Vuln Dev
creating a "cc" opcode from ASCII shell code Jun 22 2007 09:58AM
Aaron Adams (aadams securityfocus com) (3 replies)
I'm sending this to the list on behalf of deros68 <at> yahoo.com. Please
respond to the list or him directly, rather than me.

Thanks.
Moderator

-------- Original Message --------

I have developed an email exploit, incoming email via
smtp, for a certain email program. I want to develop
a "run calc.exe" POC and submit to the email vendor -
also get credit for it. My first 0 day exploit - not
DOS attack. -:)

If you open or preview the email the stack gets
overlaid. So far - so good. However it soon gets
messy. All input data is translated to UTF-8. I
built a translate table, a long process with
Windbg/Olly, and have decided that I am forced to
create ASCII shell code so that I can launch calc.exe
and return to the thread. Only hex 20-79 input
survives untouched.

problem 1.

EIP EIP +4 EIP +8 etc...------ rest of stack

EIP at 0013c000

I can overwrite EIP with the start of my ASCII
shellcode. For the exploit to work the data that overlays
EIP +4 (0013c004) must be a safe address like
40404040 or 60606060, also it must be ASCII otherwise
it gets translated on input.

Fine - I can use a mix of dec ecx/inc ecx hex
49/41 that produces a "safe" address and executable
code that does not effectively change anything. say
49414941

ASCII shell code that runs calc.exe - I think that I
can adapt some found on the net.

What is stumping me is the following:

I want to create several breakpoints in the generated
shell code so that I can debug it in Olly:

I cannot (so far) create some ASCII shell code that
will generate instream the "cc" opcode from
simple ASCII input code.

I tried using the Metasploit "shell code" generator
and failed. Also - there is no means of delivery via
Metasploit so I gave up on using it.

Maybe I am just tired.... My guess is that I must
seed a register with an ASCII value and then
and/xor/not it with an appropriate value. I have tried
using add/sub with no luck.

thanks

deros68

Re: creating a "cc" opcode from ASCII shell code Jun 23 2007 12:09AM
Dude VanWinkle (dudevanwinkle gmail com)
Re: creating a "cc" opcode from ASCII shell code Jun 22 2007 10:02PM
H D Moore (sflist digitaloffense net)
Re: creating a "cc" opcode from ASCII shell code Jun 22 2007 06:20PM
Valdis Kletnieks vt edu

Copyright 2010, SecurityFocus