Re: shellcode with standard characters

From: sin (sinat_private)
Date: Thu Jun 12 2003 - 15:42:50 PDT

Next message: Jose Ronnick: "Re: shellcode with standard characters"

Previous message: KF: "Re: shellcode with standard characters"
In reply to: JohnnyRun: "shellcode with standard characters"
Next in thread: Jose Ronnick: "Re: shellcode with standard characters"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

along the same idea's of what you are talking about is a phrack article
called 'Alphanumeric IA32 Shellcode' or simlar, i think its in issue 57.
basically what your looking for is instructions with opcodes that are
within your prereq's, and operands to those instructions are within it; i
myself decided putting the non alphanumeric shellcode on the stack using
'valid' instructions was the best bet, but i dont understand the modr/m &&
sib bytes well enough to fully understand the article; and thus wasnt able
to create a way to jmp or call esp, not without using non alphanumeric
characters anyways; the authors original idea is somewhat neat in that we
can use je/jne/jo/etc that use fixed offset's, so as i understood it
we write our code where certain parts can be called a second time and not
affect things really; i.e. the first time through the code writes to
itself and alters what will be execution the second time; the second time
it actually executes it; but i could be way off base; anyways yes thats
the only article i know of that covers this; you might look into the
papers that described like how they got around imapd's toupper() and
polymorphic/encrypted shellcode papers...
if you find anything good, let me know

j

On Thu, 12 Jun 2003, JohnnyRun wrote:

> Date: Thu, 12 Jun 2003 11:20:00 +0200
> From: JohnnyRun <gianni79at_private>
> To: vuln-devat_private
> Subject: shellcode with standard characters
>
> Hi!
> This is my first post and I'm looking for some documentation.
> A friend of mine has produced a segfault with malloc vulnerability on an
> application.
> We would like to produce something more interesting.
> The field overflowed can accept only characters between 0 and 128. Any
> other character is replaced with a whitespace.
>
> Can we inject shellcode with only this characters avaible?
> Can you suggest me documentation about shellcode writing?
>
> Thanks a lot
> JohnnyRun
>
>
>
> --
> -------------------------------
>
>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (FreeBSD)

iD8DBQE+6QHtoEcehqzkkpgRAj6NAKCpdlJ7bb7GEoIdK/Ugd++bHaT15gCfRLHx
JJEm7A7FmQjMUSQfjhgSLSc=
=UNq+
-----END PGP SIGNATURE-----

Next message: Jose Ronnick: "Re: shellcode with standard characters"
Previous message: KF: "Re: shellcode with standard characters"
In reply to: JohnnyRun: "shellcode with standard characters"
Next in thread: Jose Ronnick: "Re: shellcode with standard characters"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Thu Jun 12 2003 - 18:25:54 PDT