 
Dailydave mailing list archives
Re: Does size matter?
From: vlad902 <vlad902 () gmail com>
Date: Mon, 7 Mar 2005 18:17:33 -0800
On Tue, 8 Mar 2005 01:07:27 +0100, Gigi Sullivan <sullivan () sikurezza org> wrote:
Greetings, it's not my intention to send spam, despite the email's subject :) What I'm referring to is related to shellcode (or call it whatever you want) size; it's common knowledge -- or at least it used to be so, IMHO -- that it may be possible to experience size constraints while trying to overflow a buffer (just think about plain stack-based overflows without any kind of protection/mitigation techniques) so that one is unable to find enough space to store his fancy executable stuff... directly into the overflowable buffer. So I was just curious: does size really still matters nowadays or we have enough space to do whatever we want in order to execute our shellcode [1]? Are there any difference between OSes? (i.e. usually Windows apps offer (as a feature? :)) just enough space to do our job)
I sure think so, and the metasploit team and I have worked hard on providing small payloads*. On windows, size is not as big an issue as most people think. If conventional payloads are too large you can still resort to using ordinal stagers (<100 bytes.) Also, in most cases you can locate a buffer at a predictable location, and even if it's very small you can still most likely use an egghunt payload in that scenario. I think that small size is a bigger issue on linux/bsd then windows/solaris. For windows/solaris you are most likely attacking a native binary and can predict where the buffer will be if you know the remote OS version. For linux/bsd however you can never be too sure of where everything is, and so in cases where you have to blindly guess a buffer location a couple more nops here and there can go a long way. :) Just some metasploit whoring, comparisons between sizes in 2.2 and 2.3: Name: Size of payload in 2.2 (bytes) vs. size of payload in 2.3 (bytes) Linux/x86 bindshell: 88 vs. 84 Linux/x86 connect back: 105 vs. 70 Linux/x86 findsock (recv): 95 vs. 69 BSD/x86 bindshell: 151 vs. 78 BSD/x86 connect back: 64 vs. 68 (Size grew because of bug fix) BSD/x86 findsock (recv): None vs. 70 Windows/x86 bindshell: 375 vs. 321** Windows/x86 connectback: 357 vs. 291** Windows/x86 findsock (recv) stager: none vs. 92*** * The win32 non-ordinal stagers still have to be re-written. ** Will be smaller in the next release. *** Ordinal-based stager.
TIA, bye
Lorenzo
[1] yes, syscall proxying and other cool methods could help us developing more
    complex shellcode without worring too much about size, but I was thinking
    about old shellcode contests where the winner was who had it more
    little (always shellcode buddies, always shellcode :))
--
Lorenzo Cavallaro `Gigi Sullivan' <sullivan () sikurezza org>
Until I loved, life had no beauty;
I did not know I lived until I had loved. (Theodor Korner)
See the reality in your eyes, when the hate makes you blind. (A.H.X)
_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
https://lists.immunitysec.com/mailman/listinfo/dailydave
-vlad902 _______________________________________________ Dailydave mailing list Dailydave () lists immunitysec com https://lists.immunitysec.com/mailman/listinfo/dailydave
Current thread:
- Does size matter? Gigi Sullivan (Mar 07)
- Re: Does size matter? Bas Alberts (Mar 07)
- Re: Does size matter? vlad902 (Mar 07)
- Re: Does size matter? Bas Alberts (Mar 07)
- Re: Does size matter? Michael Silk (Mar 07)
 
 
- Re: Does size matter? vlad902 (Mar 07)
 
- Re: Does size matter? Bas Alberts (Mar 07)
- Re: Does size matter? vlad902 (Mar 07)


