Re: asm shellcode techniques (especially relevant for win32)

From: RaiSe (raise@netsearch-ezine.com)
Date: 09/06/01

• Previous message: Blue Boar: "Re: CodeGreen beta release (idq-patcher/antiCodeRed/etc.)"
• In reply to: Enrique A. Compań Gzz.: "Re: asm shellcode techniques (especially relevant for win32)"
• Next in thread: Ryan Permeh: "Re: asm shellcode techniques (especially relevant for win32)"
• Reply: Ryan Permeh: "Re: asm shellcode techniques (especially relevant for win32)"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

---

Date: Thu, 6 Sep 2001 01:26:50 -0400 (EDT)
From: RaiSe <raise@netsearch-ezine.com>
To: <vuln-dev@securityfocus.com>
Subject: Re: asm shellcode techniques (especially relevant for win32)
Message-ID: <Pine.LNX.4.33L2.0109060119230.1461-100000@apolo>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

> Generally I preffer to code a proof-o-concept this way (when possible):
>
> [AAAAAAAAAAAAAA][EBP][EIP][SHELLCODE]
>
> not this way:
>
> [SHELLCODE][AAAAA][EBP][EIP]

Yes, but first code has a problem. Look at this code:

**
int main(int argc. char *argv[])
{
char buffer[256];

strcpy(buffer, argv[1]);
printf("%s", argv[2]);

}
**

If you put the shellcode after [EIP], you will overwrite argc and argv,
so, printf will make segv fault. I think that is better to put shellcode
before [EBP] and [EIP] when it is possible.

==============-----------------------------==============
RaiSe
UNDERSEC Security Team / http://www.undersec.com
NetSearch Ezine Staff / http://www.netsearch-ezine.com
ysfk>2{5~~2s~eska2~}dw2k}g<<< XOR 18
==============-----------------------------==============

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: Made with pgp4pine 1.76

iD8DBQE7lwkhSP4h0VxUtqMRApmOAJ9GpfM3Dt6dUqfkRRwC+7u4SeDfDgCgiXx2
x83Kq3APOf7ZsCVCgDUYiBo=
=k71I
-----END PGP SIGNATURE-----

---

• Previous message: Blue Boar: "Re: CodeGreen beta release (idq-patcher/antiCodeRed/etc.)"
• In reply to: Enrique A. Compań Gzz.: "Re: asm shellcode techniques (especially relevant for win32)"
• Next in thread: Ryan Permeh: "Re: asm shellcode techniques (especially relevant for win32)"
• Reply: Ryan Permeh: "Re: asm shellcode techniques (especially relevant for win32)"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

---

Relevant Pages Re: [Full-disclosure] PWCK Overflow POC Code Redhat/Suse older versions or something (maybe later to ... buffer overflow exploit. ... int main(int argc, char *argv) ... * shellcode for SCO UnixWare ... Mail has the best spam ... (Full-Disclosure) Re: Shellcode itself segfaults ... ebx register, a pointer to a pointer to char, however this ... it's a perfectly correct memory layout and the next "int 80" calls the following command: ... What MIGHT be causing the problems with the shellcode is the fact that it is self-modifying in the disassembly above). ... (Pen-Test) RE: vml.c - Internet Explorer VML Buffer Overflow Download Exec Exploit ... char *url = NULL; ... // Search Shellcode ... int size) ... (Bugtraq) Re: Help developing an exploit ... shellcode because as you said ... your shellcode directly into EIP, ... "After you overflow the stack do any of the registers ... into EAX, EDX, and EIP at various points. ... (Vuln-Dev) vml.c - Internet Explorer VML Buffer Overflow Download Exec Exploit ... char *url = NULL; ... // Search Shellcode ... int size) ... (Bugtraq)

---

• Security
• UNIX
• Linux
• Coding
• Usenet

• News
• Mailing-Lists
• Newsgroups
• Service
• About
• Privacy
• Search
• Imprint

www.derkeiler.com  > Mailing-Lists  > securityfocus  > vuln-dev  > 2001-09