Along the same ideas as what you are talking about is a Phrack article called 'Alphanumeric IA32 Shellcode' or similar; I think it's in issue 57. Basically, what you're looking for is instructions with opcodes that are within your prereqs, and operands to those instructions that are within it. I myself decided putting the non-alphanumeric shellcode on the stack using 'valid' instructions was the best bet, but I don't understand the ModR/M && SIB bytes well enough to fully understand the article, and thus wasn't able to create a way to jmp or call esp, not without using non-alphanumeric characters anyway. The author's original idea is somewhat neat in that we can use je/jne/jo/etc. that use fixed offsets, so as I understood it we write our code where certain parts can be called a second time and not really affect things; i.e. the first time through, the code writes to itself and alters what will be executed the second time; the second time it actually executes it. But I could be way off base.

Anyway, yes, that's the only article I know of that covers this. You might look into the papers that described how they got around imapd's toupper(), and polymorphic/encrypted shellcode papers...

If you find anything good, let me know.

j

On Thu, 12 Jun 2003, JohnnyRun wrote:

> Date: Thu, 12 Jun 2003 11:20:00 +0200
> From: JohnnyRun <gianni79at_private>
> To: vuln-devat_private
> Subject: shellcode with standard characters
>
> Hi!
> This is my first post and I'm looking for some documentation.
> A friend of mine has produced a segfault with a malloc vulnerability on an
> application.
> We would like to produce something more interesting.
> The field overflowed can accept only characters between 0 and 128. Any
> other character is replaced with a whitespace.
>
> Can we inject shellcode with only these characters available?
> Can you suggest documentation about shellcode writing?
>
> Thanks a lot
> JohnnyRun
This archive was generated by hypermail 2b30 : Thu Jun 12 2003 - 18:25:54 PDT