Re: Advances In Windows Shellcode
From: sk (sk@scan-associates.net)
Date: 01/15/03
- Previous message: John the Kiwi: "Re: AW: MS Terminal Services open to the world"
- Maybe in reply to: Brett Moore: "Advances In Windows Shellcode"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
From: "sk" <sk@scan-associates.net> To: <pen-test@securityfocus.com> Date: Wed, 15 Jan 2003 15:17:08 +0800
The 91++ bytes shellcode not only uses hard code addresses, it also using
hard coded socket descriptor of 0x11, which should _not_ work. (Anyone get
it working?)
Perhaps what is missing is a routine to find socket descriptor of the
current connection?
sk
>From: Ing. Bernardo Lopez (bloodk_at_prodigy.net.mx)
>Date: Wed Jan 01 2003 - 18:32:20 CST
>I know this is not the faster way but...
>
>Could be more easy to get the shellcode if you put in your program and
>rebuild it (whitin a debugger, like softice)then you dump that modified
>addres...
>Whit this you can split the includes and other extra stuff, just getting
>the minimal shellcode nesesary...
>Have a nice day
>PS:Well then , my hipotetical method or by doing a C prog whit includes
>and all?
>El mar, 31-12-2002 a las 23:02, Brett Moore escribió:
> Advances in windows shellcode are few and far between. Papers exist
> detailing the process using anonymous pipes and examples exist showing how
> to use a socket directly as the handle for stdin, stdout and stderr.
>
> RVA techniques can be used to write code that will run regardless of
service
> pack, and there is not often times when shellcode space is extremely
limited
> so we should be happy with universal remote callback shellcode of ~300
> bytes.
>
> David Litchfield's post regarding using a socket as a handle included a
> statement:
> "If you hard code addresses ..... you can get the exploit code down to 160
> bytes"
>
> Which got me to thinking of how to write smaller remote callback
shellcode.
> What evolved was an idea, and then shellcode which sends a remote shell
> back, uses only 2 api calls, and is only 91 bytes in size.
>
> It does have limited uses, has hardcoded address for SP3, messy, could be
> refined but should provoke some interesting thought tangents.
>
> The code is not commented, is not at all user friendly, and to cut the
size
> of the post is ill formated, but those who seek the answer should be able
to
> get it work.
>
> And now I go on holiday, my byte sequence patent should be ready for
filing
> by the time I get back ;)
----------------------------------------------------------------------------
This list is provided by the SecurityFocus Security Intelligence Alert (SIA)
Service. For more information on SecurityFocus' SIA service which
automatically alerts you to the latest security vulnerabilities please see:
https://alerts.securityfocus.com/
- Next message: Rob Lindenbusch: "RE: Checkpoint FW-1 on Nokia - potential user enumeration bug?"
- Previous message: John the Kiwi: "Re: AW: MS Terminal Services open to the world"
- Maybe in reply to: Brett Moore: "Advances In Windows Shellcode"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
