Writing ascii shellcode

From: lists73@skilltube.com
Date: Wed Jul 04 2007 - 11:44:42 EDT

('binary' encoding is not supported, stored as-is) There was a question regarding ascii shellcode development and in particular, how to get the \xcc opcode. We had a similar problem a few weeks ago and we solved it with a well-known approach documented by Steve Hanna. The example below might help others as well.

Suppose we want create the following small shellcode (just an example):

int3
int3
int3
int3

The corresponding opcodes look like the following:

\xcc\xcc\xcc\xcc

These are definitely not printable characters. However, we can write them on the fly with the following loader code (does not contain non-printable characters):

// eax == 0
and eax,454e4f4a
and eax,3a313035

// make "room" for the real shellcode
push esp
pop eax
sub eax,39393333
sub eax,72727550
sub eax,54545645 // depends on the space needed
push eax
pop esp

// write last four byte block of our shellcode
and eax,454e4f4a
and eax,3a313035

sub eax,66666666
sub eax,66666666
sub eax,66666668
push eax

//write next four byte block of our shellcode
etc.

------------------------------------------------------------------------
This List Sponsored by: Cenzic

Swap Out your SPI or Watchfire app sec solution for
Cenzic's robust, accurate risk assessment and management
solution FREE - limited Time Offer

http://www.cenzic.com/wf-spi
------------------------------------------------------------------------

This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:57:55 EDT