Home page logo

pen-test logo Penetration Testing mailing list archives

Re: pen testing & obfuscated shell code (more neat stuff)
From: "Angelo Dell'Aera" <buffer () antifork org>
Date: Tue, 17 Feb 2004 15:53:51 +0100

On 16 Feb 2004 17:52:45 -0000
Karsten Johansson <ksaj () penetrationtest com> wrote:

In-Reply-To: <002d01c3f358$6339a660$6401a8c0 () harrypotter>

Since  the people  that use  NOP sleds  don't really  care  about the
registers and what's on the stack, then there are probably a lot more
useful NOP  sled opcodes available -  as long as  they don't generate

Don't like too much talking about  myself but I just want to point out
a work I  realized two years ago  for showing how to defeat  an IDS in
"shellcode  catching".  In  that  occasion,  I  wrote  two  completely
alphanumeric codes  you may find  on my homepage (reported  below) and
named buffer-i386-raptus.c  and buffer-i386-delirium.c. In particular,
the latter  is an alphanumeric asm  code which builds  a shellcode and
then executes it.  Using these codes, you can use whatever padding you
want since  they make no assumptions on  the registers'  contents thus
always  setting them  properly. This  is  obviously true  even if  you
generate an  alphanumeric shellcode using  f.e. Rix's ASC  starting by
"I-make-no-assumptions" classic shellcode.



Angelo Dell'Aera 'buffer' 
Antifork Research, Inc.         http://buffer.antifork.org

PGP information in e-mail header

Attachment: _bin

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]