From: Karsten Johansson (ksaj@penetrationtest.com)
Date: Mon Feb 16 2004 - 12:52:45 EST
Greetings,
Thanks to those who emailed me. 'abcdefghijklmno'
does indeed map to opcodes. The quick test I did
showed them as unmapped, but they definitely are
mapped. One person found that a .com file with my
suggested NOP sled actually made his mouse jump all
over the place. That's not very NOPish at all.
As well, a few people provided some really good links
on the subject. Here are two good ones:
http://www.livejournal.com/community/shellcode/1983.html - ASCII shellcode for writing a message to the console
http://cansecwest.com/noplist-v1-1.txt - NOP
equivalents used by SNORT spp_fnord.c
Since the people that use NOP sleds don't really care
about the registers and what's on the stack, then
there are probably a lot more useful NOP sled opcodes
available - as long as they don't generate errors.
I am thinking about finishing the document that I
posted here on Byte code replacement, because I wrote
that when extended registers weren't an issue. If
anyone wants to help, just let me know.
Karsten Johansson
www.PENETRATIONTEST.com
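A defender-side illustration of the NOP-equivalent idea behind the spp_fnord reference above, written as an added example (not code from the list post, from Snort, or from the CanSecWest list): it assumes a deliberately small table of single-byte x86 instructions (0x90 plus INC/DEC r32, bytes 0x40-0x4F) and scans a constructed payload for long runs of them, which is how a sled built from bytes other than 0x90 still stands out to a detector.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Single-byte x86 instructions that can replace 0x90 in a sled because
 * the payload that follows does not depend on their effect: NOP itself and
 * INC/DEC r32 (0x40-0x4F, the printable characters '@'..'O').  Assumption:
 * this table is illustrative only, far smaller than spp_fnord's list; the
 * 'a'..'o' bytes (0x61-0x6F) from the thread are deliberately absent since
 * they decode to things like POPAD, prefixes and INS/OUTS, not NOPs. */
static int is_nop_equivalent(uint8_t b)
{
    return b == 0x90 || (b >= 0x40 && b <= 0x4F);
}

/* Length of the longest run of consecutive NOP-equivalent bytes in buf.
 * A fnord-style preprocessor alerts when this exceeds a tunable threshold. */
size_t longest_sled_run(const uint8_t *buf, size_t len)
{
    size_t best = 0, cur = 0;
    for (size_t i = 0; i < len; i++) {
        cur = is_nop_equivalent(buf[i]) ? cur + 1 : 0;
        if (cur > best)
            best = cur;
    }
    return best;
}

/* Returns 1 when the buffer contains a run at least `threshold` bytes long. */
int looks_like_sled(const uint8_t *buf, size_t len, size_t threshold)
{
    return longest_sled_run(buf, len) >= threshold;
}

int main(void)
{
    /* Constructed sample payloads, not captured traffic. */
    const char *plain = "GET /index.html HTTP/1.0\r\n";
    const char *sled  = "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA";

    printf("plain: run=%zu sled=%d\n", longest_sled_run((const uint8_t *)plain, strlen(plain)),
           looks_like_sled((const uint8_t *)plain, strlen(plain), 32));
    printf("sled:  run=%zu sled=%d\n", longest_sled_run((const uint8_t *)sled, strlen(sled)),
           looks_like_sled((const uint8_t *)sled, strlen(sled), 32));
    return 0;
}
```

The "GET" and "HTTP" bytes show why the threshold matters: ordinary ASCII traffic contains short runs of these opcodes, so a real preprocessor keys on run length rather than on the presence of any single byte.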