Dailydave mailing list archives
Re: A white-tip shark has a sensitive enough lateral line to hunt the reef in complete darkness
From: <halvar () gmx de>
Date: Fri, 7 Jan 2005 01:17:22 -0800
Hey All,
> 3. If you search Google for "readclient shellcode" you can see that
> several Chinese exploits have been successful at using the
> readclient/writeclient ISAPI functions for back communications. This is
> excellent work, but they do leave out one detail - how do you find the
> connection ID that you'll need to make it work? The shellcode they post
> publicly appears to assume it's in a particular place, which is not common
> in my experience. My new shellcode overcomes that problem, and of course,
> fits into MOSDEF's framework. So you can hack a box over port 443 and then
> continue that SSL conversation with your new MOSDEF Node.
> http://www.google.com/search?q=shellcode+readclient

Readclient shellcode is the obvious way to go when doing ISAPI. The retrieval
of the connection ID is in most cases not a problem -- very few ISAPIs I've
seen overflow in a different thread than the one that went through
HttpExtensionProc. In that case, unless you're very unlucky, your ESP is still
intact, and unless you _really_ smashed the stack (e.g. memcpy(,,-1)) you will
have no problem retrieving the lpECB from [ESP+static_offset]. Remember that
stack frame sizes are constant for a given executable, and that you can just
rely on a value you figured out in your own debugger here. Of course, you have
to adjust 1 offset in the shellcode to make it work for different targets.

The idea is that you can in many situations find a socket handle or equivalent
if you look upwards on the stack a bit. All the local variables of the entire
chain of functions calling you should be there, and at static offsets -- thus
your shellcode can access all local variables of all the functions in that
chain as its own local variables.

I have to admit that I never actually sat down to properly write GOcode-style
shellcode, although there are a bunch of situations where it is clearly of use
(asymmetric situations where the original socket handle is gone and you just
want _any_ socket to a box you control).

Somebody please figure out the art of cloning yourself for enhanced
productivity :(

Concerning cryptographic shellcode: If you don't intend to have decent
compatibility (e.g. if you just want to attack Windows boxes from Windows
boxes, and not Windows from Linux) MS's crypto API is very convenient for
properly encrypting any communication between you and the owned box. I like
convenient APIs.

Cheers,
Halvar
_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
https://lists.immunitysec.com/mailman/listinfo/dailydave