Re: pen testing & obfuscated shell code

From: Don Parker (dparker@rigelksecurity.com)
Date: Tue Feb 10 2004 - 08:24:14 EST


Hello Marius, indeed the trick is in using a 1-byte function, but also in making sure
that it does not affect the egg itself. That is the real trick. There is no shortage of
1-byte functions to use; the problem is making sure it still works afterwards. It is simple to
just use an ASCII character as well, but that is a different story. Thanks for your
reply :-)

Cheers

Don

-------------------------------------------
Don Parker, GCIA
Intrusion Detection Specialist
Rigel Kent Security & Advisory Services Inc
www.rigelksecurity.com
ph :613.249.8340
fax:613.249.8319
--------------------------------------------

On Feb 9, Marius Huse Jacobsen <mahuja@c2i.net> wrote:


Hello Don,

Friday, January 30, 2004, 5:44:53 AM, you wrote:

DP> Hello group, have a question to ask which is about using obfuscated shell code during a
DP> pen test. Do any of you actually use home cooked obfuscated shell code during a pen test?
DP> By that I mean do you replace the known sled of x90 with another 1 byte instruction that
DP> won't affect the egg?

There are many instructions that would fit the bill... Incrementing
and decrementing registers, for example. To avoid further filters,
you may wish to alternate. E.g.
NOP
INC EAX
INC EDX
NOP
NOP
INC EAX
DEC EDX
INC EAX
XOR EAX,EAX

The clue is that the instruction, in machine code, should be one byte
only. Simply because if there were two, there would be a chance it
"landed" on the odd byte.

--
Best regards,
 Marius mailto:mahuja@c2i.net


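The detection side of the exchange above, as an added example that is not code from either poster: a 0x90-only sled signature misses the alternating filler Marius lists, while a rule keyed on the class of register-safe single-byte opcodes still sees the whole run. The opcode table (NOP, INC r32, DEC r32) and the sample buffer are constructed for this example and are an assumption, not a complete table.

```python
"""Flag NOP-sled-like runs built from single-byte x86 filler other than 0x90.

Constructed example for the thread above, not code from either poster.
The opcode table is a deliberately small assumption: NOP (0x90),
INC r32 (0x40-0x47) and DEC r32 (0x48-0x4F), the register-safe one-byte
instructions the reply lists. A real detector would carry a larger table.
"""

REGS = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]
SLED_OPCODES = {0x90: "nop"}
SLED_OPCODES.update({0x40 + i: f"inc {r}" for i, r in enumerate(REGS)})
SLED_OPCODES.update({0x48 + i: f"dec {r}" for i, r in enumerate(REGS)})
PLAIN_NOP = {0x90: "nop"}  # what a 0x90-only signature looks for


def longest_run(buf: bytes, table: dict) -> tuple:
    """Return (offset, length) of the longest run of bytes found in `table`.

    Every table entry is exactly one byte, so the run decodes identically
    from whichever byte control lands on, which is the property the thread
    describes as not "landing on the odd byte".
    """
    best, start = (0, 0), None
    for i, b in enumerate(buf + b"\x00"):  # sentinel byte closes the last run
        if b in table:
            start = i if start is None else start
        elif start is not None:
            if i - start > best[1]:
                best = (start, i - start)
            start = None
    return best


def decode_run(buf: bytes, offset: int, length: int) -> list:
    """Render a detected run as mnemonics for an analyst to eyeball."""
    return [SLED_OPCODES[b] for b in buf[offset:offset + length]]


def is_sled_suspect(buf: bytes, min_run: int = 16) -> bool:
    """Alert when a register-safe single-byte run reaches `min_run` bytes."""
    return longest_run(buf, SLED_OPCODES)[1] >= min_run


# Constructed sample: the alternating filler from the reply repeated four
# times (32 bytes), then 'xor eax, eax' (31 C0) standing in for the egg.
SAMPLE = b"\x90\x40\x42\x90\x90\x40\x4a\x40" * 4 + b"\x31\xc0"

if __name__ == "__main__":
    print("0x90-only rule sees a run of", longest_run(SAMPLE, PLAIN_NOP)[1])
    off, n = longest_run(SAMPLE, SLED_OPCODES)
    print(f"opcode-class rule sees a run of {n} at offset {off}:",
          " ; ".join(decode_run(SAMPLE, off, 8)), "...")
    print("suspect:", is_sled_suspect(SAMPLE))
```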



This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:53:48 EDT