Vulnerability Development: Writing ascii shellcode (\xcc)

From: <lists73_at_skilltube.com>
Date: 4 Jul 2007 15:43:06 -0000
There was a question regarding ascii shellcode development and in particular, how to get the \xcc opcode. We had a similar problem a few weeks ago and we solved it with a well-known approach documented by Steve Hanna. The example below might help others as well.

Suppose we want to create the following small shellcode (just an example):

int3
int3
int3
int3

The corresponding opcodes look like the following:

\xcc\xcc\xcc\xcc

These are definitely not printable characters. However, we can write them on the fly with the following loader code (does not contain non-printable characters):

// eax == 0
and eax,454e4f4a
and eax,3a313035

// make "room" for the real shellcode
push esp
pop eax
sub eax,39393333
sub eax,72727550
sub eax,54545645 // depends on the space needed
push eax
pop esp

// write last four byte block of our shellcode
and eax,454e4f4a
and eax,3a313035

sub eax,66666666
sub eax,66666666
sub eax,66666668
push eax

//write next four byte block of our shellcode
etc.
Received on Jul 04 2007
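
Added example, not part of the original post: a small C emulator an analyst can use to check what a printable-only loader of this shape computes, covering only the "and eax,imm32", "sub eax,imm32" and "push eax" instructions shown above. The function name and the two byte strings are constructed for this illustration; the strings are the post's own instructions encoded by hand with little-endian immediates.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Opcodes used by the loader; each is itself a printable byte: '%', '-', 'P'. */
enum { OP_AND_EAX = 0x25, OP_SUB_EAX = 0x2d, OP_PUSH_EAX = 0x50 };
static int printable(unsigned char b) { return b >= 0x20 && b <= 0x7e; }

/* Emulate "and eax,imm32", "sub eax,imm32" and "push eax" over code[0..len).
 * Pushed dwords are stored in out[]. Returns the number of dwords pushed, or
 * -1 on an unsupported opcode, a non-printable or truncated immediate. */
int emulate_loader(const unsigned char *code, size_t len, uint32_t *eax,
                   uint32_t *out, size_t max_out)
{
    size_t i = 0, n = 0;
    while (i < len) {
        unsigned char op = code[i++];
        if (op == OP_PUSH_EAX) {
            if (n == max_out) return -1;
            out[n++] = *eax;
            continue;
        }
        if ((op != OP_AND_EAX && op != OP_SUB_EAX) || len - i < 4) return -1;
        uint32_t imm = 0;
        for (int k = 3; k >= 0; k--) {          /* little-endian imm32 */
            if (!printable(code[i + k])) return -1;
            imm = (imm << 8) | code[i + k];
        }
        i += 4;
        if (op == OP_AND_EAX) *eax &= imm;      /* the two masks share no bits */
        else                  *eax -= imm;      /* wraps modulo 2^32 */
    }
    return (int)n;
}

/* Constructed samples: the post's write-block and make-room sequences. */
static const unsigned char WRITE_BLOCK[] = "%JONE%501:-ffff-ffff-hfffP";
static const unsigned char MAKE_ROOM[]   = "-3399-Purr-EVTT";

int main(void)
{
    uint32_t eax = 0xdeadbeef, out[4];          /* arbitrary starting EAX */
    int n = emulate_loader(WRITE_BLOCK, sizeof WRITE_BLOCK - 1, &eax, out, 4);
    printf("pushed %d dword(s), first = 0x%08x\n", n, n > 0 ? (unsigned)out[0] : 0u);
    eax = 0;                                    /* start from 0 to read the net offset */
    emulate_loader(MAKE_ROOM, sizeof MAKE_ROOM - 1, &eax, out, 4);
    printf("net ESP adjustment = +0x%x bytes\n", (unsigned)eax);
    return 0;
}
```

Starting the make-room sequence from zero shows that the three subtractions wrap around to a net forward move of the stack pointer, which is why the pushed dwords land after the loader.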