: Wed Jan 01 2003 - 18:32:20 CST
>
> I know this is not the fastest way but...
>
> It could be easier to get the shellcode if you put it in your program and
> rebuild it (within a debugger, like SoftICE), then you dump that modified
> address...
> With this you can split the includes and other extra stuff, just getting
> the minimal shellcode necessary...
> Have a nice day
> PS: Well then, my hypothetical method, or by doing a C prog with includes
> and all?
>
> On Tue, 31-12-2002 at 23:02, Brett Moore wrote:
> > Advances in Windows shellcode are few and far between. Papers exist
> > detailing the process using anonymous pipes and examples exist showing how
> > to use a socket directly as the handle for stdin, stdout and stderr.
> >
> > RVA techniques can be used to write code that will run regardless of service
> > pack, and there are not often times when shellcode space is extremely limited,
> > so we should be happy with universal remote callback shellcode of ~300
> > bytes.
> >
> > David Litchfield's post regarding using a socket as a handle included a
> > statement:
> > "If you hard code addresses ..... you can get the exploit code down to 160
> > bytes"
> >
> > Which got me to thinking of how to write smaller remote callback shellcode.
> > What evolved was an idea, and then shellcode which sends a remote shell
> > back, uses only 2 API calls, and is only 91 bytes in size.
> >
> > It does have limited uses, has hardcoded addresses for SP3, is messy, could be
> > refined, but should provoke some interesting thought tangents.
> >
> > The code is not commented, is not at all user friendly, and to cut the size
> > of the post is ill formatted, but those who seek the answer should be able to
> > get it to work.
> >
> > And now I go on holiday, my byte sequence patent should be ready for filing
> > by the time I get back ;)

----------------------------------------------------------------------------
This list is provided by the SecurityFocus Security Intelligence Alert (SIA) Service. For more information on SecurityFocus' SIA service which automatically alerts you to the latest security vulnerabilities please see: https://alerts.securityfocus.com/

This archive was generated by hypermail 2b30 : Mon Jan 20 2003 - 23:30:29 PST