Re: asm shellcode techniques (especially relevant for win32)

From: Ryan Permeh (ryanat_private)
Date: Wed Sep 05 2001 - 17:47:15 PDT


    i've found both places useful, especially when it comes to shoving as much
    in a buffer as required (often you can shove your code other places, but not
    always).  the original .printer (the portbinding, not the released
    filewriting one) poc code i used looked like:
    
    [code1][ebp][eip][setupandjumptocode1][code2]
    
    
    i overflowed eip, hit the setupandjumptocode1, which set up ebp and stack,
    and jumped back to code 1 that did an expansion/xor loop through the rest of
    the code to set it up, then jumped to code2 when it ended.  i had to do it
    that way simply because most of the available buffer space was at the
    beginning of the buffer (there was a strlen check, but it still let the
    overflow through).
    
    it was small and sticky, but it worked.  there is no best solution to
    shellcode. whatever gets the job done reliably is good, small is better in
    my opinion, but keep your options open.
    
    one thing i've noted in experience is that ESP-based variable references are
    tricky to keep sane, especially if you play some tricks using the stack, and
    although having ebp free to play with is cool, it is often not worth the hassle
    in most cases.  your mileage may vary.
    
    
    Signed,
    Ryan Permeh
    eEye Digital Security Team
    http://www.eEye.com/Retina -Network Security Scanner
    http://www.eEye.com/Iris -Network Traffic Analyzer
    http://www.eEye.com/SecureIIS -Stop Known and Unknown IIS Vulnerabilities
    
    ----- Original Message -----
    From: "RaiSe" <raise@netsearch-ezine.com>
    To: <vuln-devat_private>
    Sent: Wednesday, September 05, 2001 10:26 PM
    Subject: Re: asm shellcode techniques (especially relevant for win32)
    
    
    > -----BEGIN PGP SIGNED MESSAGE-----
    > Hash: SHA1
    >
    >
    > > Generally I prefer to code a proof-of-concept this way (when possible):
    > >
    > > [AAAAAAAAAAAAAA][EBP][EIP][SHELLCODE]
    > >
    > > not this way:
    > >
    > > [SHELLCODE][AAAAA][EBP][EIP]
    >
    >
    > Yes, but first code has a problem. Look at this code:
    >
    > **
    > #include <stdio.h>
    > #include <string.h>
    >
    > int main(int argc, char *argv[])
    > {
    > char buffer[256];
    >
    > strcpy(buffer, argv[1]);   /* unbounded copy: the overflow under discussion */
    > printf("%s", argv[2]);
    >
    > return 0;
    > }
    > **
    >
    > If you put the shellcode after [EIP], you will overwrite argc and argv,
    > so printf will cause a segv fault. I think it is better to put the shellcode
    > before [EBP] and [EIP] when it is possible.
    >
    >
    > ==============-----------------------------==============
    > RaiSe
    > UNDERSEC Security Team / http://www.undersec.com
    > NetSearch Ezine Staff  / http://www.netsearch-ezine.com
    > ysfk>2{5~~2s~eska2~}dw2k}g<<< XOR 18
    > ==============-----------------------------==============
    >
    >
    > -----BEGIN PGP SIGNATURE-----
    > Version: GnuPG v1.0.6 (GNU/Linux)
    > Comment: Made with pgp4pine 1.76
    >
    > iD8DBQE7lwkhSP4h0VxUtqMRApmOAJ9GpfM3Dt6dUqfkRRwC+7u4SeDfDgCgiXx2
    > x83Kq3APOf7ZsCVCgDUYiBo=
    > =k71I
    > -----END PGP SIGNATURE-----
    >
    >
    >
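
The snippet RaiSe quotes above crashes in printf because the unbounded strcpy() runs past the 256-byte buffer, over the saved EBP and return address, and into main()'s own argc/argv. The following is an added example, not code from either poster: the same program with the copy bounded so that nothing past the buffer is ever written and argv stays intact. The names copy_arg and CopyResult are my own.

```c
/* Added example (not from the thread): bounds-checked replacement for the
 * unchecked strcpy() in the quoted snippet. Over-long input is rejected
 * outright rather than truncated, so a caller can never mistake a clipped
 * value for the real one, and no byte is written beyond the buffer. */
#include <stdio.h>
#include <string.h>
#include <stddef.h>

enum CopyResult { COPY_OK = 0, COPY_TOO_LONG = 1, COPY_BAD_ARG = 2 };

/* Copy src into dst, whose capacity is dstsz bytes including the NUL.
 * The scan of src is bounded by dstsz, so an unterminated src cannot be
 * over-read either. */
enum CopyResult copy_arg(char *dst, size_t dstsz, const char *src)
{
    if (dst == NULL || src == NULL || dstsz == 0)
        return COPY_BAD_ARG;

    size_t n = 0;
    while (n < dstsz && src[n] != '\0')
        n++;
    if (n == dstsz)              /* no terminator within capacity: too long */
        return COPY_TOO_LONG;

    memcpy(dst, src, n + 1);     /* n characters plus the terminating NUL */
    return COPY_OK;
}

/* Same shape as the quoted program, with the copy checked first. */
int main(int argc, char *argv[])
{
    char buffer[256];

    if (argc < 3) {
        fprintf(stderr, "usage: %s <arg1> <arg2>\n", argv[0]);
        return 2;
    }
    if (copy_arg(buffer, sizeof buffer, argv[1]) != COPY_OK) {
        fprintf(stderr, "argument 1 too long (max %zu bytes)\n",
                sizeof buffer - 1);
        return 1;
    }
    /* argv[2] is still valid here: the copy never touched the frame above. */
    printf("%s %s\n", buffer, argv[2]);
    return 0;
}
```

Rejecting rather than truncating is the deliberate choice here: a silently clipped argument is still a bug, just a quieter one, whereas a hard error is visible in testing and in logs.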
    



    This archive was generated by hypermail 2b30 : Wed Sep 05 2001 - 18:10:30 PDT