Dailydave mailing list archives

Re: Does size matter?


From: Bas Alberts <bas.alberts () immunitysec com>
Date: Mon, 7 Mar 2005 21:15:35 -0500

Hrmm..personally I'm more of a functionalist, as long as it A) fits
B) is reliable C) when in a bruting situation, does not foul up
a sensible brute step..I really don't care about 100 bytes more or
less. Of course I'm of the school that thinks all this 'programming
is art' nonsense is umm..nonsense. As a journalism grad I got
into CS to get away from the hippies...oh how foolish I was.. :/

And if you're guessing on a single shot, you need to rethink your
approach ;) Of course when it's a single shot in the sense where you
can't repeat your bug primitive at _all_ (even in 'crash once and it's
gone' scenarios you can often come up with a sensible approach that
rules out guessing to a fair extent), a smaller payload does have
significant advantages.

Now having said that, in practice it's always a game of adaptation,
so if your 600 byte super fancy overengineered socket recycling rc4
shellcode doesn't make the cut..you stage it..if the generic first
stage is too big, you special case it abusing specific quirks in your
target software that allow for smaller code (knowing a certain fd is
always your socket, being able to assume there's only 1 active
connection..etc. etc.)

As far as platforms go, traditionally Win32 payloads have always
been a bit of a pain in the ass size wise, requiring hashing routines
etc. to be portable. Now there's a whole bunch of people who've done
some neat research into making that less of an issue, most notably
Oded's (I believe he was the first to go 'public', correct me if
I'm wrong) ordinal work. Also the metasploit folk have done some
cute work with regards to optimised win32 payloads.

Ok my mailinglist quota for 2005 is almost full \o/

Regards,
Bas

On Tue, Mar 08, 2005 at 01:07:27AM +0100, Gigi Sullivan wrote:
Greetings,

   it's not my intention to send spam, despite the email's subject :) 
   
   What I'm referring to is related to shellcode (or call it whatever you
   want) size; it's common knowledge -- or at least it used to be so, IMHO --
   that it may be possible to experience size constraints while trying to
   overflow a buffer (just think about plain stack-based overflows without any
   kind of protection/mitigation techniques) so that one is unable to find
   enough space to store his fancy executable stuff... directly into the
   overflowable buffer.

   So I was just curious: does size really still matter nowadays, or do we
   have enough space to do whatever we want in order to execute our shellcode [1]?

   Are there any differences between OSes? (i.e. usually Windows apps offer (as
   a feature? :)) just enough space to do our job)
   
TIA, bye
Lorenzo

[1] yes, syscall proxying and other cool methods could help us develop more
    complex shellcode without worrying too much about size, but I was thinking
    about old shellcode contests where the winner was whoever had the
    smallest one (always shellcode buddies, always shellcode :))

-- 
Lorenzo Cavallaro `Gigi Sullivan' <sullivan () sikurezza org>

Until I loved, life had no beauty;
I did not know I lived until I had loved. (Theodor Korner)

See the reality in your eyes, when the hate makes you blind. (A.H.X)


_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
https://lists.immunitysec.com/mailman/listinfo/dailydave
