RE: pen testing & obfuscated shell code (more neat stuff)

From: Omar Herrera (oherrera@prodigy.net.mx)
Date: Sat Feb 14 2004 - 19:12:24 EST


> -----Original Message-----
> From: Karsten Johansson [mailto:ksaj@penetrationtest.com]
> ...
> Using capital letters is dangerous because the first bunch are INC and
> DEC's, which may affect the shellcode. The latter capitals are PUSH and
> POPs, which will surely mess up the stack... this may or may not matter
> some of the time, but I'm sure it would be unpredictably buggy at best.
> How 'leet is a buggy hack? (I've always been amused by the fact that
> viruses and worms seem to be better debugged than most other software out
> in the wild)

Well, if you execute an injected shellcode in a program you are
already messing up many things, so you shouldn't worry so much.
Actually, your shellcode is going to initialize many of the registers
(you just can't rely on the original values left by the program anyway),
so INC and DEC are OK.

Push and pop might mess up the stack, but it is also not a big deal: your
shellcode will push to whatever is pointed to by the stack and pop the
same.
You could try to balance pushes and pops so that you end at the same stack
pointer +-1 (depending on where you land in the sled), but I'm not sure if
this would be of much help.

> But there *is* a good ASCII range: abcdefghijklmno they don't map to
> anything. Don't use p or beyond since they map to opcodes again.

Actually this range does map to opcodes (see Intel Architecture Software
Developer's Manual, Volume 2: Instruction Set Reference - Appendix A;
you can find a copy here:
http://developer.intel.com/design/pentium/manuals/24319101.pdf)

If you disassemble your ASCII sled it will give you something like:
C:\SEGURIDAD\NASM-98-win>ndisasmw.exe reg.asm
00000000 61 popa
00000001 626364 bound sp,[bp+di+0x64]
00000004 65666768696A6B6C gs a32 push dword 0x6c6b6a69
0000000C 6D insw
0000000D 6E outsb
0000000E 6F outsw

(this was done with ndisasmw, included with nasm) and from the reference
above we have:
letter opcode
a popa
b bound
c arpl
d seg=fs
e seg=gs
f "Operand size"
g "Address size"
h push
i imul
j push
k imul
l insb
m insw
n outsb
o outsw

So, it seems that your sled actually did a push, and no harm was done :-)
Jon Erickson actually has examples of ascii-printable shellcode in his
book "Hacking, The Art of Exploitation" and he makes use of INC, DEC,
PUSH and POP a lot (might be worth checking).

Regards,

Omar Herrera
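As an added example (not part of Omar's or Karsten's post), the script below turns the two opcode tables discussed in the thread into something you can run: it maps capital letters onto the single-byte INC/DEC/PUSH/POP encodings Karsten describes, maps a-o onto the mnemonics from Omar's table, and computes the net ESP change of an all-capitals sled for every possible landing offset, which is exactly what "balance your pushes and pops" has to account for. It assumes 32-bit (protected mode) decoding; the ndisasm listing in the post was produced in ndisasm's default 16-bit mode, which is why it shows `sp` and `bp`. The register names and byte lengths for the operand-carrying a-o entries are standard Intel encodings, not taken from the post.

```python
# Added example, not code from the thread.  Classify printable-ASCII bytes as
# the 32-bit x86 instructions they decode to, and compute the stack effect of
# a sled made of capital letters depending on where execution lands in it.

REGS32 = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]


def decode_upper(b):
    """Return (mnemonic, register, ESP delta in bytes) for an A-Z byte, else None.
    In 32-bit mode 0x40-0x47 is inc r32, 0x48-0x4F dec r32, 0x50-0x57 push r32
    and 0x58-0x5F pop r32; all are one byte long, so a run of capitals can be
    walked byte by byte without a real disassembler."""
    if 0x41 <= b <= 0x47:          # 'A'..'G'  (0x40 itself is '@')
        return ("inc", REGS32[b - 0x40], 0)
    if 0x48 <= b <= 0x4F:          # 'H'..'O'
        return ("dec", REGS32[b - 0x48], 0)
    if 0x50 <= b <= 0x57:          # 'P'..'W'
        return ("push", REGS32[b - 0x50], -4)
    if 0x58 <= b <= 0x5A:          # 'X'..'Z'
        return ("pop", REGS32[b - 0x58], 4)
    return None


# Lowercase a-o, mnemonics as listed in the post.  The second field says what
# follows the opcode byte: "single" is complete in one byte, "prefix" only
# modifies the next instruction, "operands" consumes a ModR/M byte and/or an
# immediate, so a sled of these cannot be walked one byte at a time.
# (l-o are I/O string instructions; in a normal user-mode process they fault
# on the I/O privilege check, so such a sled would crash rather than run.)
LOWER = {
    "a": ("popa", "single"),           # 0x61
    "b": ("bound", "operands"),        # 0x62, ModR/M
    "c": ("arpl", "operands"),         # 0x63, ModR/M
    "d": ("seg=fs", "prefix"),         # 0x64
    "e": ("seg=gs", "prefix"),         # 0x65
    "f": ("operand size", "prefix"),   # 0x66
    "g": ("address size", "prefix"),   # 0x67
    "h": ("push imm32", "operands"),   # 0x68, 4 immediate bytes
    "i": ("imul", "operands"),         # 0x69, ModR/M + imm32
    "j": ("push imm8", "operands"),    # 0x6A, 1 immediate byte
    "k": ("imul", "operands"),         # 0x6B, ModR/M + imm8
    "l": ("insb", "single"),
    "m": ("insw", "single"),
    "n": ("outsb", "single"),
    "o": ("outsw", "single"),
}


def classify(data):
    """Map each byte to (char, description, kind); bytes outside A-Z/a-o get None."""
    out = []
    for b in data:
        up = decode_upper(b)
        if up:
            out.append((chr(b), up[0] + " " + up[1], "single"))
        elif chr(b) in LOWER:
            out.append((chr(b), *LOWER[chr(b)]))
        else:
            out.append((chr(b), None, None))
    return out


def stack_delta(sled, land_at=0):
    """Net ESP change when execution enters an all-capitals sled at offset
    land_at and runs to its end.  None if any byte is not A-Z, because those
    bytes are not single-byte instructions and would need a full decoder."""
    delta = 0
    for b in sled[land_at:]:
        d = decode_upper(b)
        if d is None:
            return None
        delta += d[2]
    return delta


def landing_offsets_balanced(sled):
    """Landing offsets from which the sled finishes with ESP unchanged: the
    'balance pushes and pops' idea checked for every entry point, not just 0."""
    return [i for i in range(len(sled)) if stack_delta(sled, i) == 0]


def disasm_upper(sled):
    """One listing line per byte of a capitals-only sled."""
    lines = []
    for b in sled:
        d = decode_upper(b)
        lines.append(f"{b:02X}  {d[0]} {d[1]}" if d else f"{b:02X}  (not a one-byte instruction)")
    return lines


if __name__ == "__main__":
    for sled in (b"AAAAAAAA", b"PX" * 4, b"PPXX"):   # constructed sample sleds
        print(sled, "delta from 0:", stack_delta(sled),
              "balanced landings:", landing_offsets_balanced(sled))
    for line in disasm_upper(b"PAAX"):
        print(line)
    print(classify(b"abcdefghijklmno"))
```

Running the sample shows why Omar's "+-1 depending where you land" matters: `PXPXPXPX` is balanced from even offsets only, and `PPXX` only from offset 0, so a sled of pure INC/DEC (`AAAA...`) is the only form whose stack effect is independent of the landing point. To see the full decoding of an a-o sled rather than the 16-bit interpretation shown in the post, run ndisasm with `-b 32`.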

This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:53:48 EDT